The Mandarin
Partner Content

Can your online credentials get stuffed? A quick guide for government…

By Julian Bajkowski

Thursday March 22, 2018

Job losses aren’t the only dark side of automation. Account takeovers powered by credential stuffing are fast becoming the new black for cyber attackers hitting government.

As a wave of cloud-powered automation sweeps across industry and government services, opportunistic miscreants around the world are learning how to harness the power of increasingly cheap machine learning to grind away at online security.

In days gone by, a strong, randomised passcode used to be the first line of defence against so-called ‘brute force’ attacks used to crack open and take control of sensitive accounts.

And while they’re still an essential primary defence, the rules of network defence and attack countermeasures are again shifting very quickly.

That’s because of the increasingly cheap availability of unsecured consumer devices remotely hijacked and pressganged into roboticised miscreant machine armies: or ‘bots’.

The upshot is ‘credential stuffing’: the automated craft of stealing and linking keys to take over personal, workplace and commercial accounts. Make no mistake, it’s a growth industry.

Bots on the march

Those charged with safeguarding the internet and government networks have detected a disturbingly sharp escalation in precursor behaviour on networks that indicates credential targeting is in full swing.

The latest edition of the State of the Internet / Security report released by the world’s largest and most trusted cloud platform Akamai assessed that more than 40% of login attempts are now malicious or hostile.

“While analysing more than 7.3 trillion bot requests per month, we found a sharp increase in the threat of credential abuse,” the report said, also noting that distributed denial of service attacks (DDoS) have also remained a persistent threat with the now infamous Mirai botnet still capable of strong bursts of activity.

Here’s how it works…

As the Internet of Things (IoT) proliferates, everything from online movie boxes in the lounge room to routers and cheap home security systems is increasingly being hijacked to smartly grind away at interlinked security credentials.

Your washing machine sends you an alert to say that it’s done, or your bike computer tells you it needs a battery recharge. Let’s face it. Nobody with an active life has the time or forbearance to lock down rudimentary labour-saving devices.

So as they proliferate exponentially, so do the number of interlinked compromised devices in the IoT ecosystem that can be used to smartly chip away at other identity credentials of higher value for a much bigger return.

We used to think of ‘brute forcing’ as a simplistic technique reliant on limited attack vectors for a relatively short timeframe. But what’s changed in that typology is that the distribution — across time, device and location — is no longer limited or immediately apparent.

The daily grind

Key web infrastructure guardians, like Akamai’s Director of Security Technology and Strategy, Patrick Sullivan, are frank about where the automation juggernaut is headed in terms of personal credentials and the escalation of threats now occurring.

Put simply, the combined commoditisation of cloud and automation is quickly reducing the barrier of effort needed to bust open accounts by crooks, spies and miscreants. That’s the fuel for credential stuffing.

“Automation is a key part of almost every attacker’s toolkit these days,” Sullivan says.

By Akamai’s estimates, the proportion of roboticised traffic going to websites today is somewhere between 30% and 40% and creeping towards the halfway mark.

But here’s the kicker: the share of bot traffic directed at sensitive areas like log-ins and access control jumps to around two-thirds of requests.

“It’s coming from a bot as part of an attack. They’re trying to take over somebody’s account,” Sullivan says. “We call that credential stuffing. It’s the first phase of an account takeover attack.”

There’s a real and hard cost too. According to the Ponemon Institute, credential stuffing attacks can cost businesses as much as US$2.7 million on an annual basis.

Stuffing: the golden goose

Cast your mind to the persistence of large (and small) data breaches that have now become endemic and it’s not difficult to appreciate how data “spilled” from compromises is quickly weaponised at a mass market scale.

“It could be a large mail provider, it could be a dating site, it really doesn’t matter, as long as there are credentials,” Sullivan observes. “They just retry those across logins that are exposed to the public Internet.”

Sullivan asserts that bots now just keep hitting log-in interfaces until something gives. Nothing really new there — but what’s changed is the distribution patterns used to evade detection.

Insecurity by numbers

In a similar technique to high frequency and algorithmic trading on legitimate markets, stabs at credential compromises are chopped up and sprayed from anywhere and everywhere to obfuscate their actual source.

It’s a numbers game and the agile mantra of ‘cheaper, better, faster’ doesn’t just apply to the good guys.

“They’ll get low single-digit percentage point success, but once that credential stuffing is successful, the attacker may outsource the monetisation phase to another group, or they may run that full account takeover attack themselves,” Sullivan says.

The typology looks like this.

On a typical day, Akamai monitors more than 2,750 bot requests per second, which accounts for more than 30% of all pure web traffic (excluding video streaming) across its platform. Of the 17 billion login requests tracked through the Akamai platform in November 2017 and December 2017, almost half (43%) were used for credential abuse.

So while most traffic is legitimate (for the time being) the botnets usually responsible for launching DDoS attacks are also being used to abuse stolen login credentials.

Martin McKeay, senior security advocate and senior editor of the State of the Internet / Security report says that “increased automation and data mining have caused a massive flood of bot traffic to impact websites and Internet services.”

In terms of scale and raw power it means hostile actors now manipulate the powerful volume of bots for nefarious gains, McKeay says.

“Enterprises need to watch who is accessing their sites to differentiate actual humans from both legitimate and malicious bots. Not all web traffic and not all bots are created equal.”

Neighbourhood threat

An established security parameter for government and industry to date has been internet protocol (IP) address blocking or geo-blocking. Kiss goodbye to that.

Automation is now blended with crooked, if basic, machine learning. What’s powering that is not laptops and desktops and servers — but millions of el-cheapo, unsecured IoT devices open and ready to be unwitting slaves.

For example, security controls based on IP request rate and location can now be fooled because miscreant access to IoT devices means an onshore attack can be constructed and executed from anywhere.

That has big operational and customer service implications.

Global intelligence, local response

“Just blocking on the IPs that participate in these attacks carries a lot of risks,” Sullivan says. “That’s no longer a feasible solution, because you’re going to block valid users at the same time.”
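Sullivan’s point, that a per-IP block or rate limit sees nothing once attempts are spread one-per-source across many hijacked devices, can be made concrete with a small detector. This is an added example, not code from the article or from Akamai; the log lines, field layout and thresholds are constructed for illustration, and the aggregate signals shown (window failure ratio, number of failing sources, accounts touched) are one defender-side view of what rate limiting alone misses.

```python
"""Credential-stuffing indicators over constructed login events.

Added example (not the article's or Akamai's code). Compares a
per-source rate limit with aggregate signals on the same window.
"""
from collections import Counter, defaultdict

# Constructed log lines: "time source_ip username result".
# Each hijacked source tries one leaked credential once; one real
# user (alice) mistypes her password and then succeeds.
LOG_LINES = """\
12:00:01 203.0.113.10 alice ok
12:00:02 203.0.113.11 bob fail
12:00:02 203.0.113.12 carol fail
12:00:03 203.0.113.13 dave fail
12:00:03 203.0.113.14 erin fail
12:00:04 203.0.113.15 frank fail
12:00:04 203.0.113.16 grace fail
12:00:05 203.0.113.17 heidi fail
12:00:05 203.0.113.18 ivan ok
12:00:06 203.0.113.19 judy fail
12:00:06 198.51.100.7 alice fail
12:00:07 198.51.100.7 alice ok
""".splitlines()


def parse(lines):
    """Turn the constructed lines into event dicts."""
    events = []
    for line in lines:
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "ok"})
    return events


def per_ip_rate_limit(events, max_fails_per_ip=5):
    """Traditional control: flag any single source with many failures."""
    fails = Counter(e["ip"] for e in events if not e["ok"])
    return sorted(ip for ip, n in fails.items() if n >= max_fails_per_ip)


def stuffing_indicators(events, min_events=10, max_fail_ratio=0.5):
    """Aggregate view of the same window: failure ratio, how many distinct
    sources are failing, how many accounts they touched, and the most any
    one source failed (low when the attempts are spread out)."""
    fails = [e for e in events if not e["ok"]]
    fail_ratio = len(fails) / len(events) if events else 0.0
    users_per_ip = defaultdict(set)
    for e in fails:
        users_per_ip[e["ip"]].add(e["user"])
    return {
        "fail_ratio": round(fail_ratio, 2),
        "failing_sources": len(users_per_ip),
        "distinct_users_failed": len({e["user"] for e in fails}),
        "max_fails_per_source": max(Counter(e["ip"] for e in fails).values(), default=0),
        "alert": len(events) >= min_events and fail_ratio > max_fail_ratio,
    }
```

On the constructed window the per-IP limiter flags no source at all, while the aggregate view shows nine failing sources touching nine accounts with a 75% failure ratio, which is the shape the article describes.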

Sullivan is candid in his assessment that there is no silver bullet or turnkey solution to the shifting security landscape. This said, he observes that any government agency involved with distribution or collection of money is in the same boat as banks or other higher value financial credentials.

And the more sensitive the data, the higher the premium, especially as digital government takes hold.

Good security intelligence has a price; the costs of insecurity are yet to be determined.


About the author

By Julian Bajkowski

Julian Bajkowski is an award-winning journalist, editor and adviser who specialises in explaining developments in business, technology, policy and finance. Prior to becoming managing editor of The Mandarin, he worked in senior editorial roles at the Australian Financial Review, ACP, IDG and the Intermedia Group, and has been a public policy and corporate affairs adviser at MasterCard.

People: Patrick Sullivan

Companies: Ponemon Institute

Departments: Australian Federal Police Australian Public Service Australian Securities and Investments Commission Australian Security Intelligence Organisation Australian Signals Directorate Australian Tax Office Centerlink

Partners: Akamai

Tags: Botnet brute force attack cloud computing credential stuffing Internet of Things IoT machine learning Mirai
