Feb 13, 2020
6 Minutes
Weak passwords are detrimental to any organization’s security. This holds for commonly used passwords, passwords that are complex but are reused across services and applications, and even highly secure passwords that have been leaked.
(image credit – https://xkcd.com/2176/)
We strongly advocate for strong authentication methods on top of passwords, such as biometrics and multi-factor authentication, to boost password security.
Having said that, to be effective, these methods must be applied consistently throughout the entire organization. And enterprises need a way to verify that this is the case.
Often, enterprises will put tremendous effort into ensuring that their main services are secured correctly with multi-factor authentication and certificates while neglecting password security best practices when it comes to ‘side services.’ Often, the users of these services and applications are left to their own devices, and as a result end up relying on plain passwords and practicing poor cyber hygiene.
Solving brute force and credential stuffing attacks with SideScanning (™) and Fuzzy Search
To stay one step ahead of the hackers and bolster password security, Orca’s patent-pending SideScanning™ technology accesses the organization’s block storage. It then attempts to match discovered passwords to commonly used passwords and known leaked password databases. For common passwords, we also perform offline brute force attacks to test how easy it is for a threat actor to break into the company’s accounts.
Next, we perform a fuzzy search on the username in our extensive leaked password database. For the fuzzy search, we use the Damerau-Levenshtein edit distance algorithm.
By fuzzy search, we mean, for example, that for the username johndoe@acme.com, we will try to match passwords from john.doe@acme.net, johndoe@gmail.com and so on. All of the passwords we discover will be checked against the hashed password to see if it matches. We then send an alert to the customer of their breached password and location.
The primary metric for fuzzy search is edit distance. For example: “cat” and “bat” are edit distance 1 because we only need to substitute c→b. “run” and “burn” are edit distance 2, insert “b” and swap u & r.
We deploy fuzzy search instead of exact search because many users use similar but not identical usernames and passwords across services and accounts. This happens due to availability, human cognitive limitations, as well as company policies. For example, the same user might technically not “reuse” an identical password across services and have a relatively strong password, while leaving their account vulnerable and easy to crack, like, Victory@19 and Victory@20.
Our extensive database of leaked credentials contains passwords, usernames, emails, and nicknames. To detect vulnerable passwords, we specifically use the Damerau-Levenshtein distance algorithm. The algorithm measures how many edits (deletion, inserts, substitutions, and transpositions) are required to transform word1 to word2.
Our fuzzy matching breaks down the target identifiers into words, and then it tries to match those to the target words. For example, if we had an entry in the database for john.doe@gmail.com, we will break it into “john,” “doe,” “gmail,” “com.” We will try to match to “john” “doe” but not to “gmail” & “com” since they are not unique enough.
Thanks to SideScanning™ technology and Fuzzy Search, we can discover vulnerable passwords that are not necessarily an exact match. We locate similar credentials and notify our customers when those passwords need to be strengthened or if they were involved in an outside breach.
Orca’s intelligent alerts give users a better recommendation for their password security, providing a roadmap to tighter security posture.
Real-world examples: An Orca Security customer was running a vulnerable Internet-facing file server that was used to communicate sensitive data with clients. Unfortunately, the admin password for the service wasan easy to crack password and username combination. Orca’s SideScanning™ technology located the weak credentials and suggested that the customer change their server passwords in order to secure their data.
In another case, a customer had a bastion server used by employees, which utilized SSH on their production servers. One of the employees had his personal email credentials leaked. Orca’s SideScanning™ technology was able to match the password to the employee, thereby preventing compromise to the organization.
We’ve seen that these serious security policy violations happen far more frequently on services where the rest of the security guidelines aren’t followed, and therefore, miss the integration and installation of agent based security tools. SideScanning™ scans every single workload with no per asset integration, which enables organizations to see into their entire cloud infrastructure.
Interested in learning more? Schedule a demo to see where you are exposed.