Archive for Specops

Specops Now Offered Through GuidePoint Security

Posted in Commentary with tags on July 10, 2025 by itnerd

Specops Software has announced a strategic reseller partnership with GuidePoint Security, the leading cybersecurity solution provider that helps organizations make better decisions to minimize risk. Through this partnership, GuidePoint Security’s customers have the opportunity to further strengthen their cyber resilience through password protection and end-user verification.

Specops Software is a leading provider of identity management and authentication solutions. Its products help organizations enforce secure password policies, strengthen user verification, and defend against credential-based attacks. Specops is part of Outpost24, which offers industry-leading Attack Surface Management solutions that help security teams stay ahead of emerging threats. Together, they support thousands of organizations worldwide in identifying, protecting, and monitoring digital risks.

16 billion passwords leaked – how much is recycled data? 

Posted in Commentary with tags on June 24, 2025 by itnerd

Researchers recently uncovered a (seemingly) unprecedented aggregation of roughly 16 billion username–password pairs. However, there’s been some debate around how much of this is recycled data versus new. Similar to the Rockyou2024 password list and ALIEN TXTBASE data dump, Specops Software analysts found that this 16 billion passwords leak isn’t as concerning as initial headlines suggested. Having said that, this is still a noteworthy password list and organizations should remain wary of the risk of breached credentials.

This analysis looks at how this list was discovered, provides an investigation of how many of these credentials are actually new, and offers best practices for how organizations should respond. 

The full report can be found at this link: https://specopssoft.com/blog/16-billion-passwords-leaked/

Specops Secure Service Desk Now Supports Entra ID, On-Prem and Hybrid Customers

Posted in Commentary with tags on June 3, 2025 by itnerd

Specops Software, an Outpost24 company and leading provider of password and identity management solutions, has announced that its Specops Secure Service Desk for Cloud now supports native Entra ID, including on-premises and hybrid, enabling cloud-based organizations to verify the identity of callers to the service desk using stronger authentication methods that minimize the risk for user impersonation. Currently Microsoft does not offer built-in identity verification for users contacting the service desk. Specops Secure Service Desk solves this problem by verifying users when they contact the service desk, now including cloud-only environments. 

In recent months, many high-profile organizations, including British retailer Marks & Spencer (M&S), have been targeted in sophisticated social engineering attacks that specifically target service desk agents. The “Scattered Spider” threat group, thought to be behind the attack on M&S, as well as the 2023 MGM Resorts hack, has repeatedly demonstrated that the service desk is a prime social engineering target that can cause a lot of disruption for organizations. The M&S attack, for example, is thought to have led to an estimated $402 million profit hit for the retailer, with some customer data stolen. As a result, the UK’s National Cyber Security Centre has specifically urged organizations to review and harden their help-desk password reset workflows to stop similar manipulations before they can escalate into full-blown ransomware or extortion events, with other government cyber organizations globally likely to follow suit.

Verifying the identity of callers to the service desk is just as critical for cloud-only customers as it is for on-prem organizations. An organization’s service desk agents need reliable tools to verify the ID of callers, for the following reasons:

  • Remote and hybrid working drives increased call volumes: If users are still calling the service desk with problems, service desk agents are at risk of social engineering.
  • Digital transformation adoption outpaces user training: Fighting against sophisticated and quickly evolving social engineering tactics is a complex task if service desk agents are not supported with the right tools.
  • Service desks are an easier avenue of attack than passwords: Threat actors know it’s easier to attack the service desk than crack strong passwords or bypass MFA – this attack route won’t disappear.
  • Evolving tactics aided by artificial intelligence (AI): Deepfakes and social media reconnaissance can render traditional verification methods ineffective. 

About Specops Secure Service Desk

Specops Secure Service Desk enables customers to increase their service desk security with stronger authentication methods that minimize the risk for user impersonation. Identity verification options range from mobile or email verification codes, to commercial authentication providers such as Duo Security, Okta, Symantec VIP, PingID and YubiKey. These authentication options are paired with technical enforcement of the ID verification, blocking agents from proceeding with the caller’s request until authentication through the platform is completed. Secure Service Desk also integrates with a multitude of ID services and other service desk systems, such as ServiceNow and Jira.

Specops Secure Service Desk is available to Entra ID only organizations (or those planning to move there soon), as well as on-prem and hybrid organizations, today. For more information, visit: https://specopssoft.com/blog/secure-service-desk-for-cloud

New Specops Research: FTP Ports Under Attack: Which Passwords are Hackers Using

Posted in Commentary with tags on May 13, 2025 by itnerd

A just-published Specops Software Research Report reveals passwords being used to attack FTP ports over the past 30 days, in live attacks happening against real networks.

The Specops Software research team found the most common passwords being used in brute force attacks, as well as the frequencies of password lengths and complexities.

This research coincides with the latest addition of over 133 million compromised passwords to the Specops Breached Password Protection service. These passwords come from a combination of our honeypot network and threat intelligence sources.

To view the full research report, please see “FTP Ports Under Attack: Which Passwords are Hackers Using”.

Specops Analysis: Marks & Spencer Hack – Active Directory & Service Desk Security Lessons

Posted in Commentary with tags on May 7, 2025 by itnerd

The significant cyberattack on British retailer Marks & Spencer highlights the growing impact of sophisticated ransomware attacks on major corporations – as well as the ongoing need for strong Active Directory security.  

Specops Software has analyzed the attack in an updated post, “M&S ransomware hack: Active Directory & Service Desk security lessons”.

