
Unwrap the Layers of Password Cracking Attacks

Mike Krass • Friday, April 8, 2022 • 15 minutes to listen




Welcome everybody to What's the Problem, the show that explores problems that practitioners, professionals, and buyers of cybersecurity products and services face in today's world. Today, we are very fortunate. We have Adil Ahmed; he goes by joining us.


Mike Krass: Ahmed, say hello to our listeners.

Adil Ahmed: Hello. Thank you, Mike. Thanks for inviting me to your show.

Mike Krass: Hey, I'm glad that you have accepted it. So Ahmed, talk to our listeners. Why are you qualified to discuss security?

Adil Ahmed: Well, yeah, I want to point out just a couple of things. Why? Why I am qualified. I have my Security+ certification by CompTIA, and I also did a boot camp called the NexGenT. It is a military-grade boot camp for cybersecurity specialists.

Mike Krass: Ahmed, thank you for explaining some of your qualifications. Now let's get into the meat of our episode today. What is a security problem?

Adil Ahmed: Current security problem still today lies in people creating easy-to-guess passwords. I listened to my favorite podcast about cybersecurity today, and it's by our Solomon. He references a security vendor called Sky Cloud, and they list quite a few common passwords that are still being used currently today. For example, people use passwords like 123456 or use six one as the password or just as the password. And then still people are like movie enthusiasts, or Marvel movie enthusiasts still choose Loki, Falcon, or Wanda as their password. Famous sports teams are still being used as popular passwords, which poses a big problem. One of the issues is that cyber hackers are capable of doing a password spraying attack, which allows them to guess the individual's password and end up with it committing a data security breach.

Mike Krass: Password spraying attack. Tell us a little bit more about that. What is a password spray attack?

Adil Ahmed: A password spray attack is simply where the attacker has a list of accounts or has access to accounts or their username, and then they also have another list like a text file of maybe hundreds of thousands of common passwords. And then what happens is that the attacker uses some software, and he kind of sprays a password onto an account and tests and runs to see if it matches. If it doesn't work on one account, then it cycles through another until it gets a hit but doesn't get a hit. Then the system selects a second password and then goes down the list of usernames until it gets a hit. So if you have a common password out there, hackers will have it in their hands and they'll run it through and this is how they will do this password spraying technique to guess your password.

Mike Krass: Password spray attack, is that an attack that can be used if a login for one of your accounts uses CAPTCHAs or reCAPTCHAs? Is that still applicable? You know, where it says, "Fine, click every square that has a car in it or has a stoplight," or something like that.

Adil Ahmed: I am too familiar with whether it's beneficial towards captcha, but I can tell you the upside that hackers do it also because they can prevent account lockouts. Before, there was a thing called Password lockout that hackers used just to do a brute force attack. In other words, they were guessing passwords, throwing in multiple passwords or combinations of passwords until they got the account opened up. But now you have good practices like locking accounts after like, three-four tries. So that method wasn't really successful, so hackers came out with a password spraying attack. So it just sends one password into the account, and then after it goes through all the list, the first account gets kind of like timed out—so kind of clears up a time to the past. So the attacker can still use another password on the same account. You know, so it kind of prevents an account lockout. That's one of the big benefits of password spraying.

Mike Krass: Yeah, I was just thinking about lockouts. If you get two or three, or four wrong entries, you get timed out for 15, 30, or 60 minutes. So, if I hear you correctly, by cycling through the different logins using the same password, that spray attack, we're avoiding the lockout on the hacker side. And the other thing that you didn't say, but I wanted to confirm with you, is because it's a common password that they're going through that list of common passwords when they actually find one of your accounts that uses it. Is it correct to say they take that password and then go back through all your other accounts, assuming that you reuse it?

Adil Ahmed: Yes, yes, that's also another thing. People do have a habit of using the same password for various accounts. So hackers do tend to do that, which makes it even riskier, makes the password practice more vulnerable, basically, because people tend to do that. You're right about that, Mike.

Mike Krass: Okay. With a spray attack, do they use cybercriminals? Do they start with easier accounts like your Yahoo email, and then once they find the accurate password or inaccurate and accepted password, they go to a bank account or something else, or does it not really matter where they start? The concept of the spray attack just works your passwords.

Adil Ahmed: Yeah, as far as I know, from what I've read and what I understand about the spray attack, there is no specific area where they attack. Maybe they're trying to hack into bank accounts, and they happen to have the password working on one user account. They may learn a lot about the user that way, they may also learn the user's email address, and they may test it out to see if these passwords are working on the bank account and work on their email accounts. So they will do that.

Mike Krass: Yeah, that makes sense. If you can get into a communication platform.

Adil Ahmed: The logical thing that a hacker would do.

