Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
In this issue:
Month's News in Review
Upcoming Speaking Events
Must Read Articles This Month
Cybersecurity Tip of the Month
This Month's News in Review
23andMe, and a cybercriminal apparently.
23andMe is the latest company to suffer a breach at the hands of a cybercriminal, and this one appears to involve millions of user records. The attack appears to be a familiar one called a “credential stuffing attack.” Here is how this type of attack works:
A user sets up the same username (usually an email address) and password at lots of websites.
One of those sites gets breached, and the passwords are stolen by a cybercriminal.
The passwords are posted online for lots of other cybercriminals to see.
A cybercriminal starts trying those usernames and passwords at lots of different sites to see if they work.
The cybercriminal finds a website where a user reused their username and password. If that user reused the same password at multiple sites and didn’t have MFA turned on, their account is compromised.
TCE Strategy has performed incident response services for attacks such as this. Usually, the success rate of such attempts is around 0.5%, meaning that only one in 200 attempts by the cybercriminal is successful. The problem is this: if a site has 14 million accounts (as 23andMe claims to), a 0.5% success rate would equate to 70,000 breached accounts. That’s a lot of accounts. As stated above, the cybercriminal claims to have millions of user records, but there is no proof of that claim as of today. What is clear is that there was a significant breach of data at 23andMe, and that the cybercriminal is claiming to use the data to somehow target Ashkenazi Jews. A few weeks later this cybercriminal claimed to have another set of data targeting “people who come from Great Britain, including data from ‘the wealthiest people living in the U.S. and Western Europe.’” There are a number of issues to unpack here:
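The pattern described above is visible on the defender's side of the login page: one source address walking through many different usernames with a very low hit rate. The following Python script is an added example written for this newsletter, not code from TCE Strategy or 23andMe. The log format (timestamp, source IP, username, FAIL or SUCCESS), the sample lines and the thresholds are all constructed assumptions; real authentication logs will need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real 23andMe or TCE Strategy data).
# Format assumed here: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2023-10-01T10:00:00Z 203.0.113.5 alice@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.5 bob@example.com SUCCESS
2023-10-01T10:00:10Z 203.0.113.5 carol@example.com FAIL
2023-10-01T10:00:15Z 203.0.113.5 dave@example.com FAIL
2023-10-01T10:00:20Z 203.0.113.5 erin@example.com FAIL
2023-10-01T10:00:25Z 203.0.113.5 frank@example.com FAIL
2023-10-01T10:00:30Z 203.0.113.5 grace@example.com FAIL
2023-10-01T10:00:35Z 203.0.113.5 heidi@example.com FAIL
2023-10-01T10:02:00Z 198.51.100.7 alice@example.com FAIL
2023-10-01T10:02:20Z 198.51.100.7 alice@example.com FAIL
2023-10-01T10:02:40Z 198.51.100.7 alice@example.com SUCCESS
2023-10-01T10:03:00Z 192.0.2.9 carol@example.com SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return sorted(events)


def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that try at least `min_users` distinct usernames within
    `window`. A real user mistyping their own password hits one username from
    one address; a stuffing run walks a leaked list, so the distinct-username
    count climbs while the success rate stays tiny. Returns {ip: stats}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window forward so it spans at most `window` of time.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u, _ in attempts[start:end + 1]}
            if len(users) >= min_users:
                successes = sum(1 for _, _, r in attempts if r == "SUCCESS")
                flagged[ip] = {
                    "attempts": len(attempts),
                    "distinct_users": len({u for _, u, _ in attempts}),
                    "successes": successes,
                    "success_rate": successes / len(attempts),
                }
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are the
    users whose reused password worked, so they need a forced reset and MFA."""
    return sorted({u for _, ip, u, r in events if ip in flagged and r == "SUCCESS"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    for ip, stats in hits.items():
        print(f"{ip}: {stats}")
    print("accounts to reset:", compromised_accounts(evts, hits))
```

On the constructed sample the script flags 203.0.113.5 (eight usernames in under a minute, one success) and leaves the two legitimate users alone; the one account that logged in from the flagged address is the one to reset. Attackers spread a real run across many proxy addresses, so a per-IP count alone will miss some of it; the same logic applied per account (many source addresses hitting one username) is the usual complement, and MFA remains the control that stops the 0.5% from becoming a takeover.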
The laws requiring 23andMe to protect user data are inadequate. They can state that they are “committed to safety and security” all they want, but actions speak much louder than words. Furthermore, laws themselves will not change corporate behavior. Laws + enforcement of those laws + sufficient penalties for breaking those laws will change corporate behavior. What is a “sufficient” penalty? One that makes it in 23andMe’s financial best interest to spend a lot more time and money on protecting their users’ data.
We have far too many users reusing passwords. Password keepers such as Dashlane or 1Password are specifically designed to make it easy to use different passwords everywhere. NOTE: TCE Strategy does not recommend that you use Apple Keychain or Google Password Manager, as they are easy to defeat if a cybercriminal physically steals your phone and knows the code to unlock your phone. This was covered in more detail in our March 2023 newsletter.
Item #1 above comes down to who you choose to vote for in various positions of government. Items #2 and 3 above are within your power to fix today. Turn on MFA everywhere, and get a good password keeper.
Cisco Backdoor Password Flaw
In other news (and speaking of a complete lack of good password use), Cisco has egg on their face yet again because their developers keep hard-coding passwords into products. That means that every installation of a given piece of hardware or software has the same “backdoor” password. As soon as that password is leaked (or guessed), everyone using that piece of hardware or software is vulnerable to attack. If that piece of hardware or software is Internet facing, all hell generally breaks loose in short order. This month, the issue is in a Cisco product called Emergency Responder, but they have had this issue before in products such as PCP and a type of Cisco switch. In fact, TCE Strategy recently used a known flaw such as these to crack the passwords within an older Cisco switch, although the word “crack” is a little melodramatic, as no password guessing was needed. We just ran the switch’s config file through the known decryption key for this model Cisco switch. This type of flaw is honestly inexcusable on Cisco’s part. When a hardware or software manufacturer uses the same default password (or a hard-coded password, encryption key, etc.) in every copy of a particular product, it is the same behavior as if a car company used the identical car key for every car they sell. Imagine if you bought a shiny new car and found out that it had been stolen because the car company failed to make a unique key for every car. That is what is going on here.
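The two problems in that paragraph, credentials stored in a reversible form and the same credential baked into every unit, are both things a defender can check for in exported configs before a cybercriminal does. The script below is an added example for this newsletter, not Cisco's or TCE Strategy's code, and it does not decode anything. The device configs, the hash strings and the type 7 strings are constructed placeholders; the line syntax (enable password / enable secret, "password 0", "password 7", "secret 5") follows Cisco IOS conventions, and the check for identical credential strings across devices is the "one key for every car" test generalized to any number of exported configs.

```python
import re
from collections import defaultdict

# Constructed sample configs (not real Cisco or TCE Strategy data). The hash and
# type 7 strings are placeholders, not encodings of any real password.
SAMPLE_CONFIGS = {
    "switch-01": """\
hostname switch-01
service password-encryption
enable password 7 00112233445566
username admin password 0 changeme
username svc secret 5 $1$abcd$ConstructedHashValue000
""",
    "switch-02": """\
hostname switch-02
service password-encryption
enable secret 5 $1$zz99$AnotherConstructedHash00
username svc secret 5 $1$abcd$ConstructedHashValue000
username guest password 7 66554433221100
""",
}

# Checked in order; the first matching reason is reported for a line.
WEAK_PATTERNS = [
    (re.compile(r"^\s*enable password\b"),
     "'enable password' is reversible or plaintext; use 'enable secret'"),
    (re.compile(r"\b(password|secret) 0 \S+"),
     "credential stored in plaintext (type 0)"),
    (re.compile(r"\bpassword 7 \S+"),
     "type 7 encoding is reversible, not a hash"),
]

# Captures the stored value after "password <type>" or "secret <type>".
CRED_TOKEN = re.compile(r"\b(?:password|secret) [0-9] (\S+)")


def lint_config(text):
    """Return (line_no, line, reason) for each credential stored in a weak form."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for pattern, reason in WEAK_PATTERNS:
            if pattern.search(line):
                findings.append((no, line.strip(), reason))
                break
    return findings


def shared_credentials(configs):
    """Map each credential value that appears on more than one device to the
    devices carrying it. An identical type 5 string on two boxes means the same
    password and the same salt: one key cut for every car."""
    seen = defaultdict(set)
    for device, text in configs.items():
        for m in CRED_TOKEN.finditer(text):
            seen[m.group(1)].add(device)
    return {value: sorted(devs) for value, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    for device, text in SAMPLE_CONFIGS.items():
        for no, line, reason in lint_config(text):
            print(f"{device}:{no}: {reason}: {line}")
    for value, devices in shared_credentials(SAMPLE_CONFIGS).items():
        print(f"shared credential {value!r} on {', '.join(devices)}")
```

Run against the constructed configs it reports the "enable password" and plaintext lines on switch-01, the type 7 line on switch-02, and the service-account hash that both switches share. Identical type 7 or type 5 strings across a fleet are the config-file equivalent of the hard-coded key the paragraph describes: anyone who obtains one config holds the credential for every device that carries it.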
Google and Apple Encourage Biometric "Passkeys"
While we are on the topic of passwords, Google and Apple are teaming up to encourage end-users to ditch passwords altogether and go with biometric “passkeys” instead. Long term, I think this is a good idea. Short term, there are likely to be some growing pains here. Again, while passkeys are good, storing them in Apple Keychain or Google Password Manager is not. You can store passkeys in password managers such as Dashlane or 1Password.
Until next month, stay safe!
Upcoming Speaking Events
Here is a list of the cities that I will be in over the next few months. Please reach out if you have an event in mind!
October 26th-27th, Bentonville, AR
November 1st-4th, Albany, NY
November 27th-30th, Key West, FL
December 4th-6th, Indianapolis, IN
February 27-29, 2024, Clearwater, FL
This is an important list of how companies get breached in the real world. If you are a business exec who wants to ask your IT team about their cybersecurity posture, start with these!
Wow! So who is on the hook for this? What is the price these companies pay for sending out infected electronics from their factories? Not enough. "In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings.
Cybersecurity Tip of the Month
National Cybersecurity Awareness Month
October is National Cybersecurity Awareness Month and even though it’s nearly over, now is a great time to reflect on some general best practices for improving the strength of your personal cybersecurity, courtesy of CISA (Cybersecurity & Infrastructure Security Agency):
Use Strong Passwords: Strong passwords are long, random, unique and include all four character types (uppercase, lowercase, numbers and symbols). Password managers are a powerful tool to help you create strong, randomly generated passwords for each of your accounts and will encrypt passwords, securing them for you!
Turn on MFA: You need more than a password to protect your online accounts and enabling MFA makes you significantly less likely to get hacked. Enable MFA on all your online accounts that offer it, especially email, social media and financial accounts.
Recognize and Report Phishing: Be cautious of unsolicited messages asking for personal information. Avoid sharing sensitive information or credentials with unknown sources. Report phishing attempts and delete the message.
Update Your Software: Ensuring your software is up to date is the best way to make sure you have the latest security patches and updates on your devices. Regularly check for updates if automatic updates are not available.
Be sure to check out the CISA website linked below for additional cybersecurity resources and follow them for more content related to National Cybersecurity Awareness Month!