Credentials and the Recent Attacks on Retailers
Over the last few years I and other staff members of our company have been presenting a slide deck called “The Common Credentials Dilemma”.
The slide deck outlines a series of scenarios we keep seeing in the field: companies that set all of their machines and devices to the same password, and password spreadsheets left on shares that everyone on the network can read. The deck also goes into a series of other scenarios, such as not changing privileged account passwords after employees leave.
In the deck we also explore what can happen once malware infects a company machine. With a foothold on that machine, the attacker can install a keylogger to record the accounts and passwords typed, run one or more network scanners to look for additional resources (e.g. password spreadsheets, certificates, private keys), and use tools like Metasploit to find and exploit weaknesses in other systems so that they can be taken over remotely.
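The scan the malware runs in this scenario is one the defender can run first. The following is an added example (not code from the original post or from Lieberman Software): a scanner that walks a share looking for password spreadsheets and private-key files, by filename and by content markers. The directory tree it scans is built from constructed files in a temporary directory so it runs offline, and the name patterns and markers are this example's own heuristics, not a standard.

```python
"""Scan a file share for the loot the malware scenario above goes after:
password spreadsheets and unprotected private keys.  Added example, not code
from the original post or from any product.  The share is built in a temp
directory from constructed files; the name patterns and content markers are
this example's own heuristics."""
import os
import re
import tempfile

# Filenames that commonly hold shared credentials (hypothetical heuristic).
CRED_FILE_NAME = re.compile(
    r"(passw(or)?d|credential|cred|login|secret)s?.*\.(xlsx?|csv|txt|docx?)$", re.I)
KEY_EXTENSIONS = (".pem", ".key", ".ppk", ".pfx", ".p12")
# Content markers: PEM private-key blocks and password columns in text/CSV data.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
PASSWORD_COLUMN = re.compile(
    rb"(^|[,;\t])\s*(password|passwd|pwd)\s*($|[,;\t])", re.I | re.M)


def classify(path):
    """Return the list of reasons a file looks like credential material
    (empty list if none).  Only the first 64 KiB is read."""
    findings = []
    name = os.path.basename(path)
    if CRED_FILE_NAME.search(name):
        findings.append("credential-file-name")
    try:
        with open(path, "rb") as f:
            head = f.read(64 * 1024)
    except OSError:
        return findings
    if PEM_PRIVATE_KEY.search(head):
        # PKCS#8 encrypted keys say so in the header; traditional PEM keys carry
        # a "Proc-Type: 4,ENCRYPTED" line.  Anything else is usable as-is by a thief.
        encrypted = (b"ENCRYPTED PRIVATE KEY" in head
                     or b"Proc-Type: 4,ENCRYPTED" in head)
        findings.append("private-key-encrypted" if encrypted else "private-key-plaintext")
    elif name.lower().endswith(KEY_EXTENSIONS):
        findings.append("key-file-extension")
    if PASSWORD_COLUMN.search(head):
        findings.append("password-column")
    return findings


def scan_share(root):
    """Walk a share and return {relative path: findings} for every hit."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            found = classify(path)
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


def build_sample_share():
    """Constructed share contents for the demo (not real data)."""
    root = tempfile.mkdtemp(prefix="share-")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("IT/Passwords 2013.csv", b"host,account,password\npos-0101,Administrator,micros\n")
    put("IT/backup/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n")
    put("IT/backup/srv.key", b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFHD...\n-----END ENCRYPTED PRIVATE KEY-----\n")
    put("Finance/Q4 budget.xlsx", b"PK\x03\x04 not a real workbook")
    put("README.txt", b"Welcome to the share.\n")
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_share(build_sample_share()).items()):
        print(f"{rel}: {', '.join(why)}")
```

Pointed at a real share root, `scan_share` returns the same kind of list the attacker's scanner would build; the plaintext-key finding is the one to fix first, since that key needs no cracking at all.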
Another weakness covered in our deck is the common use of factory default passwords in production. In the Target breach, one of the published transcripts from the attackers shows the common point-of-sale passwords in use, such as “micros”, “pos”, “123456” and others.
Another scenario described in the deck is the rainbow table attack, in which the attacker exfiltrates the password hashes from the local machine and then attempts to find a match between clear text and the
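A worked illustration of the hash dump scenario, as an added example that is not from the original post or from any product: a precomputed lookup table (the simplest form of the rainbow table attack; a true rainbow table compresses the table with hash chains, but the economics are the same) run against password hashes dumped from several point-of-sale hosts. SHA-256 without a salt stands in for the unsalted NT hash so the code runs anywhere; the host names, the dump and the password list are constructed for the demo.

```python
"""Precomputed hash lookup (the simplest form of the rainbow table attack
described above) against unsalted password hashes dumped from several
endpoints.  Added example, not from the original post or any product.  The
hash dump, host names and password list are constructed for the demo."""
import hashlib
import secrets


# Assumption: endpoints store an unsalted hash.  Windows NT hashes are unsalted
# MD4 of the UTF-16LE password; SHA-256 is used here as a stand-in with the
# same property: equal passwords produce equal hashes on every machine.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


# Constructed list of factory-default / common point-of-sale passwords; the
# first three are the ones quoted above.
DEFAULT_PASSWORDS = ["micros", "pos", "123456", "password", "admin", "Welcome1"]


def build_lookup_table(candidates):
    """Precompute hash -> cleartext once.  The attacker does this offline and
    reuses the table against every dump they ever exfiltrate."""
    return {unsalted_hash(p): p for p in candidates}


def crack_dump(dump, table):
    """dump: {host: hash}.  Returns {host: cleartext} for every hash present in
    the table.  Cost is one dictionary lookup per host, however many there are."""
    return {host: table[h] for host, h in dump.items() if h in table}


def random_per_host_passwords(hosts, nbytes=24):
    """Unique, high-entropy password per endpoint (what automated randomization
    produces).  No two hosts share a hash, and none of them is in any table built
    from human-chosen passwords."""
    return {host: secrets.token_urlsafe(nbytes) for host in hosts}


def demo():
    hosts = ["pos-0101", "pos-0102", "pos-0103", "pos-0201"]
    table = build_lookup_table(DEFAULT_PASSWORDS)

    # Scenario 1: every register provisioned with the same factory default.
    shared_dump = {h: unsalted_hash("micros") for h in hosts}
    cracked_shared = crack_dump(shared_dump, table)

    # Scenario 2: the same registers after per-host randomization.
    random_dump = {h: unsalted_hash(pw)
                   for h, pw in random_per_host_passwords(hosts).items()}
    cracked_random = crack_dump(random_dump, table)

    return cracked_shared, cracked_random, len(set(random_dump.values()))


if __name__ == "__main__":
    shared, rnd, distinct = demo()
    print("shared default password -> cracked:", shared)
    print("randomized passwords    -> cracked:", rnd)
    print("distinct hashes among randomized hosts:", distinct)
```

The point the dump makes before any cracking happens is that four identical hashes mean four identical passwords: the attacker knows the credential is shared before they know what it is.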
Lessons Learned From the
We do regular CIO/CISO briefings all over the world, and one of the common refrains from C-level execs working at retailers is that they have little interest or motivation to fix the problems that nailed Target. Part of the lack of motivation is due to the naivety and gross incompetence of their auditors, followed by a lack of financial resources from the CEO and CFO.
Another interesting element of the Target breach was that not all stores were breached. A subset of stores that were on different networks and had different credentials for access were apparently
In the report of the remediation carried out after the attack, guess what the first thing the “security experts” did was? Yes, that is correct: they changed the passwords on their systems.
Preaching the Gospel
We have been preaching fully automated password randomization of all endpoints for years and have developed technology to accomplish this at massive scale with little need for human labor. Had Target deployed our solutions, they would not have had this massive breach. Further, they could have deployed our solution to all stores in less than one day.
How Clueless are CEOs at
Along the lines of gross negligence and amazing ignorance regarding IT
security, I found this quote from the former CEO
of Costco stating that
they don’t have any significant security issues because they only
accept AMEX cards.
Given that many of the credit card hacks were accomplished by installing memory scrapers in the point-of-sale terminals, which read the card details out of the terminal's memory while a transaction is being processed, and given that AMEX has just as many problems with credit card theft as its competitors, this statement from the former Costco CEO is irresponsible.
Shout Out to Our Competitor
One of the common questions potential customers ask us is how we are
different from our competitors. We answer simply: our solution can be
deployed and remediate most of your environment in less than one day,
even if it is gigantic. How is this possible? We are the only vendor
that provides end-to-end automation as well as continuous discovery and
Target decided to purchase our competitor’s offering. Our competitor took great delight in putting the Target logo on their presentation slides. We are not aware of what happened after the purchase, but it would appear that our competitor’s solution did not randomize the point-of-sale system credentials, nor did it manage the credentials of Target's servers, since these were compromised too. Or so we surmise…
It will be interesting to see whether or not the forensic investigation will highlight why technology deployed to protect against a breach failed to do its job. Maybe our competitor owes an explanation of why their system failed to protect privileged access, to help prevent similar accidents in the future.
Maybe Target can explain why, having purchased technology to protect against this very thing, it didn't do its job. Just one more piece of shelfware? Maybe it wasn't the technology that failed but the company that failed to properly implement the technology, like an airline that doesn't carry out the manufacturer's recommendations. In any case, it is necessary to get to the bottom of this to protect our critical infrastructure and economy.
Theories of Why Our Competitor’s Solution Failed to Protect Target
In any cyber-warfare scenario, the goal is to capture as much of the infrastructure as possible, as quickly as possible. The strategy is known as “land and expand”. It is generally pretty easy to get a foothold in an environment using malware and, from there, to look for and exploit weaknesses in security.
Our technology is designed to operate like the attackers, doing continuous discovery of weaknesses. In the case of our product, we add an automatic remediation step to close the net immediately. We also make sure that each system has unique credentials, so that a password captured from one machine by malware cannot be reused to log in to any other: the attacker's foothold stays a single machine.
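What per-endpoint uniqueness buys, shown as an added example in code (not the product's own code and not from the original post): an inventory scan that finds hosts sharing a local administrator credential by comparing unsalted hashes, measures the blast radius of a single captured password, and remediates by giving each affected or stale host its own random password. The inventory, host names and reference date are constructed; the vault is an in-memory dict standing in for a real secret store, and setting the password on the endpoint is modelled as updating the inventory record.

```python
"""Continuous discovery of shared credentials with automatic remediation, as an
added example of the property described above: after remediation, one captured
credential opens at most one machine.  Not code from the original post or from
any product.  The inventory, host names and reference date are constructed; the
vault is an in-memory dict standing in for a real secret store, and 'setting'
the password on the endpoint is modelled as updating the inventory record."""
import hashlib
import secrets
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2014, 1, 15)  # constructed reference date for the demo


def cred_fingerprint(password: str) -> str:
    """Unsalted hash: equal passwords give equal fingerprints, which is what lets
    the scan spot sharing across hosts without cracking anything."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def discover_shared(inventory):
    """inventory: {host: {"account", "fingerprint", "set_on"}}.
    Returns {(account, fingerprint): [hosts]} for each credential used on more
    than one host.  One password captured on any host in a cluster opens the
    whole cluster."""
    clusters = defaultdict(list)
    for host, rec in inventory.items():
        clusters[(rec["account"], rec["fingerprint"])].append(host)
    return {k: sorted(hosts) for k, hosts in clusters.items() if len(hosts) > 1}


def blast_radius(inventory):
    """Largest number of hosts a single captured credential unlocks."""
    return max((len(h) for h in discover_shared(inventory).values()), default=1)


def remediate(inventory, vault, today=TODAY, max_age=timedelta(days=30)):
    """Rotate every host in a shared cluster, and every credential older than
    max_age, to its own random password.  Returns the sorted list of rotated
    hosts.  A real deployment changes the password on the endpoint first and
    records it in the vault only after the endpoint confirms the change."""
    to_rotate = set()
    for hosts in discover_shared(inventory).values():
        to_rotate.update(hosts)
    to_rotate.update(h for h, rec in inventory.items()
                     if today - rec["set_on"] > max_age)
    for host in sorted(to_rotate):
        new_pw = secrets.token_urlsafe(24)  # 192 bits of entropy
        vault[(host, inventory[host]["account"])] = new_pw
        inventory[host]["fingerprint"] = cred_fingerprint(new_pw)
        inventory[host]["set_on"] = today
    return sorted(to_rotate)


def build_inventory(today=TODAY):
    """Constructed estate: three registers sharing a factory default, one server
    with a unique but stale password, one server that is already fine."""
    def rec(password, age_days):
        return {"account": "Administrator",
                "fingerprint": cred_fingerprint(password),
                "set_on": today - timedelta(days=age_days)}
    return {
        "pos-0101": rec("micros", 400),
        "pos-0102": rec("micros", 400),
        "pos-0103": rec("micros", 400),
        "db-01": rec("Srv#2013!x", 90),
        "web-01": rec("Wm!9q-ok-7", 5),
    }


if __name__ == "__main__":
    inv, vault = build_inventory(), {}
    print("before: blast radius =", blast_radius(inv))
    print("rotated:", remediate(inv, vault))
    print("after:  blast radius =", blast_radius(inv), "vault entries =", len(vault))
    print("second pass rotates:", remediate(inv, vault))  # nothing: the estate is clean
```

Run on a schedule, the second pass is the "continuous" part: a host that is re-imaged back to the factory default shows up as a new shared cluster on the next scan and is rotated again without anyone opening a ticket.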
Our competitor’s design requires humans to do interactive discovery, change imports, mapping and remediation, as well as custom development. If organizations don’t have the budget to hire an army of workers to keep the solution fed and happy, the work does not get done. Our best guess (and it is a guess) is that our competitor’s solution was never fully deployed, for a variety of reasons shared between the vendor and the client.
Our mission has been to take humans out of the security process and use
automation to keep systems secure. Via automation, there is no reason
to delay the deployment since human resources are not needed for
Although many analysts and customers would have you believe that
privileged identity management is now a generic offering suitable for
the lowest price decision, we strongly disagree. There are many generic
secret vaulting solutions on the market that depend on humans to keep
the vaults loaded and require armies of developers to write connectors
for your environment. We believe these solutions are practically
useless against real attackers and only serve to deceive auditors that
you are “doing something”. Without our full automation technology
(which is not generic) you are easy pickings for criminals and nation
Ask Target how their analyst- and auditor-selected generic solution worked out for them. Then ask our customers, who are secure and can prove total control. We charge more for our solutions because they provide real security and are designed to protect governments and the largest companies in the world.
I can only guess that our competitor is erasing Target from their
reference account slides.
you think? Email me at: Phil@liebsoft.com.
You can also follow me on Twitter: @liebsoft
or connect with me via LinkedIn.
New in Identity Week
Featured commentary on our Identity
Week blog this month includes:
- 2014 IT Security Predictions.
Guest Post by Prateek Gianchandani. With the new year now upon us, what
IT Security Trends can we expect to see in 2014? To find out, we turned
to the experts at the InfoSec Institute...
Events / Press /
- next for Target -- and its customers? USA Today. Low cost, low price retailers have a real challenge when it comes to selling their goods at slim margins, while also running information technology shops on tiny budgets.
- Life: From Mainframes To Startups. TechWeek Europe. Calum McLeod is EMEA vice president of security firm Lieberman Software, but he started in the days of mainframes. He may have set off with a holy ambition but was quickly seduced to piracy...
- now says up to 110 million customers victimized in breach. San Jose Mercury News. In yet another disturbing revelation about its massive data breach, Target said Friday that 70 million to 110 million customers were victimized -- far more than it initially disclosed -- potentially making the attack among the worst ever.
- of the Cloud as a Security Platform. TechZone 360. The cloud has always had the potential of being a cost-effective and elastic computing resource for customers. However, security has long been an issue that impeded adoption by many customers.
- Manager Makes Move to the Cloud. Virtualization Review. For large organizations, managing privileged accounts, such as root and administrator, has been a task so sensitive it could only be handled on-premises -- until now, says Lieberman Software. The security management company is making its Enterprise Random Password Manager privileged identity management tool available on the Windows Azure
- Intros Privileged Identity Management For Windows Azure. Dark Reading. Lieberman Software Corporation announced that its privileged identity management (PIM) product, Enterprise Random Password Manager™ (ERPM), is now available on Windows Azure, Microsoft's cloud hosting platform. ERPM can deploy in less than an hour in Windows Azure to automatically find, manage and secure the privileged identities located in Azure or on-premises.
- in 2014: Ready to Bounce Back. IDG Connect. When Huawei and ZTE attracted the suspicion of India’s Research and Analysis Wing (RAW) intelligence agency, swift and decisive action was taken against the Chinese telecoms equipment makers.
- Azure users get secure password manager. CloudPro. Organisations using Windows Azure will be able to use a new password manager in the cloud after Lieberman Software has made its privileged identity management (PIM) product, Enterprise Random Password Manager (ERPM), available on Windows Azure.
- Death Of Outsourcing. Information Security Buzz. What does 2014 bring for the security industry? Calum MacLeod, VP of EMEA at Lieberman Software Corporation, shares his opinions.
Tech Tip of the Month
Got Audit Reports?
Need to see which BIOS level, service pack and applications are on every Windows machine? Want to report on and make global changes to user credentials, group memberships, files, policies, rights, shares, NTFS permissions, registry settings, audit settings and more?
With User Manager Pro Suite,
you can gain convenient access to real-time reports on all of the
system data collected and modify settings directly from interactive
reports. Provide reports to security auditors and verify that you are
in compliance with regulatory standards.