Mike Krass: Yeah, that makes sense. To get into a communication platform, like your email account. Not we all, but many people use paperless banking and paperless statements, whether for your cell phone, bank account, or whatever. And so if they can get into a communication platform, then they get an idea of okay, well, where does this person bank at? Do they use them in the United States? Are they a Verizon Wireless customer or AT&T? And it seems like it's a hop point. Once you get into one system, you can start to hop between other ones and learn more about that, frankly, about that victim if we're using strong language like that.

Adil Ahmed: Right. And it's also kind of dangerous because these hackers tend to gather intel, so if they're able to get into your account, they learn more about you. They may go to your social media accounts if you're using the same password for your email to your social media accounts. All the other accounts you have, they're going to learn a lot about you, and then they will do what is called a spear-phishing attempt, where they will target you specifically, learn about your habits, know about your interest, and they will just find more ways to sabotage you. If they can't get into certain accounts, your bank account has a different password than your email and social media, they will find a way to send you the proper phishing email and find a way to get into your bank account, or if your email leads to other goals. The real thing is with attackers; it's never that simple. They may just want to get into your account, but they may be planning on the bigger pack.

Mike Krass: Sure, it's a password spray attack exactly as it sounds. It's kind of a spray trying to find access points into your different systems' accounts. But then, to your point, once they start to learn more about you, that's when social engineering starts to arrive, and they have those opportunities to execute spear-phishing attacks, which are much more pointed, much more specific. And so, while it seems like the password spraying is not a huge deal, what you got into an old email account in mind, it actually is a hop point for them to get into more of your systems.

Adil Ahmed: Alright. And that's something people don't realize. It's either that some people are under the fallacy that it's a common password, and even with a simple password, people will not be able to guess it. So these hackers will use software to do that, and if you do have a common password, they will find a way to crack it. And they use other methods besides password spray attack, and it'll do other things. That is what I wanted the listeners to understand that if you're going to have simple passwords, it's going to be cracked. So you have to make them lengthy and complex, which is also advised by the cybersecurity advisory.

Mike Krass: That was going to be on this topic. My next and last question is, how do I protect myself? So I'm hearing from you, Ahmed, lengthy, don't use the same one and don't repeat. What other tips can you give to our listeners?

Adil Ahmed: I could just say that you know what it means by lengthy. Some cybersecurity experts suggest making a good password or using a combination of three to four random words, combining them with numbers and special characters, and making sure they're at least 15 characters long. It is what I've been told. So that's a good start when it comes to creating passwords.

Mike Krass: At 15 or more characters, three to four-plus unrelated words. So it doesn't help to say Miami Beach, I love sand. That's probably not a good five-word combination, and it's a little bit too focused. Or Loyola, Chicago class of 1985, if you went to Loyola, Chicago and you graduated in 1985, it’s not a good idea.

Adil Ahmed: Not a good idea. And yeah, you want to keep just another side note. Don't use any, like popular quotes or phrases, something that is obviously out there and has to be something meaningful and unique to you. One that you may only know and nobody else can know about you.

Mike Krass: Alright. Well, Ahmed, I appreciate and know the listeners also appreciate you dropping a little bit of this knowledge when it comes to password spray attacks, brute force attacks, spear-phishing, and hop points. I really appreciate that from a practitioner's point of view. Let's finish with our fun question here. Tell us about a terrible haircut that you've had.

Adil Ahmed: I had too many terrible haircuts as far as I know. I could tell you a bad experience. Maybe I had a haircut, and I could tell you if that's okay, I'll just share that. So I had to go out of town, so I had to get a haircut quickly. So I went to a salon and experienced that person cutting my hair was in a hurry taking the scissors and coming close to my skin. She started cutting, snipping, and she just got so close. I thought she was going to cut me. In fact, she ended up cutting herself and a finger, but then it just ended up leaving my hair like half of it was buzzed off. The other side was kind of like cut too short, and it was just funky looking, and I had to attend an engagement party. So it didn't go very well. I was kind of like people were making all kinds of comments: "Your hair's all out of place, out of proportion." You could imagine like it was kind of embarrassing—that bad haircut experience. I never would be walking into a salon again.

Mike Krass: Well, Ahmed, thank you for being brave. That's the first that involves blood and hair cutting stories. Yeah, engagement parties. So you've got to first on the What's the Problem show. We appreciate you being brave and sharing.

Adil Ahmed: Sure, no problem, Mike.

Mike Krass: Awesome. Well, Ahmed, we have come to the end of our time together. To our listeners again, thank you for listening to What's the Problem, the show that explores problems that buyers, professionals, and practitioners of cybersecurity face in today's world. Thanks for listening. We'll see you next time. Ahmed, say goodbye to our listeners.

Adil Ahmed: Bye-bye. Thanks for listening, and thanks again for inviting me, Mike. Have a good day.

Adil Ahmed

Adil Ahmed is a student of the NexGenT CyberSecurity Specialist Program who is currently looking for an entry-level position as a cyber security analyst.
