July 2023
Would you be embarrassed by your password…or worse?
11/07/23 11:16
That was the nagging question in my head after hosting last month’s security summit. It was seeded by a conversation with Britton White, a security practitioner, who is trying to raise awareness of the very real threat posed by infostealers like Raccoon, Vidar and RedLine. Britton shared details of several incidents (use cases) leading to exposure of extremely sensitive information, including diagnostic medical records, like exam pictures. We also discussed the disappearing lines between work, home and “play” in a post Covid world. What I found most interesting about these incidents, were the reactions of the victims. They ranged from shocked disbelief to denial and everything in between.
Infostealers are a type of malware sold on underground forums and criminal marketplaces. Infostealers are part of a fascinating and growing ecosystem. Victims can be infected via phishing, compromised websites and interaction with infected files. Once infected, the victim’s data is exfiltrated, packaged and sold. While the data stolen can vary, of special interest are authentication credentials like user names and passwords. An excellent primer on infostealers can be found here.
A common theme in many of the use cases, involve organization’s system credentials being compromised by infostealers installed on personal computing devices. Since many organizations, allow users to access organizational systems from unmanaged devices, those systems can become collateral damage from an infostealer attack. Key personnel with privileged system access pose a special risk to organizations. Those users have a responsibility to alert their organizations of a breach, however, they are typically the last to learn they have been compromised!
In a recent incident, I observed an interesting variant of the above scenario. Corporate security personnel were made aware of an infostealer incident involving one of their employees. It appeared the victim had been accessing corporate systems from an impacted personal computer. The corporate systems were protected via multi-factor authentication, but the victim’s personal accounts were not. While the employee had an obligation to report the breach, that obligation did not necessarily apply to their employer. In fact, the corporate security team did not have a clear policy or procedure in place to deal with this incident. Therefore, they had to engage with HR, legal and compliance before finding a way forward.
Of course, the right thing to do is to help the victim, however, the specific intelligence and how it is acquired matters. Does it contain stolen or doxed data? Does it fall under PII protections? Should corporations monitor their employee’s activity while not working? Are there any liability pitfalls? This type of intelligence will most assuredly contain compromised passwords associated with the victim. Those “secrets” can NEVER be unseen. Let that sink in. Best case, the victim is shown to use strong passwords but was still compromised. Perhaps they use simple easily guessed passwords that frame them as lazy or ignorant. Or worse, what if the victim’s password is a racial slur, sexually suggestive or otherwise prohibited by company policy? Malware, the gift that keeps on giving.
What does a reasonable response to the growing threat of infostealers look like? Consider these four simple practices that could limit the negative impact of an infostealer attack:
1. Don’t do company business on personal systems
2. Don’t use password vaults
3. Don’t save credentials in your browsers
4. Don’t use embarrassing passwords
Unfortunately, convenience is the antithesis of security, safety and privacy. Please be thoughtful when finding your balance.
Infostealers are a type of malware sold on underground forums and criminal marketplaces. Infostealers are part of a fascinating and growing ecosystem. Victims can be infected via phishing, compromised websites and interaction with infected files. Once infected, the victim’s data is exfiltrated, packaged and sold. While the data stolen can vary, of special interest are authentication credentials like user names and passwords. An excellent primer on infostealers can be found here.
A common theme in many of the use cases, involve organization’s system credentials being compromised by infostealers installed on personal computing devices. Since many organizations, allow users to access organizational systems from unmanaged devices, those systems can become collateral damage from an infostealer attack. Key personnel with privileged system access pose a special risk to organizations. Those users have a responsibility to alert their organizations of a breach, however, they are typically the last to learn they have been compromised!
In a recent incident, I observed an interesting variant of the above scenario. Corporate security personnel were made aware of an infostealer incident involving one of their employees. It appeared the victim had been accessing corporate systems from an impacted personal computer. The corporate systems were protected via multi-factor authentication, but the victim’s personal accounts were not. While the employee had an obligation to report the breach, that obligation did not necessarily apply to their employer. In fact, the corporate security team did not have a clear policy or procedure in place to deal with this incident. Therefore, they had to engage with HR, legal and compliance before finding a way forward.
Of course, the right thing to do is to help the victim, however, the specific intelligence and how it is acquired matters. Does it contain stolen or doxed data? Does it fall under PII protections? Should corporations monitor their employee’s activity while not working? Are there any liability pitfalls? This type of intelligence will most assuredly contain compromised passwords associated with the victim. Those “secrets” can NEVER be unseen. Let that sink in. Best case, the victim is shown to use strong passwords but was still compromised. Perhaps they use simple easily guessed passwords that frame them as lazy or ignorant. Or worse, what if the victim’s password is a racial slur, sexually suggestive or otherwise prohibited by company policy? Malware, the gift that keeps on giving.
What does a reasonable response to the growing threat of infostealers look like? Consider these four simple practices that could limit the negative impact of an infostealer attack:
1. Don’t do company business on personal systems
2. Don’t use password vaults
3. Don’t save credentials in your browsers
4. Don’t use embarrassing passwords
Unfortunately, convenience is the antithesis of security, safety and privacy. Please be thoughtful when finding your balance.