09-05, 14:30–15:00 (Europe/Amsterdam), Second track
Free Taylor Swift tickets. DNA data breached. A $150 million fine for Uber. Phone records of nearly all users of a large US telco stolen. What do these incidents have in common? Stolen passwords. Off course all OrangeCon attendees use multi factor authentication and password managers. But most people don’t. Incidents caused by stolen password are (still) on the rise. According to research, stolen password are used in over 80% of recent IT security incidents. Launching a basic attack is within financial and technical reach of school kids. How to protect against account takeover attacks? Do what the bad guys are doing. And do it better! We have recovered over seven billion unique email/password pairs in the past years. In this presentation we dive into the details of password cracking at scale, and how this data can help you to keep your accounts safe.
In this presentation we dive into the process of cracking billions of passwords, and how this data can be used to protect organizations against account takeovers. Covered topics:
• Introduction. Many well-known attacks started using credential stuffing and account takeovers. Think about for example TicketMaster and Uber. But what exactly happened? What motivated hackers? What went wrong at the victims? What’s the scale of the problem?
• Password blacklisting, email breach notification, password breach notification, what are the differences? Explanation of techniques that power well-known services like HaveIBeenPwnd and products from the tech giants. They might look similar, but they are not.
• Why do most well-known defenses do not protect against account takeover attacks? Techniques like rate limiting and anomaly detection are typically not effective. More complex password policies can even work contra-productive.
• How to get raw data? For free? Without TOR? Getting raw data is easy. The amount of (semi-)publicly available data is overwhelming. Processing the data is more challenging.
• Passwords: how did it all start? History of password storage and password cracking. Lessons (not) learned over the decades.
• What’s the right tools for the job? Different password hashing algorithms have different characteristics. Some algorithms were not designed for storing passwords at all. Some other algorithms were specifically designed to not work well on generic cost effective hardware, making cracking extremely slow. How to overcome this? We have built FPGA-based crackers based on ex-Bitcoin miners, to achieve an orders of magnitude speed advantage over conventional hardware.
• How to use recovered credentials to protect accounts? So now we’ve got over seven billion email/password pairs. How to use this unique dataset to disrupt cybercrime?
• Results and conclusion.
Jeroen van Beek is a penetration tester & IT security consultant at Dexlab, and dataleak expert at Scattered Secrets. Besides cracking passwords, he likes fast red Italian motorcycles and red wine.