Per a recent updated report from the FBI and CISA, the telecomm hacks that had been previous announced (and most likely missed amidst the election and holidays) are now being regarded as much worse than previously thought, and that there is no anticipated ETA as to when the hackers can be evicted from the various compromised infrastructures. As such, the FBI and CISA are recommending everyone avoid unencrypted communications methods on their mobile devices, which includes SMS messaging between Android and Apple phones, and carrier-based cellular voice calls (which have never been encrypted).
What this means for you
If you are like 95% of the world, you are probably thinking, “Well, if China wants to know about the grocery list I texted to my spouse, they are welcome to it,” or “I’ve got nothing to hide,” or even more naively, “I’ve got nothing worth stealing.” Most people do not consider just how much they communicate via unsecured text – banking two-factors, prescription verifications, medical complaints to doctors, passwords to coworkers, driver’s license pictures, credit card pins – the list is endless, and extremely valuable to threat teams like Salt Typhoon, the APT allegedly behind this huge compromise. The reason that this is a big deal is that we as a society (at least in America) have grown overly comfortable with this lack of privacy, and on top of that, the market has encouraged a fractured and flawed approach to communications between the various community silos we have created for ourselves online. What you might not know is that messaging from iPhone to iPhone, and Android to Android, are fully encrypted, as well as messages in WhatsApp, Facebook Messenger and Signal, but as you consider your circle of family and friends, how many of them are on the same platform and use the same messaging apps to communicate? How many of your two-factor codes arrive via SMS?
To address this latter issue, you should move any multi-factor codes to an app like Microsoft or Google Authenticator (if the platform even allows it – many banks do not yet support apps). This process will be painful and tedious, but probably most important in terms of improving your personal safety. The messaging problem is not so “easily” solved at least from a friends and family perspective, but for business communications, you should consider moving everything to a platform like Microsoft Teams, Google Workspace, Slack, etc. And stop sharing passwords via text. More information to come as we learn more about the severity of this telco hack.
Image Courtesy of Stuart Miles at FreeDigitalPhotos.net
Ever since they were hacked in 2023, genetics and ancestry website 23andMe has been more or less moribund, going from a high of $16 per share to $0.29 today and the resignation of their entire board of directors last month. When we last wrote about them in December of last year, the beleaguered DNA testing company had to revise their initial statement about only getting a “little” hacked (1.4M records) to admitting that they got majorly hacked (6.9M records). As you can imagine, this didn’t bode well for their marketability.
Why are we talking about them again?
It’s been nearly a year since the initial data breach, and judging by the lack of faith the recently departed board of directors had in the company’s founder, they aren’t likely to return to full potential any time soon, if ever. If you were one of the millions of people that sent them your DNA to analyze, you’ve probably already reaped whatever benefits (positive and negative) you will likely get from 23andMe, but they may not be done making money from your data. While they claim that much scientific good has been generated if you were one of the many who consented to allow your de-personalized data to be used by researchers, you may want to consider the consequences of letting a company who’s security practices led to their current downfall continue to have access to your data. Because you do have the option of asking them to delete your data. And seeing as you paid them for the privilege of providing your data, it seems rather mercenary for them to then take your data and continue to sell it without compensating you. Rather, they got hacked, exposed your confidential information, and then continued to (somewhat) operate. If you’d like to see some consequences, you can do your part by asking them to delete your data which can be done merely by logging into your account on their website and submitting that request. Do it. If a majority of their customers were to do this, perhaps it will send a warning to competitors to do a better job with your precious data, and a message to our government about doing a better job protecting our privacy.
Image courtesy of geralt at Pixabay
The past few days I’ve been working with several clients who are in various stages of being compromised or having their online accounts attacked. The recent surge of activity is possibly related to the recent RockYou2024 “publication” wherein a file containing nearly 10 billion passwords was posted to a popular online hacking forum on July 4th. Analysis of the new file demonstrated that the bulk of the data is a compilation other breaches, including the previous release of this compilation, RockYou2021, which contained over 8 billion passwords at the time. Regardless of whether it’s old or new, many people will continue to use old passwords across multiple accounts for years if they aren’t forced to change them, so it’s a good bet that a large majority of the information in this file is quite usable, adding significant firepower to any hacker’s arsenal.
