Shape Security introduces tool to blunt impact of stolen password caches

Shape Security is a company you may never heard of, yet it’s been around for five years and its founders include former Googlers and DoD officials. Their products provide the primary line of defense for applications at some of the top companies the world and they’ve raised $106 M.

Today, the company released Blackfish, a product that could help blunt the impact of stolen password caches from massive breaches like Yahoo (the mother of all breaches), Adobe and Home Depot to name but a few examples.

Typically, we’ve seen companies try to locate stolen passwords on the “Dark Web,” the black market of the internet, and set up warning systems when those passwords show up. While that may seem like a logical approach, Shape CTO Shuman Ghosemajumder, who ran click fraud prevention at Google from 2003-2010, says it actually doesn’t make a lot of sense for criminals to place these important assets where they can be found by corporate trackers.

“If you are going to Dark Web and finding credentials, it sounds like leading edge, but tons of companies are trying to do this and cyber criminals are aware of this,” he said. Once they have reached the public marketplace, he says, chances are the hackers have sucked the value out of them.

“It’s that time window before a password gets released where it’s most valuable and most dangerous. where you can take over accounts on banks, airlines [and other high-end targets] and people aren’t aware they are compromised,” he said.

That’s where Blackfish comes in. It’s designed to stop an approach called ‘credential stuffing.’ This involves taking the stolen passwords, and instead of trying them one at a time, writing a script and testing millions of usernames and passwords. “When users have the same passwords on both systems, you can compromise a large number of accounts,” Ghosemajumder explained.

He said that typically a good haul is in the 1-2 percent range, but when you have a million passwords, that adds up pretty quickly. “In the past hackers used simple scripts to do brute force attacks. Now they are using AI-based simulation tools to take a million passwords to make it look like a million real users.”

Blackfish looks for the credential stuffing activity — talk about anomalous behavior — and when it detects it, stops it and marks the passwords as compromised. What’s more, the company is creating a network of customers using the system to create a collective defense system against this approach.

And what’s to prevent Shape from getting hacked and having the stolen passwords stolen again? Ghosemajumder says the company actually anticipated this and created “bloom filters,” which are often used in search, but which his company is using in a security context. It’s essentially a mathematical representation of the information, so that even if a hacker compromised the system, there would be no useful data.

Blackfish is available on a subscription basis either as an appliance or cloud service.