Carbonite has fallen victim to a password-reuse attack and is asking users to change their passwords. IT security experts from MIRACL, Lieberman Software, ESET, AlienVault and Imperva commented below.
Brian Spector, CEO at MIRACL:
“Password re-use is one of the biggest problems with the username and password system. We’re all human, and it’s difficult to remember a different password for each online service that you use, so it’s not surprising that so many people use the same password across multiple sites. This of course makes hackers’ jobs much easier, because they don’t even need to hack into new databases anymore to reap their rewards. With millions of passwords stolen from recent breaches floating around the dark web, if people have been reusing passwords across multiple sites, it’s only a matter of time before these credentials could be used elsewhere.
“It’s high time that we recognise passwords as the antiques that they are. They don’t provide protection for the volume of information we all store online today, they don’t scale for users, and they are vulnerable to a myriad of attacks. Customers are rightly demanding to be protected when they submit their valuable personal information on the web, and online services need to respond appropriately by replacing the password with more rigorous authentication technologies.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Every breach provides a new set of username and password pairs for bad guys to test elsewhere, looking for people who are reusing their credentials despite years of security pros begging them not to do that. Carbonite’s system-wide password reset is the first of many we’ll see. They are simply forcing users to at least participate actively in making a bad choice. Carbonite will force you to reset your password, tell you it’s because you may be attacked specifically with passwords you used elsewhere, and if you still choose to use the same old tired password you used at your fantasy sports site and shopping sites, then at least they can sit back with a well-justified ‘told you so’ look on their face when a bad guy waltzes right into all your data.
For your online banking and other highly important online accounts, you should do the work to use complex, unique passwords. For other sites, there are other tricks. Use unique passwords but let your browser remember them so you don’t have to. If you have a Google or Microsoft account that you’ve protected with multi-factor authentication (the thing where you get codes on your phone, which you should absolutely be using), then use that to log into any sites that will let you instead of creating a new account for every site. Since email accounts are free, consider having a second email you use just for all the silly websites that require a log in, but aren’t worthy of the same email you use for your more secure accounts.
While companies can’t stop you from reusing passwords you’ve used elsewhere, they are taking steps to fight reuse attacks like the one Carbonite is seeing. Microsoft, for example, recently started using a system that not only checks the complexity of passwords, but also checks to see if you’ve used a commonly used password or one related to it. Since year after year reports confirm that many people use the same weak passwords (e.g. ‘123456’ or ‘password’), using a system to check if a user has used any of these terrible password options will go a long way toward fighting bad passwords. But it won’t stop someone from picking a good password and trying to use that at every single website they touch. Stopping that would require massive efforts and cooperation among these sites, or just a tiny bit of effort on the part of the users – at this point both seem unlikely.”
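The kind of check Sander describes, a denylist of commonly used passwords that also catches trivial variants of them, is shown below as an added example. It is not Microsoft’s or Carbonite’s code, and the password list, the character-substitution table and the length threshold are all constructed here for illustration; a real deployment would load a much larger, breach-derived list.

```python
import re

# Constructed sample of commonly used passwords (illustrative only; a real
# deployment would load a far larger, breach-derived list).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "abc123",
    "iloveyou", "admin", "monkey", "dragon", "football", "carbonite",
}

# Reverse the usual character substitutions so "p@ssw0rd" maps back to "password".
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i", "|": "l",
})

# Leading/trailing digits and punctuation ("Welcome1", "password2016!") are the
# most common way people "vary" a banned password; strip them before comparing.
EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def candidate_forms(password: str) -> set:
    """All the base forms a password could be a trivial variant of."""
    base = password.strip().lower()
    stripped = EDGE_JUNK.sub("", base)
    forms = {base, stripped, base.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    forms.discard("")  # a password made only of digits/punctuation strips to nothing
    return forms


def is_banned(password: str, banned=COMMON_PASSWORDS) -> bool:
    """True if the password, or a trivial variant of it, is on the denylist."""
    return any(form in banned for form in candidate_forms(password))


def check_password(password: str, banned=COMMON_PASSWORDS, min_length: int = 8):
    """Return (accepted, reason). Length is checked first because a short
    password is rejected regardless of how unusual it is."""
    if len(password) < min_length:
        return False, "too short"
    if is_banned(password, banned):
        return False, "matches a commonly used password or a trivial variant of it"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd2016!", "Qwerty123!", "123456", "correct horse battery staple"):
        print(pw, "->", check_password(pw))
```

The substitution and edge-stripping steps are deliberately lossy: they only need to collapse a user's variant onto the banned base form, not to be reversible, and they never run on the password that is actually stored or hashed.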
Mark James, Security Specialist at ESET:
“All too often we hear about another data breach and how our private data was leaked or stolen. The usual questions are asked: what was stolen? Did it include CC numbers? But the real fact is that any data can be, and often is, used for identity theft or as a means to gather more usable information from you.
Because so many organisations require your username to be your email address, and the fact that so many people only have one email, it basically gives the bad guys 50% of your login credentials. If you search through all the stolen information to match usernames, and are lucky enough to access passwords that are either poorly secured or even openly viewable, then one of the first things that’s going to happen is to try that data in many other places to see what it turns up.
With such a push on online backups to keep our data safe, using terms like “Ultra Secure” or “Stored on servers deep underground for your protection”, we are led to believe it’s totally safe. The problem arises when people have the same credentials we use to access that data. They can read and access it just like we can. The days of simple usernames and passwords need to be long gone; we should, where possible, utilise password managers to create unique, one-time-use passwords and secure them, where possible, with 2FA for added security.”
Javvad Malik, Security Advocate at AlienVault:
“With the recent breaches, password-reuse attacks are increasingly popular. As long as we’re using passwords for authentication, this will remain an issue. However, both users and providers can take steps to minimise the risks.
Users:
– Don’t reuse passwords across sites. This is particularly true for high-value accounts, e.g. email, financial, or social media.
– Consider using a password manager to help in generating unique passwords.
– Turn on two-factor authentication where available.
– Enable notifications, if available, that let you know when someone has logged on or changed your account password.
Providers:
Be proactive. The steps taken by Carbonite Online are very encouraging, showing that the company has been proactive in monitoring its accounts and the attack patterns against it, which has led it to take this step of issuing password changes.
Last month Microsoft also announced it was undertaking similar measures to protect accounts from weak passwords and password reuse: https://blogs.technet.microsoft.com/enterprisemobility/2016/05/10/how-we-protect-azuread-and-microsoft-account-from-leaked-usernames-and-passwords/
Rolling out 2FA or similar technologies to users should help provide an additional level of protection.
But also investing in enhancing monitoring and detecting controls that can detect deviation from standard behaviour, devices, location, etc. can help go a long way in flagging suspicious activity.”
Nadav Avital, Application Security Research TL, ADC, Imperva:
“In the last month we’ve witnessed several leaks of credentials from some major social networks, allegedly containing millions of users’ credentials. Due to the common user behavior – using the same password for accounts on different sites – these credentials can be used to increase the success rates of brute-force attacks against different sites.
The popularity of this attack is on the rise since it is fairly simple; it requires minimal resources from the attacker and there are lots of leaked credentials to work with. There are plenty of tools out there, including advanced ones that can mask the attacker’s identity through Tor, rotating the User-Agent string and more.
In addition to threatening the site users, these attacks also present risk to the attacked site, due to intense load on the authentication server, or massive lockout of legitimate accounts due to the common lock-after-X-failures safety mechanisms.
Sadly, most sites lack the proper security measures to stop these attacks. A proper mitigation must provide account takeover solutions such as detection of stolen password usage, detection of automated tools (bots) and detection of account access from malicious devices.”
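The detection side that Avital and Malik both point at (flagging a source that behaves like an automated credential-stuffing tool rather than a person retrying their own password, and working out which accounts it actually got into) is shown below as an added example run over a constructed authentication log. It is not Imperva’s, AlienVault’s or Carbonite’s code; the log format, the IP addresses, the usernames and the thresholds are all invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not real data). Fields: timestamp,
# client IP, username, result, User-Agent. 203.0.113.7 is a stuffing run that
# tries each leaked username once and rotates its User-Agent; 198.51.100.5 is a
# person who mistyped their own password twice; 192.0.2.44 is an ordinary login.
SAMPLE_LOG = """\
2016-06-21T10:00:01Z 203.0.113.7 alice@example.com FAIL "Mozilla/5.0 (Windows NT 6.1)"
2016-06-21T10:00:01Z 203.0.113.7 bob@example.com FAIL "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)"
2016-06-21T10:00:02Z 203.0.113.7 carol@example.com FAIL "Mozilla/5.0 (X11; Linux x86_64)"
2016-06-21T10:00:02Z 203.0.113.7 dave@example.com OK "Mozilla/5.0 (Windows NT 10.0)"
2016-06-21T10:00:03Z 203.0.113.7 erin@example.com FAIL "Mozilla/5.0 (Windows NT 6.1)"
2016-06-21T10:00:03Z 203.0.113.7 frank@example.com FAIL "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11)"
2016-06-21T10:00:04Z 203.0.113.7 grace@example.com FAIL "Mozilla/5.0 (X11; Linux x86_64)"
2016-06-21T10:00:04Z 203.0.113.7 heidi@example.com OK "Mozilla/5.0 (Windows NT 10.0)"
2016-06-21T10:01:10Z 198.51.100.5 alice@example.com FAIL "Mozilla/5.0 (Windows NT 10.0)"
2016-06-21T10:01:25Z 198.51.100.5 alice@example.com FAIL "Mozilla/5.0 (Windows NT 10.0)"
2016-06-21T10:01:40Z 198.51.100.5 alice@example.com OK "Mozilla/5.0 (Windows NT 10.0)"
2016-06-21T10:02:00Z 192.0.2.44 carol@example.com OK "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (OK|FAIL) "([^"]*)"$')


def parse_log(text):
    """Yield (timestamp, ip, user, success, user_agent); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result, ua = m.groups()
        yield ts, ip, user, result == "OK", ua


def summarize_by_ip(text):
    """Per-source counters: attempts, failures, distinct users, distinct UAs, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "uas": set(), "successes": set()})
    for _ts, ip, user, ok, ua in parse_log(text):
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["uas"].add(ua)
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1
    return stats


def detect_credential_stuffing(text, min_users=5, min_fail_ratio=0.5, min_uas=3):
    """Return {ip: stats} for sources that look like automated credential stuffing.

    A stuffing run tries many *different* usernames from one source, roughly once
    each (the attacker already holds one candidate password per account), fails
    most of the time, and often rotates the User-Agent. A human retrying their own
    password hammers a single username from a single User-Agent, so the
    distinct-user count keeps them out of the flagged set even after several failures.
    """
    flagged = {}
    for ip, s in summarize_by_ip(text).items():
        fail_ratio = s["failures"] / s["attempts"]
        many_users = len(s["users"]) >= min_users
        rotating_ua = len(s["uas"]) >= min_uas
        if many_users and (fail_ratio >= min_fail_ratio or rotating_ua):
            flagged[ip] = s
    return flagged


def accounts_to_reset(text):
    """Usernames a flagged source logged into successfully: the accounts whose
    reused password is now confirmed, which is where a targeted forced reset
    (as opposed to a site-wide one) would start."""
    hits = set()
    for s in detect_credential_stuffing(text).values():
        hits |= s["successes"]
    return sorted(hits)


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, len(s["users"]), "users", s["failures"], "failures", len(s["uas"]), "UAs")
    print("reset:", accounts_to_reset(SAMPLE_LOG))
```

Keying on distinct usernames per source rather than failures per account is what keeps this from tripping the lock-after-X-failures problem Avital mentions: a stuffing run produces at most one failure per victim account, so per-account lockout never fires on it, while a per-source view sees the whole run.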
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.