Passwords alone aren’t safe enough
While I was working to restore some semblance of security to my clients, one of the things I noticed was that the various bank accounts they accessed via the web or their phone did not have multi-factor security enabled, nor were my clients aware that it wasn’t actually turned on, or even available to be enabled. I was always under the impression that banks were forcing this on everyone, as it was a constant struggle for many of my clients who are accountants or financial professionals, but for at least one of my clients, all four banking accounts did not have the full multi-factor security login process enabled. On top of this, it was a struggle sometimes to actually enable the multi-factor as each bank buries the settings in their gloriously bad interfaces, and the instructions to turn it on aren’t always clear. And if someone like ME struggles with enabling this type of security, imagine what your elderly parents might be facing. Do yourself a favor: if you don’t know for a fact that you have multi-factor enabled for your banking accounts, log in and check, or call the number on the back of your credit card or debit card to find out. You might be surprised at how unsecure you were.
Image by Manuela from Pixabay
One of the most appalling practices in the current world of online hacking and phishing is the constant attacks on our elderly friends and family because the attackers know they are easy targets. Unfortunately, I don’t see technology becoming any easier for anyone, especially the elderly, so if they are going to continue using technology for things like shopping, paying bills and handling various elements of their health and property, see if you can get them to abide by some simple but critical rules when they get into unfamiliar situations. This may mean more calls to you on trivial things, but if you are like me, I’d rather that then getting the, “I’ve been hacked,” call.
Rule Number One: “Never trust popups on your devices that warn you about something scary and ask you to call a number.” None of the legitimate malware protection software on the market will do this. This is nearly always a scam. If they get something like this on their computer, tell them to take a picture of it and then just power off the device, manually if it won’t shutdown normally, and physically by unplugging the cord if that doesn’t seem to be working. These fake popups are meant to be frightening, disorienting and sometimes incredibly annoying. If the popup comes back after powering up their device (and it may, as many are designed to do just this) it may require some additional, technical expertise to get rid of it. For actual tech savvy users, it’s a quick fix, but it may be hard to explain over the phone if the recipient is flustered or otherwise frightened. If you can’t go yourself, it may require a visit from a local technician.
Rule Number Two: “Don’t “google” the contact number or email for important services.” All of the popular search services offer ad results at the top of actual search results that are often hard to distinguish from the legitimate information you were seeking. Bad actors are paying for ads that pretend to provide support for various commonplace companies. They will answer the phone as that service, including pretending to be Microsoft, Amazon, Apple, or Google in order to trick callers into giving them access to their devices. If your loved one is fond of using the phone in this manner, provide them with a printed list of known-good numbers for their most used services like their banks, pharmacies, etc, as well as including lines like “FACEBOOK: NO NUMBER TO CALL-DO NOT TRY” as a reminder that certain services are never available via phone.
Rule Number Three: “Always call someone you trust about anything on which you are uncertain.” Our loved ones often will refuse to call us because they don’t want to be a bother. Frequent calls may seem like a nuisance, but they pale in comparison to the absolute disaster you will both have to handle if they get hacked. I’d rather have dozens of calls of “Is this OK?” than the single, “I may have done something bad.” Reinforce their caution with approval, and if you have the time, perhaps explore with the caller what clued them into making the call. If it boils down to them just applying the above 3 rules, then score one for the good guys!
Image by Fernando Arcos from Pixabay
Depending on how long you’ve been using computers, you may well remember a time when, “Have you tried turning off and back on,” was the first thing you heard when trying to troubleshoot any issue. In the 90’s and into the 00’s this was the go-to first step of tech support. And then we entered what some of you might call the golden age of business computing ushered in by Windows 7, somewhat tarnished by Windows 8, and then, with Windows 10, an era that even I can look back on as a bastion of stability when compared to what we have now.
What the heck happened?
Two words: Internet and Cybercrime. I know, I know, both of those things have been around for a lot longer than Windows 10 and even Windows 7, but up until maybe 2012 or 2013, technology companies like Symantec, McAfee and Microsoft had the upper hand in that war. In 2013, with the arrival of the widely successful CryptoLocker-powered attacks, criminals understood what sort of money was at stake and poured all of their resources into cybercrime infrastructure that has evolved into a never-ending escalating battle of security breaches, software updates and increasingly complicated security rituals. All the while, technology itself has permeated every facet of our lives, resulting in things that we would have considered absurd 10 years ago, such as doorbells that require a two-factor login. Everything requires a password because everything is connected to the internet, and because of the ongoing arms race in cybersecurity, everything around us is constantly being updated in this frantic race with no finish line anywhere in sight. Long story short: expect to reboot your devices frequently going forward. There was a time when I could say, “Hey, reboot your computer every other week and you will be fine.” Nowadays, that guidance is, “Reboot your computer at least every 3 days, if not daily.” Microsoft Windows is being updated weekly, as are the major office productivity apps like Office and Acrobat, and not all of their updates are well tested – resulting in more crashing and rebooting until someone notices and issues yet another update to fix the previous update. If it feels excessive, it’s because it is excessive, but for the moment, we don’t have much choice. Right now, cybercrime has the edge, and it’s running everyone ragged.
