Welcome to Cyber Security Today. This is the Week In Review edition for Friday January 22nd. From my studio in Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com. To hear the full podcast, click on the arrow below:
With me this week is guest analyst Dinah Davis, vice-president of research at Arctic Wolf. In a few minutes we’ll talk about how to prevent crooks from taking over employee and customer accounts. But first a look at some of the week’s top news:
Canadian firms continue to be dogged by ransomware. A number of ransomware gangs in the past seven days listed firms here as having been hit. As proof they posted what they say are files stolen from the firms, which they are threatening to release unless the victim companies pay a ransom. While some firms contacted by ITWorldCanada acknowledged they suffered a cyberattack, they didn’t confirm it was ransomware.
The security firm Emsisoft published its annual report on the state of ransomware in the U.S. It calculates that at least 2,354 American federal, state and local governments, healthcare facilities and school boards were hit by ransomware. That doesn’t include the businesses that were hit.
Having proper backups and mandating two-factor authentication as extra protection to protect logins goes a long way to reducing the odds of being victimized, the report says.
Most listeners know about the hack of a company called SolarWinds, and how the attackers used access to its Orion network management software to get into government departments and companies. A couple of American cyber experts told me this week that one of President Joe Biden’s top priorities will be to rid federal departments of any Orion-related compromises.
Separately, FireEye released a report saying the group behind that hack also exploited a vulnerability in Microsoft’s Office365. That vulnerability was in part the way these attackers got into the system of a security company called Malwarebytes. One of the techniques involved password guessing to take over login accounts.
More on passwords: The person who administers the user forums for a software development project called the OpenWRT project had his account hacked. The attacker was able to copy the email address of all the software developers on the forums. The administrator had a good password, the company said, but that wasn’t enough.
That’s where I want to start this week’s discussion with Dinah Davis. The topic is account takeovers.
There are lots of ways to hack into an organization, but attackers like tricking people into giving away their usernames and passwords. That way they can get into email and into systems that hold valuable data. It’s estimated that since 2017 over 80 per cent of hacking-related data breaches leveraged stolen or weak passwords.
One problem is the number of passwords people have. Some surveys say people over 55 have at least 12 passwords. Younger people tend to have fewer. No matter what the number, it’s hard to remember them all. So people take shortcuts. They re-use passwords for many accounts, and they use easily guessable passwords like their last name, their company name or the word ‘password.’ That’s bad because hackers exploit those shortcuts to take over accounts.
I asked Dinah to describe some scenarios where people do bad things.
Imagine, she said, an executive named “Trevor” who works for a company called Acme. His dog’s name is Cupcake, so he uses variations of that as passwords, like “cupcake!” and “cupcake15.” So do his wife and children. His company may have a policy of using strong passwords with numbers and exclamation marks, but if Trevor re-uses his password or it’s guessable, he brings that weakness into the company.
If an attacker wants to hack Trevor they might start following him on his social media accounts, she said. They notice that Trevor plays fantasy football. They recognize that the site he uses was recently breached. So they go onto the dark web and buy all the usernames and passwords from that breach. Once they have the data, they can find Trevor’s account. And they notice that the password is “cupcake!!!”. They learn Trevor has a dog named Cupcake. So they guess — correctly — that this is likely a common password for him.
Trevor’s firm does mandate the use of two-factor authentication. But the code is sent to employees’ phones by SMS text message, which can be intercepted. The hackers use that to get into his email. They see Trevor has been asked by his firm to pay a $1 million invoice. The hackers send an email to Trevor pretending to be the firm that is owed the money, asking him to transfer it to an account they control.
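Two defensive checks the scenario points at, rejecting passwords that are variations of a known personal or company term (the “cupcake15” problem) and rejecting passwords that already sit in a breach dump, as an added Python example that is not part of the podcast or Arctic Wolf’s material. The denied-term list, the breached-hash set and the 12-character minimum are constructed assumptions for illustration.

```python
import hashlib
from typing import List, Optional

# Constructed example data: terms an organisation would deny, e.g. its own name,
# the word "password", and personal terms a user has disclosed (a pet's name).
# Terms shorter than 4 characters are skipped to limit false positives.
DENIED_TERMS = {"acme", "password", "cupcake"}

# Constructed stand-in for a breached-password corpus, stored as SHA-1 hashes
# (the representation assumed here; a real deployment would query a breach service).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("cupcake!!!", "Summer2020", "letmein")
}

# Keyboard substitutions commonly used to dress up a base word ("cupc4k3!").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase and undo leet-style substitutions so 'Cupc4k3!' -> 'cupcakei'."""
    return password.lower().translate(LEET)


def denied_term_in(password: str) -> Optional[str]:
    """Return the denied term the password is built around, or None if there is none."""
    lowered, norm = password.lower(), normalize(password)
    for term in sorted(DENIED_TERMS, key=len, reverse=True):  # longest match first
        if len(term) >= 4 and (term in lowered or term in norm):
            return term
    return None


def in_breach_corpus(password: str) -> bool:
    """True if this exact password appears in the (constructed) breached-password set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def evaluate(password: str) -> List[str]:
    """Return the reasons a candidate password should be rejected; an empty list means acceptable."""
    reasons = []
    if len(password) < 12:  # assumed organisational minimum length
        reasons.append("shorter than 12 characters")
    if in_breach_corpus(password):
        reasons.append("appears in a known breach corpus")
    term = denied_term_in(password)
    if term:
        reasons.append(f"variation of denied term '{term}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("cupcake!", "cupcake15", "Cupc4k3!!!", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate) or 'ok'}")
```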
From there we talked about safe passwords, the use of password managers and the proper way two-factor authentication should be configured.
To hear the full discussion click on the Play arrow above.