Call for Incident Response

866.428.4567

Episode #1 - Why Passwords Must Die

Inaugural episode for The Hash-Time Show - Cyber Security Podcast. Discussion around new packet compression techniques from the US Army and why passwords must die!

Release Date:

May 20, 2019

Duration:

27:42


Contributors:

Show Transcript

Intro Snippet:

"Yeh the password stuff though I think kinda needs to die, I was thinking about this just the other day, there's so many other ways that you can authenticate nowadays."

Intro VO

Welcome to the Hash Time Show your weekly review of cybersecurity news and info.  This is Episode number one.  On today's show Dave Chris and Jeff discuss, new packet compression techniques and why passwords must die.

Show

Alright guys welcome to the show, I'm your host Chris Vincent. I'm here today with Jeff Marshall and David Norlin and this is gonna be the first episode so bear with us as we figure things out and get through the process.

I want to kick off the show today with our first segment Getting to Know You and I'll start with the man on my left Jeff.  Jeff tell us who you are

Jeff Marshall - Hey this is Jeff Marshall I'm the Chief Information and Security Officer for DATASHIELD.   I've been with the company for about three years; handling security operations, threat intelligence engineering and development. Prior to that I was at Koch Industries handling security architecture, including policies, procedures, security operations, risk management around enterprise architecture, acquisitions and divestitures.  Prior to that I have been doing security and IT for quite a while

Alright, Thanks Jeff – Dave can you tell us about you a little bit?

Dave Norlin - Hi I'm David Norlin and I am the Director of Security Operations here at DATASHIELD.  I've been with a company about three years.   Prior to that I worked for the Army as a contractor, working incident response for the entire continental US for all Army installations that fell under that command.  And then prior to that I was in the Air Force and I got my security introduction through kind of an alternate means. I started doing vulnerability management as a system admin and then I found out that I have a little bit of aptitude for doing that and unfortunately so did everybody else, because that's where I got stuck permanently.  So I found way out of that and into a more strict security role and have kind of stayed with that throughout my career.  Enjoying it and I hope to do so for a long time to come

Chris Vincent - And my name is Chris Vincent, I'm the host of the show. I'm not the host because I'm the most technical, I’m the host because I'm the marketing guy.  So before I worked here, I just started here at DATASHIELD we're here in April 2019, I spent 10 years running a marketing firm. Doing consulting, grassroots Guerilla marketing, all that kind of fun stuff.  Now learning the security industry.   And I’ll tell you what, it is fascinating… so far. I mean that kind of facetiously, it's dry I'm trying to keep my get my feet wet.

[Laughs]

You don’t have to lie to us Chris.

[Laughs]

I won't, it's one of those things that you have to figure out how to digest, it's a big elephant.

If it helps we feel the same way about marketing.

[Laughs]

Exactly so this is our new show guys and our goal here is, as the format changes we will see how things go, but we're gonna do our best to be topical and discuss cybersecurity and tech and InfoSec information for the week.

We're gonna jump into news, might give you guys some tips I got some questions like for example. Where I should store my passwords? I heard that putting a sticky note on my Windows desktop was not the place to do that.

No

Yeah that's not a good place nor is your Outlook contacts and under your keyboard those are all

bad places.

You should put it either like beneath the drawer under the desk somewhere.

So it's not PCI compliant I'm guessing but definitely not HIPPA

Don't take that advice don't listen to this.

So we'll get into what we're gonna get into.  Today we're gonna talk about news of the week if you will. Today is April 24 2009 and we're gonna chat about what's been going on recently.

News

Headline #1 - Army researchers want to identify how to compress network traffic as much as possible without losing the ability to detect and investigate malicious activity.

Source: https://www.arl.army.mil/www/default.cfm?article=3408)

So in the news a few weeks ago.  Army researchers want to identify how to compress network traffic as much as possible without losing the ability to detect and investigate malicious activity.

Article Quote

So to read the quote this is a mouthful, “Researchers at the US Army Combat Capabilities Development Command Army Research Laboratory (ARL) - them and Townsend University have identified a way to improve network security.

So guys I want to get your take on this Jeff I guess I'll start with you…

Yes thats too long of an acronym

[Laughs]

Your doing a great job, that’s fantastic

It's hard to read, so what I'm understanding from this is that the bandwidth required to get full down the packet level it's just too intensive when you're outsourcing to a SOC.  So the goal of this is the sort of only transmit data until you detect a breach and stop?  Is that what's going on here? Explain this to me…

Jeff - Yeah you know I think the general gist, is there's a lot of data when it comes to security right this is the Target breach other breaches what happens? You get fatigue, there's just so much information. So them as the ARMY especially, trying to bring all the security data from all their installations back to a central console.  Where they can have analysts look at that data, requires a huge amount of bandwidth and probably space depending on what level of data.  Whether it's full packet capture, logs etc. So they're looking at ways to minimize what they have to store and what they have to transmit for an analyst to make a decision

Okay, Dave I didn't know you, Jeff sorry for cutting you off, I didn't know you worked in the military, did you work for a SOC in the military?

