Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Password Stealers
Quick Take
On this episode of Compliance Unfiltered, the CU guys cut to the chase on thieves in our midst and chat openly about the various types of password stealers currently wreaking havoc on a largely unsuspecting public.
How do they work? How do you know you have one on your machine? What should you do if you find one?!
All these answers and more on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the spaghetti to your compliance Bolognese, Mr. Adam Goslin. How the heck are you, sir?
I’m doing good, Todd. How about yourself?
I’m good. Are you moving a two-bedroom apartment over there?
No, just apparently adjusting myself makes more noise than should be legally allowed.
Just wait till the motion alerts go off, then it’s going to get really exciting. Let me tell you what. Well, listen, man, I’m thankful you’re here. I’m also thankful, Adam, for those listening. Those of you at home who take the time each and every week to put us in your earbuds or however it is that you consume this fine podcast, we are thankful. Please, whether you are in the compliance space or not, if you have a friend in the compliance space that you think would appreciate our content, let them know, give them a heads up that we exist. We’re available on all major podcast platforms.
This week, Adam, we’re talking about thieves. That’s right. Password stealers. For those that may not be in the know, why is knowing about password stealers important?
Well, when it comes to protecting organizational sensitive information, password protection is one of the most critical elements when you’re running your organization. In some cases, a single password can open up a door for bad actors to break into your entire network, exfiltrate proprietary information, employee data, sensitive customer information, all sorts of fun stuff.
So in most organizations, the employees are usually the weakest link. People use weak passwords, they reuse their passwords, they make their login credentials easy to discover in various other ways, and other times they’ll unknowingly download a password stealer. Those can discover even the strongest and best guarded login credentials. So it’s definitely something for the folks out there to be paying attention to.
Now, tell me more about what password stealers actually are.
So, it’s a kind of malware, spyware, that gets installed secretly on a machine. It’s a type of Trojan software that makes its way across a network. Somebody opens up the wrong file in their email or executes a program they downloaded from the wrong website, and without their knowledge or consent, the file’s installed onto the machine and begins working away in the background undetected. And depending on the organization, it could be months before somebody has any clue what all happened, or the fact that they may be at risk, that anything got stolen. So, it’s a pretty big deal from that perspective.
No doubt about it. Now, how do these things actually work?
Well, their job is to sit in the background and capture authentication credentials, but oftentimes, if the software has gotten that far, it’s usually bigger than just simply passwords. The malware is effectively scraping login information as you’re entering your credentials on your machine, so as I’m on my machine typing into the username and password fields, it’s gathering up that information. It is actively watching for login prompts, collecting keystroke information, and exfiltrating any gathered data to secondary locations that would ostensibly be accessible by the bad actor. That exfiltration can happen in a number of different ways. They could be posting it to a secondary website, which is just a redirect to maybe another indirect redirect, etc., to finally get back to the bad actor. But they could be doing this through web calls, FTP calls, pretty much any port that they desire; they’d be able to leverage it for pushing this information and data out. More often than not, they use, we’ll call it, common ports and protocols, just because those are less likely to get picked up by the organization that they’re targeting.
Sure. That makes sense. Now, how does one tell they have a password stealer? I mean, that’s really what people want to know. Like, how do we figure out what the heck this is and where we find it?
Sure. Well, the best and most reliable way to know that you have a problem, hopefully before it’s doing damage, is making sure that you’ve got updated AV software on all the machines within your organization. Keep in mind, we were talking a little bit earlier about how the password stealing software gets in once and then attempts to get itself replicated to other devices and machines within the environment. So when I say make sure you’ve got this all over the place, I mean it. You don’t know where the first point is going to be that something comes in, but certainly as the software is making its way across the network, if you have every machine protected, then theoretically all of them are nodes that could report and/or thwart what’s happening.
Antivirus scans will detect the malware. When it identifies a password stealer, then it will typically quarantine the malware, either securely deleting it or setting it off into a penalty box, etc., and removing it from the machine itself. It’s most important to have the AV software installed on all of your organization’s computers, but similarly, you’ve got to make sure that you actually have it set up right. Make sure that your AV software is scanning your machine on a regular basis, even if you have a lot of the live scans. Well, that’s great. But if for some reason the live scan misses it, then you also wanna have a secondary configuration that basically does a full system scan once a week, once a day, whatever, something along those lines. That’s the one side of it. The other is that you wanna make sure that your scan engine and scan definitions are being updated regularly. A lot of people kind of take it for granted that, well, I’m running the software, but every single one of these pieces of software is different in terms of how it works and behaves. You want to make sure that everything is actually being updated. Don’t just assume it’s being updated, but actually go in and take a look. Were my definitions getting updated? Is the engine getting updated? You wanna put your eyeballs on that and do periodic checks to make sure. Because I’ve seen in more than a handful of cases where organizations were like, well, we installed the software and everything should be working, and we never looked at it again. And of course, one machine is misconfigured or one machine is having a communication issue and can’t get its updates, or a whole myriad of reasons.
