Lieberman Software
  Follow us on Twitter  Follow us on LinkedIn  Blog  Lieberman Software on
                            YouTube  Google Plus
January 2014      

Top of Mind

Common Credentials and the Recent Attacks of Retailers

Philip Lieberman, President & CEO
Lieberman Software

Over the last few years I and other staff members of our company have been presenting a presentation deck called The Common Credentials Dilemma.

The slide deck outlines a series of scenarios we keep seeing in the field where companies set all of their machines/devices to the same password and also create password spreadsheets that are available on public shares. The deck also goes into a series of other scenarios such as not changing privileged account passwords after employees leave.

In the deck we also explore some of the scenarios that can occur when malware infects a company machine. Once malware is in place within a company machine, the attacker can install a key logger to record accounts and passwords typed, install one or more network scanners to look for additional resources (i.e. password spreadsheets, certificates, private keys), and run programs like Metasploit to find weaknesses in systems so that they can be taken over remotely.

Another weakness covered in our deck is the common use of factory default passwords in production. In the Target breach, one of the transcripts of the hackers show they exposed common point of sale passwords used such as “micros”, “pos”, “123456” and others.

The other scenario also described in the deck is the Rainbow Table Attack whereby the attacker exfiltrates the password hashes on the local machine and then attempts to find a match between clear text and the hashes generated.

Lessons Learned From the Target Attack

We do regular CIO/CISO briefings all over the world and one of the common refrains from C-level execs working at retailers is that they have little interest or motivation for fixing the problems that nailed Target. Part of the lack of motivation is due to the naivety and gross incompetence of their auditors, followed by a lack of financial resources being provided by the CEO and CFO.

The other element of the Target breach that was interesting was that not all stores were breached. A subset of stores that were on different networks and had different credentials for access were apparently untouched.

In the report of remediation after the attack, try to guess what was the first thing done by the “security experts”? Yes, that is correct; change the passwords of their systems.

Preaching the Gospel

We have been preaching the use of fully automated password randomization of all end points for years and have developed technology to accomplish this at massive scale with little need for human labor. Had Target deployed our solutions, they would not have had this massive breach. Further, they could have deployed our solution to all stores in less than one day.

How Clueless are CEOs at Major Corporations?

Along the lines of gross negligence and amazing ignorance regarding IT security, I found this quote from the former CEO of Costco stating that they don’t have any significant security issues because they only accept AMEX cards.

Given that many of the credit card hacks were accomplished by installing memory scrappers in the point of sale terminals to capture the credit card details, and given that AMEX has just as many problems with credit card theft as its competitors, this statement from the former Costco CEO is irresponsible.

Shout Out to Our Competitor

One of the common questions potential customers ask us is how we are different from our competitors. We answer simply: our solution can be deployed and remediate most of your environment in less than one day, even if it is gigantic. How is this possible? We are the only vendor that provides end-to-end automation as well as continuous discovery and remediation.

Target decided to purchase our competitor’s offering. Our competitor took great delight in putting the Target logo on their presentation slides. We are not aware of what happened after the purchase, but it would appear that our competitor’s solution did not randomize the point of sale system credentials, nor did it manage the credentials of their servers since these too were compromised. Or so we surmise…

It will be interesting to see whether or not the forensic investigation will highlight why technology deployed to protect against such a breach failed to do its job. Maybe our competitor owes it to the industry to publicize why their system failed to protect privileged access to help avoid similar accidents in the future.

Maybe Target can explain why having purchased technology to protect against this very thing, it didn't do its job. Just one more piece of shelfware? Maybe it wasn't the technology that failed but the company that failed to properly implement the technology - like an airline that doesn't carry out the manufacturers recommendations. In any case, it is necessary to get to the bottom of this to protect our critical infrastructure and economy.

Theories of why our Competitor’s Solution Failed to Protect Target

In any cyber-warfare scenario, the goal is to capture as much of the infrastructure as possible as quickly as possible. The strategy is known as “land and expand”. It is generally pretty easy to get a foothold in an environment using malware and from there, look for and exploit weaknesses in security.

Our technology is designed to operate like the attackers, doing continuous discovery of weaknesses. In the case of our product, we add the automatic remediation step to close the net immediately. We also make sure that each system has unique credentials so that at most, an attacker only can compromise a single machine via malware.

Our competitor’s design requires humans to do interactive discovery, change imports, mapping and remediation as well as custom development. If organizations don’t have the budget to hire an army of workers to keep their solution fed and happy, the work does not get done. Our best guess (and it is a guess), is that our competitor’s solution was never fully deployed for a variety of reasons that are shared between the vendor and the client.

