Over the past 10 months, software firm Rapid7 has conducted hundreds of penetration tests: simulated cyberattacks that test how a network holds up against actual threats. The results were compiled in a study called “Under the Hoodie 2018”, which not only perpetuates the stereotype of darkly cowled hackers but makes for some pretty interesting reading.
Of the 268 tests conducted across a range of industries, 251 involved live, production networks, meaning Rapid7’s hackers were attempting to infiltrate systems likely holding real proprietary and confidential data.
In 59 per cent of the tests the hackers began outside the network environment, attempting to break in. For a majority of businesses, this makes the most sense. However, others have realistic concerns about threats from within.
The results were not so great for Rapid7’s clients, though their networks are better off now that these tests have been performed. At least one live vulnerability was exploited in 84 per cent of the engagements, though when not forced to access the network remotely, some level of compromise was assured nearly 100 per cent of the time.
Similarly, network misconfigurations allowed for infiltration in 80 per cent of external tests versus 96 per cent during a simulated insider threat.
The hackers were able to capture at least one credential 53 per cent of the time, a figure that shot up to 86 per cent with access to the target’s local network. And with network access, via wireless or LAN connection, the hackers were able to gain complete administrative control over the organisation’s network 67 per cent of the time.
More than just statistics, the Rapid7 study includes a number of stories by researchers on the ground, such as the time its investigators managed to scrape corporate credit cards, passport data, and social security numbers by taking advantage of the 2014 “Heartbleed” bug:
We began the task of testing the security of each and every web server. Not long into the process, we identified three servers that hadn’t had their OpenSSL installations updated in a while; they were consequently vulnerable to the “Heartbleed” bug of 2014. We divided up the three servers amongst the team and began harvesting memory contents from the three servers in 65 KB chunks. We set up a looping process to continually request chunks of memory and append them to the ever-expanding file of leaked secrets. We let our automated memory grabbers run overnight, and by the next morning, we awoke to find a wealth of information.
The memory files we had generated contained cleartext usernames and passwords for users that logged into the servers in question. In addition, we were able to confirm that one of the servers also acted as a secure messaging server which handled sensitive emails. As a result, our memory dump file contained full message bodies of hundreds of (otherwise) secure emails!
The research also yields a wealth of information about numerical patterns in passwords and the most common types of passwords, which, sadly, have not changed much over the years — “Password1” continues to top the list. The investigators also found that an overwhelming majority of users stick to the exact minimum password length, which is typically eight characters.
“We are able to generate patterns and figure out which characters are used in each position. This can show where someone prefers to place the uppercase letter, the digit, the special character, and the lowercase letters,” Rapid7 says.
So for the purpose of password guessing, where do people tend to toss the number in their password? At the end, of course. “Eight out of the top ten passwords end with a digit,” the study says.
The study also churned out considerable data on which digits are most likely to be used. The number “1” is the most common. The most common trailing two digits are “2” then “3”. When four digits are used it’s most commonly a year, so “20” is how most trailing four-digit combinations begin. (However, “1234” remains pretty popular.)
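The positional pattern analysis the report describes, as an added example that is not Rapid7's code: a Python auditor a defender can run over their own organisation's recovered or cracked password list (the sample passwords below are constructed) to see which character-class masks and trailing digits dominate and how many users sit at the minimum length.

```python
# Added example, not from the Rapid7 report: a small password-pattern auditor
# of the kind the report describes. Sample passwords are constructed.
from collections import Counter
import re

SAMPLE_PASSWORDS = [  # constructed sample data, not real credentials
    "Password1", "Welcome1", "Summer2018", "Company01", "Winter2017",
    "Passw0rd", "Admin123", "Baseball1", "qwerty1234", "Letmein!1",
]

def char_class(c: str) -> str:
    """Map one character to a hashcat-style class token: ?u ?l ?d ?s."""
    if c.isupper():
        return "?u"
    if c.islower():
        return "?l"
    if c.isdigit():
        return "?d"
    return "?s"

def mask(password: str) -> str:
    """Positional pattern, e.g. 'Password1' -> '?u?l?l?l?l?l?l?l?d'."""
    return "".join(char_class(c) for c in password)

def trailing_digits(password: str) -> str:
    """The run of digits at the end of the password ('' if none)."""
    m = re.search(r"\d+$", password)
    return m.group(0) if m else ""

def audit(passwords):
    """Summarise positional and trailing-digit habits in a password list."""
    if not passwords:
        raise ValueError("need at least one password to audit")
    n = len(passwords)
    masks = Counter(mask(p) for p in passwords)
    trailing = Counter(t for t in map(trailing_digits, passwords) if t)
    ends_with_digit = sum(1 for p in passwords if p[-1:].isdigit())
    min_len = min(len(p) for p in passwords)
    at_min_len = sum(1 for p in passwords if len(p) == min_len)
    return {
        "top_masks": masks.most_common(3),
        "top_trailing_digits": trailing.most_common(3),
        "ends_with_digit_pct": round(100 * ends_with_digit / n),
        "min_length": min_len,
        "at_min_length_pct": round(100 * at_min_len / n),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

The masks use hashcat's ?u/?l/?d/?s tokens so a defender can compare their organisation's dominant patterns directly against the policy they thought they had enforced.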
Of course, complex passwords aren’t worth a spit if employees fail to change their passwords following a breach.
“One of the most important aspects of penetration testing is the initial stage of information gathering,” writes Rapid7 investigator Steven Laura, describing a test that collected a wealth of personally identifiable customer data and financial information. “In a recent web application penetration test that I performed, a number of email addresses and passwords were found in a public password dump.”
“With the list of usernames and passwords,” he said, “I kicked off my login attempts, and soon found that one of the credential sets listed in the password dump worked on the corporate network.”
You can find a link to the full Rapid7 report here.