Long-time readers will notice that it is pretty rare for me to post good news to this blog. I’m sure good technology things happen every day, but we don’t get called when something is working properly, and the mainstream media usually don’t report on anything but bad news. Fortunately for us – because let’s face it, we are sorely in need of “W’s” in the fight against cybercrime – a prominent hacking group responsible for thousands of cyberattacks worldwide resulting in more than $120M in ransom payments has been dismantled by a joint law enforcement operation led by the UK and US. The action resulted in what they are calling a complete dismantling of the APT (advanced persistent threat) known as Lockbit.
What this means for you
On top of seizing control of nearly all of Lockbit’s operational assets, including 34 servers, 200 cryptocurrency accounts and arresting 2 Russian nationals, they actually converted Lockbit’s own dark website into a “reverse” leak site that touted the task force’s takedown of the APT as well as posting their own countdowns to when additional data on the Lockbit crew would be leaked to the internet, turning a commonly used cybercrime tactic back on the criminals. Before the site was “pwned” by authorities, it was used by Lockbit to publish a list of its victims and ransom countdown timers.
This was no small effort – it required coordination between 10 countries and at least three major law enforcement agencies. It will hopefully result in some of the victims being able to recover encrypted data and maybe discourage some portion of the cybercriminal element from continuing operations, but let’s be realistic – this APT was one head of a massive hydra, and the assets neutralized were a fraction of the compromised computers and accounts used as zombies or command and control servers across the globe. In the above-mentioned “Operation Cronos” action 14,000 rogue accounts were shut down. For perspective, a cybercrime botnet was discovered in 2009 that was comprised of nearly two million computers. That number has likely been dwarfed many times over by now. It’s too early to declare victory by a longshot, but as the old proverb instructs, “How do you eat an elephant? One bite at a time.”
Image by Schäferle from Pixabay
Back in October of this year, we wrote about DNA testing company 23andMe’s reported data breach. Initially thought to “only” impact 1.4 million people, 23andMe has revised that estimate to a whopping 6.9 million impacted users that had data exposed including names, birthdays, locations, pictures, addresses, related family members, but not, as the company has strenuously emphasized, actual genetic data. I’m fairly certain that little nugget is not providing the relief they might hope.
Why this should matter to you
Even if you nor any immediate family is a 23andMe customer, it’s important to understand why this data breach is particularly noteworthy. 23andMe wasn’t hacked in a manner that is more commonplace for large companies – hacked or stolen credentials for someone inside the company that had privileged access, but rather through a mass breach of 14,000 customer accounts that were secured by passwords found in dark web databases, ie. these stepping-stone customers were using the same passwords that were exposed in other breaches and leaks. The hackers used those compromised accounts to essentially automate a mass cross-referencing data harvest that in the end, exposed data on nearly 7 million 23andMe customers. This last data exposure is on 23andMe – it would seem they didn’t anticipate the built-in cross-referencing services that the genetics testing company offers would be turned against itself. Also, there was the minor omission of not enforcing multi-factor authentication to secure everyone’s accounts, which might have compensated for the poor password discipline of its customers. The two take-aways? Unique passwords and multi-factor authentication should be the minimum security requirements you should expect from any service that contains your valuable data.
Image courtesy of geralt at Pixabay
If there is one thing that the Internet excels at, it is putting any information – old and new – literally at your fingertips. Conversely, one of the things it does a terrible job at is qualifying that information, to the point where it becomes increasingly difficult to weed out the good from the bad. If you use technology as part of your work, you must continue to fight valiantly to stay internet and tech savvy just to keep yourself safe, and unfortunately for you, technology security is evolving so quickly even us experts are struggling to keep everyone as savvy as they need to be in 2023. I could bore you to tears with the constant cavalcade of new technology pouring into business these days, but my job is to point out what’s important, and right now, security continues to be priority one.
You should know these new terms. Study like there will be a test on Friday!
Endpoint Detection & Response (EDR) is what the security industry is calling the next generation (really, this generation) malware protection you might have known as “antivirus” back in the late 2000’s and 2010’s. Today’s cyberthreats bear very little resemblance to the viruses we feared in the previous decades, and as such EDR platforms are built to not only detect known viruses, but also monitor suspicious behaviors and information patterns using constantly updated algorithms to spot possibly undocumented but malicious activity. Where the previous generation antivirus may have scanned your computer once a day and quarantined the files it could identify, EDR platforms are built to monitor all activity constantly and act immediately, up to locking down the affected PC and sending out warning flags to security personnel.
