"...organizations should not act out the old adage that the CISO’s primary job is to get fired when something goes wrong, in this case."
"Credential-stuffing attacks are not rare. They account for more than 90 percent of the Internet traffic to log-in pages at major services, Shape Security’s Ghosemajumder says."
"Quid looked at more than 50,000 companies and chose 50 it deemed the most promising."
"This incident has many people suggesting that everyone in the world should change all of their passwords immediately"
"Criminals are already using image recognition technology, in combination with 'Captcha farms,' to bypass this security measure"
"In 2011, while serving as deputy assistant secretary of defence at the Pentagon, Shape Security co-founder Sumit Agarwal observed a rising trend in the volume and complexity of automated attacks on Web and mobile applications. "
"On most websites, users enter their email addresses in lieu of user IDs, so cybercriminals often need only to crack a victim’s password once to gain entry to several of his or her accounts."
"A study out today from Shape Security shows that it's common for credential-stuffing login attempts to account for more than 90% of all login activity on Internet-facing systems at Fortune 100 firms."
"Now consider credential stuffing. The term was coined by Shape Security co-founder Sumit Agarwal when he was serving as Deputy Assistant Secretary of Defense at the Pentagon."
"Hackers achieve a success rate of 0.1 to 2 per cent when reusing stolen credentials to access other sites, according to a new study by Shape Security."
"According to figures from Shape Security, at least 11 gaming organizations suffered credential leaks last year."
"A botnet is very efficient at testing a stolen logon at dozens of different accounts to access as many as possible."
"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools to discover where users have used those same passwords on other sites," Shuman Ghosemajumder, chief technology officer of Shape Security, told NBC News.
"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo, as cybercriminals use advanced automated tools (like Sentry MBA) to discover where users have used those same passwords on other sites, through credential stuffing attacks, the most common attacks on web applications and APIs today."
"There's no sign in a computer saying, 'Haha, we're the Russians -- we did it!'"
"People who create a really strong password for one site but then use it across others are vulnerable to attacks"
"When entities have mediocre security hygiene, they inevitably end up having lost the keys to a much larger kingdom than we originally thought,"
“Unless you have a secondary email account registered with that account, which most Yahoo users likely do not, there is no good mechanism to force a password reset without effectively locking many users out of their accounts permanently,”
"this most recent credential spill at one of the world’s largest email providers further exacerbates the risk of millions of accounts being taken over at thousands of other major websites."
"Hackers obtained more than just names and passwords in the Yahoo breach -- they also nabbed answers to security questions. Cybercriminals can use that info to conduct automated attacks called 'credential stuffing.'"
"This breach makes the job of cybercriminals that much easier"
"By understanding user behavior, many companies are learning to spot and deflect sophisticated automated attacks (including credential stuffing, content scraping or application DDoS) before companies are struck by fraud."
"Dyn’s service disruption was yet another demonstration of how attacks on various critical points on the Internet can impact millions of users, and how vulnerable those points may currently be."
"The outage on Dyn customers is yet another demonstration of how attacks on various critical points on the Internet can affect large numbers of users..."
"Internet of Things’ excitement marred by vulnerability to hacking attacks"
"Attack on company with fewer than 500 employees causes massive disruption"
"while DDoS attacks aren't a new phenomenon, some attacks have had 'unprecedented volume recently.'"
"If there are other people in the WikiLeaks organization with access to the same documents and a protocol to operate if they cannot communicate with him, there's no need for a ‘digital’ dead man's switch"
"Testing passwords against email addresses has been termed ‘credential cracking’ in a new handbook from OWASP (the Open Web Application Security Project)"
"Data breaches on the scale of Yahoo are the security equivalent of ecological disasters"
"We’re looking at hundreds of different signals to analyse the ways that real human activity should look in every single transaction."
"If you’re one of the 500 million people whose Yahoo! accounts were breached, you are now being actively targeted."
"Automated threats are responsible for millions in fraud losses per day"
"Shape Security Announces Partnership With Hewlett-Packard Pathfinder. The security provider will accelerate its growth due to its latest round of investments."
"One of the unintended consequences in the rise of eCommerce is a related rise in cyberfraud attacks on online shoppers."
"Shape Security raises $40 million, lands HPE as partner, investor."
"Cybersecurity startup Shape Security raised $40 million in funding on Thursday to expand sales in the U.S. and internationally."
"Today’s top three cybersecurity threats are not manual attacks like in the olden days of hackers, but rather automated attacks that are difficult to stop."
"Shape Security is now protecting 20 percent of the world's in-store mobile payments."
"The growing concern over online security is leading to a growing investment in cybersecurity platforms."
