Recycling, bad for your environment!

5 July 2016

The news is constantly flooded with reports of yet another breach of a high-profile vendor. Perhaps the biggest and most publicized recent example is the exposure of the data from the 2012 LinkedIn breach. After this dataset became public, news of further companies being compromised and customer accounts being accessed by unknown parties spread rapidly.

Many blogs and news articles see these reports and jump to the conclusion that there has been yet another breach, while the reality is often quite different. Within days of the public exposure of the LinkedIn dataset, we saw reports of Twitter being compromised, including the hijacking of an account belonging to Mark Zuckerberg. Following this, we saw users of various other services, such as TeamViewer and GoToMyPC, report that their accounts had been compromised. The likelihood is that people have neglected to change their passwords since 2012 and have recycled the same password across multiple services.

The LinkedIn passwords were hashed using SHA1 without any unique salt, making it a straightforward task to recover a majority of the passwords. Once the passwords are recovered for a dataset such as LinkedIn’s, the password and e-mail combinations can then be passed to a script that will attempt to log in to a variety of services to identify valid accounts. This operation can be performed on a small scale by anyone with access to the database, though successive login attempts against millions of accounts from a single IP address would be easy to identify. In this case, however, there is a likelihood that the operation has been performed using a large botnet to spread the requests across many IP addresses.
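The difference between the single-IP and botnet patterns described above matters for detection on the defending service. The following is an added example, not code from the original post: it scans authentication events and flags both a single loud source and a window where many distinct accounts fail from sources that each stay quiet. The event format, thresholds, window size and sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW = 300  # bucket size in seconds (assumed value)

def detect_stuffing(events, per_ip_users=5, global_users=20):
    """events: iterable of (epoch_seconds, source_ip, username, success).

    Returns (noisy_ips, distributed_windows):
      noisy_ips: IPs with failed logins for >= per_ip_users accounts in one window.
      distributed_windows: window starts where >= global_users distinct accounts
        failed from IPs that each stayed under the per-IP threshold.
    """
    failed = defaultdict(lambda: defaultdict(set))  # window -> ip -> usernames
    for ts, ip, user, success in events:
        if not success:
            failed[ts - ts % WINDOW][ip].add(user)

    noisy_ips, distributed = set(), []
    for window in sorted(failed):
        quiet_users = set()
        for ip, users in failed[window].items():
            if len(users) >= per_ip_users:
                noisy_ips.add(ip)          # single-source pattern
            else:
                quiet_users |= users       # low-and-slow sources
        if len(quiet_users) >= global_users:
            distributed.append(window)     # many accounts, no loud IP
    return noisy_ips, distributed

def sample_events():
    """Constructed log: documentation-range IPs and made-up usernames."""
    events = [(10 + i, "192.0.2.10", f"user{i}", False) for i in range(8)]
    events += [(600 + i, f"198.51.100.{i}", f"staff{i}", False) for i in range(30)]
    events += [(1200, "203.0.113.5", "alice", False),
               (1205, "203.0.113.5", "alice", True),
               (1210, "203.0.113.6", "bob", False)]
    return events

if __name__ == "__main__":
    print(detect_stuffing(sample_events()))
```

A per-IP rate limit alone only catches the first pattern; the second is only visible when failures are aggregated across sources, and both thresholds need tuning against the service's normal failed-login baseline.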

So if the attackers have a list of valid credentials for various services, what would they do with them?

The most likely answer is that they would be split up and sold off. Some groups and individuals may be after personal accounts for services such as PayPal that could be used for fraudulent activities. Others may be after e-mail accounts, such as Gmail, Yahoo and Microsoft Live. Gaining access to an e-mail account can then provide access to any other accounts that may use that e-mail address for password recovery purposes.

Let’s look at an example situation:

An individual hacktivist gains access to the LinkedIn breach dataset and sorts the data, pulling out accounts that have been registered with an e-mail address from a particular organization. Once this data has been isolated, they run the list of password hashes through a password recovery setup, which identifies most of – not all of – the passwords.

The hacktivist then takes these credentials and attempts to authenticate with them against various services. Due to the poor password hygiene of several of the users, a handful of valid accounts are identified, including an account for a remote access solution that provides access to several workstations within an organization. They are able to gain access to the workstations and establish a connection directly back to a server under their control. They are then able to use this foothold to perform lateral movement through the network, gaining access to a domain administrator account.

This may seem unlikely, but similar scenarios have happened due to password recycling, and will continue to do so. While users may feel safe in the belief that a fairly complex password can be shared between accounts, they have no idea how those passwords are being stored by a lot of services.

The LinkedIn data, no matter how old, has become easily available. While many accounts on LinkedIn were forced to reset their passwords, many people still to this day have neglected to perform resets on other accounts where they have reused the same password. There are many techniques for remembering unique passwords for individual services and some trusted and reliable password storage solutions.

While the LinkedIn breach data has been highly publicized, many other breaches have exposed credentials that were then used to gain unauthorized access to accounts with the same credentials. Just remember: there are multiple organizations out there that are likely exposed due to an administrator with poor password hygiene.