Tech Friday with Dave Hatter - December 11th, 2020 - SPONSORED BY INTRUST IT


  • Billions of credentials stolen highlight the issue of password reuse:
    • SpyCloud recovered over 9 billion credentials from more than 640 data breaches affecting 270 million users
    • 29% of the compromised credentials involved password reuse in more than one account
    • Sadly, 94% of the reused passwords were exact matches. The remainder were slight variations of the original password, making them easy prey
    • Many of the leaked credentials were predictable from information that is publicly available about their owners
    • As we see year after year, the most common passwords are “123456”, “123456789” and “qwerty”. They were used by over 125 million accounts
    • In some cases, large numbers of accounts used default passwords that were set when an account was created and then not changed
    • Password reuse is a significant problem that exposes users to account takeover (ATO)
    • If a compromised account belongs to a privileged user (think administrator), an attacker may be able to access credentials for many users, allowing them to conduct credential stuffing attacks against many systems
    • "We’ve learned a lot in the past couple years about better authentication experiences and it’s time to put those lessons into action worldwide. Killing the 90-day password rotation will curb password management fatigue. Checking passwords against breach data and forcing resets when exposures are found could help people understand the risk their poor passwords pose, and enforcing stronger new passwords that follow NIST recommendations will help users make better choices," said David Endler, chief product officer and co-founder of SpyCloud
    • Endler also recommended multi-factor authentication (MFA) and the use of password managers. He said, "Companies need to not just offer multi-factor authentication but encourage users to opt-in. The security community has for a long time recommended password managers, but we need to be more vocal about them, and even offer them as an employee benefit to encourage strong password hygiene."
    • What you should do:
      • Use a strong, unique password for each site/app/system/platform
      • Use a secure password manager like LastPass to create and manage strong, unique passwords
      • If you don't use a password manager, use passphrases rather than passwords because they are harder to crack and easier to remember. For example: 1L0v355KRCTh3T@lkSt@t10n!
      • Enable multi-factor authentication (MFA) everywhere you can
      • Don't change strong passwords on a schedule; change them only when there is an indication of compromise
      • Never share passwords
      • Never use the same password for work and personal accounts
      • Check whether your credentials have turned up in leaked data. Try https://haveibeenpwned.com/
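Putting the password advice above into code, as an added example (not from the broadcast, SpyCloud or Have I Been Pwned): a password-policy check that rejects the common passwords named in the segment, flags exact and slightly varied reuse of previous passwords, and checks a candidate against breach data using the k-anonymity prefix scheme that the Pwned Passwords service uses. The breach corpus, the range lookup and the leetspeak table are constructed stand-ins; nothing leaves the machine.

```python
import hashlib
import string
from difflib import SequenceMatcher

# The most common passwords named in the segment (constructed, deliberately short list).
COMMON_PASSWORDS = {"123456", "123456789", "qwerty"}

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a Pwned Passwords style range service: only the first 5 hex chars of
# the SHA-1 are sent; the (suffix, count) pairs that come back are matched locally (k-anonymity).
BREACH_CORPUS = {"123456": 23000000, "Summer2020!": 1200, "letmein": 500000}
RANGE_DB = {}
for pw, count in BREACH_CORPUS.items():
    h = sha1_hex(pw)
    RANGE_DB.setdefault(h[:5], []).append((h[5:], count))

def range_lookup(prefix):  # stands in for GET /range/{prefix}; no network call is made
    return RANGE_DB.get(prefix, [])

def breach_count(password):
    """Times the password appears in breach data, matching the hash suffix locally."""
    h = sha1_hex(password)
    return next((c for suffix, c in range_lookup(h[:5]) if suffix == h[5:]), 0)

# Undo the "slight variations" the segment describes: case changes, appended digits or
# symbols (Summer2020! -> Summer2021!) and common leetspeak substitutions (constructed table).
LEET = str.maketrans("013457@$", "oleastas")

def normalize(password):
    return password.lower().rstrip(string.digits + string.punctuation).translate(LEET)

def forms(password):  # raw lowercase plus normalized form; drop "" (all-digit passwords)
    return {password.lower(), normalize(password)} - {""}

def similar(a, b, threshold=0.8):
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold

def evaluate_password(candidate, previous_passwords, min_length=8):
    """Return the policy failures for a proposed password (empty list means accepted)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too_short")
    if forms(candidate) & COMMON_PASSWORDS:
        reasons.append("common")
    if breach_count(candidate) > 0:
        reasons.append("breached")
    if any(similar(f, g) for old in previous_passwords for f in forms(candidate) for g in forms(old)):
        reasons.append("reuses_previous")
    return reasons
```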
  • Local governments forced offline after ransomware targets web host
    • Several government agencies had their websites knocked offline by a ransomware attack on their web host
    • Managed.com is a third-party hosting company that provides website hosting services for several governments
    • Managed.com was hit with REvil ransomware that knocked out all of its web hosting services, taking the government agencies' sites down with it
    • Managed.com wrote "Upon further investigation and out of an abundance of caution, we took down our entire system to ensure further customer sites were not compromised"
    • Government agencies impacted include Brown County, Indiana; Columbus County, North Carolina; Jackson County, Oregon; and the Arizona Judicial Branch
    • Managed.com said that only a few websites were affected by the ransomware and gave no estimate for when service would be restored
    • It does not appear that any of these agencies' internal systems were breached as a result of this attack
    • Managed.com wrote "Our Technology and Information Security teams are working diligently to eliminate the threat and restore our customers to full capacity" and "Our first priority is the safety and security of your data. We are working directly with law enforcement agencies to identify the entities involved in this attack. As more information is available, we will communicate directly with you."
    • Some of the affected governments have established backup websites
    • Ransomware continues to be a huge threat: ransoms are increasing, and attackers now also threaten to publish stolen data (doxxing)
    • A good, tested backup is the best cure for ransomware
    • Read the Managed.com statement here: https://status.managed.com/
  • New study illustrates once again that many "smart" devices are a privacy and security dumpster fire:
    • "The Internet of things (IoT) describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the Internet" - Wikipedia
    • As many traditional devices become "smart" and can connect to the Internet, you should ask yourself if you really need your refrigerator online
    • Experts estimate there will be 75 billion IoT devices by 2025
    • Many of these Internet of Things (IoT) devices are rushed to market with little to no security
    • Hackers love these "smart" devices because they are easy to compromise, always on, and often sit on high-bandwidth connections, making them ideal recruits for botnets
    • They are often hard to update, and users are unaware that they need to be patched and secured
    • Casey Ellis, CEO of Bugcrowd, said "IoT security has been horribly flawed ever since it first became a thing, largely because of the pace that new products have to go to market, and the fact that designing security is seen by vendors as ‘slowing things down’"
    • Palo Alto Networks’ Unit 42 researchers warned that over 50% of IoT devices are vulnerable to attack, calling the situation a "ticking time bomb"
    • Before you start adding "smart" devices to your network, you should think about the implications
    • IoT devices are being attacked in many ways:
      • Hackers may compromise IoT devices to use them to attack other devices and networks (botnets)
      • Hackers attempt to compromise IoT devices to get into your network and attack other devices
      • Hackers may try to steal data from a device
      • Hackers may use an IoT device to spy if it has a microphone or camera
    • These attacks have caused new concerns about the vulnerability of millions of “smart” devices that are increasingly appearing in homes and businesses
    • Many toys (dolls, cars, drones, TVs, games, etc.) are increasingly connected to the Internet
    • Many "smart" toys include microphones and/or cameras
    • Major security flaws in popular smart doorbells are putting consumers at risk of being targeted by hackers inside their homes, according to Which?
    • UK consumer group Which? warned about IoT doorbell devices sold on marketplaces such as Amazon and eBay that could easily be hacked or disabled
    • Which? tested 11 devices purchased from popular online marketplaces in the UK. Brands tested included Qihoo, Ctronics and Victure
    • Which? found a variety of issues; two of the devices could be compromised and used to attack other devices on the network
    • The Victure Smart Video Doorbell, a best seller in the UK, was sending users' home network names and passwords to servers in China
    • Read the Which? report here: https://www.which.co.uk/news/2020/11/the-smart-video-doorbells-letting-hackers-into-your-home/
    • The Shodan search engine makes it easy to find and target insecure devices
    • Many IoT devices are notoriously insecure and are infrequently, if ever, updated once deployed
    • The onus for security updates falls on the owner, and applying them can be difficult; buyer beware
    • Martin Hron, an Avast researcher, recently reverse engineered a $250 Smarter coffee maker
    • Hron wrote "I was asked to prove a myth, call it a suspicion, that the threat to IoT devices is not just to access them via a weak router or exposure to the internet, but that an IoT device itself is vulnerable and can be easily owned without owning the network or the router"
    • Hron was successful: once the compromised machine connects to the network, the burner turns on, it spouts hot water, the bean grinder starts grinding, and it displays a ransom message while beeping continuously
    • The only way to stop the madness is to unplug it
    • Hron said "With the pace of IoT explosion and bad attitude to support, we are creating an army of abandoned vulnerable devices that can be misused for nefarious purposes such as network breaches, data leaks, ransomware attack and DDoS."
    • As with any Internet-connected device, you must make sure that patches and updates are installed on the device
    • "It’s going to be very difficult to convince consumers to patch their refrigerator" - Matthew Prince, CEO of security provider Cloudflare Inc.
    • If you have one or more IoT devices that you are concerned about, you can disconnect them from your network as a security measure and continue to use them as regular, offline devices
    • Watch the hacked coffee maker here: https://www.youtube.com/watch?v=bJrIh94RSiI&feature=emb_logo