Have you ever wondered what cybercriminals do with all those passwords and usernames they gather after a data breach like the one Yahoo suffered? Yes, we know they sell them on the dark web or use them to access more information about individuals or companies. But according to research from Akamai Technologies, Inc., those stolen passwords and usernames are also being tested on the various devices that make up the Internet of Things (IoT). As The Wall Street Journal explained:
The network security provider on Wednesday said it has new evidence that hackers spent several months or more manipulating as many as two million “smart” devices in homes and businesses to test whether stolen usernames and passwords were able to access others’ websites, known as “credential stuffing campaigns.”
As Krebs on Security reported, this is not a new tactic, as the bad guys have used PCs as test engines or proxies in the past. We shouldn’t be surprised, he added, that hackers have moved on to IoT. Security in most IoT devices continues to be an afterthought. Without any security tools in place to protect the devices, they are sitting there just waiting to be compromised.
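The campaigns described above leave a recognizable trace in a site's own login logs: one source tries many different usernames, roughly one guess per username (because each stolen username already comes paired with its password), with a low success rate. The following is an added example written for this article, not code from Akamai, Krebs or the WSJ; it runs over a handful of constructed log lines in a hypothetical `timestamp src_ip username result` format and reports which sources fit that pattern.

```python
"""Flag credential-stuffing behaviour in web-login logs (added example).

The log format below is an assumption for illustration; a real deployment
would read the application's own authentication log.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 cycles through six usernames with one guess
# each (stuffing); 198.51.100.23 is one user who mistyped a password once.
SAMPLE_LOG = """\
2016-10-12T08:00:01Z 203.0.113.7 alice FAIL
2016-10-12T08:00:02Z 203.0.113.7 bob FAIL
2016-10-12T08:00:03Z 203.0.113.7 carol FAIL
2016-10-12T08:00:04Z 203.0.113.7 dave SUCCESS
2016-10-12T08:00:05Z 203.0.113.7 erin FAIL
2016-10-12T08:00:06Z 203.0.113.7 frank FAIL
2016-10-12T08:01:10Z 198.51.100.23 alice FAIL
2016-10-12T08:01:20Z 198.51.100.23 alice SUCCESS
"""


def parse_log(text):
    """Yield (timestamp, src_ip, username, result) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield ts, ip, user, result.upper()


def summarize_sources(text):
    """Per source IP: set of usernames tried, total attempts, successful logins."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for _ts, ip, user, result in parse_log(text):
        entry = stats[ip]
        entry["users"].add(user)
        entry["attempts"] += 1
        if result == "SUCCESS":
            entry["successes"] += 1
    return stats


def stuffing_sources(text, min_users=5, max_attempts_per_user=2.0):
    """Return sources whose traffic looks like credential stuffing.

    Many distinct usernames with about one attempt each is the stuffing
    signature; a brute-force or spray source instead hammers few usernames
    with many attempts. Thresholds are illustrative, tune them per site.
    """
    flagged = {}
    for ip, entry in summarize_sources(text).items():
        n_users = len(entry["users"])
        per_user = entry["attempts"] / n_users
        if n_users >= min_users and per_user <= max_attempts_per_user:
            flagged[ip] = {
                "distinct_users": n_users,
                "attempts": entry["attempts"],
                "successes": entry["successes"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info}")
```

Because the attackers in the Akamai report spread their tests across as many as two million device addresses, a per-IP threshold alone will miss a slow, distributed campaign; the same summary keyed by time window across all sources (a sudden jump in distinct usernames failing site-wide) is the complementary view.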
However, the weak security in IoT is only part of the problem. Users continue to be complacent about password-related security, as Brad Bussie, CISSP, Director of Product Management, STEALTHbits, said to me in an email comment:
The main problem facing the Internet of Things stems from the common vulnerability known as the default password. How many devices do consumers purchase that have a default username and password that are never changed? Many Internet routers, cable boxes and other devices connected to the Internet all have default profiles used for configuration. The intention is for the end users to change the default password or to even create another user account once the device setup is complete, but most devices do not enforce this activity. So what are we left with? Millions of devices with admin and password as the only login information that an attacker needs. Gone are the days where simply being behind a firewall that's set to deny most incoming traffic means a protected device.
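The gap Bussie points to is that the device accepts its factory credential indefinitely. What enforcement looks like, as an added example and not code from any vendor or from STEALTHbits, is below: a hypothetical device login that treats the correct factory password as permission to do exactly one thing, set a new password, and rejects a replacement drawn from a small constructed list of common factory passwords (the article's own example, admin/password, included).

```python
"""Admin login for a hypothetical IoT device that will not keep its
factory password (added example). Storage uses salted PBKDF2 so the
device never holds the password itself.
"""
import hashlib
import hmac
import os

# Constructed list of factory/common passwords to refuse; a real device
# would ship its own, larger list.
KNOWN_DEFAULT_PASSWORDS = {"password", "admin", "1234", "12345", "123456", "default", ""}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    def __init__(self, factory_user="admin", factory_password="password"):
        salt = os.urandom(16)
        self._accounts = {factory_user: (salt, _hash(factory_password, salt))}
        # Accounts still on their factory credential; cleared on first change.
        self._must_change = {factory_user}

    def _verify(self, user, password):
        entry = self._accounts.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash(password, salt))

    def login(self, user, password):
        """Return 'REJECTED', 'MUST_CHANGE_PASSWORD' or 'OK'."""
        if not self._verify(user, password):
            return "REJECTED"
        if user in self._must_change:
            # Correct factory credential: allow only the password-change
            # step, no configuration access.
            return "MUST_CHANGE_PASSWORD"
        return "OK"

    def set_password(self, user, old_password, new_password):
        """Replace the password; refuse weak or factory values."""
        if not self._verify(user, old_password):
            return "REJECTED"
        candidate = new_password.lower()
        if (len(new_password) < MIN_PASSWORD_LENGTH
                or candidate in KNOWN_DEFAULT_PASSWORDS
                or candidate == user.lower()):
            return "WEAK_PASSWORD"
        salt = os.urandom(16)
        self._accounts[user] = (salt, _hash(new_password, salt))
        self._must_change.discard(user)
        return "OK"


if __name__ == "__main__":
    device = DeviceAuth()
    print(device.login("admin", "password"))          # MUST_CHANGE_PASSWORD
    print(device.set_password("admin", "password", "password"))  # WEAK_PASSWORD
    print(device.set_password("admin", "password", "correct horse battery staple"))  # OK
    print(device.login("admin", "password"))          # REJECTED
```

The important property is the state machine, not the hashing: until `_must_change` is cleared, the factory credential grants nothing but the change-password step, so a device left at admin/password gives a stuffing campaign no foothold even if the owner never completes setup.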
Plus, companies are failing at protecting passwords in general. For example, eSecurity Planet reported on a CyberArk study that found:
40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick.
To sum it up, we have a weak and too often unprotected authentication method (passwords) that is stolen during a data breach and is in turn being used to compromise devices with weak to no security (IoT), and my guess is that most of us still won’t do anything to strengthen our passwords, better protect our passwords and be smarter about IoT security. It’s a nasty cycle.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.