Plain English cybersecurity advice in 3 articles, 2 numbers and 1 action.
This week: Why use a password manager, what is SIM swap fraud, and why does DeFi defy logic?
This week’s action: Put at least some of your eggs in one basket.
>>>>> THREE ARTICLES <<<<<
1: Password managers: Is putting all your eggs in one basket a good thing?
When I suggest to a client that they should use a password manager to reduce the risks of a password-related breach, I often face resistance. There is an understandable reluctance to put all of our eggs in one basket.
After all, if a hacker figures out the password for our password manager account, they will gain access to all of our other passwords. Also, a password manager is just another piece of software, and no software is completely secure.
This short video from CyberHoot does a good job of acknowledging those risks, but explains why, for most people most of the time, the risks of using a password manager are lower than the risks of not using one.
Read more: https://www.youtube.com/watch?v=ENWQlJ7Ptwk&t=211s via https://cyberhoot.com
2: Human defences failed
Insurance Journal discusses a recently-published memo that reviews how three significant ransomware attacks in 2021 succeeded.
“In all three costly attacks, the cybercriminals appear to have exploited ‘small failures’ in security systems. In the case of Colonial, the attack started with a single stolen password for an old user profile. In the case of JBS, the failure was an old network administrator account that had not been deactivated and had a weak password. CNA’s attackers convinced a single employee to accept a fake web browser update from a commercial website. [..] Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education.”
I have highlighted the key points above. The most interesting phrase is ‘small failures’. I think this should be ‘simple failures’.
For most of us most of the time, it is the simple things that catch us out.
Read more: https://www.insurancejournal.com/news/national/2021/11/29/643569.htm via https://securethevillage.org/news
3: SIM Swap Fraud and Two-Factor Authentication
ENISA (The EU Agency for Cybersecurity) recently released information that explains how cyber attackers will try to get around your use of Two-Factor Authentication by taking control of your mobile phone number.
The technique (called ‘SIM Swap Fraud’) involves the attacker fooling your mobile phone provider into routing phone calls and SMS text messages sent to your mobile phone number to the attacker’s phone. Most importantly, this will include the security codes that your online service providers send to you as SMS text messages.
This is why using an authenticator application (e.g. Google Authenticator; LastPass Authenticator) is more secure than relying on security codes sent via SMS text message. Even if the attacker takes over your mobile number, they won’t have access to the codes in your authenticator app.
Most online services now allow you to use an authenticator application and many no longer support the use of SMS security codes. There are some notable exceptions – Shame on you, PayPal.
Read more: The ENISA leaflet for the general public can be downloaded at https://www.enisa.europa.eu/publications/how-to-avoid-sim-swapping-leaflet. A more detailed explanation of SIM Swap Fraud is provided at https://www.enisa.europa.eu/news/enisa-news/beware-of-the-sim-swapping-fraud.
>>>>> TWO NUMBERS <<<<<
1: $55.4 million
Ransomware payments totalling USD $55.4m were made by three US companies after they were infected with ransomware, according to the Insurance Journal article that I mentioned earlier.
Two of the attacks succeeded because of weak / stolen passwords associated with old accounts. The third succeeded because a staff member was fooled into downloading a malicious software update, and had the necessary access permissions to install the software on their device.
Three successful attacks. Three effective security measures to stop such attacks:
- Disable accounts when they are no longer in use.
- Train staff about how they will be targeted.
- Restrict the ability to install software on devices. (I discuss the separation of ‘privileged’ and ‘standard’ accounts in the Cyber 3-2-1 action @ https://codeinmotion.ie/cyber321-20211015/)
Read more: https://www.insurancejournal.com/news/national/2021/11/29/643569.htm via https://securethevillage.org/news
2: $12 billion
“So-called DeFi protocols have lost $12 billion to date due to theft and fraud. Losses in the first roughly 10 months of this year reached $10.5 billion. [..] The relative immaturity of the underlying technology has allowed hackers to steal users’ funds.”
DeFi may stand for Decentralised Finance, but why people trust many of these platforms defies logic. (Thank you, thank you, I’m here all week.)
Read more: https://arstechnica.com/information-technology/2021/12/hackers-drain-31-million-from-cryptocurrency-service-monox-finance/ via https://securethevillage.org/news
>>>>> ONE ACTION <<<<<
1: Password Managers: Think about it.
If you have not adopted a password manager, have another think about it.
As acknowledged in the Cyberhoot video, there are risks associated with using a password manager. But there are ways to mitigate the risks. For example:
- You can use multi-factor authentication on your password manager account, so the attacker needs more than just your password to gain access.
- You can use a “zero-knowledge” password manager. If the software got hacked, it is not a foregone conclusion that your passwords would be exposed.
If you still shake at the thought of putting ALL your passwords into a password manager, why not start with the passwords of your less-critical accounts?
By doing this:
- You will only need to remember a smaller number of passwords.
- When you need to remember fewer passwords, you will be more likely to use unique passwords on your critical accounts.
- You will be less likely to reuse a password on those sites which you also use on your important accounts (e.g. email; online banking; social media).
- You will benefit from the convenience of the password manager’s ‘create a secure password’ functionality, so you won’t need to try to formulate a new secure password every time you sign up to a new service.
- You will benefit from the convenience of the password manager’s autofill functionality, so you won’t need to type in the passwords to these sites anymore.
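Two of the points above, the “zero-knowledge” design and the ‘create a secure password’ button, are easier to trust once you see the mechanics. The following is an added example of my own, not code from LastPass or any other product: the master password is stretched with PBKDF2 and split into an encryption key that never leaves the device and a separate authentication key that is the only password-derived value the server ever receives. The server stores just a salt, a hash of the authentication key and the encrypted vault, so a breach of its database hands over nothing usable. The encrypt-then-MAC construction built from HMAC-SHA256 is an illustrative stand-in for a real AEAD such as AES-GCM (the Python standard library ships no block cipher); the iteration count, names and sample vault are assumptions for this example.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

ITERATIONS = 200_000  # PBKDF2 work factor chosen for this example, not a product value


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password once, then split it into two unrelated keys.

    enc_key  - used only on the device to encrypt/decrypt the vault.
    auth_key - the only password-derived value ever sent to the server.
    Knowing auth_key (or its hash) gives no way back to enc_key."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"server-authentication", hashlib.sha256).digest()
    return enc_key, auth_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stand-in for a real cipher, see lead-in.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(enc_key: bytes):
    # Separate keys for confidentiality and integrity (encrypt-then-MAC).
    return (hmac.new(enc_key, b"stream", hashlib.sha256).digest(),
            hmac.new(enc_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> bytes:
    stream_key, mac_key = _subkeys(enc_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(enc_key: bytes, blob: bytes) -> bytes:
    stream_key, mac_key = _subkeys(enc_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # wrong key or tampered vault: refuse, never guess
        raise ValueError("vault authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(stream_key, nonce, len(ciphertext))))


def generate_password(length: int = 20) -> str:
    """The 'create a secure password' button: CSPRNG draws from a large alphabet,
    retried until every character class is present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in string.punctuation for c in candidate)):
            return candidate


def register(master_password: str, entries: dict) -> dict:
    """Client side: build the record the server stores. It holds no plaintext and no enc_key."""
    salt = os.urandom(16)
    enc_key, auth_key = derive_keys(master_password, salt)
    return {
        "salt": salt.hex(),
        "auth_verifier": hashlib.sha256(auth_key).hexdigest(),  # server keeps a hash, not auth_key itself
        "vault": encrypt_vault(enc_key, json.dumps(entries).encode()).hex(),
    }


def unlock(record: dict, master_password: str) -> dict:
    """Client side: re-derive both keys, prove auth_key to the server, decrypt locally."""
    enc_key, auth_key = derive_keys(master_password, bytes.fromhex(record["salt"]))
    if not hmac.compare_digest(hashlib.sha256(auth_key).hexdigest(), record["auth_verifier"]):
        raise PermissionError("server rejected login")
    return json.loads(decrypt_vault(enc_key, bytes.fromhex(record["vault"])))


def server_learns_plaintext(record: dict, entries: dict) -> bool:
    """True if any stored password is visible in what the server holds (it should never be)."""
    stored = json.dumps(record)
    return any(pw in stored for pw in entries.values())


if __name__ == "__main__":
    # Constructed sample vault for the demo (not real credentials).
    entries = {"forum.example": generate_password(), "shop.example": generate_password()}
    record = register("correct horse battery staple", entries)
    print("round trip ok:", unlock(record, "correct horse battery staple") == entries)
    print("server can read a password:", server_learns_plaintext(record, entries))
```

Note what a breach of each side gives an attacker: the server’s copy yields ciphertext plus a hash that cannot be turned back into the encryption key, and the device’s copy is useless without the master password, which is why multi-factor authentication on the account and a strong master password remain the two things that matter most.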
Personally, I have used LastPass for many years.
PS Don’t tell anyone but I will admit that a few of my most critical passwords are still not stored in my password manager, although hints to help me remember these passwords are. Despite the facts, I still have not put every single one of my important eggs in one basket. But as I sit here in my ivory tower, I am working through my irrationality.