Why steal passwords when they are being given away? 

Jun 30, 2015 02:35 PM

Note: The following blog post was migrated from the Elastica/Blue Coat website. It was first published on 6/30/2015.


It is a well-known fact that cloud services are being embraced widely. Gartner's 2Q14 update on the adoption of public cloud services projects that in the next 5 years enterprises will spend 1.1 trillion on public cloud services. Cloud services are being adopted by small and large enterprises as well as governments. For example, the US federal government's Cloud First policy mandates that federal agencies "evaluate safe, secure cloud computing options before making any new investments." However, with openness come security challenges. Cloud services are increasingly exposed to security problems, and one of them is data leakage and exposure. Elastica’s latest Shadow IT report describes the trends in data exposure and highlights that 25% of the files per user are broadly shared.

In this blog post, we discuss a live case study that resulted from our efforts to collect active threat intelligence in order to secure SaaS applications and provide insights to our customers. Recently, we detected a very sensitive document belonging to a government postal service agency in India exposed online on Google Drive, the cloud storage service provided by Google. The document was discovered by our in-house scanning engine, ElScan, which looks for potential issues in documents exposed on cloud storage platforms such as Google Drive and Dropbox. The data collected by this engine is filtered and used as a feed for our intelligence services and to improve our detection algorithms.

The exposed document appears to relate to an infrastructure migration in the organization. It contains, in cleartext, the account names and email addresses, together with their passwords, of the various offices of the government postal service agency. The agency has multiple offices in the state, and every office has a dedicated account and email address for management purposes. It is highly likely that these accounts have broad administrative privileges, as they are not dedicated to specific users. The document contains cleartext records for 50 offices of the agency.

Exposing sensitive data in cleartext is not a new problem; enterprises have made this mistake quite often. Last year’s Sony attack exploited this weakness in the organization's security posture. Sony stored usernames and passwords for employees' web service and Online Social Network (OSN) accounts, such as Facebook and Twitter, in cleartext files. Although this file was not available in the cloud, it was very easy for the hackers to take control of the sensitive documents after compromising the internal systems. One can imagine the risk to the organization if such a sensitive file is exposed in the cloud and available to attackers: in that case, attackers do not have to gain access to the internal network at all in order to retrieve passwords.

In accordance with our responsible disclosure policy, the issue presented in this blog has been reported to the concerned Computer Emergency Response Team (CERT) which accepted it and is working with the government postal service agency to patch the flaw. For privacy and responsible disclosure reasons, we are not disclosing the specific details of the government postal service agency. However, we outline below some details that show the serious nature of the exposure.

The information present in the exposed document provides a perfect recipe for the attackers to conduct targeted cyber-attacks. Here are some of the possibilities:

  • The usernames and passwords are available to the attacker. Since the credentials are under the attacker's control, gaining access to critical systems is rather straightforward.
  • The users’ official email accounts, with passwords, are also available to the attacker, so launching spear phishing attacks is easy. The attacker can log in to one of the user accounts and use it to send targeted emails with malicious intent to the rest of the government employees. As a general security principle, passwords should be stored in an encrypted format. Sharing passwords in cleartext can be a nightmare for any organization.
  • The attacker can also gather ample information about the statistical layout of the credentials and their complexity. This type of information is beneficial to the attacker because it reveals the organization's account-related security policies. This includes, among other things, the default password configured during account initialization, the password complexity, the layout of the user email accounts, and the associated domains. The attacker does not have to perform aggressive information gathering and reconnaissance against the organization, as the sensitive details are already present in the document.
  • The attacker can use the compromised email accounts to exfiltrate data from the organization by simply attaching company files to emails and sending them to email accounts under the attacker's control. The attacker can also follow other techniques to exfiltrate data, such as altering the permissions of documents present in Google Drive and sharing them with unauthorized accounts managed by the attacker.

The figures below provide some additional details about the exposed data. Figure 1 reveals the directory structure containing the sensitive files. Figure 2 shows that any remote user can access the critical file containing usernames and passwords. Figures 3 and 4 show snippets taken from the document exposed on Google Drive. The information has been masked for privacy and legal purposes.

govt1.png

Figure 1: Directory containing the exposed files

govt2.png

Figure 2: Exposed Document Containing Sensitive Users and Passwords

govt3.png

Figure 3: Masked Information - Username and Passwords

govt4.png

Figure 4: Masked Information - Users’ Email Ids and Passwords

We did not use the credentials present in the document for any further penetration, but we did perform some analysis of the layout of the passwords. Not surprisingly, the passwords were found to be easily crackable, or even guessable, without much work. We analyzed the structure of the email addresses and associated passwords and found that they were actually combinations of static words and the zip codes of the respective areas. Let’s take a look at the structure.

  • Email Address: If the initial code is “ABC” and the region name is “REGION” with zip code “123456”, the email address of the office would be constructed as “ABCREGION123456@”.
  • Password: If the initial code is “ABC” and the zip code is “123456”, the password of the regional office would be constructed as “ABC123456”. The brute-force analysis of that password is shown in Figure 5, which shows how easy it is to crack through a brute-force attack.

govt5.png

Figure 5: Brute-force Analysis of the Email Password

This shows that the password is, in fact, a subset of the email address, which is a very poor practice for creating email address and password combinations. One password was used for multiple accounts, which shows that the organization followed the insecure practice of reusing credentials; that in itself is a serious problem.

We also selected the most frequently used password among the accounts and analyzed its complexity, including its brute-force properties. Figure 6 shows that the password has low complexity, whereas Figure 7 shows the estimated time to crack it with a brute-force attack on various platforms.

govt6.png

Figure 6: Password Complexity of the Most Frequently Used Password in the Document

govt7.png

Figure 7: Brute-force Cracking Estimate of the Most Frequently Used Password in the Document
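The credential layout described above (email = initial code + region + zip, password = initial code + zip) lends itself to an automated audit. The following is an added example, not code from the original post or from Elastica: it runs over a constructed, made-up record list with the same layout and flags passwords that are built from the account's own email address, passwords reused across accounts, and the worst-case brute-force keyspace and time at an assumed guess rate of 1e9/s (the rate is a placeholder, not a figure from Figures 5 to 7).

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample records mirroring the layout the post describes:
# email = <initial code><region><zip>@<domain>, password = <initial code><zip>.
# Every value here is made up; nothing comes from the exposed document.
SAMPLE_RECORDS = [
    {"email": "ABCNORTH123456@agency.invalid", "password": "ABC123456"},
    {"email": "ABCSOUTH123457@agency.invalid", "password": "ABC123457"},
    {"email": "ABCEAST123458@agency.invalid", "password": "ABC123456"},   # reuses NORTH's password
    {"email": "ABCWEST123459@agency.invalid", "password": "Tq7!x9Lm#2pR"},  # random, for contrast
]

# Character classes used to size the brute-force alphabet (33 printable ASCII symbols).
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]

def keyspace(password: str) -> int:
    """Worst-case guesses for a naive brute force: (union of classes used) ** length."""
    alphabet = sum(size for pattern, size in CLASSES if re.search(pattern, password))
    return alphabet ** len(password)

def crack_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Time to exhaust the keyspace; the 1e9 guesses/s rate is an assumed figure, not measured."""
    return keyspace(password) / guesses_per_second

def derived_from_email(email: str, password: str) -> bool:
    """True when the password is assembled from pieces of the e-mail local part: every
    letter or digit run of 3+ chars must occur in it, covering at least half the password."""
    local = email.split("@", 1)[0].lower()
    tokens = [t for t in re.findall(r"[A-Za-z]+|[0-9]+", password) if len(t) >= 3]
    covered = sum(len(t) for t in tokens)
    return bool(tokens) and covered * 2 >= len(password) and all(t.lower() in local for t in tokens)

def audit(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag passwords derived from the account name, reused across accounts, or cheap to brute-force."""
    uses = Counter(r["password"] for r in records)
    return [{
        "email": r["email"],
        "derived_from_email": derived_from_email(r["email"], r["password"]),
        "reused": uses[r["password"]] > 1,
        "crack_seconds": crack_seconds(r["password"]),
    } for r in records]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

The derived-from-email check deliberately tests token containment rather than a plain substring match, since the region name sits between the initial code and the zip code in the address but not in the password.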

Unfortunately, the root cause of the document's public availability may never be known. From the attacker's perspective it does not matter, because they can use the sensitive information in the document to chain together the components of an advanced targeted cyber-attack. This is where deep visibility into cloud-app usage becomes critical. Visibility means that the moment the document is made publicly available, a detailed alert is immediately sent to the organization's InfoSec team. Visibility means that a set of remediation policies, designed by InfoSec, can automatically block the share action or unshare the document before any third party can retrieve it. Finally, visibility means that all actions leading up to the share were logged, allowing InfoSec to perform a root-cause analysis to see whether it was accidental, intentional, or the result of a broader malware attack.
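The three properties of visibility listed above (alert on public exposure, automatic unshare, and a logged lineage for root-cause analysis) can be modelled as a small policy engine. This is an added example, not Elastica's product code: it replays constructed activity events in a made-up, simplified log shape (not Google Drive's real audit format), classifies a document as a credential list when its header names a password column or it holds several email/token rows, and raises an alert with an unshare decision and the event lineage when such a document turns public.

```python
import re
from typing import Dict, List

# Constructed activity events in a simplified, made-up audit-log shape (not Google's log format).
EVENTS = [
    {"ts": "2015-06-20T10:01Z", "user": "alice@agency.invalid", "action": "upload",
     "doc": "migration/accounts.csv", "visibility": "private"},
    {"ts": "2015-06-20T10:05Z", "user": "alice@agency.invalid", "action": "change_acl",
     "doc": "migration/accounts.csv", "visibility": "anyone_with_link"},
    {"ts": "2015-06-20T10:07Z", "user": "bob@agency.invalid", "action": "change_acl",
     "doc": "notes/minutes.txt", "visibility": "anyone_with_link"},
]
# Constructed document text the classifier inspects; all values are made up.
CONTENTS = {
    "migration/accounts.csv": "office,email,password\n"
                              "NORTH,ABCNORTH123456@agency.invalid,ABC123456\n"
                              "SOUTH,ABCSOUTH123457@agency.invalid,ABC123457\n",
    "notes/minutes.txt": "Agenda: migration timeline, vendor call on Monday.\n",
}
PUBLIC = {"anyone_with_link", "public"}
# An e-mail address followed by a separator and a 6+ character token at end of line.
CRED_ROW = re.compile(r"[\w.+-]+@[\w.-]+[,;\t ]\s*[A-Za-z0-9!#$%^&*]{6,}\s*$", re.M)

def contains_credentials(text: str, min_rows: int = 2) -> bool:
    """Credential list if the header names a password column or several e-mail/token rows exist."""
    first_line = text.splitlines()[0] if text else ""
    return bool(re.search(r"(?i)\bpassword\b", first_line)) or len(CRED_ROW.findall(text)) >= min_rows

def evaluate(events: List[Dict[str, str]], contents: Dict[str, str]) -> List[Dict[str, object]]:
    """Replay events in order and alert when a credential-bearing document turns public."""
    visibility: Dict[str, str] = {}
    history: Dict[str, List[Dict[str, str]]] = {}
    alerts: List[Dict[str, object]] = []
    for ev in events:
        doc = ev["doc"]
        history.setdefault(doc, []).append(ev)
        before, after = visibility.get(doc, "private"), ev["visibility"]
        visibility[doc] = after
        if before not in PUBLIC and after in PUBLIC and contains_credentials(contents.get(doc, "")):
            alerts.append({
                "doc": doc, "actor": ev["user"], "at": ev["ts"],
                "remediation": "unshare",  # policy action: revert to the previous visibility
                "lineage": [(e["ts"], e["user"], e["action"]) for e in history[doc]],
            })
            visibility[doc] = before  # state after remediation
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS, CONTENTS):
        print(alert)
```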

This case study makes the following key points:

  • Government agencies and organizations around the globe are increasingly using SaaS applications for their work. It is hard to claim that every organization is doing that, but it can be assumed that the number is increasing.
  • The built-in security mechanisms of cloud platforms are not sufficient to protect organizations from threats, as users’ mistakes are inevitable. A strong and robust activity monitoring solution is therefore required, one that actively monitors user activity specific to SaaS applications, including cloud storage access.
  • Content discovery and classification remain a critical security feature for the cloud, but traditional DLP systems may not be suited for this new environment. Users are no longer required to transfer an entire document in order to view, edit, or share it, and moreover, different cloud services implement these mechanisms differently. This necessitates a modern approach to DLP that seamlessly works across different cloud services. Greater monitoring and control is possible if the solution also interoperates with a security solution that provides configurable remediation and alerting.
  • Education and awareness training are needed for enterprise users to interact securely with SaaS applications in order to avoid simple mistakes that can cause losses of millions of dollars to the organizations.

Cloud applications offer many compelling benefits to their customers, including convenient access, always up-to-date capabilities, and efficient maintenance. But, as a new and fundamentally different information technology, traditional information security solutions don't fully apply. To fully leverage the benefits of the cloud, enterprises need to adopt modern security solutions designed specifically for it. Point solutions are helpful, but robust security requires a translation of the traditional security stack. This includes deep visibility into user actions, detection of potentially malicious events, insight into the contents of the information being shared, and the ability to remediate harmful events quickly and effectively.
