Stealth Security Blog

Advanced Credential Exploitation: Beyond Credential Verification Attacks

Posted by Mayank Dhiman on May 17, 2017 10:36:15 AM

Hi, I am Mayank Dhiman, and I am the Principal Security Researcher here at Stealth Security.

 

In our earlier post, we defined the problem of Credential Exploitation, an attack methodology characterized by the abuse of login credentials at scale. We focused largely on how attackers takeover accounts which are reusing credentials that have been dumped elsewhere. We also discussed the proper defensive framework to defend against such attacks. For today’s post, we’ll make the case that the problem runs deeper than traditional “credential verification” or brute-force attacks, and that the same defensive framework can help defend against a wide variety of automation-based attacks.

Read More

Topics: Credential Exploitation

Credential Exploitation: A Defender’s Perspective

Posted by Mayank Dhiman on May 3, 2017 10:20:38 AM

 

For today’s post, we’re attempting to classify a new and increasingly common type of attack that our research team has been following — Credential Exploitation. Our definition of Credential Exploitation is an increasingly popular attack methodology characterized by the abuse of login credentials at scale. Specifically, it targets the Application Interfaces of Web, mobile, and API end-points. These attacks encompass the misuse of credentials for Account-Take-Over (ATO) attacks, Credential Brute-force, and abuse of API keys to take advantage of API endpoints. As the Principal Security Researcher here at Stealth Security, I’m leading a team that has carefully reviewed these attacks in volume. This is our overview of our findings regarding the  source of this issue, as well as what can be done to mitigate its impact.

 

Read More

Topics: Credential Exploitation

Web API Security: A story of authentication, God’s Eye View, and corporate espionage

Posted by Michael Barrett on Apr 18, 2017 2:30:41 PM

Hi, Michael Barrett here, CEO and co-founder of Stealth Security.

 

As a security guy, I tend to think of the world through a relatively simple lens, and use mental models that have worked for our industry before. I have long suspected that we have been ignoring — or at least oversimplifying — the problem of web API security. And then, last week, there was a case-study making announcement about the discovery of the so-called Hell application, that was allegedly used by Uber to identify Lyft driver locations as well as which drivers used both services. I am not going to comment on the allegations themselves except to note that many CISOs run into situations occasionally that make them ask (usually just to themselves) “what were they thinking?”…

 

Read More

Topics: Web API Security

Will businesses adopt Google’s new Invisible reCAPTCHA, or go with a vendor's solution? Yes.

Posted by Shreyans Mehta on Mar 28, 2017 10:22:00 AM

Hi, I’m Shreyans Mehta, CTO at Stealth Security.

 

Most web application interface protection (WAIP) vendors rely heavily on JavaScript injection. Why? Because it’s easy, powerful, and been in use for decades for various functions, such as activity tracking for marketing. Alternatives, such as CAPTCHA and reCAPTCHA, were either too demanding on users or were easily defeatable via Optical Character Recognition (OCR) used by attack tools.

 

That's about to change.


Read More

The Apple Problem

Posted by Michael Barrett on Mar 27, 2017 10:07:00 AM

Hello, Michael Barrett here, co-founder and CEO of Stealth Security.

 

Recently, news has started to come out about the fact that an attacker known as the Turkish Crime Family has penetrated the accounts of many of Apple’s iCloud customers.  The total number is still unknown but is claimed to be hundreds of million.  At this point, rather than trying to monetize the breached accounts directly, the attacker is simply holding Apple ransom and is demanding bitcoin in return for not harming those customers.  This use of an indirect ransom for monetization is a logical next step for attackers.  Some commentators have claimed that the number of breached accounts is considerably smaller than the attackers claim.  This could of course be correct, but in a real sense it’s irrelevant – this is about what the attacker might be capable of doing. 

 

Read More

Topics: Credential Exploitation

Welcome Farzad!

Posted by Michael Barrett on Jan 12, 2017 10:06:00 AM

One of the pleasures of growing a small company is that every hire makes an impact, and if you can hire a really great person into the role, that impact can be huge. This is of course a truism. All teams consist of the best people for the job, all working harmoniously and effectively. When the right people are in them, they are an astonishing force for change. 

 

We had the pleasure of having a strong team of co-founders. Between us, we have a diverse range of skills and experiences. But, as a company grows, another of the things that happens is that you start to zoom in on specific disciplines and look to exemplary performance in them. That’s been happening with us recently, with business development. It’s become clear in the last few months that it’s a topic where we really needed to accelerate our work. We expect it to be a vital component in our long-range success, and therefore an area where we needed more focus than could realistically happen between the co-founders. So, it was evidently time to add another strong leader to our team, someone who could focus solely on business development, and someone who had overwhelmingly strong success in that.

Read More