Zero-Trust Networking is a relatively new security concept that upends the traditional concept of assuming the devices on your office network should be, by default, allowed access to that network because those computers are “inside the firewall.” Zero trust security basically states that all devices must constantly prove they are safe and legitimate before they are granted access to any protected information or services. The moment they aren’t able to do so (perhaps because of a malware infection or installation of unauthorized software or failed password attempts) zero-trust systems may restrict access to various systems or applications, the internet, or even access to the device itself.
Security Information and Event Management (SIEM) is a security service that insurance companies are increasingly looking for when underwriting clients. Though the name seems to imply otherwise, this is not about throwing a party for security, but instead this is a platform that gathers the large amount of data that your various technologies and services generate as you and your organization uses them, aggregates that data into massive, searchable database that is then scanned by even more algorithms and humans to spot unusual events, security breaches and other items of interest before they have time to turn into front-page news and business destroying events.
Image by Free stock photos from www.rupixen.com from Pixabay
One of my favorite story tropes is where the main character is magically transported back in time, enabling them to use their “modern-day” scientific knowledge to appear powerful and gain advantage over the relatively primitive denizens of their new surroundings. The most famous, well-known example would be the Wizard in The Wizard of Oz, but this idea appears throughout literature and film as far back as 1889 in Mark Twain’s A Connecticut Yankee in King Arthur’s Court. I’m also known to repeatedly quote Arthur C. Clarke (who also used this trope in his seminal work Childhood’s End), “Any sufficiently advanced technology is indistinguishable from magic.”
It’s not magic but it might as well be
The information security industry is currently abuzz with quantum computing talk, particularly so because of President Biden signing into law the “Quantum Computing Cybersecurity Preparedness Act” at the close of 2022 which instructs government agencies to begin preparing their security to withstand quantum-computing powered encrypting breaking tools. For most of us, quantum computing sounds like something you would read about in a Clarke novel, and if you try to get into the details, it might as well be sorcery. The second line of the Wikipedia article literally states:
Classical physics cannot explain the operation of these quantum devices…
Quantum computing – Wikipedia
And there are probably very few of us who could even begin to explain how today’s computers work, let alone one powered by quantum physics. Knowledge is power, and we are increasingly at the mercy of devices that are essentially magical to us, and more so to the ones that control the knowledge and technology that powers them. This is particularly relevant with regards to the vast amount of valuable data locked in LastPass’s stolen but encrypted data vaults. If I could tie it to another famous movie trope, imagine bank robbers attempting to crack a massive, steel vault with a fancy laser drill while counting down the seconds until the lock is drilled through. Substitute quantum computing for the drill, and hackers for the bank robbers, and you have today’s unfolding scenario: an escalating technology arms race that requires federal laws to be passed and a select few wizards anointed to make sure we are kept safe. Wizards are traditionally feared and respected in fiction for good reason, and as in Baum’s famous tale, not necessarily always operating with everyone’s best interests in mind. Does it require you to understand quantum computing, to become a wizard, just to keep yourself safe? No, but keep your eyes on the wizards (and their handlers – kings, presidents, lawmakers, etc.) to make sure they wield their power ethically and safely.
Image generated by deepai.org based on the single word “Wizard”
If you were confused about what exactly was stolen in 2022’s LastPass breach – join the club. I think much of the confusion is stemming from the damage control LastPass is attempting to do around their massive data exposure that happened in August and was revealed to the public in December. We know that much of the info that was stolen was unencrypted – login names, email addresses, URLs, etc. and there was some debate as to whether or not the hackers stole encrypted data that contained actual passwords. I’ve had several folks tell me point blank that the passwords weren’t exposed and that LastPass is still safe. Well, guess what – we can put that misconception to bed now. LastPass has dropped another bombshell – one of their devs got hacked and the hackers used the dev’s compromised home computer to gain access to LastPass’s Amazon secure cloud storage to steal the encrypted password vaults of 30 million customers.
What this means for you
There’s a whole lot of gobbledy-gook in the LastPass release – it reads like technical explanations filtered through an army of lawyers and PR flacks (because it was), and beats around the bush on the most important part: LastPass is confirming that Hackers have exfiltrated everyone’s encrypted password vaults – and as I have been warning you about since I learned about this – it is only a matter of time before someone brute-forces their way into someone’s encrypted vault and is rewarded with the password trove within. And they have all the time in the world to do this, which means you have much less time to change any passwords that were stored in LastPass. Hackers will target high-value password vaults first – they will look for ones that have lots of bank account logins or other potentially lucrative access points, but you can bet they will put computers to grinding out every single vault, big or small – because they can, and they have the resources to make this investment pay off.
Stop reading. Go change your passwords.
Image by Gerd Altmann from Pixabay