AppSec attack and defense: The password domino effect

The discourse around application security makes for a complex discussion. Experts seldom reach agreement in defining the best strategy in the face of the myriad of threats that individuals and organizations face. That said, one truth is held unanimously: There is no “silver bullet.” In other words, no security solution can compensate for the inherent security vulnerabilities that exist in each and every layer of the application stack; from the human factor, through the software stack, and all the way down to the hardware on which the application runs. At the end of the day, it’s up to the system designers, developers, and architects to bring order to this chaos.

It’s important to understand the difference between the manner in which a defender and an attacker look at the same system. This difference goes beyond the fundamental asymmetry that we know exists between an attacker and a defender (e.g., resources at their disposal, skillset level, tolerance to failure, etc.). Instead, the core difference is embedded in their distinct perspectives.

Defenders are constrained to the scope of the system they’re trying to protect. They see its elements as discrete components, each serving a purpose or function. In contrast, attackers have a much broader and more holistic view of the battlefield and treat all the various interfaces as organic attack vectors that are complementary to one another. In extreme cases, an attacker can even leverage the very manner in which the security system is set up to accomplish the attack. To delve a bit deeper into this examination, let’s take a look at an example of Red Team research that I’ve been involved with previously.

The password domino effect

The most fundamental access control mechanism is the combination of a username and password. After more than 50 years of devising authentication schemes and authorization solutions, our practices have reached a high level of maturity. These range from the fundamentals of strong password policies (e.g., high complexity, periodic expiration, etc.), to common practices of solid backend security principles (e.g., anti-brute-force controls, password hashing and salting, etc.), and the adoption of out-of-band and two-factor authentication techniques. Even with this knowledge and these capabilities, the risk of account breach and identity theft is still prevalent.

In December 2013, I presented a live demo of a complete account hack at the Globes Israel Business Conference. There, I showcased how to take over a user’s email accounts, social media accounts, and even pinpointed and erased all the data in the user’s mobile devices and cloud storage. What’s interesting about that demo is that there wasn’t actually any hacking involved. Rather, it was a demonstration showing how a combination between the poor implementation of password recovery across the web and the availability of personal data on social media websites can lead to catastrophic results.

To summarize, I presented how the obfuscation (i.e., replacing parts of the email string with “*”) of the email account used for account reset wasn’t standardized across different websites. This leaves the attacker with the simple task of reconstructing the string by visiting the different sites. Next, I showed how answers to what were supposedly secret questions in the account reset procedure were actually publicly available in the user’s social media accounts. Once an attacker gained access to the account in which the password reset links are sent, the whole authentication scheme collapses like dominos.
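To make the masking leak concrete, here is an added Python example (not code from the article or from the author). Three constructed masking policies stand in for three sites’ reset pages; merging their views shows how much of a constructed sample address they jointly reveal, and a fixed-disclosure policy shows that consistent masking gives an attacker nothing extra from the second and third site.

```python
from typing import Callable, List, Set

# Constructed sample recovery address; not a real account.
SAMPLE = "jane.doe@example.com"


def _mask_local(addr: str, keep: Callable[[str], Set[int]]) -> str:
    """Mask the local part of `addr`, leaving visible the positions selected by
    `keep(local)`; the domain is shown in full, as most reset pages do."""
    local, domain = addr.split("@", 1)
    shown = keep(local)
    return "".join(c if i in shown else "*" for i, c in enumerate(local)) + "@" + domain


def _token_heads(local: str) -> Set[int]:
    """Positions of every dot plus the first character after each dot (and index 0)."""
    dots = {i for i, c in enumerate(local) if c == "."}
    return dots | {0} | {i + 1 for i in dots if i + 1 < len(local)}


# Three constructed policies, each mimicking a different site's reset page.
def mask_site_a(addr: str) -> str:
    """Site A shows the first two characters of the local part."""
    return _mask_local(addr, lambda local: set(range(min(2, len(local)))))


def mask_site_b(addr: str) -> str:
    """Site B shows the last three characters of the local part."""
    return _mask_local(addr, lambda local: set(range(max(0, len(local) - 3), len(local))))


def mask_site_c(addr: str) -> str:
    """Site C shows the first character of each dot-separated token and the dots."""
    return _mask_local(addr, _token_heads)


def combine(masks: List[str]) -> str:
    """Merge several length-preserving masks of the same address: a position
    stays '*' only if every site hides it. This is the leak the article describes."""
    assert len({len(m) for m in masks}) == 1, "masks must be the same length"
    out = []
    for chars in zip(*masks):
        known = {c for c in chars if c != "*"}
        out.append(known.pop() if known else "*")
    return "".join(out)


def hidden_positions(masked: str) -> int:
    """How many characters a (merged) view still hides."""
    return masked.count("*")


def mask_fixed(addr: str) -> str:
    """A consistent policy: first character, a constant run of '*' (so the local
    part's length is hidden too), then the domain. Any number of sites using it
    reveal exactly the same view, so merging adds nothing."""
    local, domain = addr.split("@", 1)
    return local[:1] + "***@" + domain
```

Running `combine` over the three site views of `SAMPLE` leaves only two characters hidden, whereas each site on its own hides five or six; three copies of `mask_fixed` merge to the same view as one.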

A few months after this presentation, in August 2014, news broke of the infamous celebrity iCloud account hack and subsequent leak of private and intimate pictures. This attack was perpetrated in a similar fashion utilizing the same weaknesses.

If this all sounds too easy, it’s actually the harder path to an account compromise. In fact, you can find online databases with billions of account credentials that have been stolen from previously breached websites. Couple this with the phenomenon of password reuse and the entire username and password authentication paradigm is made redundant.

If you’re thinking that this can be fixed with two-factor authentication (2FA), you’re (mostly) correct. The bad news is that, according to a recent EliE study, only 52.5% of websites support 2FA (there is no data on how many of the users actually opt to use it). Then again, there are also emerging techniques for circumventing 2FA solutions. As such, the issue at the core remains: The administrator (or security architect) has limited visibility and can only observe a fraction of the full threat landscape. Even if this individual had more visibility, they have no control over the level of security within third-party organizations nor the user’s cyber hygiene.

Lessons learned

While this anecdotal example illustrates the security gap between defender and attacker, it doesn’t represent the complete picture. For every successful attack you see in the news, there are thousands (perhaps even millions) of unsuccessful attempts that we never hear about.

While every organization is different, and every CISO faces unique challenges, the industry is united in its motivation to bettering our cyber hygiene and increasing our resilience to threats.

Matan Scharf, senior security solutions manager at Synopsys
