
HoneyPot WarGames (WFH edition) - Improving your password game.


Many companies around the world are settling into a future where most people work from home, at least for a while.


Working from home comes with many benefits, but there are downsides from a security point of view. Most modern enterprises have spent significant chunks of their security budget on securing their perimeter. Sure, everything is moving to the cloud and most of the workforce has been mobile for some time, but many IT departments still rely on people either physically coming into the office or using a VPN. Without this, patches cannot be pushed to machines, updates cannot be applied, and perimeter IPS and IDS systems cannot pick up connections to C2 servers and malicious URLs that traditional AV missed.

When it comes to security, most enterprises aren't set up for people to work outside the wire for sustained periods.

What are the risks of working outside the wire?

The chances are that when your employees are working from home, the only thing protecting them from the internet is the router supplied by their ISP. A mis-configured router could expose a laptop directly to the internet, and a compromised device on the home network could expose it to hackers and bots.

Probably no one is monitoring the devices on a home network for malicious activity, and a company can't assume that everyone has a home network that is free from compromised machines, viruses and malware.


90% of enterprise security usually comes down to network segregation, patching, and identity management. There's not much a company can do to enforce network segregation on home networks, so your patching and identity management games are going to have to be really strong.

Password management at home

People choose rubbish passwords. Hackers know this and will hit anything exposed to the internet.

This is a visualization of real attacks against a honeypot exposed to the internet. These aren't port scans or people connecting by accident; these are real failed login attempts by bots and hackers.

This single honeypot is being hit with over 3000 login attempts a day. There are many ways to mitigate these sorts of attacks at the enterprise level, or even at the hobbyist level. A simple IPS, a basic WAF or the humble fail2ban will easily protect against basic attacks like this.


Unfortunately, very few household networks have any protection against brute force attacks in place. This means that now more than ever it is important to have good, strong passwords and multi-factor authentication in place.
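To show what "the humble fail2ban" actually does against the login floods above, here is an added example (not the post's own code, and not fail2ban itself) that applies fail2ban's maxretry/findtime logic to constructed sshd-style auth log lines: count failed logins per source IP inside a sliding window and report which IPs would be banned. The log lines, hostnames and IPs are made up for the example.

```python
"""Added example: fail2ban-style sliding-window brute force detection."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the auth.log format fail2ban's sshd filter reads.
SAMPLE_LOG = """\
Apr 20 10:00:01 honeypot sshd[4242]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 20 10:00:03 honeypot sshd[4243]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 20 10:00:05 honeypot sshd[4244]: Failed password for root from 203.0.113.7 port 51244 ssh2
Apr 20 10:00:09 honeypot sshd[4245]: Failed password for root from 203.0.113.7 port 51250 ssh2
Apr 20 10:00:12 honeypot sshd[4246]: Failed password for pi from 203.0.113.7 port 51260 ssh2
Apr 20 10:00:15 honeypot sshd[4247]: Accepted publickey for alice from 198.51.100.2 port 40000 ssh2
Apr 20 10:05:00 honeypot sshd[4248]: Failed password for alice from 198.51.100.2 port 40010 ssh2
Apr 20 10:20:00 honeypot sshd[4249]: Failed password for alice from 198.51.100.2 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(log_text, year=2020):
    """Yield (timestamp, user, ip) for every failed-login line.
    Syslog timestamps carry no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def find_bans(log_text, maxretry=5, findtime=600):
    """Return {ip: timestamp of the failure that triggered the ban} for IPs
    with >= maxretry failures inside any findtime-second window."""
    recent = defaultdict(deque)   # per-IP failure timestamps still in window
    banned = {}
    for ts, _user, ip in parse_failures(log_text):
        if ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is banned; 198.51.100.2 fails twice but fifteen minutes apart, which is exactly the slow, spread-out pattern findtime lets through.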

If you want to see what passwords hackers are currently using, click on the image here to see a semi-regularly updated list of usernames and passwords collected by honeypots.

Hackers do their best to reduce the amount of time they waste in brute force attacks, so we can infer that the most common passwords that they try are the most common passwords that they have success with. The top 20 passwords include hello, password, 123456, qwerty and admin123.

Just making it in at number 20 is 1qaz2wsx. For a second this seems like a good password, until you notice it's a pattern on the keyboard. Non-dictionary words and patterns on keyboards are not good enough anymore.

There are some really strong passwords in the list such as J5cmmu=Kyf0-br8CsW. Some of these stronger ones are interesting because they appear to be passwords used by botnets that have taken over devices. I'll do a separate blog post on this in the future.

When your team are working from home, passwords need to be able to withstand a beating that they might not be exposed to in the office. Security professionals always recommend password managers; however, people still aren't using them. There are also plenty of passwordless options and hardware tokens such as YubiKeys to protect accounts. These all take time to implement, but now is the time to roll those tools out.

Bottom line on passwords

If you can only do one thing, stop expecting users to think of good passwords. Get them to use their password manager to generate the passwords or at least use tools like https://toughpassword.com to generate passwords that are tough to brute force or crack.
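Putting the two points together (the keyboard-walk observation about 1qaz2wsx above and the advice to generate rather than invent passwords), here is an added example that is not the post's or any password manager's code: a small checker that rejects the honeypot top passwords quoted in the post and passwords made mostly of keyboard walks, beside a CSPRNG-based generator of the kind a password manager uses. The US QWERTY rows and columns, the 4-key walk length and the 14-character minimum are assumptions chosen for the example.

```python
"""Added example: reject weak honeypot-style passwords, generate strong ones."""
import secrets
import string

# The top honeypot passwords quoted in the post, plus the keyboard walk at #20.
HONEYPOT_TOP = {"hello", "password", "123456", "qwerty", "admin123", "1qaz2wsx"}

# US QWERTY layout (assumed); a keyboard walk is a run of keys adjacent
# in a row or a column, e.g. 1qaz2wsx, qwerty, asdfgh, 123456.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p"]

def _walks(length):
    """Every substring of the given length along a row or column, both directions."""
    out = set()
    for seq in ROWS + COLS:
        for s in (seq, seq[::-1]):
            out.update(s[i:i + length] for i in range(len(s) - length + 1))
    return out

WALKS = _walks(4)

def keyboard_walk_fraction(pw):
    """Fraction of pw covered by 4-key keyboard walks (case-insensitive)."""
    low = pw.lower()
    covered = [False] * len(low)
    for i in range(len(low) - 3):
        if low[i:i + 4] in WALKS:
            for j in range(i, i + 4):
                covered[j] = True
    return sum(covered) / len(low) if low else 0.0

def password_problems(pw, min_len=14):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if pw.lower() in HONEYPOT_TOP:
        problems.append("in honeypot top list")
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    if keyboard_walk_fraction(pw) >= 0.5:
        problems.append("mostly keyboard walks")
    return problems

def generate_password(length=20):
    """Draw each character from a CSPRNG, as a password manager does."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for candidate in ["1qaz2wsx", "J5cmmu=Kyf0-br8CsW", generate_password()]:
        print(candidate, password_problems(candidate) or "ok")
```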
