If you were confused about what exactly was stolen in 2022’s LastPass breach – join the club. I think much of the confusion is stemming from the damage control LastPass is attempting to do around their massive data exposure that happened in August and was revealed to the public in December. We know that much of the info that was stolen was unencrypted – login names, email addresses, URLs, etc. and there was some debate as to whether or not the hackers stole encrypted data that contained actual passwords. I’ve had several folks tell me point blank that the passwords weren’t exposed and that LastPass is still safe. Well, guess what – we can put that misconception to bed now. LastPass has dropped another bombshell – one of their devs got hacked and the hackers used the dev’s compromised home computer to gain access to LastPass’s Amazon secure cloud storage to steal the encrypted password vaults of 30 million customers.
What this means for you
There’s a whole lot of gobbledy-gook in the LastPass release – it reads like technical explanations filtered through an army of lawyers and PR flacks (because it was), and beats around the bush on the most important part: LastPass is confirming that Hackers have exfiltrated everyone’s encrypted password vaults – and as I have been warning you about since I learned about this – it is only a matter of time before someone brute-forces their way into someone’s encrypted vault and is rewarded with the password trove within. And they have all the time in the world to do this, which means you have much less time to change any passwords that were stored in LastPass. Hackers will target high-value password vaults first – they will look for ones that have lots of bank account logins or other potentially lucrative access points, but you can bet they will put computers to grinding out every single vault, big or small – because they can, and they have the resources to make this investment pay off.
Stop reading. Go change your passwords.
Image by Gerd Altmann from Pixabay
Late in the year, just in time for the holidays, LastPass released more information about the security breach they experienced in August of 2022. And as could be expected, it wasn’t good news. It wasn’t the worst news, but in my estimation, it’s still going to create a lot of headache and work for their customers, some of whom are using their service based on our recommendation. C2 uses LastPass internally but not to store client passwords, but regardless we will be migrating away from them as soon as practically possible.
What this means for you
If you’ve read their statements regarding this security breach you might be under the impression than your passwords are safe. The encrypted vault that was stolen was a backup of customer data from September 22, 2022. If you started using LastPass after that date, you are not part of the breach and you are actually in the clear (for the moment). If you’ve been using LastPass before that date, it’s highly likely that hackers have access to your encrypted passwords. Per LastPass, if you choose a strong master password, those passwords are relatively safe. However, given enough time and computational resources, any encryption can be broken, so the clock is ticking on how long they will remain encrypted. It’s more important that you should know that each password’s associated login name and URL were also captured in the data stolen and those important bits weren’t encrypted. This gives hackers many more points of data to hone their phishing attacks and will result in highly targeted, realistic phishing emails that purport to be from services you actually use, utilizing specific information you will recognize, to lend credibility to fake emails. Given that it is definitely easier to trick humans than to crack 256-bit encryption, we’re banking on the fact that everyone, not just our clients will be facing numerous phishing attempts in the coming year. What can you do to combat (I do not use that word lightly) this?
- Any passwords stored in LastPass should be changed. If you have lots of passwords stored, this may take some time, but it will be well worth it.
- Any opportunity you are given to utilize multi-factor authentication to further protect an account should be taken.
- Review your master password. If it is not complex and/or easily guessable, you should change it. Be careful! If you mess this process up and lose your master password, they will not be able to recover it. You will have to abandon the account and the data within.
- Regard emails received from your known services very carefully, especially if it results in a login prompt or a password inquiry. Phishing emails are getting very sophisticated. If you receive an email that looks legitimate, don’t use the links embedded in the email regardless. Hand-type the URL of the service you need to use into your browser or use a favorite/shortcut you created to get to the website. Make sure you don’t mistype the URL – there are plenty of fake domains created specifically to capture mistyped URLs. Don’t search for the website using your browser – this can also lead to fake websites if you aren’t paying close attention.
- Consider moving to a different password management platform. Industry opinion is mixed on whether or not LastPass was using best-in-class technology and methodology to store your data at the time of the breach, but they are being widely criticized for their lack of transparency and urgency in addressing the breach. Understand that with a breach on this scale, multiple lettered agencies will be involved as well as numerous lawyers, so transparency will always suffer in these types of matters.
