Password RBL Unaffected by Log4j Vulnerability

Password RBL is not impacted by this log4j vulnerability because Password RBL does not utilize this library in any systems.

This should not be surprising, since Password RBL has a zero-logging policy.  Thus, Password RBL has no need for a code library that provides advanced logging services.  But it is important for subscribers to know that Password RBL is unaffected by this recent vulnerability and continues to be a secure and easy way to prevent bad passwords before they happen.

Update on Additional Vulnerabilities

Since the original positing of this statement, additional vulnerabilities in the log4j library have been disclosed.  Password RBL remains unaffected by these additional vulnerabilities as well, since Password RBL does not utilize the log4j library at all.

Not a customer?

If you are not yet a customer of Password RBL but are interested in better passwords for your organization, then follow this link to learn more and read about why our zero-trust solution for better passwords really is secure.  Our solutions are easy to use and subscription costs are very reasonable.  Subscribe today!

The post Password RBL Statement on Log4j Vulnerability appeared first on Password RBL.

MFA

As we know, Multi-Factor Authentication (MFA) is a great way to combat potential account takeovers or just general bad password hygiene.  Even when MFA is used, Password Blacklisting still makes sense.  But if MFA is not in use, then Password Blacklisting is an absolute must!   Unfortunately, the report found that 52% of people have never heard of MFA.  This makes enforcing strong passwords even more important.  But why is this?  Well, 64% say they have no access to MFA, and another 10% say they do have access MFA, but choose not to use it.

Responsibility

Additionally, the data indicates a significant proportion of people simply do not see themselves as responsible for looking after their workplace’s sensitive information.  Over a third (40%) of the full-time and part-time employees participating in this report considered themselves to be the least responsible agency for their organization’s cybersecurity.  That means that nearly half of your employees don’t think it’s their responsibility to choose a strong password!  This statistic is alarming and makes the case for all businesses to deploy Password Blacklisting in order to prevent users from choosing poor passwords.

Passwords

Speaking of passwords, the report also discovered some alarming, but simultaneously not surprising, statistics on real-life password behaviors.  Only 43% of participants reported creating long and unique passwords for their online accounts “very often” or “always”. However, almost a third (28%) stated that they didn’t do so.  A third of real-life users are knowingly choosing weak passwords!  That’s a big number!

But about the more middle-of-the-road, average password behavior.  It’s still not great.  A majority (58%) of the respondents say they only “sometimes” (30%), “rarely” (18%), or “never” (10%) create long (12 character) and unique passwords.  This is probably because use of a stand-alone password manager application, which would create these long unique passwords, was uncommon, with almost half (49%) of the participants noting they ‘never’ or ‘rarely’ used one.

Not Great.  But What To Do?

The full Cybersecurity Attitudes and Behaviors report (available here) contains lots more information and statistics.  But even with just the few takeaways mentioned above, it’s clear that more work needs to be done.  Deployment of Multi-Factor Authentication would absolutely help, but by 2021, the reason MFA isn’t completely pervasive is because of many real-life problems, including end-user adoption woes, cost to the business, supportability, and definitely incomplete deployments since businesses commonly support legacy systems which have no concept of MFA – or anything other than usernames and passwords, really.

Enter Password Blacklisting – the incredibly affordable and easy to use solution to the bad password problem.  Password RBL has drop-in support for Microsoft Active Directory (and anything linked to AD) and a dead-simple API that can be incorporated into basically anything else.  The return on investment (ROI) of a subscription to Password RBL makes deployment an easy choice – for IT and decision makers.  See our solutions in action and request a free quote today!

The post Cybersecurity Attitudes and Behaviors Report appeared first on Password RBL.

Reason 1 – Exceptions

First off, it is very common that when MFA gets implemented, there will be exceptions for systems/services that just do not (yet) support MFA.  Each of these applications/services are holes in your organization’s security and attackers will find them.  Most MFA rollouts have at least one of these apps/services that still rely on classic username and password authentication.  As many organizations found out the hard way in the summer of 2020, MFA is great, but if your company VPN solution doesn’t use/support it, then very bad things can happen.  Attackers can log into the company VPN, impersonating a real company user.  Once attackers have direct access to the interior of company networks, it is as if the bad guys are freely roaming the isles of the company datacenter.  Nothing good becomes of that!