But you want to go in and make sure that your central dashboard for your AV software is pulling in and reporting back both the definition and engine updates being applied to all of the boxes within the environment.
We talked earlier about making sure that you have this on all of your devices. That’s the other thing: periodically taking your inventory and bouncing it up against your core AV repository to confirm that, as an example, boxes that had the software last month or last quarter or last year still have it. A lot of crazy stuff happens through the course of the year. Some of it may be nefarious and some not. But you want to go through and take a look at those. Make sure that the machines that you believe you have it on still have it. And then also it’s a good sanity check for any new devices and new machines that you set up, confirming periodically that when those new machines or servers or whatever hit the network, those are configured properly. Of course, you’ve got all your checks and balances as you’re going through your deployment methodology, but if somebody drops the ball, now you have a trust-but-verify moment, if you will. When you’re looking for the AV software, I’d look for one that’s running live on the machine in addition to periodic scans, versus just a periodic scan. Running live means that the AV is actively seeing running processes, comparing them with definitions, finding stuff basically as it’s hitting the machines. Instead, let’s say there’s an organization that has one full weekly scan. Well, if that’s the case, and I happen to have this bad software get onto a machine and it does it the day after that scan, well, it’s six more days before I’m even getting alerts off of that periodic scan. So yeah, the faster you can identify that Houston, we got a problem, then the faster you’re able to go through and do something about it.
Yeah, most definitely.
Now, what should you do if you find you have a password stealer?
Well, if you detect a password stealer on a machine, then you want to make sure that it gets cleaned and cleared off of the device. Before you go too far, make sure that you’re connecting with your IT department, having them help to figure things out. What steps do we want to take? And what do we need to do? Blah, blah, blah. You want their involvement. Knowing that we have a single machine within the environment that has bad software, that should elicit a whole myriad of questions about, how did it get there? When did it get there? What types of communication? Do I have modes or methods to determine types of communications from that machine? That type of thing. Certainly, there will be some very, very distinct and deliberate instructions coming out of IT and/or, certainly if you need to go to data forensics or anything along those lines, they will absolutely have steps for you to take. My best recommendation is coordinate with your IT, coordinate with your teams for incident response. Take their guidance and advice. I’ve seen a number of organizations whose gut reaction is, oh my god, we have this problem.
Shut the machine off. The problem is, the minute that you shut the machine off, now you have potentially cleared or cleansed really valuable information about what was going on, local logs on that device or box. So I would certainly do that coordination with your internal crew and make sure to follow their guidance. It could be everything from a high confidence factor that we’ve discovered and cleaned it up, quote unquote. But, depending on which machine got hit, you might be in for a machine rebuild to make absolutely certain that we’ve cleared the clock on this thing. And so, once they’ve done the initial analysis on the one instance that’s known, that’s when they’re going to want to go and look for whatever the signature pattern is of the nefarious software that got onto the machine and look at other machines within the environment. Are they aware and cognizant of this? Are they picking it up? You may need to go ahead and report the identification of this software to your AV software vendor, that type of thing.
So, there’s a lot of steps involved. You definitely want to coordinate with your internal experts, but as best you can, the first step is getting the right people to give the right guidance and secluding that machine from other things on the network until you can ensure that the malware has been isolated, disconnected from other machines, and then take the steps for cleaning the clock, if you will.
Well, what are some best practices for the folks out there, Adam?
Well, I mean, it goes without saying that you’re better off to prevent it from getting to your machines in the first place. So certainly training personnel for spotting suspicious emails and using best practices for passwords. Those are certainly two arenas that will be helpful.
So let’s talk about email, kind of email best practices. There’s a lot of indicators for helping recognize phishing emails. Oftentimes when you receive these emails, there’ll be some type of a sense of doom and gloom or urgency. If you don’t act within the next two hours, then this deal is no longer gonna be valid, or so-and-so is gonna throw you in jail if you don’t blah, blah, blah, or, or, or. If they’re developing a sense of urgency, things like confirm your account before it gets shut off, things along those lines, or your computer security is at risk and you need to confirm your credentials. Where you’re seeing those senses of urgency, that’s usually a pretty key indicator. Unexpected emails, whether it’s someone you know or don’t. If it’s a Facebook friend that’s emailing your work account or a billing issue is sent to you instead of accounting, those are all kind of indicators. If it looks weird or it seems odd, etc., then your alert should be going up. The from email address is odd, so you want to pay attention to the exact spelling and punctuation of the email addresses. A lot of times they’ll mask the company email when it comes in, so all it’ll say in the from line is that it’s coming from Todd Coshow, and instead, if you hover over Todd Coshow, it’ll then say, oh, this is really coming from ABC123 at hotmail.com, type of thing. So you want to double check there and make sure that it’s not coming from a hyphenated company name instead of the normal domain you’d expect, things like that. Poorly written is still prevalent.
A lot of the phishing emails often are coming from overseas. We had a discussion talking about the downsides of AI previously, where I can see AI helping these bad actors with their English language and quickly composing different scenarios, etc. But for the moment, English is a second language for a lot of the folks that are perpetrating the phishing schemes. So if you’re seeing poorly written grammar, that’s another arena. The logo in an email, just not looking right. If the attacker stole a company logo and pasted it into an email, maybe it’s the wrong aspect ratio or low res. Maybe an outdated version of the logo, because they picked it up three years ago or whatever. So that can be another sign. Strange attachments or links: hovering over any links, checking the URL that’s showing up at the bottom of your window as you’re hovering over it. Are the links going to India, Russia, Japan, China, whatever? Some other foreign country. So the nefarious emails will typically be seeking you to click on a link, download an attachment, or reply with sensitive information so they can kind of take the next step of trying to do damage, if you will.
The second kind of main topic we were talking about earlier, as far as things that we can do proactively, is passwords. So some password best practices that can keep you out of hot water. Number one. Number one. And I’ll say it from the rooftops. I’ll say it in the gutters. Blah, blah, blah, blah. Please, for the love of all that’s holy and true, please store your passwords in a password management system. Do not use a password pattern. Do not store your passwords in an Excel sheet. Do not stick them into a text file. Use a password management system. We’ve done blogs on this topic. We’ve done pods on this topic. I can’t encourage people enough to leverage that password management system. In my case, every single one of my passwords, and I have hundreds of them, every single one, honestly, I don’t even know what the password is. Number one. Number two, it is usually as long as I can make the password, scrambled letters, numbers, special characters, a lot of fun stuff. I don’t know what my passwords are because they’re in the password management system. So, don’t use the same password across multiple accounts. Don’t use the same pattern that you tweaked from account to account. Maybe it’s like the business name, underscore, puppy one, two, three, type of thing. No, because the person that gets exposed to that password is just going to go to the other business, type of deal, switch the name, and poof, they’re in. For password security questions, here’s another good tip. Don’t just answer the question that’s asked. What I mean by that is, let’s say, the one that I see a fair amount: what was the name of your best friend in elementary school or grade school, type of thing. If my best friend, when I was in elementary or grade school, her name was Gertrude.
Well, if I go and put Gertrude in and I answer that question over on this site, when I’m answering the same question on this other site and put in Gertrude, well, now I’ve got a way that people can use my security questions against me.
So usually what I’ll do with those is, in the password management system, in the notes for the account that we’re talking about, I will literally put in the notes: name of best friend from grade school, colon, and then I’ll either just punch my keyboard with a whole bunch of random characters or, you know, blue potato 42, exclamation point, whatever. I’ll just make it up. In that way, my security questions for the same questions across multiple sites are all different as well. So that’s another option, and certainly not the least of which is, if the site gives you the option of turning on two-factor, do it. Even if an attacker gets a hold of your username and your password, through either password scraping or pattern recognition, or you use the same password everywhere, or they got onto your local machine and you happen to have all your stuff in an Excel sheet, which they can crack the password on in about five seconds, then if they got a hold of it, the secondary authentication, number one, is going to alert you that, hey, wait a second. I use zebralamps.com as my example website, if you will, I don’t know if that exists. But if I know my account on zebralamps.com has two-factor, and I’m busily sitting here, I haven’t tried to go to the site, and out of the blue I’m getting a two-factor request for zebralamps.com, now you know you got an issue. And honestly, if I ever got an errant notification, it hasn’t happened to me in a long time, but if I ever got an errant notification, I could tell what site it was coming from. The very first thing that I would do is go in and change my password on that site. Because I know somehow somebody might’ve got ahold of it.
But in my case, because of the fact that I use that password management system, I’m not as worried because I know that is the only site that password is being used on across all of the passwords that I’ve got.
So the password management system puts you in a much stronger position because every single one of your passwords is different across the board. The other plus side is you no longer need to remember any of your passwords type of thing.
Parting shots and thoughts for the folks this week, Adam.
So there’s no guarantee that you’re gonna be able to protect your company from everything under the sun, every cyber attack somebody can come up with. But you can certainly use some of these best practices to put yourself in a solid position so that you can protect yourself as best as you can. Organizations that tend to take security and compliance seriously are the ones that also tend to avoid being the ones in the headlines in the news. So certainly use some of the stuff that we’ve had in here. Do some remedial training with your internal folks. I know people get tired of their supplemental training sessions and blah, blah, blah, and a lot of their eyes will glaze over, etc. But honestly, your personnel literally are one of the biggest forms of defense, if you will, for the organization. So go ahead and get them retrained. Have them listen to this. You may want to also double check. Do some sanity checking on some of your folks. Where are they putting their passwords? You might be afraid once you find out some of the answers across the board, despite all the training and whatnot. So it’s an exercise to try to keep everybody in the organization on the straight and narrow when it comes to the security and compliance arena. But I have faith in our listeners.
As do I, sir. As do I. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.