If you have questions about how you might be impacted by this breach, or what your company can do to implement password management at an organizational level, please give us a call or send us an email. We can provide a platform that can provide secure password sharing for you and your co-workers that is also administered and supported by C2.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
For those of us who’ve been using computers in the workplace for more than a decade or longer, we have frequent “Pepperidge Farm moments” about technology (and other stuff too, let’s be honest!) but for good reason. How many of you have been grinding through emails for the better part of a Monday morning, gathering up a pile of work, and when you go to open that attachment (which you know is safe, right?) and instead of getting to work, you get password checked. More often than not, if you are from my generation or possibly older, you’ll grind your teeth while looking up those credentials and reminisce about those halcyon days when apps just opened and let you get to work. They didn’t need constant updates, repairs and password checks. You opened them, did your work, and maybe left them open for days at a time, because they didn’t need to be relaunched three times a day just to keep it functioning.
Get off my lawn?
I know that joke doesn’t play as well for the younger crowd, but while they are quietly chuckling about our obsession with ancient technologies like email, they too are subject to the same plague of passwords and the various hoops we all have to jump through in our current technology age, and they don’t have those yesteryears to view through nostalgic glasses. Those bygone days may have seemed glorious; some of us remember when your appliances didn’t need Bluetooth to wash clothes, or doorbells needing WIFI to work properly, or needing a phone app to get a date. But those were also the days when pregnant women drank and smoked, kids rolled around in the backseat or cargo space without seatbelts, and computers (and ourselves) weren’t connected to the internet all the time.
The internet is and will be a permanent part of our culture, business and human progress, whether we like it or not. It has allowed us to globalize and democratize in a way that eclipses every other technology before it, but as I have mentioned before, not without a razor-sharp edge that cuts both ways. The rise of cyberthreats have forced our technology tools (and toys!) on a security march at a pace that no sane consumer finds comfortable, and the only way technology companies can keep us (moderately) safe and stay profitable (and therefore viable) is to move their pricing models to subscription-based services to support the constant development costs. Which also means for the foreseeable future you are going to have to regularly prove you have the right to use the technology to which you subscribe. The only way passwords go away is if we find a better way to authenticate you as you, and so far, even though the need and the threat has existed for well over a decade, no one has found a better, cost-effective solution than the password.
Image by Gerd Altmann from Pixabay
Don’t let down your guard yet, but it would seem that hackers are focusing their efforts on targets with deeper pockets than you or I. Sinclair Broadcasting is the latest infrastructure victim to have their operations significantly disrupted by a ransomware attack that took dozens of televisions stations completely offline for hours in various markets across the country. As one of the largest media companies in the US, Sinclair owns and operates nearly 300 stations in the US, and according to unverified reports from inside sources at Sinclair, many of the stations are connected via a common Active Directory structure that allowed attackers to jump from station to station, encrypting servers and paralyzing the the affected station’s ability to broadcast any of its regularly scheduled programming.
What this means for you
Sinclair doesn’t own any stations local to Southern California as far as I can tell, so most of us probably went about our weekend blissfully unaware that a ransomware attack locked down an undisclosed number of stations. Though they as of yet have not released specifics, it’s possible they are the latest victims to run afoul of a new RaaS (Ransomware as a service) called BlackMatter which, perhaps not coincidentally, has also shown up in a new advisory from CISA, the FBI and the NSA that warns of threat actors using the new platform to target critical infrastructure, including two recent attacks on agricultural targets in the US. While these attacks may not impact you or I directly, infrastructure attacks are definitely worthy of our attention as they can and will cause widespread disruption to activities and services we take for granted, and in some cases like hospitals or law enforcement agencies could actually be life-threatening. And here’s something you may not have considered – each of these attacks most likely started with and individual getting tricked into giving up a password that gives the hackers a toehold, and that is all they need. Unfortunately, in this increasingly complicated technology landscape it is becoming ever more difficult to keep passwords safe, mainly because we are always being asked for them. How many times a day are you confronted with a password request that makes you question it’s legitimacy? It’s a challenge to keep up with technology on a good day, but when the hackers have you on guard 24/7, you really can’t afford to not pay close attention.
