
SANS ISC: InfoSec Handlers Diary Blog



Password Reuse Strikes Again!

Published: 2020-08-17
Last Updated: 2020-08-17 23:12:21 UTC
by Rick Wanner (Version: 1)
0 comment(s)

Over the weekend the Canada Revenue Agency (CRA), the Canadian equivalent of the U.S. IRS, shut down its online accounts due to account compromises that began at least a couple of weeks ago. Once the bad guys had access to an account they would change the user's email address and banking information and attempt to apply for or redirect COVID-19 benefits.

While this is the public view, the issue is actually bigger than the CRA. It affected accounts associated with GCKey, the Government of Canada's online portal system. The CRA accounts were just the ones that had the most immediate benefit to the bad guys. Early indications are that approximately 0.08% of the 12,000,000 GCKey accounts (9,000+) were compromised!

The easy thing to do is blame the CRA and the Government of Canada for this compromise. While they are not completely blameless, they made a choice to trade off ease of access for ease of use, a decision content providers make every day. This is what makes this particular attack really sad. This attack was not at all sophisticated, but it was entirely preventable through good online practices. The accounts were not compromised using some clever attack exploiting a zero-day vulnerability, or some other sophisticated attack/compromise. The attack was credential stuffing, i.e. replaying credentials compromised from other websites against GCKey to see which ones would work.
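Credential stuffing has a recognizable shape in login logs: a single source walks through many distinct usernames with mostly failures and the occasional success, whereas a legitimate user retries one account. The detector below is an added example (not code from the ISC, GCKey or the CRA); the log format, the thresholds and the sample log lines are all constructed for the example, and the summary it returns for a flagged source lists the accounts that succeeded so they can be forced through a password reset.

```python
"""Heuristic credential-stuffing detector over web-login audit logs.

Added example. The log line format, the IP addresses, the usernames and the
thresholds below are constructed assumptions, not any real system's logging.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) log line format:
#   <ISO timestamp> login src=<ip> user=<username> result=<success|failure>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed sample: one source trying eight accounts with two hits,
# and one legitimate user mistyping their own password twice.
SAMPLE_LOG = """\
2020-08-15T02:00:01 login src=203.0.113.7 user=alice result=failure
2020-08-15T02:00:02 login src=203.0.113.7 user=bob result=failure
2020-08-15T02:00:03 login src=203.0.113.7 user=carol result=success
2020-08-15T02:00:04 login src=203.0.113.7 user=dave result=failure
2020-08-15T02:00:05 login src=203.0.113.7 user=erin result=failure
2020-08-15T02:00:06 login src=203.0.113.7 user=frank result=success
2020-08-15T02:00:07 login src=203.0.113.7 user=grace result=failure
2020-08-15T02:00:08 login src=203.0.113.7 user=heidi result=failure
2020-08-15T02:01:00 login src=198.51.100.9 user=ivan result=failure
2020-08-15T02:01:20 login src=198.51.100.9 user=ivan result=failure
2020-08-15T02:01:40 login src=198.51.100.9 user=ivan result=success
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ok": m.group("result") == "success",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_rate=0.5):
    """Return {source_ip: summary} for sources that, within any `window`,
    attempted at least `min_distinct_users` different accounts with a success
    rate of at most `max_success_rate`. The summary kept for each source is
    the widest qualifying window (most attempts)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            successes = sum(1 for e in chunk if e["ok"])
            rate = successes / len(chunk)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                if best is None or len(chunk) > best["attempts"]:
                    best = {
                        "attempts": len(chunk),
                        "distinct_users": len(users),
                        "successes": successes,
                        # Accounts whose credentials worked: reset these first.
                        "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The thresholds are deliberately loose so the shape is visible on a handful of lines; on a real portal they would be tuned against normal traffic, and sources behind shared NAT (a campus, a mobile carrier) will need the distinct-user threshold raised or a per-account view added alongside the per-source one.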

As much as I would like to see passwords eliminated as a primary form of authentication, unfortunately, passwords are not going away anytime soon.  We can hope that the adoption of MFA and other technologies will make passwords less important, and less exposed, in the future. Even then we will still need to count on users to utilize good password practices.  You don’t have to remind me.  I am aware that users are the weakest link, but I am also aware that the only reasonable solution in the short term is good password management practices.  

I know I am preaching to the choir. All I can ask is that, as technology-literate people, we continue to help our less technology-literate friends understand that password reuse is bad. It can lead to online identity theft, as in this case, or possibly outright identity theft, which can ruin your life for years. If we can teach them how to use a password manager so they don't even need to know their passwords, perhaps we can save them a world of hurt.

Friends don't let friends reuse passwords!

Thanks for allowing me to rant!

https://blog.f-secure.com/how-good-or-bad-is-your-password-hygiene/

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)
