Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
Last month Twitter was in the news for a very large data breach, and this month Elon Musk has decided to turn off SMS text-message multi-factor authentication (MFA) for users who don't pay for a Twitter Blue subscription. This is a terrible idea. Yes, SMS texts have security issues (see the next paragraph for details), but they beat the heck out of no MFA at all. Yes, there are other times in our lives when it costs money to be more secure. There was a time when airbags were optional in cars, and they cost extra; that's still the case in some luxury vehicles where you pay more for torso, knee or side-curtain airbags. That being said, sending a text is not a high-cost thing to do. If Twitter removes this form of MFA and can't convince everyone to replace it with a different form of MFA, then millions of people who had MFA on their Twitter account will no longer have it. This is a step back for the cybersecurity of non-paying Twitter users, and I don't like steps back in cybersecurity for anyone.
While SMS texts are not the most secure MFA option from a technology standpoint, I am a huge fan of them from a real-world standpoint. Other MFA options include an authenticator app on your phone, such as Google Authenticator or Microsoft Authenticator, that generates a new 6-digit code every 30 seconds instead of you receiving a text message. Make no mistake: those codes are much harder to break than SMS texts, because each code is computed from a secret that lives only on your phone and on the service's server, and nothing travels over the phone network where it could be intercepted or redirected. But some apps and services (Microsoft Authenticator is one) also offer a "feature" that I don't like at all: the "push notification". A push notification brings up a prompt on your phone that says something like "Are you trying to log in to your Twitter account from a new computer?" and the user taps a yes button or a no button. If the user taps yes, the new login to that person's account is allowed. Here is where the issue lies: it's too easy to just tap "yes." With MFA that requires a 6-digit code, a cybercriminal can't log in as you without that code. With a push notification, a cybercriminal who already has your password can try to log in 100 times to send you 100 push notifications, and you may tap "yes" to one of them just to get the notifications to stop. This is called an MFA fatigue attack (also "push bombing"), and 95% of the time I find users choosing to just tap "yes" to be more concerning than the inherent insecurity of SMS texts. Services that add "number matching" to the prompt (the login screen shows a short number that you must type into the notification, so a blind tap on "yes" does nothing) close this hole.
There are several take-aways from this:
App-based MFA that requires you to type in a 6-digit code is more secure than SMS texts, but SMS texts beat the heck out of no MFA at all.
If you do choose to use an authenticator app and one of your accounts allows push notifications, BE VERY CAREFUL about tapping "yes". A push notification you didn't trigger means someone has already entered your correct password; a flood of them means they are trying to wear you down. Tap "no", and change that password immediately.
If you must go without MFA for a given application, it is important to use a truly un-guessable password. A growing group of organizations, including Microsoft and NIST, now recommends longer passwords (14+ characters) instead of "complexity" requirements that force in numbers, special characters and so on. I'm a fan of that kind of thinking, but you still need to pick a password that isn't guessable. Ilovecountrymusic is not a good password: that phrase is far too common, and cracking tools try dictionaries of whole phrases, not just single words. musicairplanenewsreality is a great password, but you can't use that example because I just sent it to thousands of people. Make up your own passwords. Check the tip at the end of this newsletter for some additional suggestions regarding passwords.
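The second take-away above says a flood of push notifications is itself a signal. On the defender's side, that signal is easy to turn into a detection. The following is an added example written for this newsletter, not code from any identity provider: it runs a sliding-window rule over a constructed sample of push-MFA log lines (the line format, the user names and the addresses are all made up for the example) and raises a "burst" alert when one user receives four or more prompts inside five minutes, then escalates if that user goes on to approve one, which is exactly the MFA fatigue pattern described above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log, NOT real identity-provider output. Assumed line format:
#   <ISO-8601 UTC time> user=<name> event=<push_sent|push_denied|push_timeout|push_approved> ip=<addr>
SAMPLE_LOG = """
2023-02-14T08:00:01Z user=alice event=push_sent ip=203.0.113.7
2023-02-14T08:00:35Z user=alice event=push_denied ip=203.0.113.7
2023-02-14T08:00:40Z user=alice event=push_sent ip=203.0.113.7
2023-02-14T08:01:10Z user=alice event=push_timeout ip=203.0.113.7
2023-02-14T08:01:12Z user=alice event=push_sent ip=203.0.113.7
2023-02-14T08:01:40Z user=alice event=push_denied ip=203.0.113.7
2023-02-14T08:01:45Z user=alice event=push_sent ip=203.0.113.7
2023-02-14T08:02:20Z user=alice event=push_sent ip=203.0.113.7
2023-02-14T08:02:41Z user=alice event=push_approved ip=203.0.113.7
2023-02-14T08:03:00Z user=bob event=push_sent ip=198.51.100.5
2023-02-14T08:03:20Z user=bob event=push_approved ip=198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) ip=(\S+)$")


def parse_log(text):
    """Parse lines into (timestamp, user, event, ip) tuples, oldest first; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_bombing(events, max_prompts=4, window_seconds=300):
    """Flag users who receive >= max_prompts push challenges inside a sliding window ('burst'),
    and escalate if such a user then approves a prompt while the burst is still in the window
    ('approved_after_burst'). Returns a list of (user, kind, prompts_in_window, timestamp)."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent still inside the window
    bursting = set()              # users currently in a burst
    alerts = []
    for ts, user, event, _ip in events:
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if not q:
            bursting.discard(user)  # window drained: the burst is over
        if event == "push_sent":
            q.append(ts)
            if len(q) >= max_prompts and user not in bursting:
                bursting.add(user)
                alerts.append((user, "burst", len(q), ts))
        elif event == "push_approved" and user in bursting:
            alerts.append((user, "approved_after_burst", len(q), ts))
    return alerts


if __name__ == "__main__":
    for user, kind, n, ts in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {kind} ({n} prompts in window)")
```

Bob's single prompt-and-approve is normal use and produces nothing; Alice's run of denials and timeouts followed by an approval is the case that should page someone and trigger a password reset, since the attacker had to know her password to generate the prompts at all.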
Until next month, stay safe!
Upcoming Speaking Events
Live events are back in action! Here is a list of the cities that I will be in for 2023. Please feel free to reach out if you have an event in mind.
February 8th, Mystic Lake Casino, Prior Lake, MN
March 7th-8th, San Diego, CA
March 13th-15th, Salt Lake City, UT
May 29th-June 2nd, Las Vegas, NV
June 16th-22nd, Dublin, Ireland
July 17th-18th, Orlando, FL
August 19th-20th, Honolulu, HI
October 22nd-24th, New Orleans, LA
Want to know more about phishing (and how to combat it)? Terrific reading here. Thanks to Bruce Schneier for having this article in his monthly newsletter.
It's about time! "This means that device and messages backups, notes, photos, voice memos, and more should be much better protected from third-parties when stored or synced across iCloud."
Cybersecurity Tip of the Month
A barrage of data breaches has left millions of usernames and passwords available for cybercriminals to take advantage of. In addition to this, poor password security practices can leave you vulnerable to being hacked. Put these suggestions into effect to help protect yourself and your data.
1) Start with a strong password. Make it long, and mix lower- and upper-case letters, numbers and punctuation marks where the site requires them; length matters most. Don't use easily guessed information, and do not use any of the most commonly used passwords. You can also use a passphrase with some characters substituted, for example "My dog ate my homework" as Myd0gat3myh0m3woRk!, but be aware that swapping 0 for o and 3 for e is a standard rule in password-cracking tools, so a well-known phrase stays guessable; the substitutions add far less than the length does.
2) Use a different password for each account. If one of your passwords is stolen, hackers will try that password on multiple sites.
3) Use a password manager. Password managers such as Dashlane and 1Password are great tools to help keep up with password security. They can generate strong passwords, safely store them, evaluate the security of your existing passwords, and alert you if a password has potentially been compromised. An added bonus is that you only have to remember one password!
4) Check "Have I Been Pwned" to see if any of your accounts have been exposed in a data breach. If so, change the password on every affected account, and anywhere else you reused it.
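The three password checks above (long enough, not a known phrase even with character substitutions, not already in a breach) can be automated. Here is an added example written for this newsletter, not code from Have I Been Pwned, Dashlane or 1Password. The phrase list and the leet-substitution table are small constructed stand-ins for a cracker's real dictionaries and rules; the breach check uses the k-anonymity scheme of the Pwned Passwords range API (only the first five hex characters of the SHA-1 hash would leave your machine, and the service answers with every matching hash suffix and its count), but the response text here is constructed so the example runs offline and sends nothing.

```python
import hashlib
import re

# Constructed mini-list of common phrases (lower-case, spaces removed) standing in for a
# real wordlist, which would have millions of entries. Both example passwords from the
# newsletter appear here because their underlying phrases are well known.
COMMON_PHRASES = {"mydogatemyhomework", "ilovecountrymusic", "iloveyou", "letmein"}

# One plausible substitution table a cracking rule set undoes (hypothetical, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

# Constructed response in the shape of a Pwned Passwords range lookup for prefix 5BAA6:
# one "SUFFIX:COUNT" line per known hash; the count for "password" is made up.
CONSTRUCTED_RANGE_RESPONSE = """\
1E2AAA439C4A5A7A9F6B3A3B0E2F8E3C7D1:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E7D0F1C5E6B2A9D3C4B5A6F7E8D9C0B1A2:1
"""


def leet_candidates(password):
    """Yield the plain phrases a cracker would recover from a substituted passphrase:
    once with punctuation kept, once with it stripped first (so a trailing '!' is not misread)."""
    low = password.lower()
    stripped = re.sub(r"[^a-z0-9]", "", low)
    for base in (low, stripped):
        yield re.sub(r"[^a-z]", "", base.translate(LEET))


def looks_like_common_phrase(password, phrases=COMMON_PHRASES):
    return any(candidate in phrases for candidate in leet_candidates(password))


def sha1_prefix(password):
    """The only thing a k-anonymity range query reveals: the first 5 hex chars of SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()[:5]


def hibp_range_check(password, range_response):
    """Return how many times the password appeared in breaches according to a range
    response for its prefix (0 if absent). The full hash never leaves this function."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    suffix = digest[5:]
    for line in range_response.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip() == suffix:
            return int(count)
    return 0


def check_password(password, range_response=None, min_length=14):
    """Apply the newsletter's three rules; returns a list of findings (empty means it passed)."""
    findings = []
    if len(password) < min_length:
        findings.append("too_short")
    if looks_like_common_phrase(password):
        findings.append("common_phrase")
    if range_response is not None and hibp_range_check(password, range_response):
        findings.append("breached")
    return findings


if __name__ == "__main__":
    for pw in ("Ilovecountrymusic", "Myd0gat3myh0m3woRk!", "musicairplanenewsreality"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
    print(f"'password' (prefix {sha1_prefix('password')} sent): "
          f"{check_password('password', CONSTRUCTED_RANGE_RESPONSE)}")
```

Against a live lookup you would fetch https://api.pwnedpasswords.com/range/ followed by the value of sha1_prefix() and pass the body to hibp_range_check(); the design point is that the password itself, and even its full hash, stay on your side of the connection. Note that the substituted "My dog ate my homework" fails the same check as the plain "Ilovecountrymusic", while the four-random-words password passes.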