Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Report: Penetration testers’ five most reliable methods of compromising targets include four different ways to use stolen credentials, but zero ways to exploit software.

Playing whack-a-mole with software vulnerabilities should not be top of security pros’ priority list because exploiting software doesn’t even rank among the top five plays in the attacker’s playbook, according to a new report from Praetorian.

Organizations would be far better served by improving credential management and network segmentation, according to researchers there.

Over the course of 100 internal penetration tests, Praetorian pen testers successfully compromised many organizations using the same kinds of attacks. The most common of these “root causes,” though, were not zero-days or malware at all.

The top five activities in the cyber kill chain — sometimes used alone, sometimes used in combination — were:

1. abuse of weak domain user passwords — used in 66% of Praetorian pen testers’ successful attacks
2. broadcast name resolution poisoning (like WPAD) — 64%
3. local admin password attacks (pass-the-hash attacks) — 61%
4. attacks on cleartext passwords in memory (like those using Mimikatz) — 59%
5. insufficient network segmentation — 52%

The top four on this list are all attacks related to the use of stolen credentials, sometimes first obtained via phishing or other social engineering. Instead of suggesting how to defend against social engineering, Praetorian outlines mitigations to defend against what happens after a social engineer gets past step one.

Source: Attacker’s Playbook Top 5 Is High On Passwords, Low On Malware

Strawberrynet Beauty site lets anyone read customers’ personal information

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers’ names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature.
[…]
The feature means customers are able to checkout quickly by just putting their email address into a text entry box. Doing so returns personal information in cleartext, if the email address entered is already in Strawberrynet’s records.
[…]
The mail explains the company’s stance as follows:

Please be advised that in surveys we have completed, a huge majority of customers like our system with no password. Using your email address as your password is sufficient security, and in addition we never keep your payment details on our website or in our computers.

Source: Beauty site lets anyone read customers’ personal information

For anyone wondering, this is incredibly stupid behaviour.
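To make the flaw concrete, here is an added example (not Strawberrynet’s code, and the customer records are constructed sample data) that places the email-only lookup the article describes next to a hardened version. The hardened flow answers every request identically so an address cannot be confirmed as a customer, and only releases the record after a short-lived, single-use code delivered to that mailbox has been presented; the `CheckoutService` class, its `outbox` mail stub and the injectable clock are all assumptions of this example.

```python
"""Email-only profile lookup (as described in the article) beside a hardened
two-step version. Added example; not the merchant's code. Sample data below
is constructed for illustration."""
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a merchant's customer table.
CUSTOMERS = {
    "alice@example.com": {"name": "Alice Example",
                          "billing_address": "1 Sample St", "phone": "+1-555-0100"},
    "bob@example.com": {"name": "Bob Example",
                        "billing_address": "2 Sample Ave", "phone": "+1-555-0101"},
}

OTP_TTL_SECONDS = 600   # code is valid for ten minutes
MAX_ATTEMPTS = 5        # online guessing budget per issued code


def lookup_insecure(email):
    """The design in the article: knowing an address is enough to get the
    whole record, and the None/record difference also reveals whether the
    address belongs to a customer at all."""
    return CUSTOMERS.get(email.strip().lower())


class CheckoutService:
    """Hardened lookup: prove control of the mailbox before any data is shown."""

    def __init__(self, customers, now=time.time):
        self._customers = customers
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # email -> [code_hash, expires_at, attempts]
        self.outbox = []           # stands in for the mail transport (assumption)

    @staticmethod
    def _hash(email, code):
        return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()

    def request_code(self, email):
        """Step 1: issue a one-time code to the mailbox if it is registered."""
        email = email.strip().lower()
        if email in self._customers:
            code = f"{secrets.randbelow(10**6):06d}"
            self._pending[email] = [self._hash(email, code),
                                    self._now() + OTP_TTL_SECONDS, 0]
            self.outbox.append((email, code))  # only the mailbox owner sees this
        # Same reply whether or not the address exists: no account enumeration.
        return "If that address is registered, a one-time code has been emailed to it."

    def lookup_secure(self, email, code):
        """Step 2: release the record only for a fresh, correct, unused code."""
        email = email.strip().lower()
        entry = self._pending.get(email)
        if entry is None:
            return None
        code_hash, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[email]            # expired or burned: start over
            return None
        if not hmac.compare_digest(code_hash, self._hash(email, code)):
            entry[2] += 1                       # count the failed guess
            return None
        del self._pending[email]                # single use
        return dict(self._customers[email])


if __name__ == "__main__":
    svc = CheckoutService(CUSTOMERS)
    print(lookup_insecure("alice@example.com"))          # full record, no proof needed
    print(svc.request_code("alice@example.com"))
    sent_to, sent_code = svc.outbox[-1]
    print(svc.lookup_secure(sent_to, sent_code))         # record, once the code is shown
```

The attempt counter and ten-minute lifetime are what make a six-digit code acceptable here: they bound online guessing, while the constant response to `request_code` removes the enumeration side channel the original design has. A real deployment would also rate-limit `request_code` per address and per client, since it triggers outbound mail.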

>25m accounts stolen after Russian mail.ru forums hacked

Two hackers were able to steal email addresses and easily crackable passwords from three separate forums in this latest hack.

Two hackers carried out attacks on three separate game-related forums in July and August. One forum alone accounted for almost half of the breached data — a little under 13 million records; the other two forums make up over 12 million records.

The databases were stolen in early August, according to breach notification site LeakedSource.com, which obtained a copy of the databases.

The hackers’ names aren’t known, but they used known SQL injection vulnerabilities found in older vBulletin forum software to get access to the databases.

Source: Millions of accounts stolen after Russian forums hacked
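The article names SQL injection as the entry point but does not show the defect. The following added example (not vBulletin’s code; the table and rows are constructed) contrasts a user lookup that splices the request parameter into the SQL text with the parameterized form, using the SQLite module from the Python standard library so it runs offline. The function names `find_user_vulnerable` and `find_user_safe` are this example’s own.

```python
"""String-built SQL beside a parameterized query. Added example; the schema
and rows are constructed and do not come from any real forum database."""
import sqlite3


def build_db():
    """In-memory table standing in for a forum's user table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash-placeholder-1"),
         ("bob", "bob@example.com", "hash-placeholder-2"),
         ("o'brien", "obrien@example.com", "hash-placeholder-3")])
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by concatenation. The parameter becomes part of the
    SQL grammar, so a quote in the input changes what the query means."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Passes the value as a bound parameter. The driver treats it purely as
    data, so no input can change the shape of the statement."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def vulnerable_raises_on_quote(conn, username):
    """Returns True when the concatenated query fails to parse for a legitimate
    value containing an apostrophe, which is the symptom that usually shows
    up long before anyone exploits it."""
    try:
        find_user_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print(find_user_safe(db, "alice"))
    # A tautology in the input widens the concatenated query to the whole table...
    print(find_user_vulnerable(db, "x' OR '1'='1"))
    # ...while the parameterized version simply finds no such username.
    print(find_user_safe(db, "x' OR '1'='1"))
    # A legitimate name with an apostrophe breaks the concatenated query.
    print(vulnerable_raises_on_quote(db, "o'brien"), find_user_safe(db, "o'brien"))
```

Two points worth noting for defenders: the same defect that lets a crafted value return every row also makes the query fail for ordinary names like `o'brien`, so errors of that kind in application logs are a cheap early warning; and the fix is a one-line change to bind parameters, which is why patching older forum versions, rather than living with them, closes this class of bug outright.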