The Door is Wide Open: Unpatched Security Flaw Leads to Leak of Login Credentials for 900+ Enterprise VPNs
A popular brand of VPN software recently had usernames, passwords, and IP addresses published on a dark web hacker forum frequented by ransomware gangs.
I first wrote about this issue in July 2019. At the time, various VPN appliances from three well known and highly used vendors were affected by a critical vulnerability that could allow a hacker to access a company’s network – and view everything on that company’s network – without requiring any credentials. From a data privacy and information security standpoint, this is probably one of the single greatest threats to any business today – hackers bypassing all security measures in place – i.e. usernames, passwords, and multifactor authentication – and accessing all of a company’s data.
Almost exactly one year later and I’m writing about this again. This post focuses on VPN appliances from one vendor specifically – Pulse Secure.
The Cybersecurity and Infrastructure Security Agency (CISA), which is essentially the federal government’s equivalent to an investment adviser’s Risk Committee, has issued multiple alerts regarding this vulnerability over the last 13 months. The initial CISA Alert in July 2019 advised of the existence of the vulnerabilities discussed in my previous post and encouraged systems administrators to review information released by the vendors regarding fixes, which included, among other things, installing the software patch and changing all account passwords immediately after installing the patch. Pulse Secure was singled out in the October 2019 CISA Alert; once again, systems administrators were encouraged to follow the vendor’s guidelines for securing their VPN appliances.
Subsequently, the CISA Alert published January 10, 2020, “strongly urge[d]” companies to install patches provided by the vendor and follow the vendor’s other recommendations to remedy the vulnerability, with the agency expecting attacks to continue exploiting the vulnerability. It was in this alert that CISA first mentioned that hackers could access all active users of a compromised VPN and read their credentials in plain-text, meaning they could see the network credentials of all users of that vulnerable VPN, which could be used later for nefarious purposes. According to this alert, as of August 24, 2019, the patch had not been installed on over 14,500 servers globally – leaving them still vulnerable.
The CISA Alert published April 16, 2020, indicates that in the three months since the previous Alert was issued, multiple US Government and private agencies had fallen victim to this vulnerability being exploited. The big problem here is that attackers were able to exfiltrate account credentials and use them months later. Even if organizations had patched the vulnerability, many of them had not followed the vendor’s recommendation to change all user credentials subsequent to patching – basically closing the screen door on your house but leaving the main door wide open to anyone on the outside.
It was recently discovered that the usernames and passwords – including accounts with elevated privileges for system administrators – of over 900 Pulse Secure enterprise VPNs had been compromised and posted to a hacker forum on the dark web frequented by ransomware gangs. It is evident that the dark web can be a treasure trove of access credentials, and dark web monitoring enables firms to proactively stay abreast of these compromises.
Pulse Secure released a patch for this vulnerability on April 24th, 2019, noting that the “vulnerability is critical and should be patched right away.” Pulse Secure also recommended that all accounts, including administrator accounts and service accounts, change their passwords following the patch install.
The guidance and recommendation for this post remains similar to that of last year: if your company uses VPN software to provide connections for remote working, which is increasingly likely now in the midst of a pandemic, ask your IT department or IT vendor whether Pulse Connect Secure and/or Pulse Policy Secure products are used, and if they are, confirm that the patch for CVE-2019-11510 has been applied, all account passwords have been changed, and any other recommendations provided by the vendor have been implemented. If your company uses one of these products and has not patched the vulnerability discussed here, stop what you are doing, contact your IT personnel and request that this be remedied immediately! The full list of Pulse Secure’s recommendations following the installation of the patch can be found in the “Post-Update Recommendations” section of the article linked in this paragraph.
CSS wants to keep your data safe. We’re offering a complimentary Dark Web Monitoring assessment. To get in touch with our cybersecurity experts, please email us at: cybersecurity@cssregtech.com.
Q&A on Sensitive Industries with Marye Cherry, CSS’s Regulatory Guidance Expert
The COVID-19 pandemic and the resulting market volatility have led several governments to amend law and regulation in the context of sensitive industries. Much of the regulatory response has been directed at tightening foreign investment restrictions by lowering shareholding thresholds as well as expanding the sectors caught by a foreign investment review. As a result of the recent regulatory changes, more investments are now subject to regulatory scrutiny, accelerating an existing trend of reform in this space.
CSS’s Regulatory Guidance expert Marye Cherry answers the most common questions she’s seen around sensitive industries and investment monitoring. With more than 15 years of legal and compliance experience, Marye specializes in transparency and regulatory reporting issues in the financial services industry. At CSS, Marye focuses on financial regulations that affect fund managers and their operations worldwide and helps translate regulatory requirements into automated reporting solutions.
How has COVID and market volatility impacted sensitive industries?
MC: This is a question I have been asked a lot, and there has indeed been a lot of activity in this area in the last few months. Most prominently, foreign investment scrutiny, either under foreign direct investment (FDI) review regimes or national security reviews, have been expanded to deal with the perceived increased threat to critical national assets. The recent market volatility has raised an alarm with regulators who are concerned that some important assets could become distressed and then easily acquired cheaply by foreign investors.
To address that concern, regulators have done a number of things, including: 1) expanding foreign investment review regimes to include certain healthcare related sectors (e.g. in France and Germany); 2) expanding existing review regimes to bring more investment activity within scope of the review process (e.g. in Italy, new sectors were added and in Australia and New Zealand, previous monetary thresholds were temporarily eliminated) and 3) creating an FDI review system in some countries where one previously didn’t exist (e.g. Spain and Slovenia).
What are the typical challenges in monitoring sensitive industries?
MC: The number one challenge in monitoring sensitive industries is the breadth of coverage. The sheer number of industries that can be regulated and that have restrictions around them for all investors, or particular foreign investors, is challenging. The classic industries are defence or military, along with banking, media, energy (including both utilities and extractive industries such as oil and gas), transportation and technology. Recent legislation, especially in Europe, includes activities like the handling of sensitive personal data.
What that means for monitoring developments is that a wide range of laws are relevant, and there is no one consolidated place to go for information regarding sensitive industries. This is in contrast to shareholding disclosure or position limit monitoring, where there is often a single relevant piece of legislation that, while very detailed and nuanced, is manageable to monitor for developments. However, for sensitive industries, staying on top of developments in a particular country requires consulting several different pieces of legislation that are likely under the purview of several different regulators, or many different ministries. There are as many laws as there are industries to monitor, which means there are as many government bodies as there are industries to pay attention to. That is ultimately the number one challenge in monitoring sensitive industries.
Another challenge in this context is that we have this definitional issue with sensitive industries. For example, which issuers and activities fall within the scope of a particular industry restriction? Banking and other financial sectors are well-defined in most jurisdictions, especially in well-developed markets. But for other industries, and in most jurisdictions, there is often no definite list of issuers that are within scope of a particular industry regulation. That is the challenge. In these situations, we are relying on market practice and market data, namely industry codes classifications. However, these of course have not been validated by any regulator.
How are firms typically caught off guard by the complexity of sensitive industries?
MC: Where some can get caught off guard is that there are some very low thresholds in this sensitive industry context. Now, it is true that in this area we often see quite high thresholds. For example, reviews that are triggered when acquiring control or 50% shareholding in a company, and even the commonly found restrictions in the financial sector, such as the EU qualifying holding approvals, often start at 10% shareholding. But there are some notable exceptions in the financial sector such as the 1% post-notification requirement in China, for listed banks. Another example is the low thresholds in Italy. Shareholdings in certain types of bank are restricted to 1% and acquisitions in the defence sector are reviewable as from 3% shareholding.
How best can firms stay ahead of sensitive industries?
MC: As sensitive industries cover such a broad scope and are a rapidly changing area, it is wise to have monitoring tools and resources in place to stay on top of the fast-moving changes. That can be in the form of a dedicated compliance or regulatory team that is monitoring these changes around the world and has set up internal alerts. Firms can do it internally with their own team, manually setting up alerts to track these changes in different industries around the world.
Also, there are automated tools and platforms that are available to help you stay on top of these changes in real-time.
What do firms need to understand about the EU FDI Screening Regulation?
MC: There are a few important issues to note.
First is to understand the nature of the regulation. It is a coordination mechanism; it does not create any new obligations directly for investors. This contrasts with other regulations, for example the Short Selling Regulation.
The EU FDI Screening Regulation obligates the member states to exchange information about certain foreign investments coming into their countries and also to inform the European Commission. Even though the regulation does not create a direct legal obligation upon investors, investors will feel impacts of this regulation. For example, in March of this year, the European Commission issued guidance to member states about how they can best use their foreign investment screening rules to protect critical assets in the context of COVID-19. That is, in fact, what prompted the changes I mentioned in response to the first question. In Germany and France, the governments expanded their foreign regime to include certain healthcare sectors such as biotechnology and vaccines.
Investors can also be impacted as EU countries move to align their foreign investment regimes with the sectors identified in the FDI Screening Regulation. In addition to the tweaks made by France and Germany, we’ve seen a broader expansion of the existing FDI review system (Italy), and the creation of a brand-new investment screening regime, as in the case of Spain.
I expect that we will see more EU countries reviewing their national rules to better align them with the FDI Screening Regulation which means that investors should monitor national FDI rules to identify any shifts in scope and application of the national review system.
Are there any sensitive industries blindspots firms need to be aware of?
MC: From my research, I have seen certain industries pop up repeatedly across jurisdictions even though they are not as significant as some of the larger ones such as banking and media. A good example would be the lottery or gambling sector. I have also noticed that not every legal service provider covers that type of industry to the same extent, and I think it is important to be mindful of the less common industries that can show up.
What are the key considerations firms need to be aware of regarding sensitive industries?
MC: It’s important to remember that with sensitive industries, you have all the complexity and nuances from the long shareholding situation, but then multiplied by the number of industries and legal rules per industry given that there are multiple laws and regulations laying down these restrictions. All the tricky issues around securities within scope, voting shares vs. shares outstanding, aggregation and other distinctions exist for sensitive industries.
For more information on CSS’s Investment Monitoring solution, including Sensitive Industries, please email us at info@cssregtech. Our automated platform and our team of regulatory experts can help your firm stay ahead of regulatory changes across global jurisdictions, reduce risk and optimize operational efficiency.
*This article includes content derived from Rulefinder Shareholding Disclosure, the online legal service from aosphere LLP. We work with aosphere to source legal content for our rules engine.
An unusual data breach: One without actual theft and that hasn’t caused harm…yet!
A well-known New York-based financial institution is the most recent financial services firm to report a pair of data breaches to its brokers, clients, and Offices of States’ Attorneys General. The kicker here is that while they know some data has undoubtedly been lost, it is nearly impossible to identify what and how much data we’re talking about.
Here is what we understand about the breach:
In 2016, the firm had contracted with a third-party service provider to wipe (remove any trace evidence of) data from storage devices, such as hard drives, contained within two of its data centers that it decommissioned that year, before selling these storage devices to a computer hardware recycling company. It appears the vendor did not remove all of the data from the storage devices before the transfer of ownership to the recycling company, and certain data remained stored in an unencrypted format on some of these devices at the time of transfer. To be clear, the vendor was hired to wipe the data from the storage devices with the intention that they be used or sold again by the hardware recycling vendor.
Additionally, in 2019, one of the firm’s branch offices replaced an onsite server, which it later could not account for in inventory. Subsequent to decommissioning this server, and after learning that it could not be located, the server’s manufacturer informed the firm that a software flaw existed that could have allowed certain data to have been stored unencrypted on the server’s hard drives.
In short, due to a vendor’s failure to completely wipe data from old storage devices before re-use and a software flaw existing within a misplaced, decommissioned server, there are now multiple storage devices with unencrypted, unprotected personal information somewhere in the world. The number of devices in question and still in existence is unknown at this point.
Sensitive and confidential information, such as account numbers, account balances, social security numbers, and other personally identifiable information (PII), is generally stored encrypted. Encryption is the means of securing data by which plain text is converted into a scrambled ciphertext that can only be read by those with appropriate permissions. Sensitive and confidential data is typically stored encrypted because even if an unauthorized party were to gain access, without the decryption key the text would just look like a garbled mess. The data at issue on the missing storage devices is believed to have been stored unencrypted, meaning that anyone with access to any of these storage devices can potentially read the information stored on them.
A troublesome part of this particular breach is that it is very difficult (if not impossible) to know if or when any of the unencrypted information has been or will ever be accessed. Online account breaches can be pinpointed and confirmed because there are systems in place to log every action. There are no such systems to detect if one of these devices is connected to a computer system.
The firm appears to have known about both of these issues for over a year. Public commentary on the matter suggests many clients were not aware they had an account with the firm, as some had closed their accounts years ago and were questioning why the firm continued to maintain any of their information. Situations like this present compelling arguments for the existence of regulations such as General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), which afford individuals the right, subject to certain exceptions, to request their data be deleted from companies they no longer do business with.
The firm now faces a pair of lawsuits[1][2]. The lawsuits, both filed in federal court in New York at the end of July 2020, allege negligence on behalf of the firm and invasion of privacy due to the firm’s failure to confirm that all of the data had in fact been destroyed, potentially resulting in the exposure of customers’ personal information; and that the firm took too long to identify and notify affected parties of the breaches. Plaintiffs are seeking class action status on behalf of all affected parties.
The firm is offering free credit monitoring and fraud detection through a company that in 2017 reported its own data breach affecting over 147 million people. The irony of this is not lost on me.
This is not the first time this particular firm has been in hot water over not protecting its customers’ data. In 2016, the firm was charged with violating Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”) for, among other things, failure to implement sufficient authorization and access controls for two of its web portals, allowing one employee to misappropriate the personal information, including full names, account numbers and balances, and securities holdings information of approximately 730,000 customer accounts between 2011 and 2014. The firm was censured and fined $1 million in that instance.[3]
There are some things this firm could have done differently to ensure a different outcome, and hindsight is always 2020, but most of the issues here circle back to having appropriate policies, procedures, and controls in place for data and hardware destruction, asset inventory, and decommissioning hardware. Policies requiring vendors to attest to, or otherwise provide certification of, data and hardware destruction should be implemented. These types of policies hold vendors accountable for ensuring data is properly wiped and hardware is properly disposed of, and also provide an audit trail for firms to review. Maintaining and periodically reviewing asset inventories in conjunction with logs of decommissioned hardware helps to ensure that equipment no longer being used is properly decommissioned and any information stored on such hardware is properly handled. These policies and procedures serve more than to just satisfy regulatory requirements. They provide the blueprints firms rely on to securely dispose of data; they exist so that breaches like this don’t occur.
For more information on how you can keep your data secure, please contact our cybersecurity experts at: cybersecurity@cssregtech.com.
[1] https://classactionsreporter.com/wp-content/uploads/Morgan-Stanley-Unauthorized-Disclosure-of-PII-Complaint.pdf
[2] https://www.classaction.org/media/grossman-et-al-v-morgan-stanley-smith-barney-llc.pdf
[3] https://www.sec.gov/litigation/admin/2016/34-78021.pdf
Breakdown of OCIE’s COVID-19 Compliance Risks Alert
The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an Alert today regarding “Select COVID-19 Compliance Risks for Investment Advisers and Broker-Dealers.”
OCIE shared observations regarding six broad categories:
- protection of investors’ assets;
- supervision of personnel;
- practices relating to fees, expenses, and financial transactions;
- investment fraud;
- business continuity; and
- the protection of investor and other sensitive information.
The observations centered on oversight and controls, encouraging enhanced monitoring, additional training, and modifying and enhancing updates to policies and procedures. A major theme involves risks associated with remote personnel and remote locations, and the need for enhanced security measures. One example is enhancing security and support for facilities, including the integrity of vacated facilities.
The staff reminds firms of the obligation to protect investor personally identifiable information (“PII”), including potential vulnerabilities from videoconferencing while working remotely, use of web-based applications, increased use of personal devices, controls over records and sensitive documents, and remote access to firm systems. The staff encouraged firms to pay particular attention to risks regarding access to systems, as well as taking additional steps to validate the identity of the investor and the authenticity of disbursement instructions.
OCIE noted the impact of limited on-site due diligence reviews, communications outside a firm’s systems, market volatility and potential for increased misconduct. Other notable recommendations included:
- Modifying or enhancing existing policies to reflect current (changed) practices
- Enhancing monitoring regarding accuracy of fees and expense allocations
- Reminding investors to contact the firm by telephone about suspicious communications
- Providing additional training
- Conducting heightened reviews of access rights and controls
- Using encryption and multifactor authentication technologies
- Addressing cyber related issues related to third parties, also operating remotely
- Encouraging enhanced due diligence related to investment risks during times of crises or uncertainty.
The Risk Alert highlights examples of ways firms may wish to modify or enhance their procedures, enhance supervision and training, and steps to take to enhance protection of client assets and sensitive information.
For additional information, see the SEC Risk Alert or download our free BCP Checklist to do a retrospective on how prepared your firm was for COVID-19.
Are Investment Managers Going to Have More KIDs?
Let us be clear… we’re actually talking about the potential increase in production of point-of-investment disclosure documents for investment managers.
The complications and stress of Brexit just got a whole lot more real for many UK- and EU-based investment management companies that are subject to rules requiring production of the UCITS KIID (Key Investor Information Document) and the PRIIPs KID (Key Information Document). Why so? On the 30th of July, HMT published proposed plans to bring forward legislation to improve the functioning of the UK’s implementation of the PRIIPs regulation. There were two key points in the HMT plan:
- An indication that the ‘performance scenarios’ in the KID will be replaced with ‘appropriate information on performance’
- A proposal to statutorily extend (in the UK) the UCITS exemption in PRIIPs by up to five years – noting the current exemption expires on December 31st 2021, up to which point UCITS funds can use the UCITS KIID instead of the PRIIPs KID.
This update from HMT followed an announcement earlier in July where the EU’s ESAs informed the EU Commission of the result of the EU PRIIPs review following the consultation paper that they issued last year.
Only two of the three ESAs approved the proposed RTS, with the EBA and ESMA adopting it via a qualified majority, while in EIOPA the adoption proposal did not receive a qualified majority. The result is that the ESAs cannot formally submit the proposed draft RTS (which they published here) to the European Commission. There was broad support for the re-architecture of the PRIIPs performance scenarios to use past performance as outlined in the ESAs’ letter to John Berrigan at the Commission.
It would appear this clear divergence on PRIIPs is a signal of the way two regulatory regimes (UK and EU) will follow, post the failure to arrive at a declaration of equivalence in July.
Where does this leave UK and EU management companies? The quick answer is – a very tough spot. The reality is that most firms have cross-border distribution that means UK firms sell product in the EU, and EU firms sell product in the UK. Those products had a common rule book and a single set of documents to produce – be that the UCITS KIID or the PRIIPs KID.
Going forward it looks like the content of the PRIIPs KID will be different in UK vs. EU, while the expiration date for when UCITS KIID must be replaced by a PRIIPs KID will be different. As it stands, a cross border (UK:EU / EU:UK) firm would need to produce both a UCITS [UK flavour] KIID (or a PRIIPs [UK] KID) and an EU PRIIPs KID.
Not to be outdone, the US also looks to be getting in on the act. Before the SEC’s Chair Clayton departs for the DA’s office in New York, he announced that the agency voted 4-0 to propose a rule regarding pre-investment disclosure documents and client communications.
The proposed rule would lead to a new type of disclosure document that would be more visually engaging and concise in comparison to current shareholder prospectus documents. The new documents would contain particularly important information on the fund’s fees, expenses, performance and holdings. These changes sound suspiciously like a form of KID/KIID, albeit with an SEC mandated flavour to the content and analytics.
This is a lot to take in, and EU, UK and US managers are rightfully fearful of the impacts these changes will have. Divergence and conflict in regulation is never a good thing, and with the Brexit power struggle being played out in the halls of Brussels and Whitehall, the investment managers are the pawns in the battle.
The result could mean duplicated effort with cross-border products to try and satisfy two regimes with regulations that sound similar but are structurally different. It will lead to multiple documents being produced, where in the past there was one. How can management firms protect themselves? A key aspect of insuring against divergence is working with a vendor community that is acutely in tune with the path the various regimes are taking, that invests as heavily in regulatory knowledge as in technology, operates long- and short-range regulatory radar, and has a proven pedigree in the delivery of strategic platforms that are one step ahead of the next crisis.
For more information on how CSS can help navigate the complexities around global fund reporting, please email us at info@cssregtech.com.
Glossary:
- UK – United Kingdom
- EU – European Union
- UCITS – Undertakings for the Collective Investment in Transferable Securities
- KIID – Key Investor Information Document
- PRIIPs – Packaged Retail and Insurance-based Investment Products
- KID – Key Information Document
- HMT – Her Majesty’s Treasury
- ESAs – European Supervisory Authorities
- EBA – European Banking Authority
- ESMA – European Securities and Markets Authority
- EIOPA – European Insurance and Occupational Pension Authority
- RTS – Regulatory Technical Standard
- US – United States
- SEC – Securities and Exchange Commission
Do You Feel Confident Your Password Hasn’t Been Hacked?
As a cybersecurity consultant, I am often asked if some of the threats we industry practitioners talk about are overstated. Hyped up fear as a sales tactic. The simple answer is no. The fear is not overstated, and the risks are all too real – which helps to explain why cyber remains a top priority for financial firms. The risk really hits home when senior management realizes just how much exposure they have when their own data is sitting out there for the taking.
I am referring, of course, to our passwords – those sequences of text that give us access to our online lives. Everything from our corporate email to our social media accounts to our bank accounts and our Netflix accounts are accessible by usernames and passwords. If we’re lucky, we have multi-factor authentication enabled, although even that can be exploited and is not foolproof. But if our passwords are compromised, that second factor of authentication effectively becomes only one factor of authentication.
The fact is, as humans, we are inherently lazy. I don’t mean you, the specific reader of this post, but rather the collective “we” seems to prefer to create simple passwords and to reuse those same (or mostly similar) passwords across multiple sites. After all, we have so many passwords to remember right now, who can possibly keep track of them all? Wouldn’t it be easier to have one password, say your favorite sports team followed by a number, and just use that same password for your company email, your personal email, your social media accounts, your bank accounts, and your Netflix accounts? Why stop there? It would be even easier for us to use those same or similar passwords for every website where we have to create an account to access information, do online shopping, book travel, and go about our daily lives.
The problem is that many folks do just that. And data breaches of companies such as Target, Neiman Marcus, Adobe, LinkedIn, Marriott, and Yahoo, just to name a few, have left many passwords in the hands of hackers. Following a data breach of an entire company or even successful phishing attacks against individuals, hackers routinely post the credentials they have garnered in a seedy corner of the Internet called the dark web. There, hackers offer the credentials for sale in an online marketplace much like Amazon.
As part of CSS’s dark web monitoring cybersecurity service, we regularly find plaintext, unencrypted passwords of our clients out there on the dark web, and we provide prompt notification to our clients that their credentials have been compromised and a recommendation to quickly change their passwords. In addition to the unencrypted passwords we have been able to find for firms on the dark web, we have also been able to find many hashed passwords. Sometimes when a company’s database is hacked, the actual passwords aren’t compromised but the hashed versions of the passwords that were stored in the database are. A hashed password may look like gibberish, something like acbf7004dfa45def9397bbc00234dffab654. “Hashing” is a one-way process that takes a sequence of text (usually a password) and transforms it into a fixed-length digest (like the gibberish sequence of characters in the prior sentence) from which the original text cannot be directly recovered. If hashing algorithms are designed well, they should produce a unique sequence for a particular password. Encryption is a different process, a two-way process, where anyone with the right key can encrypt a message and decrypt it again.
A compromise of scrambled, “hashed” passwords of employees is still a cybersecurity risk for firms. Why? Because hashed passwords can sometimes be cracked. Depending on the hashing algorithm used (in other words, depending on how the password is transformed), it may be possible for hackers to easily determine what the underlying passwords are. Our team has been able to crack hashed passwords we found posted on the dark web, so we know the hackers can do it too. One password recently took less than 60 seconds to crack from that sequence of gibberish text into a six-character password. Other passwords sometimes take about 24 hours to crack. And hackers have all the time in the world.
In both examples above, the passwords were less than eight characters long. A short password, and particularly one that is just letters or numbers, can be cracked that easily.
Why can passwords be cracked?
The reason we are able to crack passwords so easily is that users rarely create passwords that are truly random when creating them on their own. So hackers can take a list of the most common few thousand or few million passwords, run them through the common hashing algorithms, and record the hash values that are output. They put these in a table. Then, if I find a hashed password value in a hacker chat room on the dark web, I can simply look it up in that table to try to find the matching password. Maybe I can decipher a few characters at a time by matching known hashes to known text. But eventually, and with sufficient time and sample sizing, the password can likely be deciphered. The closer your password is to a commonly used password, the greater the chances that the password, or at least a portion of it, can be uncovered. A quick search of the Internet shows numerous lists of common passwords.
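The lookup-table attack described above, and the storage practice that defeats it, shown in an added Python example (not code from CSS or from this post). It uses only the standard library; the six-entry wordlist and the "leaked" hashes are constructed here to stand in for a real common-password list and a real dump.

```python
import hashlib
import secrets

# Constructed stand-in for "the most common few million passwords".
COMMON_PASSWORDS = ["123456", "password", "giants1", "qwerty", "letmein", "summer2020"]


def build_lookup_table(wordlist, algorithm="md5"):
    """Precompute digest -> password for every candidate in the wordlist.

    This is the table the post describes: hash each common password once,
    then any leaked unsalted digest can be matched with a dictionary lookup
    instead of any further computation.
    """
    table = {}
    for pw in wordlist:
        digest = hashlib.new(algorithm, pw.encode()).hexdigest()
        table[digest] = pw
    return table


def lookup(leaked_hex_digest, table):
    """Return the matching password if the leaked digest is in the table, else None."""
    return table.get(leaked_hex_digest.lower())


def triage_dump(leaked_digests, table):
    """Defender's view of a dump: which of our users' hashes are trivially
    recoverable from the precomputed table? Returns {digest: password}."""
    return {d: table[d.lower()] for d in leaked_digests if d.lower() in table}


# Mitigation: a per-user random salt plus a deliberately slow key-derivation
# function (PBKDF2-HMAC-SHA256 from the standard library). With a unique salt
# per user, a single precomputed table cannot serve every account, and the
# iteration count makes each fresh guess expensive.
def hash_password(password, salt=None, iterations=600_000):
    """Return (salt, derived_key). A fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_password(password, salt, expected_dk, iterations=600_000):
    """Constant-time comparison of a login attempt against the stored salt + key."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(dk, expected_dk)


def salted_digests_differ(password, iterations=1_000):
    """Same password, two random salts: the stored digests never collide, which is
    exactly why one precomputed table cannot be reused across users."""
    _, dk1 = hash_password(password, iterations=iterations)
    _, dk2 = hash_password(password, iterations=iterations)
    return dk1 != dk2


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leak": unsalted MD5 of two common passwords plus one unknown digest.
    leak = [
        "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
        "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
        "acbf7004dfa45def9397bbc00234dffab654",  # the post's illustrative gibberish
    ]
    print("recovered from unsalted dump:", triage_dump(leak, table))
    salt, dk = hash_password("giants1", iterations=1_000)
    print("salted digest found in table?", lookup(dk.hex(), table) is not None)
    print("login check for 'giants1':", verify_password("giants1", salt, dk, 1_000))
```

Running it shows the two unsalted digests resolved instantly by table lookup, while the salted PBKDF2 digest of a wordlist password is not found in the same table.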
What we can do about it?
So back to the hype and fearmongering. Unless you have been living under a rock, I hate to be the bearer of bad news, but your passwords are out there on the dark web. They may be your old passwords. Some of them may be current. But with enough samples of your passwords, hackers can put together a fairly comprehensive profile of how you tend to create passwords. Dark web monitoring helps us all be a little more proactive, informing us right away when our passwords have been compromised and posted to the dark web hacker channels. With the dark web monitoring we perform for our clients, the value lies not only in identifying compromised credentials so that clients can change their passwords before the hackers use those logins against them, but also in being able to tell CCOs, CTOs, and CISOs that some of their employees are using company email accounts to register for personal websites, or are creating very poor passwords which put the firm at risk.
Contact CSS at cybersecurity@cssregtech.com for a dark web monitoring assessment to put you back in the driver’s seat about keeping your passwords safe.