![Page 1: LastPass as a Solution to Risk Analyst, UW-Madison DoIT ......Risk Analyst, UW-Madison DoIT Cybersecurity. Credential Stuffing - A Story The Russian Passenger - From Reply All](https://reader034.vdocument.in/reader034/viewer/2022042307/5ed3b22b7f3dc53cc40caec4/html5/thumbnails/1.jpg)
LastPass as a Solution to Credential Stuffing
Jesse Thompson, Solutions Architect, UW-Madison DoIT User Services
John Nagler, Risk Analyst, UW-Madison DoIT Cybersecurity
Credential Stuffing - A Story
The Russian Passenger - From Reply All
• How was his Uber account and his Gmail hacked?
• So many potential causes
  • Malware
  • Keyloggers
  • Compromised Wi-Fi
  • Uber was hacked
  • Gmail was hacked
  • Compromised phone
  • Compromised SMS MFA
  • Other guesses?
Problem: Credential Loss
[chart: values 3600 and 320; axis labels not recoverable]
Thesis for Today’s Talk
Problem: Credential Loss
• Examine the current mitigation strategies
• Credential Stuffing attacks need to be addressed
• Password managers are part of the solution
Mitigation Strategies (to date)
• Improving detection
• Phishing awareness
• Domain authentication
• Multi-factor authentication (Duo)
Challenges with Detection
• Predicting the future and changing the past is hard
Automation of Detection
Automation maintenance is labor intensive
[diagram legend]
• Blue = automated
• Red = human
Phishing Awareness
• Phish simulations do not help users identify advanced attacks
• Some users are more trainable than others
Domain Authentication (DMARC)
• go.wisc.edu/email-authenticity
• Email clients do not always show the sender’s address
• Compromised accounts in DMARC-authenticated domains are more valuable to attackers
Multi-Factor Authentication
• A practical MFA strategy must also secure the 1st factor
Gap Analysis
• Improving detection - timing is the enemy
• Phishing awareness - untrainable users
• Domain authentication - trust leveraged by attackers
• Multi-factor authentication - easy to bypass
Are We Solving the Underlying Problem?
Additional Observations
• Brute force password guessing is happening
• ⅔ are from IPs making less than 5 attempts/day
• Unable to distinguish successful attacks from user activity
• Duo protects only after successful authentication
• 6% of users were compromised multiple times in 2018
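The two observations above (most guessing comes from IPs making fewer than 5 attempts a day, and single events look like user activity) are why a per-IP threshold misses distributed stuffing. The following is an added example, not code from the presenters: it runs a per-IP rule and an hourly aggregate rule over a constructed auth log whose format, users, IPs and timestamps are all made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed auth log (made-up users, IPs and times): a distributed
# stuffing burst at 02:11 in which no source IP makes more than 2 attempts,
# followed by ordinary daytime logins.
SAMPLE_LOG = """\
2019-03-04T02:11:05Z login user=alice src=203.0.113.7 result=FAIL
2019-03-04T02:11:06Z login user=bob src=198.51.100.21 result=FAIL
2019-03-04T02:11:06Z login user=carol src=203.0.113.9 result=FAIL
2019-03-04T02:11:07Z login user=dave src=198.51.100.33 result=OK
2019-03-04T02:11:08Z login user=erin src=203.0.113.7 result=FAIL
2019-03-04T02:11:08Z login user=frank src=192.0.2.14 result=FAIL
2019-03-04T02:11:09Z login user=grace src=192.0.2.15 result=FAIL
2019-03-04T02:11:10Z login user=heidi src=198.51.100.40 result=FAIL
2019-03-04T02:11:11Z login user=ivan src=192.0.2.16 result=OK
2019-03-04T02:11:12Z login user=judy src=203.0.113.20 result=FAIL
2019-03-04T09:15:00Z login user=alice src=10.1.2.3 result=OK
2019-03-04T09:16:00Z login user=bob src=10.1.2.4 result=FAIL
2019-03-04T09:16:30Z login user=bob src=10.1.2.4 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>OK|FAIL)$")

def parse(log):
    """One dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def noisy_ips(events, threshold=5):
    """Classic per-IP rule: flag a source once it reaches `threshold` failures."""
    fails = Counter(e["ip"] for e in events if e["res"] == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def hourly_campaign_signals(events, min_ips=5, min_fail_ratio=0.6):
    """Aggregate per hour instead of per IP: many distinct sources, each
    trying a different account, with a high failure ratio is the shape of
    distributed stuffing even when no single IP trips the per-IP rule."""
    hours = defaultdict(list)
    for e in events:
        hours[e["ts"][:13]].append(e)  # bucket key like "2019-03-04T02"
    flagged = {}
    for hour, evs in sorted(hours.items()):
        ips = {e["ip"] for e in evs}
        ratio = sum(e["res"] == "FAIL" for e in evs) / len(evs)
        if len(ips) >= min_ips and ratio >= min_fail_ratio:
            flagged[hour] = {"ips": len(ips), "users": len({e["user"] for e in evs}),
                             "fail_ratio": round(ratio, 2)}
    return flagged
```

On this sample the per-IP rule flags nothing while the hourly aggregate flags the 02:00 bucket; the thresholds are illustrative and would be tuned against a real baseline.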
Anecdotes From Users
• They WERE NOT phished
• Users who no longer reuse their NetID password, but…
• Poor password manager practices
What Can We Conclude?
• Mitigation strategies (to date) are not 100%
• Evidence of brute force & web automation
• User behavior is still a weak link
• We have blind spots
• Compromised credentials not solely caused by phishing
• We see evidence of Credential Stuffing
What is Credential Stuffing?
• Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts.
• “one of the most common techniques used to take-over user accounts”
https://www.owasp.org/index.php/Credential_stuffing
How Does Credential Stuffing Work?
• Lots of breaches
• Reused passwords
• Botnets make it easy
How Are Passwords Being Breached?
• 3rd party data breaches
  • https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
• Brute force guessing and phishing attacks get smarter and automated
• Malware (e.g. TrickBot)
  • https://techcrunch.com/2019/07/12/trickbot-spam-millions-emails/
• Buggy software & unencrypted network connections
Credential Stuffing Economics
• UW passwords get caught up in database breaches
  • Even if we are not the direct target
• When they are found:
  • Validate (automated)
  • Sold (black market)
https://www.recordedfuture.com/credential-stuffing-attacks/
But my work address is obscure, right?
Credential Stuffing - A Story
• The Russian Passenger - From Reply All
• What was the ultimate cause of this Uber mystery?
How to address Credential Stuffing
• Force password resets based on evidence of breaches
  • Detect botnets that are testing passwords
  • Compare our passwords with breached account data
  • ... These will not find the advanced threat actors
• Move to platforms less susceptible to malware
  • e.g. ChromeOS or TENS (Trusted End Node Security)
• Help users to stop reusing and sharing passwords
  • Re-architect systems that require users to share passwords
  • Give people a tool to help - password manager
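"Compare our passwords with breached account data" can be done without ever sending a user's password to the comparison service. The following is an added example, not the presenters' code and not the API of any named service: it assumes the k-anonymity range-lookup scheme (send a 5-character SHA-1 prefix, receive every suffix in that bucket with a count, match locally), and the breach corpus and its counts are constructed for the demo.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_constructed_corpus(breach_counts):
    """Server-side stand-in: map 5-hex-char prefix -> [(35-char suffix, count)].
    `breach_counts` is a constructed {plaintext: times_seen} table."""
    buckets = defaultdict(list)
    for pw, count in breach_counts.items():
        digest = sha1_hex(pw)
        buckets[digest[:5]].append((digest[5:], count))
    return dict(buckets)

# Constructed breach corpus; the counts are illustrative, not real figures.
CORPUS = build_constructed_corpus({"password": 1000, "Badger2019!": 3, "letmein": 500})

def range_lookup(prefix5):
    """The only thing the checking service ever sees: a 5-character hash prefix.
    It returns the whole bucket, so it cannot tell which entry the caller wanted."""
    if len(prefix5) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return CORPUS.get(prefix5.upper(), [])

def breach_count(password, lookup=range_lookup):
    """Client side: hash locally, fetch the bucket for the prefix, match the
    suffix locally. The password and its full hash never leave this function."""
    digest = sha1_hex(password)
    return next((n for suffix, n in lookup(digest[:5]) if suffix == digest[5:]), 0)

def acceptable_at_set_time(password, lookup=range_lookup):
    """Policy hook for a password-change form: reject anything seen in a breach."""
    return breach_count(password, lookup) == 0
```

Because the check happens at password-set time, the policy result (accept/reject) is all that should be logged, never the candidate password or its hash.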
How to address Credential Stuffing
Not all password managers are created equal
You might have a bad password manager if
• It can be easily read or decrypted by others
• It is cumbersome to create unique passwords
• It relies on your system clipboard
• It is not integrated with your browser and mobile device
• It is not vetted by the cybersecurity research community
• It is abandonware
You might have a good password manager if
• A good password manager never stores your passwords in a vendor-decryptable form in the cloud
• A good password manager is vetted by security researchers
  • Published & remediated vulnerabilities are a good metric
  • Bug bounty programs are another trait of a good password manager
• A good password manager costs money
  • It is profitable for the vendor to have a reputation for being secure
Not all password managers are created equal
Why allow browser/mobile integration?
• Convenience breeds strength
• URL Matching
• Defeats malware
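The "URL Matching" point is that an integrated manager only offers a saved credential on the site it was saved for, so a lookalike login page gets nothing and the user notices. The following is an added example, not LastPass's matching logic: it contrasts a weak substring rule with a strict origin rule over a constructed vault, and simplifies "registrable domain" to the last two labels where a real manager would consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed vault: which site each saved credential belongs to.
VAULT = {
    "netid@wisc.edu": "https://login.wisc.edu/",
    "jdoe@example.com": "https://www.example.com/account",
}

def registrable_domain(host):
    """Simplification for the demo: last two labels. A real manager uses the
    Public Suffix List so that e.g. 'ac.uk' is not treated as a site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def substring_match(saved_url, page_url):
    """Weak rule: does the saved host appear anywhere in the page URL?
    A host like login.wisc.edu.verify-account.example passes this test."""
    return urlsplit(saved_url).hostname in page_url

def strict_match(saved_url, page_url):
    """Fill only over HTTPS and only when the registrable domain is identical."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not page.hostname or not saved.hostname:
        return False
    return registrable_domain(saved.hostname) == registrable_domain(page.hostname)

def credentials_to_offer(page_url, vault=VAULT, match=strict_match):
    """What the browser extension would show in its autofill menu."""
    return sorted(user for user, url in vault.items() if match(url, page_url))
```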
Why UW chose LastPass
• LastPass is a good password manager
• Adoption
• Cost Effective
LastPass Enterprise Features
• Duo integration
• Enterprise API
• Eligibility-based deprovisioning
• Delegated support
• Shared folders
• Enhanced logging & alerting
LastPass Decision Points
• To SSO or not to SSO – that is a question
• What to do with existing LastPass users
• Automated deprovisioning, friend or foe
Future LastPass features
• Extension installs
• Compromise video
• Automated password changes
Thank you!
We welcome your feedback
John Nagler - [email protected]
Jesse Thompson - [email protected]
• Some podcast plugs: