Plain English cybersecurity advice in 3 articles, 2 numbers and 1 action.

This week: LastPass was under attack but it shouldn’t matter. iPhones were under attack, but it didn’t matter. And Elves are under attack, but they don’t matter.

This week’s action: Your New Year’s Resolution should involve small but frequent action.


Three Articles


1: LastPass was under attack, and why it should not matter.

“Password manager app LastPass said [on December 28th] that a threat actor has launched a credential stuffing attack against its users in an attempt to gain access to their cloud-hosted password vaults. [..] A credential stuffing attack is when hackers take username and password combinations leaked through data breaches and attempt to use them at other online services, hoping that some users reused credentials across different sites.”

I am not sure why this attack has made the news. I assume LastPass and other password managers are attacked every day.

In any case, it should not matter if:

  1. You use a unique password on each of your most important accounts (and your password manager account is certainly important), and
  2. You use Multi-Factor Authentication / 2FA, so a password is never sufficient to gain access to your account.
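As an added illustration (not from the newsletter, and not LastPass's own code or log format), here is the kind of check a service's defenders run to spot the attack described above. Credential stuffing looks different from a user mistyping their own password: one source tries many different usernames, roughly one attempt each. The example below scores constructed log lines in a hypothetical `key=value` format, flags sources that try many distinct accounts in a short window, and lists any successful logins inside such a burst, since those are exactly the accounts where a reused password worked and only MFA stands between the attacker and the vault.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log in a hypothetical "key=value" format (not a real product's format).
# 203.0.113.5 sprays a leaked username/password list: many DIFFERENT accounts, one try each.
# 198.51.100.7 is an ordinary user mistyping their own password a few times.
SAMPLE_LOG = """\
2021-12-28T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2021-12-28T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2021-12-28T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2021-12-28T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2021-12-28T10:00:03Z ip=203.0.113.5 user=erin result=SUCCESS
2021-12-28T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2021-12-28T10:00:10Z ip=198.51.100.7 user=grace result=FAIL
2021-12-28T10:00:15Z ip=198.51.100.7 user=grace result=FAIL
2021-12-28T10:00:22Z ip=198.51.100.7 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Parse one hypothetical log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Flag source IPs that try many *different* usernames within a short window.

    A single user fumbling their own password hits the same username repeatedly and
    is not flagged. Returns {ip: {"distinct_users": n, "at_risk_logins": [users]}},
    where at_risk_logins are accounts that logged in successfully inside a burst
    (i.e. a leaked, reused password worked and MFA is the remaining control).
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it is within window_seconds of evs[end].
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            if len(users) >= min_distinct_users:
                at_risk = {e["user"] for e in window if e["result"] == "SUCCESS"}
                prev = alerts.get(ip, {"distinct_users": 0, "at_risk_logins": []})
                alerts[ip] = {
                    "distinct_users": max(prev["distinct_users"], len(users)),
                    "at_risk_logins": sorted(set(prev["at_risk_logins"]) | at_risk),
                }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} distinct accounts tried; "
              f"successful logins to review: {info['at_risk_logins']}")
```

On the constructed sample only 203.0.113.5 is flagged (six accounts in four seconds), and `erin` is listed as the account to review: her password was apparently reused from a breach, so it was the second factor, not the password, that decided whether the attacker got in. The thresholds (`window_seconds`, `min_distinct_users`) are assumptions to tune against real traffic.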

Read more:


2: Apparently, selling software that can hack an iPhone doesn’t matter. Until you use it to hack US diplomats.

“[A]bout two years after the sales pitch [to the son of Uganda’s president], someone deployed Pegasus [software sold by NSO Group] to try to hack the phones of 11 American diplomats and employees of the US embassy in Uganda. [..] It is not clear who tried to hack the US citizens.

[..] NSO has always told its customers that US phone numbers are off-limits. [..] Putting NSO, one of the jewels of Israel’s tech community, on a US blacklist was designed to “punish and isolate” the company. [..] After spending a decade in the favor of the Israeli government, NSO now finds itself as an irritant in relations between Israel and the US.”

Read more: via


3: An Elf on the Shelf does not matter.

“An expert with the American Civil Liberties Union (ACLU) has raised concerns that the custom in which parents hide the [Elf on the Shelf] doll in the home in the days leading up to [Christmas] could be normalizing the idea of surveillance by authorities.”

Until this year, I successfully blocked all requests for an Elf to be allowed into our home. My response that ‘you will never be watched by outsiders when you are within the safety of these four walls’ was deeply principled. And duly ignored. I came home a few weeks ago to find an Elf occupying some prime shelf space in the living room.

I still have a deep dislike of the Elf on the Shelf concept. And yet, I willingly have an Alexa speaker in our kitchen.

In my warped risk-vs-reward evaluation, it appears fictional Elves are bad but real-world surveillance is fine.

Read more:


Two Numbers


1: 7%

On average, 7% of a firm’s cybersecurity budget will be spent on security awareness training, according to a ‘Security Priorities Study’ by CSO magazine. This compares to 20% of the budget being spent on on-premises infrastructure and hardware.

As the article states: “Spending doesn’t necessarily equate to security”.

Read more: via


2: 0

On a scale of 0-10 (with 10 being ‘losing my mind with the stress of it’), my level of concern about recent reports that LastPass was subjected to a credential stuffing attack = 0.

One Action


1: New Year’s Resolutions

It’s that time of year when we fool ourselves into thinking we will do better next year.

To increase the chance of actually sticking to your security resolutions, commit to doing one small thing each week. By the end of the year, you will have 52 fewer weaknesses in your defences.

‘Small’ depends on your current baseline.

  • If you are starting from scratch: it could be setting up multi-factor authentication or setting a long and unique password on an important account.
  • If you are a little further ahead: it could be something from My Guide to the Basics.