Users Cannot be Trusted with Their Passwords!

Monday, January 13, 2014

Joseph Rogalski


Let's face it: users cannot be trusted to keep their passwords secret. I am not talking about the user who writes passwords down on sticky notes; the bad guys would need physical access to read those. What I am really speaking to is how easily passwords can be compromised through social engineering or malware. If you are not protecting your Internet-facing systems that contain anything but public data with multifactor authentication, you are asking to be breached, and this includes Outlook Web Access.
 
So how could Outlook Web Access lead to a breach? When trying to breach your company, I would first look to the many lists of usernames, email addresses and passwords that are available from any of the recent social media password breaches. These lists are valuable because, as you know, many users reuse passwords, and it only takes ONE out of the 1,000, 5,000, 10,000 or 100,000+ users who work for your company to have reused one. Next I would use those username\password combinations against Outlook Web Access. If the combinations don't work, it's not a problem, as I now have a list of email addresses within the company as well as the users' personal addresses. With a bit of research I can run a targeted attack against them at work and at their personal accounts. The odds are again that one of the users will click on the link I send, and I will own their home PC, collecting all kinds of information including their Outlook credentials. Without a second factor of authentication I am in, and I will send emails to internal users containing malware that exploits recent Java vulnerabilities, giving me a backdoor to do my bidding.
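The credential-reuse attack above has a detectable fingerprint on the defender's side: one source address cycling through many different accounts in a short time, sometimes ending in a success. The detector below is an added example, not code from the original post; it runs over a constructed, simplified authentication log (timestamp, client IP, username, outcome), not the real IIS W3C layout that OWA writes, and the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified, not the real IIS/OWA format):
# timestamp, client IP, username, outcome. The first IP tries six accounts
# in ten seconds and gets into one; the second is an ordinary user typo.
SAMPLE_LOG = """\
2014-01-13T08:00:01 203.0.113.7 alice FAIL
2014-01-13T08:00:03 203.0.113.7 bob FAIL
2014-01-13T08:00:05 203.0.113.7 carol FAIL
2014-01-13T08:00:07 203.0.113.7 dave FAIL
2014-01-13T08:00:09 203.0.113.7 erin FAIL
2014-01-13T08:00:11 203.0.113.7 frank SUCCESS
2014-01-13T08:05:00 198.51.100.4 alice FAIL
2014-01-13T08:05:20 198.51.100.4 alice SUCCESS
"""

def parse(log_text):
    """Turn the constructed log into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events

def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that attempt >= min_users distinct accounts inside
    `window`. Returns {ip: {"users_tried": n, "compromised": [users]}},
    where "compromised" lists accounts that succeeded inside that window,
    i.e. the reused passwords that worked and need resetting first."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0                      # sliding window over ordered attempts
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            users = {u for _, u, _ in span}
            # keep the widest window seen for this IP
            if len(users) >= min_users and len(users) >= alerts.get(ip, {}).get("users_tried", 0):
                won = sorted({u for _, u, o in span if o == "SUCCESS"})
                alerts[ip] = {"users_tried": len(users), "compromised": won}
    return alerts
```

A single-user failure followed by success (the second IP) stays below the threshold, which is what keeps this rule from paging on ordinary typos.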
 
This is not a sci-fi story either; this happens all the time. It is not just Outlook either: these types of attacks can be perpetrated against any system that has communication abilities, Salesforce.com or SharePoint for example. If that Internet-facing system contains intellectual property, needless to say it would be gone in the blink of an eye.
 
This is a very real and serious threat. The best answer for protection is multifactor authentication for any Internet-facing system as well as your high-value internal systems. In addition, you should be protecting any accounts that have super-user rights. If you have thoughts on other ways to protect these systems, I would appreciate your feedback.

Cross Posted from the Symantec Readiness and Response Blog

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