Reason 2 – MFA Bypass

Another great reason to keep password blacklisting around is that as the prevalence of MFA deployments increases, attackers are changing their ways and are figuring out how to bypass MFA altogether.  There have been numerous high-profile MFA-bypasses in the past year.  A quick google search shows reports on many of them.  But the most disastrous MFA bypass has to be the Solarwinds supply-chain attack announced in late 2020.   In order for the attackers to gain access to the source-code of Solarwinds’ popular Orion platform, they first had to bypass the MFA that Solarwinds had deployed.  Spoiler alert, the attackers were able to bypass Duo MFA and injected malicious code into the Solarwinds source.   The Cybersecurity and Infrastructure Security Agency (CISA) in the US issued an advisory about attackers combining numerous different attack methods, but notably, MFA bypasses.

The Bottom Line

The answer is clear: you should deploy both Password Blacklisting and Multifactor Authentication.  MFA deployments can stress the budget, but whereas the cost for a Password RBL subscription is quite reasonable.  If you do not have the budget for MFA, then Password RBL blacklisting is a perfect first step – providing an effective addition to your security makeup and fantastic ROI.  And if you do already have MFA deployed (or the budget to do so), then you can inexpensively add Password RBL blacklisting for a fraction of the total cost.  Either way, Password RBL is for you!  Check out our Packages for Small & Medium Business or request a free quote if your organization is larger.

The post Got MFA? Good. But You Still Need Password Blacklisting appeared first on Password RBL.

The attack is quite simple.  A regular end-user has a bad password.  Attackers can figure this out in the typical manner – a password spray or credential stuffing attack.  Once they know the credentials for a user account, the attackers perform a scan of the companies public infrastructure to find the VPN device.  They log into the VPN with the compromised credentials and now have direct network connectivity. The attacker uses this recent Netlogon vulnerability to gain SYSTEM level permissions on the domain controller which means that can basically do anything they want after that, because they can create a new Domain Administrator account.

And now with a Domain Administrator account in hand, the attacker can trigger a very thorough crypto-malware attack across the entire organization.  Ransomware with the reduced privileges of a normal end-user account is bad enough.  But ransomware from a Domain Administrator can be debilitating.  Not only can it encrypt important company data, but also system files which can bring down every Windows systems.  Most companies have good backups of servers.  But most companies do not back up workstations.  It could take weeks or months to rebuild or replace all the workstations.

Obviously, organizations need to follow Microsoft’s guidance on patching this vulnerability as soon as possible.  But there has been similar vulnerabilities before, and there will surely be similar ones in the future.  So, organizations should also deploy Password Firewall for Windows to prevent the use of bad passwords that lead to account takeover and much, much worse.

The post Bad Password + Zerologon = Ransomware appeared first on Password RBL.

Password spraying is when attackers simply guess the passwords of known accounts using a list of common passwords.  It is a crude, brute-force method, but can be incredibly effective when the target businesses don’t employ the necessary defenses.

The worst part of a password-based attack is when it is successful.  It is possible to detect while the attack is happening (for example, there more authentications per time period than expected), but it is nearly impossible to detect when an attacker successfully logs into a target account.  This is because that login event “looks” just as legitimate as the actual account owner using the same credentials to log into the same account.  In fact, Citrix did not even realize hackers were actively breaching their network.  The FBI contacted Citrix in March, 2019 to inform them that they believed the cyber-criminals had gained access to Citrix’s internal network.

Because these unauthorized logins do not raise any alarms, the Citrix attackers were able to continue logging into the victim accounts and root around the inside of Citrix’s corporate network for five months!  They have plenty of time to discover the interior systems and data layout and thus, were able to make off with a swath of proprietary data, social security numbers and other personal identity data, as well as payment card information.

To prevent such an attack, all Citrix needed to do, was employ Password Blacklisting.  Yes, Multi-Factor Authentication (MFA) is an effective defense against password-based attacks, too, but there are commonly many reasons MFA doesn’t get deployed [everywhere] including, cost, complexity, incompatibility, end-user training, and more.  But Password Blacklisting is simple, affordable, best yet, incredibly effective.

Password RBL has solutions for all size customers, are super-easy to deploy and use, and provide the power of 3 password blacklists.  Get started today – costs are typically just a few dollars per user per YEAR (yes, per Year, not per month).

The post Password-based Hack of Citrix appeared first on Password RBL.