Happy Monday, and welcome back to Roadmap to Securing Your Infrastructure. Last week, we covered the importance of password policies and some points that should be covered by those policies. Hopefully, I was able to convey the importance of policies, and this is now on your to-do list or, better yet, on your to-done list! As this week’s title suggests, we’re going to identify how we can be proactive in identifying compromised passwords in an effort to head off attackers using them to breach our infrastructures.

Be proactive, not reactive

How can we be proactive, you ask? I’m sure you’ve heard of the website HaveIbeenpwned created by Troy Hunt. It’s a great resource for identifying compromised accounts, which includes their passwords. As of the writing of this article, HaveIbeenpwned (HIBP) has a list of 6,474,028,664 compromised accounts. That’s right — over 6 1/2 billion (with a B) accounts. Is that not mind-blowing? Why not take advantage of all that data to see if any accounts using your organization’s emails have been compromised?

Keep in mind, if an email from your organization is on a list, it doesn’t necessarily mean your organizational email account was compromised. It simply means an account somewhere in the world was using an email address associated with your organization, and that account was compromised. We also know people like to reuse passwords, which is a huge no-no, but we cannot guarantee James in accounting didn’t use his work email for his Staples.com account as well as the same password as he uses at work.

Using Have I Been Pwned in the enterprise

So, let’s dig in and do some searching! HIBP is kind enough to offer a special signup page to search by entire domains at no cost. That website is here. I would highly recommend you sign up and have all domains owned by your organization checked. When you receive the results, you can inform those with compromised accounts so they know to change those passwords — and it would be a good idea to remind them to go ahead and change their organization password as well.

So, that takes care of our organization’s domains, but there’s more we can do. Since executives are often targets of spear phishing or whaling attacks, it’s probably a good idea to check their other accounts if they’ll let you.

This would include their personal email account addresses and any other email addresses they use in other ventures. Just let them know you are not asking for the password, but simply need the email addresses to check for signs of compromised accounts. If you receive pushback, so be it. You tried! I came across a nice Bash script from Michal Szalkownski (I must give credit where credit is due) and decided to include it here. You simply put the emails you want to check in a text document and run the script against the text file, and it will output whether or not each email address has been pwned. The script and its usage are as follows:

#!/usr/bin/env bash
# Check a single address, or every address listed in a .txt file, against HIBP.
ARG=$1
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'
NC='\033[0m'
function pwned {
    local email=$1
    # Only the HTTP status matters: 200 = found in a breach, 404 = not found.
    statusCode=$(curl --write-out '%{http_code}' --silent --output /dev/null "https://haveibeenpwned.com/api/v2/breachedaccount/$email")
    if [ "$statusCode" == 200 ]
        then
            echo -e "${RED}Oh no — pwned! ${email}${NC}"
        elif [ "$statusCode" == 404 ]
        then
            echo -e "${GREEN}Good news — no pwnage found! ${email}${NC}"
        else
            echo -e "${YELLOW}Error (HTTP ${statusCode}) ${email}${NC}"
    fi
}
# [[ ]] is required here: inside single brackets *.txt would be glob-expanded.
if [[ $ARG == *.txt ]]
  then
    for FILE in "$@"
    do
        while read -r email
        do
            [ -z "$email" ] && continue   # skip blank lines
            pwned "$email"
            sleep 2                       # stay under the API rate limit
        done < "$FILE"
    done
  else
    pwned "$ARG"
fi

Once you paste this into a file and name it pwned.sh, you’ll need to make sure it’s executable, which can be done with the command chmod +x pwned.sh. Now, simply run the script followed by an email address or the path of a text file containing a list of email accounts, like so:

./pwned.sh emails.txt

./pwned.sh user@domain.com

That’s it. A simple way to test a list of email addresses to see if they’ve been compromised. If they have, you’ll want to alert the account owners about the threat and again recommend changing the passwords. If you’re interested in using scripts in other languages such as Python or PowerShell, check out all of these options!
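As an added example (not from the original post or from the script’s author), here is the same breached-account check in Python against HIBP’s current v3 API, which unlike the v2 endpoint above requires an API key in the hibp-api-key header and a User-Agent. It also handles the 401 (no key) and 429 (rate limit) answers the bash script reports only as “Error”; the default User-Agent string and the HIBP_API_KEY environment variable are assumptions of this example.

```python
# Added example, not from the original post: the bash check above, in Python,
# against HIBP API v3 (which requires an API key and a User-Agent header).
import os, sys, time
import urllib.error, urllib.parse, urllib.request

API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

def classify(status):
    """Turn the endpoint's HTTP status into a verdict for the account owner."""
    return {200: "pwned",          # listed in at least one breach
            404: "clean",          # no breach found for this address
            401: "unauthorized",   # missing or invalid hibp-api-key
            429: "rate-limited"}.get(status, "error")

def http_status(email, api_key, user_agent="pwned-check-script"):
    """Real network call: return the HTTP status code for one address."""
    req = urllib.request.Request(API + urllib.parse.quote(email),
        headers={"hibp-api-key": api_key, "user-agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_emails(lines, fetch, pause=1.6, retries=3):
    """Check each non-blank, non-comment line; fetch(email) -> HTTP status.
    A 429 answer is retried with a growing pause instead of being reported."""
    results = {}
    for raw in lines:
        email = raw.strip()
        if not email or email.startswith("#"):
            continue
        verdict = "rate-limited"
        for attempt in range(retries):
            verdict = classify(fetch(email))
            if verdict != "rate-limited":
                break
            time.sleep(pause * (attempt + 1))
        results[email] = verdict
        time.sleep(pause)   # HIBP enforces a per-key rate limit
    return results

if __name__ == "__main__":   # usage: HIBP_API_KEY=... python3 pwned.py emails.txt
    key = os.environ["HIBP_API_KEY"]
    with open(sys.argv[1]) as fh:
        checks = check_emails(fh, lambda e: http_status(e, key))
    for addr, verdict in checks.items():
        print(f"{verdict:13} {addr}")
```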

What are you waiting for?

I hope you see the value in being proactive when it comes not only to passwords but to security in general. There’s no need to sit back and wait for something bad to happen when we have ways to prevent the attacks from occurring in the first place. That wraps up this week’s post, and I’m looking forward to hearing your thoughts on these topics. See you next week!
