Personal password practices place thousands of UK businesses at risk
SecureData Labs research cautions that OWA email is the ‘sleeping dragon’ of corporate security
24 November 2016, London: SecureData, a leading provider of cybersecurity services and solutions, with its elite consulting arm SensePost, today published original research from its Labs team revealing thousands of UK businesses are immediately at risk from potential compromise of their Outlook Web Access platform.
This research serves to illustrate the potential impact of a new generation of hacking tools that escalate the impact of a compromised email address and password via the Outlook Web Access interface to full remote compromise of the corporate network.
The research suggests close to 0.5% of all organisations in the SecureData Labs study could be cracked using a combination of publically available email addresses from previous data breaches and poor password security behaviour by users, as they reuse passwords between professional and personal applications.
The researchers analysed 1.5million compromised email addresses from 173,000 individual organisations in the UK. SecureData Labs could crack 92% of passwords* where the compromise included the hashed, or one-way encrypted password. From this sample of organisations, 1,226 could be identified as using Outlook Web Access. Assuming some users were reusing the same password (or password ‘scheme’) between their private and work accounts**, as many as 868 organisations in the study are at immediate risk of simple, low-cost and sophisticated compromise of their network systems. Using the ratio of compromised organisations revealed in the research (0.5%), it suggests as many as 53,000 of the 10.5million .uk domain registrations in the UK could be similarly at risk.
With 1 billion newly breached email addresses exposed on the public web during 2016 (Source: haveibeenpwned.com), the SecureData Labs team has highlighted this attack vector as a sleeping dragon of corporate network security and a style of exploit which they expect to increase in prevalence.
Charl van der Walt, Head of Security Strategy at SecureData comments: “We developed this research as a vehicle to illustrate the increasing security challenge as employees mix their corporate and personal online universes. This is exacerbated by enterprise risk models that fail to appreciate how attackers view their business, reflecting instead their own view as to what is valuable.
“The prize here for the hacker is not just the email account itself, but the ability to write Outlook rules on the user’s desktop via OWA. Our “Ruler” toolset shows how we can turn an OWA password compromise into full and persistent remote access to the network, with potentially devastating effect,” van der Walt continues. “Microsoft Exchange has been considered a relatively benign element of corporate IT, but it’s becoming more popular and valuable as a target. In addition, Exchange is exposed onto the Internet via OWA and put more at risk via weak or leaked email passwords. We wanted to highlight this simple exploit as a way to warn security managers not to under value what appear to be low-risk corporate assets.”
Email address compromise has become more common and is often the intention of large-scale hacks (Ashley Madison, LinkedIn, YouPorn, Adobe etc). With the increasing supply of compromised email addresses available to hackers, organisations should be vigilant about the potential impact of these leaks, for example via an escalation of phishing attacks or password reuse attacks.
Key stats from the study:
- Research took place between October 22 and November 22, 2016
- Dataset 1 – breached email data:
- 5million compromised email address researched, from 173,000 UK domains (.uk only)
- Scanning uncovered 1,226 OWA interfaces
- 92% of passwords leaked could be cracked by SecureData Labs
- 868 UK organisations, or 0.5% overall of UK organisations are at risk from this type of exploit (assuming 77% password prediction rate)
- Dataset 2 – LinkedIn:
- 7 million compromised email address researched, from 500,000 UK domains (.uk only)
- Scanning uncovered 2,000 OWA interfaces
- 92% of passwords leaked could be cracked by SecureData Labs
- 1842 UK organisations, or 0.36% overall of UK organisations are at risk from this type of exploit (assuming 77% password prediction rate)
- Dataset 3 – Alexa Top Million:
- From the Alexa “Top Million” websites list, 15,653 have a .uk domain
- Scanning identified 1,105 unique .uk domains within this dataset with exposed OWA servers (7%)
- 712 of these OWA accounts were also present in the list of 173,000 organisations exposed in the breaches we studied in dataset 1
- 92% of passwords leaked could be cracked by SecureData
- This analysis suggests 504 .uk domains in the Alexa Top Million (3.2%) are potentially at risk to an OWA compromise
Key supporting information and industry sources:
- * “SecureData Labs can crack 92% of passwords”, statement refers to SensePost’s elite consulting team activity and is supported through previous analysis, for instance of 3,743,733 UK addresses compromised in the 2012 LinkedIn breach, 2,622,252 included hashed passwords. Of these the SecureData Labs team were able to crack 2,382,216 or 90.85%. SecureData Labs reports the percentage crack range to be consistently between 90-95% for UK email addresses
- ** “77% of passwords are reused by users”, statistic is referenced by Princeton University study, 2014 which suggested that most internet users have a universe of 25 online accounts. When asked to select a password for a new account, the study found 77% would either modify or reuse existing passwords. Further SecureData Labs supports this statistic.
- 123,621,620 compromised email address reported through haveibeenpwned.com from October 22 – November 22 2016
- Over 1 billion compromised email addresses reported through haveibeenpwned.com from January 1 – November 22 2016
- 412,214,295 email addresses compromised in October 2016 from Friend Finder Network Inc. – the world’s largest single reported hack – by leakedsource.com
- UK domain registrations data source, https://en.wikipedia.org/wiki/.uk