Dave - Yeah so I was just part of a base communication squadron at first and I was doing kind of a typical sysadmin tasks.  Then I got veered off into security, having to chase out-of-date machines into dark hangars, you know in the Tucson heat so it was kind of an abrupt entry into security, and not comfortable by any means, but eventually we got a golf cart and that helped.

[Chuckles]

You were in Tucson?

Yeah I was in Tucson at Davis-Monthan Air Force Base.

Now do you refer to Tucson as the armpit of Arizona like the rest of us Phoenicians do?

Nah Tucson is like, it's becoming like San Fran but not by the beach

No Beach

No

Is there's as many homeless people out in the streets?

You know I'm not gonna take a stance on the homeless.

[Laughs]

That’s a San Fran and Portland thing.

Yeah no I mean unfortunately there were a few disaffected individuals.

This has been the hot Arizona talk here on the Podcast.

[Giggles]

Very topical

Slice of Arizona

Dave - So and then after that I worked for the army as a security analyst.  I did Incident Response and you know incident triage investigation the whole gamut.  We had a ton of tools available to us and tons of data, so it was a really good learning experience for me to kind of formalize some of my training, after the hodgepodge I had out of operational necessity in the Air Force.   They kind of just told you whatever you needed to know. And then I went to the Army and learned it in a more organized structured format.

Chris - So when you read this like having the military background in security, do you think this is something they're just trying to implement from a military standpoint or does this have applications commercially?

Dave - I mean that they were in the middle of a big restructure when I left that environment. I think this is maybe part of it. But you know I've been out of that sphere for a while.  I think the most interesting thing to me is some of the technical aspects. They are talking about lossless compression, and that means that you obviously don't lose anything. So if you've ever compressed a JPEG or something into a JPEG, you do lose color data inside that image. But there are formats where it will make the file smaller, but you won't actually lose any of the data. So you could zoom into the smallest point and it would still be the same as the original file.

So the point being here, is when they say lossless, I'm interested in how they're doing that, because they may be truncating parts of it or taking out empty space from some of the headers and when you do that, compression is a computationally intensive sort of thing, so I'm guessing there's some kind of inline device that is compressing it and then decompressing it when it gets to the destination.

Jeff - Yeah they mentioned something in there too about not sending all of the data because the attacks are at the beginning of data right, which is true, but other things happen later on so, I think what they're really trying to do is saying hey what's the minimal amount of information, then how do we shrink that and get it there quickly.   it is the gist of it.  I mean there's lots of technologies out there that do that that kind of thing.

We use that in some areas, Uber Kafka and some other tools can take data compress it send it off.  The truncating of it maybe a little bit different but there's lots of methods to do this.  Commercial applications, I guess there could be some use for it but it, would have to be in very large installations and companies where they have maybe multiple subdivisions but their main corporation handles all the security operations.

Got it, so the SOC maybe at one site and they have a ton of different facilities like a multinational corporation.

Yep

Got it ok

Dave - Yeah I'd be interested to know what they're taking out of the packets or what they deem not useful or what they're chopping from it.  Because if you're looking at a encrypted packet then yeah there's going to be a gigantic chunk of that that is not useful there's only some parts of the transaction that might actually be worthy of investigation But if they're doing like just raw data and capturing regular unencrypted data as well I mean there's potentially interesting things I know you wouldn't want to chop.

Yeah, exactly

Nice ok, well that kind of kind of puts a top on that one I guess.  It definitely helps me understand a little bit more because when I look at this, I'm thinking about it from like a very top-level standpoint.  Thinking oh everyone can use this, but really what you're saying, is no this is kind of specialized.

Jeff - Yeah I mean would it help individuals? Yeah, I mean there's lots of installations out there that have low bandwidth maybe they have a scattered network and we've got a lot of rural area stuff for things. There's definitely areas where it could be valid but the average consumer of say firewalls and IDS equipment, I don't know that there's a whole lot of value there for them.

Dave - They don't dive into the technical side of this too much but they did you say that it's less than 10% of the original traffic volume while losing no more than 1% of cyber security threats.  I personally have never heard of a lossless compression technique for anything that got it down to less than 10% of the source.  So I would really love to know how they're doing that.