"Yahoo likely faced a dilemma in efforts to reset user passwords following the breach."
"Six lawmakers question why it took Yahoo two years to discover breach as experts warn of the implications of the record-breaking haul of password data."
"A password can be changed, after all, but how do you change your mother's maiden name"
"As investors and investigators weigh the damage of Yahoo's massive breach to the internet icon, information security experts worry that the record-breaking haul of password data could be used to open locks up and down the web."
"Hacked passwords that are transacted in darknet domains usually end up in password databases. This is where the big problem arises."
"A big worry is a cybercriminal technique known as 'credential stuffing,' which works by throwing leaked username and password combinations at a series of websites in an effort to break in"
"Credential spills are one of the most widespread, yet misunderstood, security breaches."
"A cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most other websites."
"Top five biggest hacks of all time."
"The real issue now is that these passwords will be used to breach thousands of other websites unrelated to Yahoo."
"We typically see a 0.1% to 2% login success rate from credential stuffing attacks, meaning that a cybercriminal using 500 million passwords to attempt to take over accounts on another website would be able to take over tens of thousands of accounts on most websites"
"This cycle [of credential spills] is typical, but the scale is pretty astounding"
"cybercriminals use advanced automated tools to discover where users have used those same passwords on other sites."
"The real issue is what will happen next with these passwords."
"In the case of credential stuffing, the most commonly used standalone management tool we have observed enabling attacks is called Sentry MBA"
"The hackers are believed to have been stealing user credentials from around 85 companies, including Amazon, American Airlines, Apple Pay, AT&T, Best Buy, Dropbox, Dunkin' Donuts, eBay, GoDaddy, Match.com, McDonald's, Office Depot, PayPal, Pizza Hut, Steam, Uber and Wells Fargo."
"Cybercriminals are getting creative, and coming up with ways to interact with websites we haven't thought of before."
"If you lack the resources to integrate your own security solution from the various point products on the market, Care recommended using a 'one stop shop' solution that uses Layer 1 (endpoint) and Layer 3 (user data)."
"A new report released by Shape Security yesterday details how the Sentry MBA tool makes credential stuffing attacks more widely available to cybercriminals."
"Shape Security warns of the growing threat of the hacking tool, which is able to bypass many modern IT defenses."
"Shape Security, a California-based Web security firm, warned that the tool is an example of how cybercrime is increasingly compartmentalized and commoditized."
"RSA 2016 Security researchers have thrown the spotlight on a popular cybercrime tool that’s used by crooks to automate the process of taking over accounts on major websites before making fraudulent purchases."
"It demonstrates the urgent need for nationwide support and coordination at the highest levels on cybersecurity issues"
"Baseline Ventures led the investment in the company that targets attacks led by bots."
"Shape's 'Botwall' technology helps protect websites and mobile apps against automated attacks conducted by threat actors that use automation."
"The same tricks that make attack bots blind on the Web are now blinding them when they attack mobile APIs."
"Shape counts airlines, financial services companies, retailers and government entities as customers."
"Shape's software aims to inform retailers about whether attackers targeting them have targeted them in the past and to detect and prevent future attacks."
"VTech apparently had almost nothing in the way of security on their web application…"
"This attacker hasn't shared the data, but there's no way of knowing whether other attackers may have already obtained the same data…"
"Cyber Grinches scalp Santa with an automated arsenal of software programs that snap up new toy releases faster than any parent's frantic fingers can click 'buy.'"
"Watch for telltale signs that a company isn't taking security seriously, such as not using Secure Sockets Layer/Transport Layer Security (SSL/TLS) while logging in or submitting sensitive information…"
Shuman Ghosemajumder talks with Jon Fortt on the hot topic of encryption on CNBC’s Squawk Alley.
"…in an interesting twist, consultants at Shape Security discovered that at least one Icoscript strain receives C&C updates from Gmail draft messages."
Shuman Ghosemajumder offers his perspectives on the practice of paying up when confronted with ransomware attacks.
"Shape Security offered an illustration of how its Botwall service alters the underlying HTML code of a Web page so that it is constantly changing…"
Shape’s Sumit Agarwal offers his perspectives on the role of integrated access management in recent breaches.
"By succinctly defining broad but actionable rules of the playground, Shape enables its employees to experiment freely without constantly checking in with supervisors."
"Researchers at the security startup Shape Security say they’ve found a strain of malware on a client’s network…"
"Companies that require top-notch site security, such as e-commerce vendors and health-care providers, are just two of the industries the company is looking to convert."
"Shape Security. Remember that name."
"One of the most ingenious ways to make software more secure…"
“You don’t have to be more clever than the hackers. You just have to be more clever than their other targets.”