Unfortunately, there isn’t any silver bullet or magical tip I can provide to help you here. It’s most important to know where and when a service might ask for a password, and how to recognize legitimate requests based upon having more than just a passing familiarity with applications and services that require passwords that protect sensitive data or privileged access. If anything, err on the side of not entering a password if you aren’t 100% certain. Additional protection will come from using multi-factor wherever it is made available to you, and of course, using unique, hard to guess passwords for all your important services.
Warning: this article will melt your brain. Consume in small portions and rest frequently. Or skip to the end for the simple advice.
In the not so distant past of technology, the account name you used to access your service or software was usually a single word. Sometimes it was your name, or some variation of first initial and last name, or it was something you got to choose like “soccermom72” or “sunnysdad” or “bruins4ever” etc. As online services grew in popularity and the number of people needing accounts exploded, most service providers realized they no longer needed you to pick a name (and suffer through finding one that wasn’t already taken) as you were already providing them with a unique identifier, so they got rid of all the “catmom2013” ID’s in favor of using your email address. From a technical perspective, this makes perfect sense, but for many users, this can lead to confusion and frustration if you aren’t keeping careful track of your passwords, or worse, using the same password for everything.
When an email address is more than just an email address
Microsoft, Apple and Google are the primary causes of email-as-account-name confusion, especially if you’ve created an account with those services using an email address that has nothing to do with any of those providers. For example, when setting up a new Windows computer, one of the first things it does is ask if you have a Microsoft account, and if you don’t (or think you don’t) it asks you to put in your email address and it will create one for you. So you put in your email address that you’ve had for years (something-at-aol-dot-com?) and the set up process has you create a password for this new account. Many people misread this prompt as “enter your current email” password, and don’t realize Windows is actually asking you to create a new password for your new Microsoft account, but also, typing in your email password (Twice? Why is it asking me to enter it twice?) works, because as far as Microsoft is concerned, your current email password will also work as your new Microsoft password. Do you see where this is going?
So now you’ve got a new Microsoft account that uses your email address and password as the login. “Convenient,” you think. “One less password to remember.” Until you need to change your email password because maybe it got hacked, or your IT consultant warned you to stop using it. Whatever, you’ve changed your email password. Then you go to log into your Windows computer, which is using that same password, right? Wait. Why isn’t this new password working? I just changed it and I know I wrote it down correctly! OK, I’ll try the old one. Why is that working? But the old password doesn’t work for my email now? WHAT IS HAPPENING?!?!
For most folks that don’t daily marinate their brains in technology, it’s a common mistake to think that using your email address for an account name confers global login capabilities to your services with your email address and password. It does if you use the same password and never change it, but the moment any of the services insist on a password change, confusion is imminent. And here’s something that will really bake your noodle: if you set it up right, your email credentials can actually do this with a lot of services and keep in sync with password changes! But it has to be a certain type of email address (Microsoft, Google or Apple powered) and the services all have to have that capability (usually labeled as “login with your XXXX account”). This was a very popular authentication method in the early 20-teens, but once major password leaks started occurring, more services were shying away from “single sign-on” as folks were having their entire online lives stolen with a single password. In reality, most people will have a mixture of single sign-on services and regular logins, all using their email address as the login name. And if they don’t make a point of recording passwords used with particular services (especially if those services don’t ask for passwords often), human memory will just mash all of it together under “email address and this password.” Even writing it down is confusing sometimes, especially if you look back later at your notes and see the following, “Microsoft account uses Gmail address and this password,” or “Google account uses my AOL email address as login.” Wait, my email doesn’t come from Google, it comes from AOL, doesn’t it?!?
What’s the solution to this madness? Password trackers and unique passwords, and understanding that just because an account is using your email address as a login, it doesn’t necessarily mean that it’s using the same password. In fact, if you are “doing it right”, nothing should have the same password unless you are using a collection of services that are designed specifically to authenticate against email services that provide single sign-on capabilities. Still confused? You are in good company. Just take good notes, track your passwords, and make sure you have C2 on speed dial when things get weird.
Image by Gerd Altmann from Pixabay
I’ve mentioned the breach monitoring service “Have I Been Pwned” several times in past articles, and it continues to be a valuable service in finding out if any of my credentials have been exposed in any of the numerous breaches that have occurred over the past 7 years, as well as any new breaches that occur going forward. What’s disheartening for folks like me who have a keen interest in cyber security is that though this service is free, Have I Been Pwned only has 2M subscribers, out of a possible 3.6B unique email addresses in their database, meaning that less than 1% of potential users are utilizing the service. Hopefully that will change now that both web browser Firefox and password manager 1Password will start to heavily feature HIBP lookups directly in their interfaces.
What this means for you
Because they know I manage many hundreds of passwords as part of my business, my clients always ask me which password manager I use. Unfortunately for them, I can’t recommend Passpack, primarily because it isn’t designed for the average consumer. In the past, I’ve recommended LastPass or Dashlane, but with 1Password’s built-in integration of HIBP look-ups and wide availability on all major platforms, it seems like an obvious recommendation, to the point where I am considering migrating our business password management to them. Keep in mind that it’s not free, but there are family and team plans in case you feel like leading the way for your corner of the internet.
I’m also asked frequently about which web browser to use. Up until recently, I was a huge Google Chrome advocate, and I still use it on a regular basis on one of my laptops, but I have recently switched to Mozilla Firefox as my main workhorse browser, primarily for the expanding set of security and privacy features like the above-mentioned HIBP integration and Firefox’s own identity containers which can help to stop advertisers from snooping your cookies and history while you surf the web. It’s also very fast and a bit better at managing its RAM usage, unlike Chrome and Microsoft’s Edge, both of which are notorious memory hogs. If you are considering switching to Firefox, keep in mind that there are still some sites and services, especially in-house business solutions that may not run consistently, so always know where your Internet Explorer and Chrome shortcuts reside in case you need to fallback to another browser. Fortunately all three can safely co-exist, so it’s worth giving it a spin.
Finally, if you haven’t added your email address to Have I Been Pwned, you really should, even if you are afraid of what you might find out. The initial dismay is worth the longer-term gains in security.
It’s a new year, and I’m sure every one of us made at least one small promise (if only whispered to ourselves at 12:01am on Jan 1) to be better or do better at something this year. I can help you out with an easy one that will definitely improve your security profile, and I’m pretty sure a safer you = a more healthier you (at least digitally).
Let’s talk about the foundation of personal security: the Password.
Change that password. You know the one. The one you use everywhere. Change it! Make it hard. There are dozens of methods for coming up with one. Here’s one:
- Pick your favorite quote (or one you have memorized), use the first letter from each word. How about, “Twas the night before Christmas” which gives us “Ttnbc” – 5 characters, a good starting point.
- Randomize the capitalization in a way you can remember. How about reverse camel caps? “tTnBc”.
- Since we need 8 characters minimum, let’s add two numbers, and since we’re talking about Christmas, let’s add “24” on the end (or the beginning, it doesn’t matter).
- And we need a special character, how about the “@” symbol which looks like a Christmas ornament.
So now we have “@tTnBc24”. You’ll remember it because you created a small story behind the password, which will make it memorable. But Chris, you always say to use a unique password for every account! No problem, here’s how you do that, while still making every password you create memorable:
- For every unique account password you need to create, pick a string of 3 or 4 letters based on the name of the account (however you remember it, company name or type) – let’s say the first 3 letters, and always use the same rule. So for your Chase bank account, you’d add “Cha” somewhere to the password, either beginning or end.
- Before you tack it on the end of the password, pick a symbol that will act as the glue (or divider) between your specific account divider, let’s just say “+” because that makes sense right?