Well too bad we can't call them right?

[Chuckes]

Yes I’ll pick up the phone.

I'll get the colonel on the phone…

All right so next topic.

Headline #2 – A recent study by the UK's National Cybersecurity Center the NCSC, looked at public databases of breached accounts, confirms that for many people simple passwords are still a thing.

Source: https://www.digitaltrends.com/computing/online-passwords-research-confirms-millions-are-using-123456/)

A recent study by the UK's National Cybersecurity Center the NCSC (everything has got an acronym) that looked at public databases of breached accounts, confirms that for many people simple passwords are still a thing, with 23.2 million accounts globally using 1 2 3 4 5 6.  That was the most common password on the list, and then after that was like 1 through 9 and 1 1 1 1 and then QWERTY and then the bottom row of the keyboard. So these are all some of the most popular passwords still which is humorous to me.  I want to ask you guys about this, is this one of the common issues you guys run into with like some of these mid-market and smaller businesses, where a lot of breaches are happening, is it brute force password hacking like this?

I mean not veer off the discussion into a different direction…

Please do veer us [Ha Ha]

Dave - I would say that your passwords are always gonna be a weakness but so much stuff comes in through the application layer or phishing.  Passwords are an important aspect of that, but it's possibly not as big an issue as some other things.

Jeff - I would say not just mid-market, I mean there's enterprise organizations that don't have good IAM strategies, and tools out there and they have poor hygiene as well.  You know I don't think everybody has the brainpower to remember 4 million passwords, so sometimes people shortcut it, especially those uneducated or unknowledgeable about security practices.

Security awareness is critical, as we go forward not just in enterprises, but we have to start doing it in school and training people on true hygiene and how to know what not to do. - Jeff Marshall

Dave - I think passwords can still definitely be a vector for attack, but so many organizations are getting smarter and starting to implement two-factor.  I think that where the passwords really come into play, are those systems that were stood up four or five years ago, then everyone's forgotten about, they're still somehow online and then that's the thing that gets attacked.  If you have a weak password on that machine, then maybe you're in trouble.

So like a Yahoo breach kind of thing, someone's old yahoo email kinda deal?

Jeff - It could be a lot of those too.  If you go look at a lot of these breaches,  they're fairly old breaches that these passwords are out there, there's a lot of test systems and things that people leave up that have you know… having good hygiene of ensuring you're shutting down old systems or changing passwords, you know in the past lot of that didn't happen.  So I think people are getting better at that but it's still there.

Chris - Well its sort of like, everybody knows when they leave the house to close the garage and to lock your front door right? I guess unless you're in Park City, Utah - that's one place that I went where they didn’t even have fences.  So that's the Utopia right, but the rest of the world, at least here in Phoenix, you lock your door when you leave your house.  Is that kind of what the password is metaphorically for a society, we have to make sure you lock the door and you can't leave one two three four five six as your code?

Dave - I mean if anything, there's access management tools out there that can help you control stuff like that.  You can know when certain accounts are being accessed when certain credentials are being used.

Jeff - There's plenty of password management tools out there even for personal use and things that make it easy for people to keep track of different passwords for everything.  It's just a practice and again I think we're going to have to start educating people younger and sooner to ensure that they're no longer following those bad practices.

Chris - Is that the message for a CISO or CTO at a company that's starting to implement some of these things like two-factor and some of those systems the thing to implement for them.

Jeff - Two-factor been around for a while and it's kind of a standard.  If you're not doing two-factor… granted there's a lot of stuff out there that we need to come up with new and better ways to do this because you know if you've seen recently the Samsung smartphone they 3d printed a fingerprint and they can get into it.

They used chewing gum or something like that?

Yeah there's different methods.

That some Mission Impossible stuff.

Exactly

But it's no longer impossible.

Where is Tom Cruise at with that face mold thing?

Exactly

Yeah the password stuff though, I think kind of needs to die.  I was thinking about this just the other day. There are so many other ways that you can authenticate nowadays. - Dave Norlin

Like for…

Blood drops?

Oh well you could do that

That is going to be the quote of the show, David says, Dave Norlin says the password needs to die!

[Laughs]

Dave - For like your Google account, I have two factor set up on that.  It goes right to my phone I authenticate with my fingerprint.  I think there's got to be ways for that to become more accepted and deployed.

Jeff - You know, if we don't start coming up with better ideas and killing the password you're gonna keep seeing these generic passwords. You can't stop people from being lazy.

