
Published on May 20th, 2019


AppSec attack and defense: The password domino effect



The discourse around application security makes for a complex discussion. Experts seldom agree on the best strategy in the face of the myriad threats that individuals and organizations face. That said, one truth is held unanimously: there is no “silver bullet.” In other words, no single security solution can compensate for the vulnerabilities inherent in every layer of the application stack, from the human factor, through the software stack, all the way down to the hardware on which the application runs. At the end of the day, it’s up to the system designers, developers, and architects to bring order to this chaos.

It’s important to understand the difference between the way a defender and an attacker look at the same system. This difference goes beyond the fundamental asymmetry that we know exists between attacker and defender (e.g., the resources at their disposal, their skill level, their tolerance for failure). The core difference lies in their distinct perspectives.

Defenders are constrained to the scope of the system they’re trying to protect. They see its elements as discrete components, each serving a purpose or function. In contrast, attackers have a much broader and more holistic view of the battlefield and treat the various interfaces as organic attack vectors that are complementary to one another. In extreme cases, an attacker can even leverage the very way the security mechanisms are set up to accomplish the attack. To delve a bit deeper into this, let’s take a look at an example of Red Team research that I’ve been involved with previously.

The password domino effect

The most fundamental access control mechanism is the combination of a username and password. After more than 50 years of devising authentication schemes and authorization solutions, our practices have reached a high level of maturity. These range from the fundamentals of strong password policies (e.g., high complexity, periodic expiration), to common backend security practices (e.g., anti-brute-force controls, password hashing and salting), to the adoption of out-of-band and two-factor authentication techniques. Even with this knowledge and these capabilities, the risk of account breach and identity theft remains prevalent.

In December 2013, I presented a live demo of a complete account takeover at the Globes Israel Business Conference. There, I showed how to take over a user’s email and social media accounts, and even how to pinpoint and erase all the data on the user’s mobile devices and in their cloud storage. What’s interesting about that demo is that no hacking, in the sense of exploiting a software vulnerability, was involved. Rather, it demonstrated how the combination of poorly implemented password recovery across the web and the availability of personal data on social media can lead to catastrophic results.

To summarize, I showed that the obfuscation (i.e., replacing parts of the email address with “*”) applied to the recovery address in account-reset flows was not standardized across websites. Each site revealed a different subset of characters, leaving the attacker with the simple task of reconstructing the full address by visiting several sites and combining what each one disclosed. Next, I showed how the answers to the supposedly secret questions in the reset procedure were actually publicly available on the user’s social media accounts. Once an attacker gains access to the mailbox to which password reset links are sent, the whole authentication scheme collapses like dominoes.
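The reconstruction step described above, as an added example that is not part of the original article or the demo it describes: each reset page is modelled as a masked view of the same address, and the views are overlaid so that every character any site reveals fills its position. The sample views are constructed for the example, and the code assumes each site masks with “*” while preserving the length and positions of the address; a site that pads or shortens the mask breaks that assumption, and the merge reports the mismatch rather than guessing.

```python
"""Reconstruct a masked recovery address by combining the partial views that
different password-reset pages reveal.

Added example, not code from the original article. Assumes each site masks
hidden characters with '*' and preserves length and character positions.
"""

MASK_CHAR = "*"

# Constructed sample: four reset pages, each masking the same address
# ("jane.doe@example.com") in a different way.
MASKED_VIEWS = [
    "ja******@example.com",   # site A: first two letters of the local part, full domain
    "j******e@e******.com",   # site B: first/last letter of each part, plus the TLD
    "****.doe@***********",   # site C: last four characters of the local part only
    "**ne****@example.***",   # site D: third/fourth letters of the local part, domain, no TLD
]


def merge_masks(views):
    """Overlay several masked views of one string into a single partial view.

    Every revealed character fills the corresponding position. A ValueError is
    raised when views disagree on length or on a revealed character, which
    means they are not position-preserving masks of the same address.
    """
    if not views:
        raise ValueError("need at least one masked view")
    length = len(views[0])
    merged = [MASK_CHAR] * length
    for view in views:
        if len(view) != length:
            raise ValueError(f"cannot align {view!r}: length {len(view)} != {length}")
        for pos, ch in enumerate(view):
            if ch == MASK_CHAR:
                continue
            if merged[pos] not in (MASK_CHAR, ch):
                raise ValueError(f"conflict at position {pos}: {merged[pos]!r} vs {ch!r}")
            merged[pos] = ch
    return "".join(merged)


def unknown_positions(merged):
    """Return the indexes that are still masked after merging."""
    return [i for i, ch in enumerate(merged) if ch == MASK_CHAR]


def reconstruct(views):
    """Merge the views one site at a time and record how many characters stay unknown.

    Returns (merged_string, [unknown_count_after_each_site]).
    """
    history = []
    for n in range(1, len(views) + 1):
        history.append(len(unknown_positions(merge_masks(views[:n]))))
    return merge_masks(views), history


if __name__ == "__main__":
    address, progress = reconstruct(MASKED_VIEWS)
    print("recovered:", address)
    print("unknown characters after each site:", progress)
```

With the four constructed views the unknown count drops 6, 5, 2, 0, and no single site disclosed enough on its own. The defensive lesson is the mirror image: mask the recovery address consistently and minimally (the ValueError path is what a non-aligned mask looks like to the attacker), and never let a reset flow confirm or deny a candidate address.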

A few months after this presentation, in August 2014, news broke of the infamous celebrity iCloud account hack and the subsequent leak of private and intimate pictures. That attack was perpetrated in a similar fashion, exploiting the same weaknesses.

If this all sounds too easy, it is actually the harder path to an account compromise. In fact, you can find online databases with billions of account credentials stolen from previously breached websites. Couple this with the phenomenon of password reuse, and the entire username-and-password authentication paradigm is rendered ineffective.
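One check a defender can add against the reuse problem described above, as an added example that is not part of the original article: reject any new or reset password that already appears in a leaked-credentials corpus, without ever sending the candidate password to whoever holds the corpus. The client/server split below mirrors the k-anonymity design of the Pwned Passwords “range” API (the client sends only the first five hex characters of the SHA-1 and compares the returned suffixes locally); the corpus itself is a constructed in-memory stand-in with made-up counts, so the example runs offline.

```python
"""Check a candidate password against a leaked-credentials corpus without
revealing the password to the corpus holder.

Added example, not code from the original article. The prefix/suffix split
follows the Pwned Passwords range-API design; the corpus is constructed.
"""

import hashlib

# Constructed stand-in for a leak database (password -> made-up occurrence count).
LEAKED_PASSWORDS = {
    "password": 1000,
    "123456": 5000,
    "Summer2019!": 2,
    "letmein": 300,
}

PREFIX_LEN = 5  # hex characters of SHA-1 sent to the server


def sha1_hex(password):
    """Uppercase hex SHA-1, the digest format the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Server side: group hash suffixes (with counts) under their 5-char prefix."""
    index = {}
    for password, count in leaked.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_query(index, prefix):
    """Server side: return everything known for a prefix. The full hash never arrives."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix, {}))


def breach_count(password, index):
    """Client side: send only the prefix, then match the suffix locally.

    Returns how many times the password appeared in the corpus (0 if never).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_query(index, prefix).get(suffix, 0)


def acceptable_new_password(password, index, min_len=8):
    """Signup/reset policy: a leaked password fails no matter how 'complex' it looks."""
    if len(password) < min_len:
        return False, "too short"
    count = breach_count(password, index)
    if count:
        return False, f"appeared in {count} leaked credential(s)"
    return True, "ok"


if __name__ == "__main__":
    index = build_range_index(LEAKED_PASSWORDS)
    for candidate in ("Summer2019!", "orbital-lantern-quince-47"):
        print(candidate, "->", acceptable_new_password(candidate, index))
```

Note that “Summer2019!” satisfies a typical complexity policy (length, case, digit, symbol) and still fails, which is the point: once a password is in a leak corpus, reuse makes it a known value, and no amount of complexity scoring changes that.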

If you’re thinking that this can be fixed with two-factor authentication (2FA), you’re (mostly) correct. The bad news is that, according to a recent EliE study, only 52.5% of websites support 2FA (and there is no data on how many users actually opt in to it). Then again, there are also emerging techniques for circumventing 2FA solutions. As such, the core issue remains: the administrator (or security architect) has limited visibility and can observe only a fraction of the full threat landscape. Even with more visibility, they have no control over the level of security within third-party organizations, nor over the user’s cyber hygiene.

Lessons learned

While this anecdotal example illustrates the security gap between defender and attacker, it doesn’t represent the complete picture. For every successful attack you see in the news, there are thousands (perhaps even millions) of unsuccessful attempts that we never hear about.

While every organization is different, and every CISO faces unique challenges, the industry is united in its motivation to bettering our cyber hygiene and increasing our resilience to threats.

Matan Scharf, senior security solutions manager at Synopsys