Our Mission

Our mission has been to take humans out of the security process and use automation to keep systems secure. Via automation, there is no reason to delay the deployment since human resources are not needed for remediation.

Although many analysts and customers would have you believe that privileged identity management is now a generic offering suitable for the lowest price decision, we strongly disagree. There are many generic secret vaulting solutions on the market that depend on humans to keep the vaults loaded and require armies of developers to write connectors for your environment. We believe these solutions are practically useless against real attackers and only serve to deceive auditors that you are “doing something”. Without our full automation technology (which is not generic) you are easy pickings for criminals and nation states.

Ask Target how their analyst and auditor selected generic solution worked out for them. Then ask our customers who are secure and can prove total control. We charge more for our solutions because they provide real security and are designed to protect governments and the largest companies in the world.

I can only guess that our competitor is erasing Target from their reference account slides.

What do you think? Email me at: You can also follow me on Twitter: @liebsoft or connect with me via LinkedIn.
What's New in Identity Week

Featured commentary on our
Identity Week blog this month includes:
  • 2014 IT Security Predictions. Guest Post by Prateek Gianchandani. With the new year now upon us, what IT Security Trends can we expect to see in 2014? To find out, we turned to the experts at the InfoSec Institute...

Events / Press / Analysts
  • What's next for Target -- and its customers? USA Today. Low cost, low price retailers have a real challenge when it comes selling their goods at slim margins, while also running information technology shops on tiny budgets.
  • IT Life: From Mainframes To Startups. TechWeek Europe. Calum McLeod is EMEA vice president of security firm Lieberman Software, but he started in the days of mainframes. He may have set off with a holy ambition but was quickly seduced to piracy...
  • Target now says up to 110 million customers victimized in breach. San Jose Mercury News. In yet another disturbing revelation about its massive data breach, Target said Friday that 70 million to 110 million customers were victimized -- far more than it initially disclosed -- potentially making the attack among the worst ever.
  • Evolution of the Cloud as a Security Platform. TechZone 360. The cloud has always had the potential of being a cost-effective and elastic computing resource for customers. However, security has long been an issue that impeded adoption by many customers.
  • Password Manager Makes Move to the Cloud. Virtualization Review. For large organizations, managing privileged accounts, such as root and administrator, has been a task so sensitive it could only be handled on-premises -- until now, says Lieberman Software. The security management company is making its Enterprise Random Password Manager privileged identity management tool available on the Windows Azure platform.
  • Lieberman Intros Privileged Identity Management For Windows Azure. Dark Reading. Lieberman Software Corporation announced that its privileged identity management (PIM) product, Enterprise Random Password Manager&trade (ERPM), is now available on Windows Azure, Microsoft's cloud hosting platform. ERPM can deploy in less than an hour in Windows Azure to automatically find, manage and secure the privileged identities located in Azure or on-premises.
  • India in 2014: Ready to Bounce Back. IDG Connect. When Huawei and ZTE attracted the suspicion of India’s Research and Analysis Wing (RAW) intelligence agency, swift and decisive action was taken against the Chinese telecoms equipment makers.
  • Windows Azure users get secure password manager. CloudPro. Organisations using Windows Azure will be able to use a new password manager in the cloud after Lieberman Software has made its privileged identity management (PIM) product, Enterprise Random Password Manager (ERPM), available on Windows Azure.
  • The Death Of Outsourcing. Information Security Buzz. What does 2014 bring for the security industry? Calum MacLeod, VP of EMEA at Lieberman Software Corporation shares his opinions.

Tech Tip of the Month

Got Audit Reports?

Need to see what BIOS level, service pack and application is on every Windows machine? Want to report on and make global changes to user credentials, group memberships, files, policies, rights, shares, NTFS permissions, registry settings, audit settings and more?

With User Manager Pro Suite, you can gain convenient access to real-time reports on all of the system data collected and modify settings directly from interactive reports. Provide reports to security auditors and verify that you are in compliance with regulatory standards.

Lieberman Software Corporation respects your right to privacy, and believes any information you provide us should be protected from disclosure to others. For more information, please read our privacy policy. You are receiving this email because you have granted us permission to contact you. If you do not wish to receive email messages from Lieberman Software in the future, please click here.

Lieberman Software Corporation
1900 Avenue of the Stars, Suite 425
Los Angeles, CA  90067
           |    (01) 310-550-8575  |