Chris - So lets talk about that for a couple seconds. So the retinal is the Mac kind of thing right.  Let's just say we're in a world where you're in a company and all your employees, they have to actually look at their computer for it to work.  What does that do for the hackers out there that are remote in other countries trying to hack in? Does that make it significantly more difficult or does it matter that much? Because you were saying they're coming in through phishing or other mechanisms.

Dave - Yeah the weakest link is always the users. So if that person's logged on when they get attacked, and the attack can run under whatever permissions or credentials they're using then yeah, there are shortcuts around these biometric methods. But anything to add in one extra step, one extra hurdle for an attacker to get over I think is a positive step.

Headline #3 - Popular hot spot finder app for Android exposed the Wi-Fi network passwords for more than two million networks

Source: https://techcrunch.com/2019/04/22/hotspot-password-leak/)

All right next topic kind of leaning into this.  This one's kind of interesting, I want to get you guys to take on this.  So they dont even list the name in the article. It was a popular hot spot finder app for Android exposed the Wi-Fi network passwords for more than two million networks. The app downloaded by thousands of users allowed anyone to search the Wi-Fi networks in their nearby area and also allowed the user to upload their own Wi-Fi network passwords from their devices to the database, so other people could use it.  So does this mean that people were, “hey I'm an apartment complex and I'm uploading my password of my device so people can get free Wi-Fi.”  Is that what that was saying?

Yeah no, you know percent.

I think really it's around, well first off you can't just download apps.  I try to tell my daughter this all the time, stop just downloading every app in the App Store.

But dad it's free! [Ha Ha]

Jeff - Yeah and putting information in there right.  You've got to know what its worth.  So in this case, I forget the name of the application as well, but it was by a developer in China.  There wasn't a whole lot of information out there.  People were just putting stuff in there and it was uploading all of it. That happens more than people understand or know whether it be on purpose or an accident.  Dump or put something in there forget to take it out it's uploading information so try to make sure you're using apps from reputable sources is important in this in this scenario.  So I think people are putting in their Wi-Fi passwords, or as they said, keeping a catalogue of free Wi-Fi out there, really bad idea.

Chris - You reminded me, my son said “hey dad there's a way I can get free V-Bucks,” you know from Fortnite, if I login.  And I said “I don’t think so buddy, pretty such that's not free, I'm sure they're gonna steal your account.  Well that's interesting and makes me think, so phishing is happening to Sheryl in HR and Chris and Marketing, and some people maybe that aren't as technically savvy on this stuff.  Like you were saying earlier about educating kids, phishing that's an easy spot for kids, because kids are connected now right. I didn't have access to online accounts, my kids have a Facebook and a YouTube page for logging into stuff and you know he has access and phishing is a lot easier because he's 9.  So it's probably not gonna affect the mid-market as much, but it's kind of overall society thing.

Dave - You say that, but I’ve heard of instances, not too long ago, I wont say who but, circumstances in which a person with a business device like a cell phone that they use for work, they leave it out and their kid gets ahold of it, downloads an app and then before you know it they're doing some kind of crazy thing on this person's business device with business information on it and is probably doing something it was never intended to do.  So I mean there are ways that this can can still bite you.

Interesting…

Yeah absolutely I mean you look at kids especially you know my daughter's high school friends.  They are in everything, they're in Instagram, Snapchat you know everything but Facebook, because apparently Facebook's for old guys now.

Its for grandparents yeah…

That’s what I’m told.

They are so connected, my daughter has a friend who thinks it's great to just click every link that comes in in a fake text message. To them they just they just don't understand the repercussions to doing so.

Right

Correct me if I’m wrong, wasn't this one of the original premises of Windows 10. Is that you could share automatically your Wi-Fi with friends that you had identified.  Am I just imagining that

No, so iCloud does that too.  It stores your Wi-Fi password and then any device you log into to that iCloud account, it just auto connects to your Wi-Fi.

Really

My kid will do things on the iPad and all of a sudden I have an account saved on my MacBook, and I’m like “what the heck you doing kid.”

Yeah and this Wi-Fi thing is ridiculous. I mean there's so many Wi-Fi enabled thermostats on our block of the street that I'd be surprised if you didn't have two million network passwords or network SSID just driving down or through Phoenix.  You know the Wi-Fi pollution these days is ridiculous. - Dave Norlin

Jeff - Yeah actually I saw an article recently about that. Gary Hayslip the CEO of Webroot had posted something about, a tinkerer or tech guy has all these connected things but a real security guy has none of them in his house. The risk of having these things is so great.  My wife the other day was arguing with me about putting a digital keypad on my front door and I refuse just because I know what I can do to it.

