The Plight of Passwords
Passwords and security foibles are a tale as old as time. One of our first records of this comes from the story of Ali Baba and the Forty Thieves. In the story, Ali Baba, a poor woodcutter, overhears a group of thieves as they approach a cave sealed with a massive stone. He listens closely, and discovers that the thieves utter a password before entering; “open sesame”. Ali Baba proceeds to use this password to enter the cave, treating himself to the riches within.
The point here is that people have been struggling with passwords since their very inception. In today’s blog, we discuss some of the most common cybersecurity pitfalls when using passwords in your networks and applications, and how best to avoid them.
The Default Dilemma
One of the most common issues discovered by Secora Consulting, on internal penetration tests in particular, is that of the default password. When software or hardware is purchased, it often comes with a set of credentials designed to help you get up and running with your new offering as quickly as possible. However, in the hustle and bustle of getting everything configured and working, device administrators often neglect these credentials, leaving an open door for attackers and insider threats alike.
When discussing default credentials, our minds often go to web applications; ideas of attackers suddenly escalating themselves to the administrator on the company website. However, the reality is often much more mundane. With more and more devices going online, it seems that almost everything has a web administrative interface.
One of the more common devices we find success with at Secora are printers. While they may seem a low value target, printers can often contain valuable information such as email addresses and, occasionally, passwords for other services, as printers can commonly authenticate with file share servers to grab important documents for printing.
Another issue that we have observed recently in a number of tests is a door controller with default credentials. Door controllers, as the name would suggest, are devices that are used to manage the electronic locks that have become so common in the modern office. By authenticating with these controllers using their default passwords, a suitably placed attacker can lock and unlock doors, as well as provide and restrict access to them. The impact of this issue is one of the most obvious cases for managing the credentials for your networks devices.
Remediation for this kind of issue has to be two-pronged. Technically, the ideal way to discover these devices is through an internal penetration test. Here at Secora, we excel at finding systems and devices that you may have overlooked during your day-to-day operations and can provide you with the scenarios through which they might be used and abused. The second arm of defense is policies and procedures. Documentation should be put into place that ensures that the passwords of all newly installed devices are changed at installation.
What’s the crack?
During an internal penetration test, security consultants will often stumble upon passwords in some way or another. Occasionally, these passwords are in plaintext; that is, they are completely human readable and usable in the format in which they are stored. More commonly, they’re stored in what’s called hash. A hash is a one way cryptographic operation, through which a chunk of data is ingested, and a simple string of characters is outputted. For example, the string “Secora Consulting: Securing Your Success”, results in a hash of “3a26d2aaef8df04528ba95281a1018ee”. When our consultants come across these kinds of passwords, we must begin the arduous process of cracking them. By cracking passwords, we attempt to hash a number of common passwords and compare them to the hash we’ve recovered.
Your goal as a user of systems and software is to make this task as difficult for us as possible. Using longer and more complex passwords can significantly increase the time it takes to crack. For more details on how to build a strong password, refer to our Cyber Hygiene Basics blog.
How can we help?
Are you concerned that you may be vulnerable to the attacks described in this blog? At Secora Consulting, we can provide you with a comprehensive view of your network through our baseline assessments. For a more hands-on approach, consider our internal penetration tests, where our consultants will assume the role of a malicious insider on your network and uncover all the pain points on your infrastructure.
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.