- Now you have “@tTnBc24+Cha”.
Use the above method for the accounts you access frequently, but don’t want to lower your security because of how valuable they are. Examples should include your email account (especially the one you use to send password resets/reminders to), anything that is attached to your money, accounts that has sensitive private information like insurance websites, and, most importantly, all of your social media sites, especially any in which you interact with friends and family.
If you are wondering if a password you’ve used in the past has been exposed, you can check https://haveibeenpwned.com if you know the email address to which the account was attached. This website is essentially a giant database of all the known data breaches over the past couple of years. If your email address raises a red flag, you should change the password you used for that account, especially if you used that same password elsewhere.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite the imminent arrival of Windows 10, thousands of businesses and organizations around the world continue to cling to Windows XP. In the business world, this position is increasingly dangerous to a company’s bottom line for a variety of reasons, but for the world’s most (arguably) powerful navy, it could be downright dangerous. The US Navy is actually paying Microsoft nearly $10M to continue to support and patch the expired OS, which was officially “put out to pasture” over a year ago. With over 100K Windows XP computers powering critical systems, the Navy still has a tremendous undertaking to phase the (un)dead OS out of daily operations.
What this means for you:
In a broader sense, it’s disheartening (and a little frightening) to think that our shores are being defended by warships powered by a 14-year old operating system, but the government, like our aircraft carriers, have never been capable of quick maneuvering, so this should come as little surprise to anyone. The fact that many businesses still heavily rely on XP despite repeated warnings from just about everyone in the industry is indicative of a larger problem, which is partly the industry’s fault, as well as a certain willful blindness we all share.
From an IT perspective, we’ve historically done a poor job preparing everyone for the security issues we now face, perhaps relying too heavily on tools and fixes, instead of emphasizing education and reforming business thinking. From an individual (and probably first-world) perspective, we’ve allowed ourselves to become increasingly reliant on technology to accomplish even the most basic tasks, and have built complex technological systems that support our daily lives that most of us can barely comprehend, let alone troubleshoot. A simple password hack can turn into a life-altering identity theft only because most of us fail to truly understand how everything is intertwined, and our personal veils of security are only as strong as the weakest password in your entire collection. The same can be said of your technology infrastructure: you are only as strong as the lowliest of forgotten XP machines on your network, and that isn’t very strong at all, regardless of how much you pay Microsoft.
Laptops and cellphones were once the sole domain of high-powered business executives, but thanks to the proliferation of high-speed internet and falling hardware prices, they are pervasive not only in professional environments, but in just about any walk of life. As you can probably guess, this also means an exponentially expanded attack surface for cyber criminals who are no longer focusing on traditional targets. Anyone who has a bank account or credit history is a potential victim, and younger targets can be exposed to potentially dangerous privacy invasions. Rather than enumerate the various ways in which your security and safety could be violated (we all have enough nightmares as it is), I’d like to focus on some positive actions you can take to make your mobile, digital life safer and more secure.
- Password protect your devices.
Even the most careful professional will misplace their mobile device on occassion. While passwords won’t stop determined hackers, it will keep most everyone else out until it can be recovered or remotely wiped. Laptops normally do not have remote wiping capabilities, so don’t stop at just a password for protecting these types of devices.
- Use built-in apps, or purchase location-tracking software.
Late-model Android and iOS devices have location tracking and recovery capabilities built-in, but they must be enabled. You can add location tracking or a “phone-home” program to your laptop, but it requires the device to be connected to the internet in order for it to report its location.
- Don’t store sensitive information on mobile devices.
With any portable device, the chance of it falling into the wrong hands is high. If you don’t have an IT department managing your device and controlling what can be stored on it, you should inventory what is stored on the device (sensitive client info, photos, personal financial data, passwords) and consider whether you need that information to be stored on that device. If you do, make sure you observe #4.
- Encrypt any storage media.