Chris - So I agree with you guys it's like you're putting yourself at risk but I guess this is a slippery slope right.  My though is …”ahhh who cares you know they can hack it what are they gonna see.”  But if everyone has that posture, especially here within an organization where they may care, we have to kind of change our posture a little bit.  We're not living in Park City Utah, we've got to have fences up, digital fences around what we're doing to make sure that we're keeping the bad guys out.

Yep

Cool we got time for one more?

I think we do

Headline #4 – Bodybuilding.com Breach

Source: https://www.zdnet.com/article/bodybuilding-com-discloses-security-breach/)

Okay cool, this one is near and dear to my heart. I just found out Bodybuilding.com was breached and they disclosed it on their website. There's a lot to read here, I’ll just give you the highlights on it.  Basically they identified a breach in February and then they kind of released it.  Someone had accessed the data but they weren't sure what was compromised.  They're saying no credit cards and I kind of wanted to get you guys feedback.  I don't know if you have evern been in the Bodybuilding.com forums but I'm not surprised that they've been breached cuz there's some crazy stuff going on.

As you can see from my dad bod, I go to those forums all the time.

What was the joke?  The breach was really bad? Or it was swole?

The breach was whey bad…

[Lolz]

Oh that's right “whey protein” bad.  I mean do you guys have any insight on this?  So this is the first time that, well I guess maybe my awareness is low, but I've seen a company saying, “hey we were breached.”  Is this a PCI thing? They have to put it out there?

Jeff - You know in some cases people are required to announce a breach.  We've talked a lot about this recently, Dave and I, about the right in the wrong way to go about getting breached. Because scare tactics aside, it happens right, and you can you can have the best hygiene in the world but again, end users are still the weak point. So looking back at this one they claim that they think it happened in July of 2018, I think it's the thing I saw and they found it and released it in April that they think they found it in February?  I is a little unclear, but I think it's really doing the right thing; disclosing what happened, how it happened and what you're doing to resolve it. It is really the way forward and making sure you're clear about what you found and how long it took you to find it and why. I mean people want to know.

Dave - Yeah breaches are kind of a pivotal moment, I think for a lot of companies because you're at that decision point where if you keep it to yourself maybe you allow things to continue normally, at least from the outside or if you disclose it and there's a lot of doubt and potential fallout and public opinion.  But I think more and more society on the whole is kind of looking favorably on disclosure. I look at the most recent breach with Norsk Hydro,  the Norwegian aluminum producer, they came out very quickly, as soon as they were able to and said we got hit and this is what happened and I think that kind of boosted the opinion of that company for a lot of people, versus just keeping it to themselves.

Like the Experian breach right?

Yeah

Chris - So they did a solid for their customers, is what you guys are saying?  From a security professional standpoint this is bearing all and saying “hey we got breached, you know we don't think you were affected but you might have been.”  I think that their practices was to send out a notification to their customers saying “reset your password” and set a deadline of like June to reset it by. So that's kind of the good practice if you get breached.

Exactly

With these e-commerce sites, my guess is the goal is to either skim data or to get credit card information right?  And so that's kind of the main thing

Yeah I mean health data is just as important to a lot of these guys as credit card information.  Now granted, credit card has a quicker financial, but you know there's a lot of health data on the black market to purchase as well.

Interesting, right I guess, speaking of the forums there's a lot of health discussions. I say that in air quotes for the Bodybuilding.com forums. I guess that is a piece of it right.

Yeah

Dave - I mean there's also other ways you could make use of the data. There's plenty of military people that are gonna find themselves talking about various things on there that might identify them as military. That information falls into you know less than proper hands they could then use that information to identify more about that person and target them for you know human to human exploitation. There's all sorts of ways that you can take seemingly innocuous data and have that be pivotal and in how you go about your nefarious deeds.

Interesting, social engineering at its best.

Dave - Yeah especially if you have insider information. It seems silly but things you would post on a bodybuilding site, like your workout routine, certain features about your body, I mean people put dimensions and that kind of thing on there, of other gains and losses whatever the case may be.  That's a very personal information. Imagine meeting someone that kind of had an in with you and then you get to know more about them and they seem to know you really well. I mean people open up under all kinds of circumstances and that kind of familiarity could be a vulnerability.

Interesting, we probably should explore that on a later episode but…for now that's all the time we have. Stay tuned this is our weekly scheduled podcast and we'll catch you guys next week.

We are an end-to-end Cyber Security Resilience Provider

At DATASHIELD we provide a suite of security services including, MDR, Co-Managed SOC, Vulnerability Management, EDR, Email Security, NOC Services and more.

check out our home page