The first critical lesson is that Active Directory (AD) environments must be treated as crown jewels and defended accordingly. While attackers getting access to the NTDS.dit file is obviously a serious breach, if your passwords are strong (long, not using common base words, not using existing breached passwords) it can still be quite expensive for an attacker to brute force those hashes to learn the users’ actual passwords. There also needs to be a focus on detecting and containing lateral movement in the event of a breach. Implementing certain measures will harden Active Directory environments against both offline-hash cracking and the misuse of elevated credentials—two of the primary enablers of the M&S attack. 

To view the full Specops Software analysis, please see the report “M&S ransomware hack: Active Directory & Service Desk lessons”, which includes a summary of the attack, how it happened, who Scattered Spider is and what can be learned from the attack.

Scattered Spider service desk attacks: How to defend your organization

Posted in Commentary with tags on May 7, 2025 by itnerd

Scattered Spider is a disparate hacking collective that has surged to prominence by using sophisticated social engineering tactics. One of their key tactics is exploiting people – specifically, corporate service desks. They’ve recently hit the headlines by allegedly duping an IT help desk at Marks & Spencer into resetting a password that let them breach internal networks.

Today, Specops Software has published an analysis on Scattered Spider service desk attacks including a timeline of major attacks. Think: MGM Resorts, Caesars Entertainment, now M&S, Harrods, and Co-op. The deep dive also covers the why behind Scattered Spider’s attack of choice, the how, and finally what organizations can do to protect themselves on the service desk front.

For full details, the analysis can be read here: https://specopssoft.com/blog/scattered-spider-service-desk-defense-tips/

Could the Spain and Portugal blackout have been a cyber-attack? 

Posted in Commentary with tags on April 29, 2025 by itnerd

‘Cyber-attack’ was the phrase on many people’s minds when large parts of Spain and Portugal were recently plunged into a blackout. Authorities are investigating the root cause, with early reports suggesting a technical malfunction caused by a ‘rare atmospheric phenomenon’. However, there has been speculation (yet to be ruled out) that a cyberattack could be to blame.

Specops Software today published a blog diving into the possibility that the widespread power outage across the Iberian Peninsula could be due to a cyber-attack. 

Questions asked include: 

  1. Why was a cyber-attack initially suspected in the blackout in Spain and Portugal?
  2. Why would hackers target a country’s energy grid?
  3. What are the signs of a cyber-attack on a power grid?
  4. Could weak passwords play a role in power grid attacks?
  5. Cyber-attack or cautionary tale?

For full details please see the analysis at this link: https://specopssoft.com/blog/spain-portugal-blackout-cyber-attack

A Deep Dive into Behavioral Biometrics Authentication – Are these methods more secure than passwords?

Posted in Commentary with tags on April 24, 2025 by itnerd

Most people are pretty familiar with biometrics at this point. You scan your thumbprint, iris, or face as a way of identifying yourself and accessing a device or application. It’s a simple but effective way to add an extra security factor on top of a password or one-time passcode. But what if we could go a step further and identify someone through their behavior? 

This week, Specops Software published an analysis on behavioral biometric authentication methods as well as their security efficacy in comparison to a more traditional method — passwords. 

The analysis looks at common types of biometrics, recent innovations to this technology, and the advantages of biometrics for end users and organizations alike. The piece also dives into how hackers might exploit behavioral biometrics and whether these are more secure than passwords, and how. 

The full report can be read here: https://specopssoft.com/blog/behavioral-biometrics-authentication-passwords/

ALIEN TXTBASE data-dump analysis: Dangerous or junk?

Posted in Commentary with tags on March 28, 2025 by itnerd

Today Specops Software published an analysis digging into the ALIEN TXTBASE data-dump, which was recently merged into the HaveIBeenPwned (HIBP) dataset by Troy Hunt.

As with the Rockyou2024 data dump last year, Specops Software researchers found that this dump isn’t quite the mega-leak it was initially hyped as. The ALIEN TXTBASE dump contained a pretty standard distribution of base words, passwords, and lengths – essentially a lot of people’s local password stores. There was a non-zero amount of junk, Telegram URLs, and other stuff mashed in there too. It’s clear this is someone collecting and processing a lot of stealer logs into one.

However, 20 million of the breached passwords were new to the Specops Breached Password database. 

For the full findings, the analysis can be read here: https://specopssoft.com/blog/alien-txtbase-data-dump-analysis/

Which passwords are attackers using against RDP ports right now?

Posted in Commentary with tags on March 18, 2025 by itnerd

A new research report reveals the 10 most common passwords attackers are using and analyzes their wordlists for the most common complexity rules and password lengths. A similar analysis was completed in 2022, so this research is now refreshed and up to date for 2025. The launch of the report also coincides with the latest addition of over 85 million compromised passwords to the Specops Breached Password Protection service. These passwords come from the Specops honeypot network and threat intelligence sources.

The key points in the report are:

  • 85 million compromised passwords added to Specops Breached Password Protection
  • Top 10 passwords being used in honeypot attacks
  • Welcome1 is an interesting one—emphasizes the need for secure employee onboarding as new passwords are set and maybe never changed, making them an easy target for attack
  • 24% of all honeypot attack passwords are solely numbers
  • Enabling push-spam resistant MFA to RDP connections adds a layer of protection, even if the password was to be breached
  • Keep Windows servers and clients patched and up to date to protect against CVEs 
  • Check for misconfiguration – ensure the TCP port 3389 is using an SSL connection and isn’t exposed directly to the internet 
  • Limit the range of IP addresses that can use RDP connections 

You can read the report here.