All late-model Android and iOS devices have the capability to encrypt all data stored on the phone. It’s on be default on iPhones, but must be enabled manually on most Android devices. If you have to store sensitive data on your mobile device, make sure encryption is enabled and working. While it’s not completely necessary to encrypt your entire laptop hard drive, it is possible, and many financial service firms require it on their laptops. At minimum, store your sensitive data in an encrypted partition or folder, or on an encrypted thumb-drive.
- Back up your data.
Do I even need to qualify this particular practice? Backups should be stored separately from the hardware being backed up. It should be transmitted and stored encrypted if it’s internet/cloud based. It should be as frequent as the minimum period of data loss you are willing to lose, e.g. if you can’t stand to lose an hours worth of work, your backups should run on an hourly basis. Be aware of the performance hits this may have on your hardware and network bandwidth.
- Hide devices in parked cars or take them with you.
Mobile device thefts from parked cars is consistently at the top of all loss categories. Thieves know to target cars coming and going from office parks, universities, airports, and the retail/service businesses near these locations. Before you drive away from your work location to a Happy Hour or a quick bite or some grocery shopping, stow your laptop bag in the trunk or hide it in a hard to access part of the car. Don’t do this when you reach your destination, as the thief may already be there, watching for someone to do just that. If you can’t secure it or hide it properly, take it with you.
- Add a leash.
If you are highly mobile and work from many locations, it’s easy to misplace your smaller electronics, and sometimes even laptops. Add a colorful leash to your thumb drives so you don’t forget them, and maybe even consider the same for your phone if you are prone to misplacing it. If you have to take your laptop bag with you to a place where you don’t plan to use it (because of #6), attach the strap to something you will be using at that location, whether it be to your jacket or purse, or even to your leg if you are sitting in a location with lots of noise or distraction. It’s easy to forget work-related tools when you are focused on non-work activities.
- Be less conspicuous.
In open public places with crowds, conspicuous use of expensive mobile devices will flag you as a target for bold thieves. I’ve talked with victims whose laptops were pulled right out from under typing hands in a sidewalk cafe or picnic table, and have read numerous reports of smartphones and tablets being grabbed in broad daylight. If you want to work on your device in a busy environment, keep one eye on your surroundings, and place yourself and your device in a position where it will be less easy to snatch by a fleet-footed thief.
- Educate your friends and family.
Even though you may be cautious and secure, the people around you can undo your careful preparations with carelessness or even well-meaning intent. Be mindful of everyone around you who might not be as savvy as you in technology, and choose carefully how you interact with them via email, social media, and even device sharing. Work laptops are notorious for being infected by family members who don’t have the same security concerns as you do. Quieting a young child with your smartphone may seem like a good idea at the time, but maybe there is some other way you can entertain them that doesn’t involve your work phone.
- Report thefts/losses immediately.
Eventually, it will happen. Whether the device is stolen, damaged or infected and compromised, you should work immediately with the appropriate authorities and professionals to make sure you limit the damage, both to you and your organization, as well as any customers or clients who might be affected. Don’t wait.
Security firm Hold Security LLC is reporting that a cache of 360 million account credentials are up for sale on the black market. Of the 360 million identities, 105 million of them may be from a single data breach, the size of which rivals Adobe’s breach (153 million) from October 2013. Also on sale are 1.25 billion email addresses, a veritable treasure trove for spammers. In this particular case, the account credentials up for sale seem to be mostly comprised of account logins and unencrypted passwords, an important distinction as any buyer can immediately start using the data versus spending time unencrypting passwords.
What this means for you:
Given the sheer volume of account credentials compromised it’s highly likely one or more accounts you use is somewhere on that list, as well as the passwords associated with those accounts. According to Hold Security, they believe the organizations from whom this data was stolen are still unaware of the breach, so it’s even more likely you will be the last to know if you have been compromised. Rather than waiting around, I recommend changing your passwords on all your important online accounts to much stronger, randomized ones, such as can be created and managed by programs like internet-based LastPass or Passpack (my personal choice), or if you prefer to keep your passwords closer to home, desktop programs like Roboform or 1Password.
Image courtesy of Creativedoxfoto / FreeDigitalPhotos.net