1
00:00:06,440 --> 00:00:08,350
- So Ron, in the news, we always hear

2
00:00:08,350 --> 00:00:09,380
about these big stories

3
00:00:09,380 --> 00:00:11,670
about major companies getting breached,

4
00:00:11,670 --> 00:00:15,400
from Adobe to Dropbox to LinkedIn.

5
00:00:15,400 --> 00:00:19,970
And this seems to be almost an everyday occurrence.

6
00:00:19,970 --> 00:00:22,230
So how are passwords actually stored

7
00:00:22,230 --> 00:00:24,690
in these companies, in these systems?

8
00:00:24,690 --> 00:00:27,920
- Sure, so at a very high level, most systems store

9
00:00:27,920 --> 00:00:29,910
user credentials in some sort of

10
00:00:29,910 --> 00:00:32,883
database or a text file.

11
00:00:33,720 --> 00:00:36,860
With web applications, often they store the credentials

12
00:00:36,860 --> 00:00:38,990
in an SQL database,

13
00:00:38,990 --> 00:00:42,942
while in an Active Directory domain

14
00:00:42,942 --> 00:00:46,630
credentials are stored in a proprietary database.

15
00:00:46,630 --> 00:00:47,720
- That makes sense.

16
00:00:47,720 --> 00:00:51,730
So in one of the recent Petya ransomware attacks

17
00:00:51,730 --> 00:00:53,160
they used some type

18
00:00:53,160 --> 00:00:57,204
of password attack in their process.

19
00:00:57,204 --> 00:00:58,037
What exactly was that?

20
00:00:58,037 --> 00:01:00,030
- Yeah, so it's pretty interesting.

21
00:01:00,030 --> 00:01:01,370
What they did was,

22
00:01:01,370 --> 00:01:05,130
of course, they exploited the system initially

23
00:01:05,130 --> 00:01:07,550
using the EternalBlue exploit.

24
00:01:07,550 --> 00:01:08,562
And then from there,

25
00:01:08,562 --> 00:01:13,562
what the Petya attack did was, or the payload did,

26
00:01:13,640 --> 00:01:16,100
was it used a tool called Mimikatz.

27
00:01:16,100 --> 00:01:19,690
What that does is it allows you to dump the credentials

28
00:01:19,690 --> 00:01:20,750
out of memory.

29
00:01:20,750 --> 00:01:23,930
And from there they utilized the credentials

30
00:01:23,930 --> 00:01:26,210
that they were able to steal

31
00:01:26,210 --> 00:01:28,127
to attack the other systems

32
00:01:28,127 --> 00:01:33,127
on the network using well-known protocols like PsExec

33
00:01:33,240 --> 00:01:37,730
and WMI that are used all the time in Windows.

34
00:01:37,730 --> 00:01:39,503
So it looked like normal traffic.

35
00:01:40,850 --> 00:01:42,890
- So how do you defend

36
00:01:42,890 --> 00:01:45,003
against these types of attacks, John?

37
00:01:46,080 --> 00:01:48,290
- It is understandably very difficult.

38
00:01:48,290 --> 00:01:49,994
It's often a cat and mouse game

39
00:01:49,994 --> 00:01:53,180
where we work on it from the defense side

40
00:01:53,180 --> 00:01:54,550
and then a new attack comes out.

41
00:01:54,550 --> 00:01:57,020
But basically there's two ways.

42
00:01:57,020 --> 00:02:00,610
Passwords, we have to protect on both the storage side

43
00:02:00,610 --> 00:02:03,480
and while they're being transmitted over the network.

44
00:02:03,480 --> 00:02:06,840
So when being transmitted over the network, you have to use some type

45
00:02:06,840 --> 00:02:08,330
of encryption to ensure

46
00:02:08,330 --> 00:02:10,550
that people listening in on the network traffic

47
00:02:10,550 --> 00:02:14,120
can't just intercept that information. And then storage.

48
00:02:14,120 --> 00:02:17,070
There's various ways to protect the storage.

49
00:02:17,070 --> 00:02:17,930
Operating systems

50
00:02:17,930 --> 00:02:20,610
have their own protective measures in there.

51
00:02:20,610 --> 00:02:23,490
There's also, you have to limit access to these

52
00:02:23,490 --> 00:02:26,720
storage mechanisms to only the people

53
00:02:26,720 --> 00:02:29,430
and the accounts that need access to that.

54
00:02:29,430 --> 00:02:32,170
Also have your intrusion detection,

55
00:02:32,170 --> 00:02:34,850
endpoint protection, various auditing,

56
00:02:34,850 --> 00:02:38,160
so you can look and see if anything looks fishy,

57
00:02:38,160 --> 00:02:39,540
if people are accessing it

58
00:02:39,540 --> 00:02:41,490
in ways that they really shouldn't be.

59
00:02:41,490 --> 00:02:42,860
So there are various ways.

60
00:02:42,860 --> 00:02:46,026
And then from an end user standpoint,

61
00:02:46,026 --> 00:02:48,500
to protect your own account

62
00:02:48,500 --> 00:02:52,460
it's highly recommended to have longer passwords

63
00:02:52,460 --> 00:02:55,453
and also enable two-factor authentication when you can.