This post is related to the 12/28/16 Ars Technica article – Did my account actually get hacked? Hard to tell, even after Netflix’s “heads up”.
The author of the above article describes his experience receiving an email alert from Netflix warning about a potential compromise of his Netflix credentials. Not to spoil a good read, but the author's point of confusion is that Netflix advised its customers to reset their passwords without any apparent security breach or other explanation.
What is Netflix Telling Us?
There are a couple of hypotheses about what might have happened, and even more are offered by readers in the article’s comments section. VeriClouds has worked with numerous companies on risk mitigation for the prevention of account takeover attacks.
Based on that experience, I review what the Netflix warning message tells us about their methodology. I also provide insight into a better way for companies to analyze exactly which credentials have been compromised and communicate that effectively with their customers.
Compromised Credentials Strategy – Let’s Break it Down
Netflix is using leaked credentials from data breaches at other organizations. In an email sent to subscribers in the first week of June, they said: “We believe your Netflix account credentials may have been included in a recent release of email addresses and passwords from an older breach at another company”. This notice was sent right after the leaked LinkedIn credentials were released.
Netflix is taking a proactive approach to protecting their users. This is without question the right strategy.
Why is it important to warn users?
- People reuse passwords across online services. The authentication systems of many of those services check the user name (UN) and password (PW) plus some session data, typically collected by the SIEM (Security Information and Event Management) system, such as the current IP, last log-in IP, time, OS, browser name, browser version, and other information they can gather during the session. All of this extra information can be spoofed by a sophisticated attacker who holds the correct UN and PW.
- Companies feel vulnerable to leaked credentials attacks. The corporate concern over leaked personal information is because attackers can use those credentials to bypass security checks to compromise corporate data.
- Online services also feel vulnerable to leaked credentials attacks because attackers can use the credentials to move beyond the sandbox of a single account and compromise the service itself.
It seems there may have been a miscommunication between the Netflix security team, which detected the leaked credentials, and the PR and customer service teams. The core of the issue is that it is difficult to convey to users that Netflix itself was not breached, but that hackers nevertheless possess their Netflix credentials because they hacked a different service.
I suspect that Netflix did not compare the complete credential sets (user name and password) of the leaked credentials with those of Netflix’s customers. Most probably they only compared the email user names. As a result, a large number of Netflix customers whose credentials were not actually at risk also received the warning message.
The more thorough and effective method, recommended by VeriClouds, is to compare the User Names and the Passwords between the compromised accounts and the accounts of the customers you are protecting. This produces a more accurate list of the impacted users.
The reason this is not common practice is that it is difficult to use passwords in the comparison. Leaked credentials are usually hashed and in many cases encrypted. To perform the comparison, the company must crack the hashes (or decrypt the ciphertext) to recover the plaintext passwords, then hash each recovered password with the same method used for its own customers’ credentials, including that customer’s salt if the scheme uses per-user salts, and compare the result against the stored value.
If Netflix had done the full user name and password comparison described above, they could have sent emails only to the customers whose Netflix credentials completely matched the leaked credentials. This would have avoided the confusion pointed out in the article.
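The following is an added example (written for this post, not Netflix’s or VeriClouds’ code) that works through the comparison just described. It assumes the third-party dump holds unsalted SHA-1 hashes, that our own customer store uses per-user salts with PBKDF2-HMAC-SHA256, and that a small word list is enough to crack some of the leaked hashes; all emails, passwords and the word list are constructed sample data. It contrasts the email-only match (which over-alerts) with the full credential match, and separately reports the customers whose leaked hash could not be cracked, since those can be neither confirmed nor cleared.

```python
import hashlib
import hmac
import os

# --- Constructed sample data (not real breach data) -------------------------

def sha1_hex(pw: str) -> str:
    """Hash scheme assumed for the *other* company's leaked dump: unsalted SHA-1."""
    return hashlib.sha1(pw.encode()).hexdigest()

# Leaked dump as a third party would publish it: (email, hash) pairs.
LEAKED_DUMP = [
    ("alice@example.com", sha1_hex("summer2016")),
    ("bob@example.com",   sha1_hex("correct horse battery staple")),
    ("carol@example.com", sha1_hex("Tr0ub4dor&3")),   # not in our word list: uncrackable here
    ("dave@example.com",  sha1_hex("letmein")),        # not one of our customers
]

# Tiny cracking word list (constructed). Real work uses hashcat/john and large lists.
WORDLIST = ["password", "letmein", "summer2016", "correct horse battery staple", "qwerty"]

# Our own customer store: per-user random salt + PBKDF2-HMAC-SHA256 (assumed scheme).
PBKDF2_ITERATIONS = 100_000

def make_record(email: str, password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"email": email, "salt": salt, "hash": digest}

CUSTOMERS = {r["email"]: r for r in [
    make_record("alice@example.com", "summer2016"),      # reused password: truly at risk
    make_record("bob@example.com",   "something-else"),  # same email, different password
    make_record("carol@example.com", "Tr0ub4dor&3"),     # reused, but we cannot prove it
    make_record("erin@example.com",  "letmein"),         # not in the dump at all
]}

# --- The comparison ---------------------------------------------------------

def crack_unsalted_sha1(dump, wordlist) -> dict:
    """Dictionary attack on the leaked hashes. Unsalted hashes mean one SHA-1 per
    word cracks every account using that word. Returns {email: plaintext}."""
    lookup = {sha1_hex(w): w for w in wordlist}
    return {email: lookup[h] for email, h in dump if h in lookup}

def verify_customer(record: dict, candidate: str) -> bool:
    """Re-derive with *our* scheme (our salt, our KDF) and compare in constant time.
    Our stored hashes never need to be cracked; one KDF call per candidate suffices."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])

def email_only_matches(dump, customers) -> list:
    """The naive check: everyone whose email appears in the dump. Over-alerts."""
    return sorted({email for email, _ in dump if email in customers})

def triage(dump, customers, wordlist):
    """Full credential match. Returns (confirmed, unresolved):
    confirmed  - email matched AND the cracked password verifies against our record
    unresolved - email matched but the leaked hash was not cracked, so no verdict"""
    cracked = crack_unsalted_sha1(dump, wordlist)
    confirmed, unresolved = [], []
    for email, _ in dump:
        if email not in customers:
            continue
        if email in cracked:
            if verify_customer(customers[email], cracked[email]):
                confirmed.append(email)        # bob falls through here: no alert
        else:
            unresolved.append(email)
    return sorted(confirmed), sorted(unresolved)

if __name__ == "__main__":
    print("email-only matches:", email_only_matches(LEAKED_DUMP, CUSTOMERS))
    print("full matches / unresolved:", triage(LEAKED_DUMP, CUSTOMERS, WORDLIST))
```

Note the asymmetry the example relies on: the leaked side has to be cracked because we do not know the plaintext, but on our side each cracked password costs only one PBKDF2 computation against the matching customer’s record, so a strong KDF on the customer store is no obstacle to this comparison. Cracked plaintexts should live only in memory for the duration of the check and never be written to the alert pipeline.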
The confusion is not as benign as it seems. A confusing security alert message is, in fact, dangerous: it cannot be acted on and is frequently ignored.
Security alert messages must:
- Target only the impacted users
- Be based on the most accurate analysis techniques
- Include an explanation of the reason for the alert message
- Include the rationale for the action recommendations
VeriClouds utilizes leaked credentials as part of our penetration testing methodology. We are able to compare user names and passwords as recommended in this article, and as a result we have had great success using leaked credentials in our penetration testing assignments with our clients.
VeriClouds serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture. We have domain expertise in several vertical industries. Our industry-specific methodologies and assessments are aligned with our core competencies:
- Account Security
- Penetration Testing
- Social Engineering