A ‘Password Spraying’ Primer

In This Issue:

  • Password spraying: what you need to know
  • Please, F5, Don’t ‘Oracle’ Nginx
  • Streamlining Cyber Risk Assessments
  • Facebook Judged: Found Guilty
  • Hands-On Defense
  • Are You Really Covered By Your Cyber Insurance?
  • Shoplifters Beware: AI Is Watching You

Password Spraying: What You Need To Know

Password spraying is bad, but what is it? The short version of a successful password attack goes like this: have multiple different sources attempt to log in to a target using random usernames and passwords. Don't do things sequentially, don't repeatedly attack the same username (within reasonable timeouts), and generally try not to trigger automated lockout defenses.
Password spraying relies on having either a truly massive number of attacking devices, or spiffy automation combined with the capture packets outbound from your target, destined from addresses you don't actually occupy.
Brian Krebs talks about password spraying and the role of hacked IoT devices in anonymizing repeated attempts: Ad Network Sizmek Probes Account Breach.


Refine your lockout conditions for password attacks. Get edge security devices that are credential-aware, and designed to help block password spraying and other types of password attacks. Large numbers of unexpected authentication failures can indicate a spraying attack. Look for lots of failures from behind NAT sources, or unexpected spikes in IPv6 authentication attempts. Attack patterns bots are good at, but humans are unlikely to be engaging in, are clues.

Read More >

Please, F5, Don’t ‘Oracle’ Nginx

The press release: F5 Acquires NGINX to Bridge NetOps & DevOps. This is a big deal. Nginx is one of the most popular web servers out there, and is widely used as a load balancer and reverse proxy, especially within the DevOps and "cloud native" development cultures.

NGINX is the company providing a commercial version of nginx, along with support, and the other bits that are standard to a commercial open source venture. NGINX leads the nginx project, does most of the dev work, etc.
Each commercial open source company has different layers of abstraction between the commercial vendor and the open source project. It’s all in an effort to make it look as though the open source project is kept at arm's length from the commercial vendor, but in reality, that's almost never true.

The Internet is covered in speculation about F5's purchase of NGINX. Business types want to know how F5 will monetize nginx. Everyone else wants to know if F5 will be a good steward of a beloved product, or whether or not they will attempt to “Oracle” it. Nginx is part of a rather large number of commercial products and services, so there are numerous companies (vendor and otherwise) that will be sitting up and taking notice.
Oracle, as readers might recall, has a long history of buying up open source products, then meddling with them. This meddling didn't go over well, which is how OpenOffice begat LibreOffice, MySQL begat MariaDB, and so forth.
Oracle's stewardship provides lessons about the acquisition of open source projects. The first is that things rarely turn out quite so dire as the Internet's gut reaction to an open source acquisition fears they will be. The second lesson: if you use the acquired open source product, you can expect to start paying more for it soon.


Now is a good time to review where you use nginx, and why. It's not yet time to panic and start switching to alternatives, but it is time to take inventory of its usage. The most important factor for information security professionals is that patches keep flowing: if F5 doesn't keep up the support cadence, it will be time to pull the cord. If, after 18 months or so, there don't appear to be dramatic changes in support, maintaining nginx becomes largely a question of cost; any major support changes are likely to happen during the initial integration event.

Read More >

Streamlining Cyber Risk Assessments

Third-party cyber risk assessments are not exactly standardized. In fact, they're still rare enough that each vendor seems to have a unique approach, and this can make comparing them to one another somewhat difficult. This brings us to NEW TECH: CyberGRX seeks to streamline morass of third-party cyber risk assessments.
The CyberGRX folks seem to have the right idea, though they do need to be wary of falling prey to standards proliferation (like this).


Third-party cyber risk is a real thing, and we all need to pay attention to it. Whether one engages with the CyberGRX folks or some other third party assessment firm, having third-party digital risks evaluated should be a regular part of one's yearly security processes.

Read More >

Facebook Judged: Found Guilty

Last week we mocked mentioned Facebook’s pivot to privacy. This week, Bruce Schneier has a comprehensive list of what Facebook should do if it’s really serious: Judging Facebook's Privacy Shift.
Schneier's exploration of Facebook's privacy woes is instructive, even if only because it can teach us a new way to think about privacy.


Start asking the same questions of your own organization that Schneier asks of Facebook. Apply the same measures, and try to think about privacy in the same way Schneier’s trying to get Facebook to think. Does your organization even have a Chief Privacy Officer? Are they internal facing, or external facing? Both? Neither? Privacy is part of security; it's time we all stopped ignoring it.

Read More >

Hands-On Defense

Insert Skimmer + Camera Cover PIN Stealer. A brief look (with photos) at a ATM card skimmer setup that uses the ATM’s own security camera to steal PINs.


Your hand. Yep, the low-tech “cover your PIN” still helps, at least with this type of exploit.

Read More >

Are You Really Covered By Your Cyber Insurance?

Insurance companies love to take our money. There’s insurance for the weirdest stuff you can imagine. Cyber insurance has, until recently, been a great gig for insurance companies. Truly damaging compromise events are frequent enough to keep people terrified, but rare enough that they don't have to pay out all that often.

Insurance companies usually just have to specify that certain basic steps, such as backups existing and/or passing a third-party audit, be performed to qualify for insurance. Simply causing organizations to do these two things would make them immune to the overwhelming majority of financially impactful IT problems, and insurance companies know this.
And then there’s this: Is the world ready for the next big ransomware attack? The interesting wrinkle here is the mention that Zurich American Insurance Company is refusing to pay out a $100 million claim from Mondele. In other words, an insurance company has refused to pay for claims arising from government hacks. Turns out that insuring against cyber attacks isn't quite the easy money the insurance companies had hoped it would be.


If your information security plan includes "insurance will cover what we missed," it may be time to revisit that approach. With expediency.

Read More >

Shoplifters Beware: AI Is Watching You

Another in the endlessly-expanding use cases for artificial intelligence: These Cameras Can Spot Shoplifters Even Before They Steal


Hiding in a shack in the woods seems like the only rational response. Though all of us here at The Countermeasure are entirely open to any real-world alternatives.

Read More >

Tweet of the Week:

"When the CISO tells you to pull traffic from 6 months ago, but didn't come with the money for retention like that." - @hexadecim8

Videos of the Week

Podcasts of the Week

Quick Links

Get Your Copy.