IT Security Matters

Klaus Jochem

Skip to content
  • Home
  • About me
    • About me
    • Copyright and Disclaimer

The Premera Plot – The PiggyPack version

13 April 2015

Have you recognized the temporal connection between the detection of the eBay data breach and the starting time of the Premera attack? The eBay data breach was made public at 21 May 2014, the assumed starting time of the Premera attack is 5 May 2014. Sounds interesting, doesn’t it?

eBay detected the breach, which happened in February/March 2014, with a delay of two month in early May. It can be assumed that the data circulated in hacker communities for several weeks, before eBay reported the data breach and the attackers published an excerpt on pastebin.com.

And, since millions of data sets were stolen, it is very likely, that login data of Premera employees were amongst this data.

All of this wouldn’t be so bad, if employees would not use their company usernames and passwords for login to non-company services as well. Unfortunately this is a widespread bad habit. Therefore it’s very likely that the stolen login data included valid login credentials of Premera employees. With this credentials the attackers were able to login to the Premera network.

This sounds really strange, but it is a definitely realistic scenario. Weaknesses in the system configuration, e.g. the missing minimum password age, support the attackers in staying undetected.

With this we get the following plot:

Initial Attack Vector

Login to company network with stolen user credentials from other data breaches

Vulnerabilities used

  • Missing password minimum age
  • Misuse of company login credentials
  • Missing Two Factor Authorization

Mitigation measures

  • People & Processes, short-term
  1. Enhance the security policy by rules to prevent misuse of company login data for non-company services
  2. Run an awareness campaign and communicate the policy changes to all users
  • People & Processes, mid-term
  1. Restrict login times to prevent attackers from sign-in to the network outside an employee’s standard working hours
  2. Enhance the security policy, define exceptions for handling of overtime and remote access to the company network from outside the standard working hours
  3. Communicate the policy changes to all users
  • Technology, short-term
  1. Enforce strong password history and minimum password age
  • Technology, mid-term
  1. Implement measures to prevent users from sign-in to non-company owned services with  company owned login data, if technically possible.
  2. Implement Two Factor Authentication for remote access to company services

That’s it for today. Take care!

Share this:

  • Email
  • Print
  • LinkedIn

Related

This entry was posted in Opinion, Survival tips and tagged Awareness campaign, company network, data breach, eBay, login credentials, login data, Minimum Password Age, Password History, Premera, Story Board, Two factor Authentication on April 13, 2015 by Klaus Jochem.

Post navigation

← Premera is still stuck in my mind Would the European NIS Directive have averted the TV5 Monde hack? →

Technology and more

  • 4 Elementary IT Security Design Principles

Endnotes

  • SRM Blog Information Security Breach Reports
  • [1] Frequently Asked Questions on eBay Password Change
  • [2] Ponemon Institute, Cost of Cyber Crime Study: United States 2013
  • [3] Hashed Passwords – Crack The Cred
  • [4] Important Information – Office Passwort Reset
  • [5] Reducing the Effectiveness of Pass-the-Hash

Tags

  • administrative privileges
  • anti-malware
  • AppGuard
  • Attack Surface
  • critical infrastructure
  • Cyber Attack
  • data breach
  • Endpoint Protection
  • Malware
  • Phishing
  • Principle of least privilege
  • Ransomware
  • Remote Code Execution Vulnerability
  • Separation of Duties
  • strong passwords
  • Two factor Authentication
  • UAC
  • Vulnerability
  • WannaCry
  • Zero day exploits

Archive

  • August 2020 (2)
  • June 2020 (4)
  • May 2020 (4)
  • April 2020 (1)
  • March 2020 (3)
  • January 2020 (1)
  • December 2019 (1)
  • November 2019 (1)
  • October 2019 (1)
  • September 2019 (2)
  • August 2019 (3)
  • July 2019 (2)
  • June 2019 (1)
  • May 2019 (2)
  • April 2019 (1)
  • March 2019 (3)
  • February 2019 (1)
  • January 2019 (2)
  • December 2018 (1)
  • November 2018 (2)
  • October 2018 (2)
  • September 2018 (1)
  • August 2018 (2)
  • July 2018 (1)
  • June 2018 (3)
  • May 2018 (2)
  • April 2018 (3)
  • March 2018 (3)
  • February 2018 (3)
  • January 2018 (3)
  • December 2017 (1)
  • November 2017 (3)
  • October 2017 (6)
  • September 2017 (1)
  • August 2017 (1)
  • July 2017 (5)
  • June 2017 (2)
  • May 2017 (5)
  • April 2017 (4)
  • March 2017 (3)
  • February 2017 (3)
  • January 2017 (2)
  • December 2016 (2)
  • November 2016 (5)
  • October 2016 (8)
  • September 2016 (4)
  • August 2016 (4)
  • July 2016 (6)
  • June 2016 (4)
  • May 2016 (4)
  • April 2016 (5)
  • March 2016 (6)
  • February 2016 (9)
  • January 2016 (7)
  • December 2015 (2)
  • November 2015 (6)
  • October 2015 (4)
  • September 2015 (4)
  • August 2015 (5)
  • July 2015 (6)
  • June 2015 (6)
  • May 2015 (9)
  • April 2015 (8)
  • March 2015 (8)
  • February 2015 (8)
  • January 2015 (10)
  • December 2014 (4)
  • November 2014 (9)
  • October 2014 (9)
  • September 2014 (9)
  • August 2014 (10)
  • July 2014 (10)
  • June 2014 (5)

Blogs I Follow

  • Jaya's Blog
  • Ponder Younder
  • TIME GENTS
  • Crowdbase Blog
  • It's More Than Tea

Subscribe

RSS Feed

Blog at WordPress.com.
Jaya's Blog

Ponder Younder

Read, think more and Act on what you read

TIME GENTS

Australian Pub Project

Crowdbase Blog

A blog about knowledge sharing, collective intelligence and enterprise collaboration.

It's More Than Tea

jill's tea blog

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.
Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy