The 20 most common passwords leaked on the dark web

As seen on securitymagazine.com by Maria Henriquez on April 29, 2022

Data breaches are at an all-time high. According to the Identity Theft Resource Center’s (ITRC) 2021 Annual Data Breach Report, there were 1,862 data breaches in 2021 — a 68% increase over breaches in 2020. And, new year-over-year results indicate a fast start to data breaches in 2022, as more than 90% of data breaches are cyberattack-related. 

When data breaches happen, emails and passwords associated with online accounts are also commonly leaked, leaving consumers at risk of phishing scams or identity theft. According to Lookout, on average, 80% of consumers have had their email leaked on the dark web.

Here is the company’s list of the top 20 passwords found on the dark web, due to data breaches: 

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. 12345678
  7. 111111
  8. 1234567
  9. 123123
  10. qwerty123
  11. 1q2w3e
  12. 1234567890
  13. DEFAULT
  14. 0
  15. Abc123
  16. 654321
  17. 123321
  18. Qwertyuiop
  19. Iloveyou
  20. 666666

Do you spot your password on this list? The National Institute of Standards and Technology (NIST) has developed specific guidelines for strong passwords. According to NIST guidance, you should consider using the longest password or passphrase permissible (8–64 characters). Try different variations of a passphrase and avoid common phrases, famous quotations, and song lyrics.
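The NIST guidance referred to above (SP 800-63B) pairs the 8–64 character length window with a check of candidate passwords against a blocklist of commonly breached values. The following is an added example, not code from the article or from Lookout, showing how a registration or password-change endpoint can apply both checks; the blocklist here is just the article's top-20 list, and the trailing-digit/symbol stripping used to catch trivial variants such as "Password1!" is an assumption of this example, not part of the NIST text.

```python
"""
Screen a candidate password the way NIST SP 800-63B suggests: enforce a
length window (8-64 characters, as the article states) and reject anything on
a blocklist of commonly leaked passwords. The blocklist is the article's
top-20 list; a real deployment would load a far larger breached-password corpus.
"""
import re

# Top 20 leaked passwords, exactly as listed in the article.
COMMON_PASSWORDS = [
    "123456", "123456789", "qwerty", "password", "12345", "12345678",
    "111111", "1234567", "123123", "qwerty123", "1q2w3e", "1234567890",
    "DEFAULT", "0", "Abc123", "654321", "123321", "Qwertyuiop",
    "Iloveyou", "666666",
]

MIN_LEN = 8
MAX_LEN = 64


def _normalize(pw: str) -> str:
    # Compare case-insensitively so "PASSWORD" is treated like "password".
    return pw.strip().casefold()


BLOCKLIST = {_normalize(p) for p in COMMON_PASSWORDS}

# Assumption of this example: strip a trailing run of digits/symbols so that
# "password1" or "Qwertyuiop!" is still recognised as a blocklisted value.
_STRIP_SUFFIX = re.compile(r"[\d!@#$%^&*]+$")


def check_password(candidate: str) -> tuple:
    """Return (ok, reason); ok is False when the password must be rejected."""
    if len(candidate) < MIN_LEN:
        return False, f"too short (minimum {MIN_LEN} characters)"
    if len(candidate) > MAX_LEN:
        return False, f"too long (maximum {MAX_LEN} characters)"
    norm = _normalize(candidate)
    if norm in BLOCKLIST:
        return False, "matches a commonly leaked password"
    stripped = _STRIP_SUFFIX.sub("", norm)
    if stripped and stripped in BLOCKLIST:
        return False, "is a trivial variant of a commonly leaked password"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["123456", "Qwertyuiop", "Password1!", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```

Note that the length check runs first, so short blocklisted values such as "123456" are rejected for length; the reason string only matters for what you tell the user, which NIST recommends be specific enough to explain the rejection without revealing the blocklist.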

BlackCat/ALPHV ransomware breaches 60+ organizations

As seen on securitymagazine.com by Maria Henriquez on April 25, 2022

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) has compromised at least 60 entities worldwide, according to a new report by the Federal Bureau of Investigation (FBI) detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV.

BlackCat is the first ransomware group to successfully breach organizations using Rust, considered to be a more secure programming language that offers improved performance and reliable concurrent processing.

In addition, BlackCat/ALPHV ransomware leverages previously compromised user credentials to gain initial access to the victim system. According to the FBI, once the malware establishes access, it compromises Active Directory user and administrator accounts. The malware uses Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) to deploy ransomware. Initial malware deployment leverages PowerShell scripts, in conjunction with Cobalt Strike, and disables security features within the victim’s network. BlackCat/ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise; steals victim data prior to the execution of the ransomware, including from cloud providers where company or client data was stored; and, leverages Windows scripting to deploy ransomware and to compromise additional hosts.

BlackCat-affiliated threat groups typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.

The FBI recommends organizations:

  1. Review domain controllers, servers, workstations, and Active Directory for new or unrecognized user accounts.
  2. Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  3. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
  4. Use multi-factor authentication where possible.
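The first FBI recommendation, reviewing domain controllers and Active Directory for new or unrecognized accounts, can be partly automated against the Windows Security log. The following is an added example, not code from the FBI report or the article: it reads a constructed, simplified key=value rendering of Security events (IDs 4720 "user account created", 4728 and 4732 "member added to a security-enabled group" are the real Windows event IDs; the log format, host names, account names and the approved-creator list are assumptions of this example) and reports account creations by principals outside the approved set plus any addition to a privileged group.

```python
"""
Review Windows Security events for new or unrecognized accounts and for
privileged-group additions. Input is a constructed key=value rendering of
the events; a real review would export 4720/4728/4732 events from the domain
controllers (and member servers, for local Administrators changes).
"""
import re
from dataclasses import dataclass

# Standard Windows Security event IDs used here:
#   4720 - a user account was created
#   4728 - a member was added to a security-enabled global group
#   4732 - a member was added to a security-enabled local group
INTERESTING = {"4720", "4728", "4732"}

# Constructed sample log lines; hosts, users and times are made up.
SAMPLE_LOG = """\
2022-04-20T02:14:07Z host=DC01 EventID=4720 SubjectUser=svc_backup TargetUser=support1 Domain=CORP
2022-04-20T02:15:33Z host=DC01 EventID=4728 SubjectUser=svc_backup MemberName=support1 GroupName="Domain Admins"
2022-04-20T09:01:12Z host=DC01 EventID=4720 SubjectUser=hr.admin TargetUser=j.doe Domain=CORP
2022-04-20T09:02:44Z host=WS-042 EventID=4732 SubjectUser=j.doe MemberName=j.doe GroupName=Administrators
2022-04-20T11:20:00Z host=DC01 EventID=4624 SubjectUser=j.doe LogonType=3
"""

# Assumed baseline for this organisation: only these principals may create users.
APPROVED_CREATORS = {"hr.admin"}
# Group membership changes that always warrant a human look.
PRIVILEGED_GROUPS = {"domain admins", "administrators", "enterprise admins"}


@dataclass
class Finding:
    timestamp: str
    host: str
    event_id: str
    reason: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["timestamp"] = ts
    return fields


def review_accounts(log_text: str) -> list:
    """Return a list of Finding objects for events that need review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = ev.get("EventID")
        if eid not in INTERESTING:
            continue
        if eid == "4720" and ev.get("SubjectUser") not in APPROVED_CREATORS:
            findings.append(Finding(
                ev["timestamp"], ev["host"], eid,
                f"account {ev.get('TargetUser')} created by non-approved "
                f"principal {ev.get('SubjectUser')}"))
        elif eid in {"4728", "4732"} and \
                ev.get("GroupName", "").casefold() in PRIVILEGED_GROUPS:
            findings.append(Finding(
                ev["timestamp"], ev["host"], eid,
                f"{ev.get('MemberName')} added to privileged group "
                f"{ev.get('GroupName')} by {ev.get('SubjectUser')}"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} [{f.event_id}] {f.reason}")
```

On the sample input the ordinary logon (4624) is ignored, the HR-created account passes, and three events are flagged: a service account creating a user at 02:14, that user being added to Domain Admins a minute later, and a self-addition to the local Administrators group on a workstation. The creation-plus-immediate-privilege pattern is exactly what this review is meant to surface.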

Insider risk: Are you monitoring employees working outside your network?

As seen on securitymagazine.com on April 29, 2022 by Jay Godse

Every employee is hired to do a job, but every employee also represents a potential risk to their company. In the past year, 68% of employers have noted an increase in insider attacks. The top attacks include fraud, monetary gain and IP theft and cost companies millions of dollars.  

One major reason for an increase in insider risk in the past year is remote work. Not only are people outside of their manager’s physical view, they are often working outside of their company’s network. Companies need a new approach to ensure they have the insights to help stop insider attacks. 

The Shift to Remote Work Creates Blind Spots 

With millions of people now working from home, the concept of work has changed forever. Weekly one-on-one meetings are now on Zoom, and there’s little water-cooler chatter. This means that managers may have a harder time identifying employees that may pose a threat to the company, and employees may feel less loyal to their employer. From small acts of theft such as sharing customer contacts with a competitor, to crimes such as embezzlement, remote work can make it easier for managers to miss signals that someone may be likely to act out. 

In addition to remote management, employees also have more technical freedom. For years it was the norm for employees to be logged into a computer from an office. When in the office, employees are automatically connected to the company’s network. This gives the company the ability to easily monitor the activity on each computer in a centralized way. CIOs can ensure that passwords are updated and sensitive files are not accessed by anyone who isn’t allowed to use them. HR managers are able to check email accounts and chat conversations to ensure no one is being harassed. And there is a trail of information should any employee decide to commit theft or fraud — from keystrokes to website visits — all of the information would be owned by the company. 

As the pandemic shifted millions of jobs to the home office, CIOs found that their computer networks became more difficult to maintain. There are costs and inherent security risks in VPN and other remote access, and so many companies have allowed employees to work each day on a computer that is not tied into the network. 

This creates a huge number of endpoint blind spots for companies. Individuals may log into specific company platforms, which can be traceable, but are also able to do whatever else they want on their computer with little or no oversight. Creating any kind of case would require some serious investigative work, including physically obtaining the computer from the remote employee.  

Bringing Remote Workers Closer 

The combination of physical distance from the office as well as working outside of the network makes it too easy for employees and other insiders to be emboldened. At the same time, many people have dealt with a variety of stressors over the past two years, from the pandemic to adjusting to a work-from-home environment. Without the ability to meet in person, managers need a new way to ensure employee well-being and raise red flags if employees appear to be a risk to the company. 

Update management training: For example, managers should receive updated training to help them make better connections with remote employees, help them to successfully onboard new employees and look for changes in behavior or signs that someone is unhappy.  

Create risk best practices: Everyone in the company should be made aware of insider risk and be given information about how to report potential risks to the correct people in the organization. 

Invest in remote insider risk technology: Especially important, companies need to invest in technology that provides the insight that is missing outside of the network. Insider risk technology that works at the endpoint or device level ensures that there are no more blind spots, and companies have the ability to monitor and identify possible issues. Predicting risk is a multi-faceted challenge. For example, for emails to be a marker of risk, the count, the timing, the attachment types, the recipients, the content sentiment all play together to attribute an action as risk. It’s not a manual task and hence unique solutions are required. What’s more, insider risk technology built for remote work can help companies that are victims of an attack — enabling them to quickly and easily build a case. 

Insider risk has changed considerably with the rise of remote work, and it’s important for companies to change, as well. With updated communication, management, and technology in place, companies can stop insider risk and embrace the positives of remote work. 

A 3-step approach to cyber defense: Before, during and after a ransomware attack

As seen on securitymagazine.com on May 3, 2022 by Andy Stone

It was not too long ago when ransomware attacks were at the bottom of everyone’s radar. Today, cyberattacks — specifically ransomware attacks — dominate headlines as they’ve become more sophisticated, more dire and more frequent. What warranted less than 10 minutes on the agenda in the C-suite is now arguably among the most pressing issues that organizations face around the world.

As we’ve seen with the cyberattacks on the Colonial Pipeline, Springhill Medical Center and JBS Foods, the effects of cybercrime go beyond a hefty price tag. Oftentimes, lives and livelihoods are also at stake. Although organizations have recognized the clear risks that cyberattacks pose, there is still a gap in understanding the security measures that need to be in place to mitigate these attacks in the first place as well as what to do when they happen — because they will happen.

In my own experience, formulating a before, during and after approach is key to organizational sanity and survival in a world increasingly dominated by ransomware attacks. In this article, I’ll walk you through the template I use to assess each phase of my ransomware mitigation plan. 

Before: Beware Business as Usual

For organizations that have never experienced a cyberattack, the preparation phase often can fall behind. Yet preparation is paramount to mitigate the growing risks of a ransomware attack in today’s digital world. Companywide buy-in is the first step to bolstering defenses and ensuring a quick response when faced with an attack. When implementing preventative measures, here are the five core areas to keep top of mind:

●    IT hygiene: Once threat actors gain access to an environment, they look to exploit key systems and sensitive data. Performing good data hygiene and having a well-defined patch management program are crucial to preventing breaches. Often, by the time a vendor releases a patch, cybercriminals have already been made aware of a vulnerability. Given this tight timeframe, critical patches should be made within 24 hours, while other levels of criticality range in the timeframe expected, but should be made no more than 30 days later.

●    Multi-factor authentication: It has been said that employees are the weakest link in cybersecurity as poor password management practices can create vulnerabilities. With multi-factor authentication, an added layer of security protects against issues that arise when the same password is used across multiple accounts.

●    Admin credential vaulting: In addition to poor password management practices, improperly secured shared resources can create vulnerabilities. Vaulting credentials and admin credentials provide extra safeguards for credentials of shared resources on your network, offering a repository with passwords automatically refreshed after each login.

●    Consistent logging: Security and access logs are crucial before and after an attack. They provide critical indicators of compromise to help identify a potential adversary before an attack is launched. Additionally, a good logging solution can help identify the source of an attack and provide required proof of compliance to regulatory agencies. However, it’s not enough to just maintain security logs, they need to be protected as well.

●    Fast analytics: Quick, real-time analytics leveraging security logs will help spot suspicious behavior and send timely alerts on potential attacks. Implementing a fast analytic platform across three vectors: the endpoint, the network and the end user, can help you spot indicators of compromise and allow threat hunters to eradicate threats before an attack is launched and data is compromised.

●    Critical employee training: Set clear Internet and email policies and issue relevant end-user awareness training for employees across the organization. Follow up to measure efficacy and use that information to identify weak spots where additional training may be needed. However, it’s critical to understand that employee education isn’t enough. Executive management and boards must also be trained via tabletop exercises on how events will unfold and how to respond during a cyberattack.
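The "Consistent logging" point above ends with the observation that logs must themselves be protected, since an intruder who can edit or delete entries removes the indicators the "Fast analytics" step depends on. One standard way to make a log tamper-evident is a hash chain, where each entry commits to the hash of the entry before it. The following is an added example, not code from the article or its author; the sample events, the use of SHA-256, and the optional HMAC key are assumptions of the example. A plain hash chain detects edits and deletions inside the file but not a full rewrite by someone who controls the host, so in practice the chain head is shipped to a separate write-once store or each link is keyed with an HMAC secret the log host does not hold; both options are shown.

```python
"""
Tamper-evident security log using a hash chain. Each stored entry carries
hash(prev_hash || canonical_json(record)); editing, reordering or deleting an
earlier record breaks every hash after it. With a key, the link becomes an
HMAC, so an attacker without the key cannot recompute a consistent chain.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed "previous hash" for the first entry


def _link(prev_hash: str, record: dict, key=None) -> str:
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    if key is None:
        return hashlib.sha256(payload).hexdigest()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain: list, record: dict, key=None) -> list:
    """Append one event to the chain, linking it to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": dict(record), "hash": _link(prev, record, key)})
    return chain


def verify_chain(chain: list, key=None) -> tuple:
    """Return (True, -1) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _link(prev, entry["record"], key)
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def build_chain(events, key=None) -> list:
    chain = []
    for ev in events:
        append_record(chain, ev, key)
    return chain


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2022-05-01T08:00:00Z", "event": "logon", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2022-05-01T08:05:12Z", "event": "service_stopped", "name": "EDR-Agent"},
    {"ts": "2022-05-01T08:05:30Z", "event": "logon", "user": "svc_backup", "src": "10.0.0.99"},
]


def demo_deletion() -> tuple:
    """Build a chain, then drop the 'service_stopped' entry as an intruder might."""
    chain = build_chain(SAMPLE_EVENTS)
    tampered = [chain[0], chain[2]]
    return verify_chain(tampered)  # the gap shows up at index 1


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain))
    print("after deleting entry 1:", demo_deletion())
    keyed = build_chain(SAMPLE_EVENTS, key=b"secret-held-elsewhere")
    print("keyed chain, verified without key:", verify_chain(keyed))
```

The index returned by `verify_chain` tells the responder where the integrity of the record ends, which is itself useful forensic information: everything before that point can still be trusted.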

During: As the Attack Unfolds

An organization’s exact business continuity and disaster recovery plan will depend on its business and the specific breach; however, there are steps that should be taken across the board regardless of industry or sector. As an attack plays out, the organization’s business continuity and disaster recovery plan will need to be put into action. At this point, containing the attack and locking down the environment is the first step. Isolate impacted systems on the network without fully shutting down systems or turning off the power, as this could reduce the ability to forensically analyze those devices later. In addition, here are four other steps you should take:

  1. Put your backup communications plan into action: If your email systems are down, continue communications within your organization using your backup communications plan. Use this method to inform leaders and internal stakeholders of the attack.
  2. Mobilize your emergency response team: This team will look different depending on your organization, but each person on the team should have clear marching orders. This team may include legal counsel, forensic experts, corporate communications and other key players.
  3. Initiate your external communications plan: Get in contact with authorities, cyber insurance providers, regulators, media and other critical partners to inform them of the situation. The plan should also include notifications to affected customers and businesses. Be sure to have a clear statement drafted that details the situation and your subsequent plan of action.    
  4. Start the forensic process: Triage impacted devices for forensic review. The sooner your team can identify what type of attack was launched and its severity, the sooner your team can apply patches. 

After: Steps to Recovery

There’s only one thing that matters after an attack, and that’s SPEED. While having the proper precautions in place to prevent an attack and respond to an attack are essential, it’s equally as critical that organizations plan for recovery. As part of a solid disaster recovery plan, organizations should have a recovery environment that has been staged, tested and ready to go, providing a tried-and-true way to get back online right after an event. Once an attack has run its course, you may be faced with a choice to pay a ransom. Whether you decide to pay or not, at this point, you’re also working to minimize damage and get back online as quickly as possible.

Of note, in many cases, an organization will not be able to reuse production devices that may have been implicated in an attack. As a result, having a clear line of sight into an additional recovery kit should also be planned. 

Based on your response plan, you’ll need to prioritize which systems should be recovered and restored first. There will be a number of application dependencies that will need to be worked through. As you continue the forensic process, it will be important to work in tandem with the proper authorities, including regulatory agencies and authorities. As you begin the restoration process, make sure to do so in an offline environment that allows teams to identify and eradicate any persistent malware infections.

Throughout the whole recovery process, communication will be key. Be sure to consistently communicate progress each step of the way to all affected parties. This includes but is not limited to employees, customers, investors and business partners. It’s also important to keep any affected service providers or suppliers in the loop and ensure they take the necessary steps to prevent another breach.  

Looking ahead

It’s almost naïve to think that your organization won’t be affected by a cyberattack or breach at some point. Cybercriminals will undoubtedly continue to innovate and evolve, and we can expect ransomware to get even more creative and capable of even greater damage. Although we can’t predict the next big ransomware attack, we can certainly prepare ourselves by continuing to evolve our cybersecurity strategy. 

Social networks most likely to be imitated by criminal groups

As seen on securitymagazine.com by Maria Henriquez on 4/20/22

Social media networks have now overtaken shipping, retail and technology as the category most likely to be targeted by criminal groups, according to new research from Check Point.

The Brand Phishing Report for Q1 2022 highlights the brands that criminals most frequently imitated in their attempts to steal individuals’ personal information or payment credentials during January, February and March 2022.

So far this year, LinkedIn has been related to more than half (52%) of all phishing-related attacks globally, marking the first time the social media network has reached the top of the rankings.

It represents a dramatic 44% uplift from the previous quarter when LinkedIn was in the fifth position and related to only 8% of phishing attempts. LinkedIn has now overtaken DHL as the most targeted brand, which has fallen to the second position and accounted for 14% of all phishing attempts during the quarter.

The report highlights an emerging trend toward threat actors targeting social networks, even more than shipping companies and technology giants like Google, Microsoft and Apple. 

Below are the top brands ranked by their overall appearance in brand phishing attempts:

  1. LinkedIn (relating to 52% of all phishing attacks globally)
  2. DHL (14%)
  3. Google (7%)
  4. Microsoft (6%)
  5. FedEx (6%)
  6. WhatsApp (4%)
  7. Amazon (2%)
  8. Maersk (1%)
  9. AliExpress (0.8%)
  10. Apple (0.8%)

Security leaders are not surprised that threat actors are targeting social media networks now. “It makes sense for attackers to use LinkedIn as a hook for socially engineered phishing attacks, as it is generally accepted as a usable, professional platform,” says Hank Schless, Senior Manager, Security Solutions at Lookout. “However, it’s not that different from any other social platform where an attacker can create a fake but convincing profile and message one of your employees with a malicious link or attachment.”

With LinkedIn moving up the list of platforms used in phishing-related attacks, Schless suggests organizations update their acceptable use policies (AUPs) to protect employees and mitigate the risk of web-based attacks.

“Cloud-based web proxies such as secure web gateways (SWGs) that are fed by rich threat intelligence datasets can help organizations build dynamic AUPs and protect enterprise data,” Schless says. “SWG is a critical solution to have in the modern enterprise security arsenal as it acts as a way to block accidental access to malicious sites, and can also be a safe tunnel to protect users from modern web-based threats such as ransomware, other malware, and phishing attacks.” 

Electric vehicles are taking over. Hackers are waiting

As seen on securitymagazine.com by Robert Nawy on 4/20/22

Electric vehicles (EV) are a vital part of the present (and future) state of the U.S. auto market. After decades of hope and hype, the rapid adoption of electric vehicles is finally upon us. In 2011, there were only 16,000 battery and plug-in hybrid electric vehicles on the road. In mid-2021, that number had grown to over 2 million vehicles. In fact, auto executives expect over 50% of U.S. vehicles to be all-electric by 2030. 

The Bipartisan Infrastructure Deal includes $7.5 billion to plan and build a robust network of EV charging stations, a sizeable down payment toward developing a nationwide system. But what of the extensive and complicated network needed to service those electric vehicles?

It took decades for a hodgepodge network of gas stations to crisscross the nation, with policies and procedures created by individual oil companies before proper government oversight or planning ensued. A state or nationwide electric vehicle charging network will require thorough planning and significant investment. Despite lofty goals, projected EV usage increases and plans to keep them rolling along America’s highways, one crucial challenge remains woefully undiscussed: EV charging station cybersecurity.

Last month, a 19-year-old tech security specialist used TeslaMate, a third-party software app, to successfully hack into 25 Tesla vehicles in more than a dozen countries. It was the first reported incident of a third-party app being used to hack and obtain access to vehicle data and controls, a clear indication of the risks associated with EVs.

Tesla is hypervigilant about cybersecurity, yet hackers still found a way to compromise their systems. As electric vehicles become an even larger portion of the automobile market, a disturbing cyber threat is the installation of potentially unprotected EV charging stations across the country. Without a heavy emphasis on cybersecurity, these stations could become a hacker superhighway.

Electric vehicles adoption to increase

In a nutshell, EV charging infrastructure is a device (or set of devices) that waits for another device to connect and begin communicating without a third-party firewall or other cybersecurity devices to act as a shield — all those technologies must be built into the charging station itself. As seen with MS Windows, a third party is often necessary to secure technologies like this as the tech itself tends to lack proper cyber protection.

The complexity and rapid adoption of EV charging stations/technologies make them especially vulnerable to attacks as certain security measures may be overlooked. Electric vehicle charging stations appear highly vulnerable to hackers. Last year, the U.S.-based Colonial Pipeline fell victim to a foreign-fronted cyberattack due to a single compromised password. This one vulnerability halted fuel supply processes in the Eastern U.S. and cost the company $4.4 million in ransom. Now, think of a hack that could cripple EV charging stations across California. More open doors provide more opportunities for hackers to break into and potentially control sophisticated EVs.

The demand for electric vehicles is rising dramatically. According to Gartner, EV charging stations are expected to increase from 1.6 million units in 2021 to 2.1 million units this year. It also predicted that electric cars (battery-electric and plug-in hybrid) shipping would rise to 6 million in 2022, a 50% increase over 2021. Furthermore, at COP26 in November 2021, the Zero Emission Vehicle Transition Council announced that vehicle manufacturers will commit to selling only zero-emission vehicles by 2040 and earlier in leading markets.

One incentive to boost EV adoption essentially rolls out the red carpet for hackers. Today, EV drivers can save or earn money by giving the power stored in their battery back to the grid or supplementing their home or office’s electric needs. Unfortunately, this connectivity opens doors to cyberattacks from data breaches. 

The best way for cybersecurity leaders to protect charging stations from security breaches is to consistently monitor for cyberattacks — both known and unknown. For instance, utilities use technology like IPKeys Cyber Partners’ evolving VSOC (Vehicle Security Operations Center) platform. This software enables cybersecurity for the post-production phase. It is critical to ensure the security of connected vehicles and the smart mobility ecosystem, allowing companies to monitor their entire infrastructure and vehicles in real-time, utilizing automotive-specific analytics to detect cyber threats.

Automotive cybersecurity is still a relatively new domain, developing quickly to keep up with the fast-paced technological developments in the industry and the increasing number of cyber incidents. Unfortunately, traditional automotive safety regulations and security standards do not sufficiently cover the cyber threats related to modern-day connected vehicles.

EV charging infrastructure is as vulnerable to suffering from cyber threats as any other connected device. Still, the complexity and quick evolution of the technology and connected devices put this technology, especially, at risk. They will require the same type of monitoring and protection to ensure they do not open doors for cybercriminals to walk through, whether on the device itself or through a third-party app. As the use of electric vehicles grows and EV charging stations are installed across the country, it’s imperative that we focus on advanced cybersecurity measures to keep drivers safe and secure the critical data our vehicles contain.

Nations scramble to take a lead in 6G technology

As seen on globaltimes.cn by Zhang Hongpei on March 23, 2022

As 6G, the next-generation communication technology, is widely expected to achieve commercialization around 2030, various nations are ramping up research and development efforts, despite the absence of clear technical routes or unified international standards.

The next three to five years will be crucial for seizing the high ground in the field and cultivating an industrial foundation, experts said, as they called for close cooperation with international standards agencies and platforms, embracing openness and win-win partnerships.

Amid the ongoing Global 6G Conference, which is being held online from Tuesday to Thursday, more than 100 communication technology experts from China and abroad are discussing the development and vision of 6G, focusing on possible network architecture, wireless transmission routes and other issues.

The revolutionary technology, expected to be 10-100 times faster than 5G in terms of data transmission speed, will integrate with advanced computing, big data, artificial intelligence (AI) and blockchain, set to make up for desired applications that fall short of expectations in the 5G era.

Among the nations that are preparing for 6G, China is taking a leading position based on the huge investment and technological reserves of its mobile operators and equipment makers, industry watchers said.

During its earnings briefing earlier this month, China Unicom executives said that the company attaches great importance to network upgrading and evolution, while carrying out tracking and research on 5G-A and 6G technologies.

For equipment providers, Chinese technology giant Huawei began R&D on 6G as early as 2019. In 2020, Huawei joined hands with China Unicom and Galaxy Aerospace for an air-space-ground integration strategic partnership agreement to jointly develop 6G.

“Enterprises are accelerating their forward-looking stances on 6G, but now it is not time for them to disclose their innovational achievements, which are at the initial stage,” Ma Jihua, a veteran tech industry analyst, told the Global Times on Wednesday.

“There is not yet a clear technology route and different countries are mainly focused on pushing ahead with their R&D,” Ma said, noting that China aims to have a major standard-setting role in the 6G era.

In January, a high-tech lab in Nanjing, capital of East China’s Jiangsu Province, announced a major achievement related to 6G-oriented terahertz 100/200Gbps (gigabits per second) real-time wireless communication, which led to the world’s fastest real-time transmission for terahertz real-time wireless communication that’s been publicly reported.

The achievement has a wide range of prospective applications. It can be installed in satellites, unmanned aerial vehicles and space ships, which can be applied to high-speed wireless communication scenarios between satellite clusters, between the sky and Earth, and between satellites over distances of more than 1,000 kilometers.

Chih-Lin I, chief scientist of China Mobile Research Institute (CMRI), said at the conference that the next three to five years will offer a “window” for 6G technologies, and this period will be key to seizing the technological heights.

She suggested that China should maintain its influence accumulated in international standards organizations in the 3G-5G eras, enhance cooperation with relevant international standards organizations and platforms, and fully promote 6G in the direction of global unified standards and ecology.

“The world is likely to agree on 6G standards around 2028, and from 2020-2025, China will likely focus on proposing 6G standards as well as research of related technologies,” Xiang Ligang, director-general of the Beijing-based Information Consumption Alliance, told the Global Times. 

“The country will not lag in 6G development at any stage, whether in technical research or infrastructure construction,” he added.

The international organization that’s involved with telecom technologies – 3GPP – is expected to initiate R&D of 6G international technical standards around 2025 before the expected commercialization around 2030, according to a white paper issued last year by the IMT-2030 (6G) Promotion Group, under the guidance of the Ministry of Industry and Information Technology (MIIT).

China, the world’s biggest internet and smartphone market, granted 5G licenses for commercial use and started 6G R&D in 2019. It has built the largest 5G mobile infrastructure in the industry, with 1.43 million 5G base stations rolled out as of the end of 2021, accounting for over 60 percent of the global total.

Network maintenance staffers at the local subsidiary of China Mobile in Tongling, East China’s Anhui Province test antennas for 5G base stations on December 13, 2021. As of early December, the Tongling subsidiary had built over 650 5G stations, enabling full coverage in Tongling’s rural hot spots. Photo: cnsphoto

MIIT head Xiao Yaqing has vowed to strengthen international telecom cooperation in 5G R&D and applications, and to create a globally coordinated industrial ecosystem for there to be a safe, open and more mutually trusting environment.

China will take part in global efforts to push for common standards and the maturity of new technologies, Xiao told a press conference in February, noting that many Chinese companies including Huawei and ZTE have joined up with other industry peers including Nokia and Ericsson.

Technology Alliance Says It Is Closer to Killing Off Passwords

As seen on wsj.com by Katie Deighton on 3/22/22

A group of technology companies including Apple Inc., Alphabet Inc.’s Google and Microsoft Corp. says it is a step closer to eliminating what many people call one of the worst aspects of the internet experience: passwords.

The Fast Identity Online Alliance has for nearly a decade worked on a system that lets users log into their online accounts simply by using the unlock mechanisms of their smartphones or computers. Rather than sending a password over a network susceptible to outside interference, users connect a public “key,” which sits on the account service provider’s server, to a private one, which cannot be removed from their device.

Previous versions of the group’s system still required people on new devices to enter passwords for each account before they could go password-free. Now, it says it has found a way to let users log into online accounts with their faces, fingerprints and PIN codes straightaway, even on brand-new devices.

The update “means that users don’t need passwords anymore,” said a white paper by the alliance, called FIDO for short. “As they move from device to device, their FIDO credentials are already there, ready to be used.”

The alliance, which represents more than 250 members, has been trying to reduce reliance on passwords since 2013, when six companies including PayPal Holdings Inc. and Lenovo Group Ltd. came together to develop a new, safer industry standard for online authentication.

Passwords create not just friction on the information superhighway, critics have long complained, but real frustration and even abandoned accounts when consumers forget their secret codes. They also still leave users, businesses and other organizations vulnerable to hackers and other bad actors.

Security solutions such as two-factor authentication, in which users typically supplement passwords with push notifications or codes sent by apps or texts, bring their own drawbacks. Plenty of people seem uninclined to opt in.

“Even though we know in 2022 that passwords are inherently insecure and creating lots of problems, getting people to actually secure them is still a challenge,” said Merritt Maxim, vice president and research director at research firm Forrester Research Inc., where he specializes in security and risk.

Passwords are “the cockroaches of the internet,” Mr. Maxim said—irritating, hardy and worth taking the time to kill.

Some companies have developed passwordless options using FIDO standards.

Microsoft last September began letting consumers sign into their accounts with the company’s authenticator app and software, physical security keys that plug into computer ports, or SMS and email verification codes, rather than passwords.

And when a user logs into eBay, the company detects whether the user’s device supports FIDO. If so, a pop-up asks if he or she would like to enroll in passwordless authentication using the device’s password, PIN, facial recognition or fingerprint. Those who agree are then prompted to use that method on subsequent logins—no account passwords required.

EBay said that login completion rates have improved since it introduced FIDO technology in 2020, and that opt-in rates were higher than for text-based two-factor authentication.

But a completely passwordless world is still far off, said Forrester’s Mr. Maxim. FIDO’s vision mostly relies upon account holders having their own connected devices, which is not true for all users globally, he said. And while the system does not share users’ biometric data with account service providers, some privacy-minded users may hesitate to use their faces and fingerprints to unlock everything, he said.

The alliance tested which language, icons and information makes people feel most comfortable with switching on FIDO, said Andrew Shikiar, the group’s executive director and chief marketing officer.

“People need to adjust from doing what they know—just entering passwords—to doing something that they know how to do, but don’t really connect with logging in,” Mr. Shikiar said.

Some apps already let users substitute typing in their passwords with their device-unlock mechanisms, which helps establish “passwordless” user behavior. But those apps still transmit passwords behind the scenes, leaving accounts vulnerable to hacking, Mr. Shikiar said. FIDO, by contrast, does not send any human-readable information, including passwords, over networks when users switch it on, he said.
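To make the public/private key mechanism described above concrete, here is an added example (not code from the FIDO Alliance or any vendor named in the article) of one challenge-response login in Go with a P-256 key pair: the server stores only the public key, the device keeps the private key and returns only a signature over a fresh challenge, so nothing on the wire is a password or a reusable secret. It is a simplified model; the names Authenticator, Server, Register, Challenge and Login are my own, and real FIDO also binds the relying-party origin and uses attestation, which this leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for the user's device: the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Server stands in for the account provider: it holds only public keys, one per account.
type Server struct{ pubKeys map[string]*ecdsa.PublicKey }
func NewServer() *Server { return &Server{pubKeys: map[string]*ecdsa.PublicKey{}} }

// NewAuthenticator generates a fresh P-256 key pair on the device.
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Authenticator{priv: priv}, nil
}

// Register is enrollment: the device hands the server its public key and nothing else.
func (s *Server) Register(account string, a *Authenticator) { s.pubKeys[account] = &a.priv.PublicKey }

// Challenge issues a fresh random nonce per login, so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign runs on the device after the user unlocks it locally (PIN, face, fingerprint); only the signature crosses the network.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify checks the signature with the public key registered for the account.
func (s *Server) Verify(account string, challenge, sig []byte) error {
	pub, ok := s.pubKeys[account]
	if !ok { return errors.New("unknown account") }
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) { return errors.New("signature does not match registered key") }
	return nil
}

// Login is one full round trip: challenge from the server, signature from the device, verification.
func Login(s *Server, a *Authenticator, account string) error {
	challenge, err := s.Challenge()
	if err != nil { return err }
	sig, err := a.Sign(challenge)
	if err != nil { return err }
	return s.Verify(account, challenge, sig)
}
```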

The alliance has also introduced workarounds for people who use shared devices. The updated technology lets users turn their phones into authenticators that can log into accounts on computers using Bluetooth, which would let users access accounts without passwords on a library computer, for example.

But if the user is unable to use his or her phone, or doesn’t have one, then the login experience would likely remain as it is today, Mr. Shikiar said.

“But let’s remember that getting rid of passwords is a journey and not a sprint,” he added.

Ukraine and US targeted by cybersecurity attacks in run-up to Russian invasion

Posted on

As seen on theverge.com by James Vincent on Mar 8, 2022

New reports have emerged of hacking campaigns linked directly and indirectly to Russia’s war in Ukraine, with the stories shedding more light on an opaque element of the invasion: cyberwarfare. Many experts predicted that Russia would launch significant cyber attacks in Ukraine, shutting down the country’s electrical grid for example. But while large-scale operations have not materialized, reports of smaller forays are beginning to emerge.

On Monday, Google said it had uncovered widespread phishing attacks targeting Ukrainian officials and Polish military. Security outfit Resecurity Inc also shared evidence of a coordinated hacking campaign targeting US firms that supply natural gas (a commodity that has become critical as Western sanctions bite down on Russian energy exports). In both cases, attacks could be linked to groups associated with Russia and its allies.

Google’s Threat Analysis Group (TAG) said the phishing campaign targeted users of UkrNet, a Ukrainian media company, as well as “Polish and Ukrainian government and military organizations.” Attacks were carried out by groups including Belarusian outfit Ghostwriter and Russian threat actor Fancy Bear. The latter group is associated with Russian military intelligence agency GRU, and was responsible for the 2016 Democratic email hacks.

“Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter,” wrote Google’s Shane Huntley in a blog post. “This activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high risk users.”

The campaign targeting US natural gas firms successfully infiltrated more than 100 computers belonging to employees and former employees. As reported by Bloomberg News, motives for the operation are unknown, but Resecurity described the work as “pre-positioning” — hacking machines to prepare for a larger operation of some sort.

The attacks began two weeks before the invasion of Ukraine, and securing a foothold in US gas suppliers would certainly offer plenty of opportunities for geopolitical leverage. As European nations have sought to wean themselves off Russian natural gas as part of a range of economic sanctions, energy firms in the United States have stepped up their supply, making the US the world’s top provider of liquefied natural gas or LNG.

Resecurity CEO Gene Yoo told Bloomberg he thought the attack had been carried out by state-sponsored hackers but did not speculate on who that might be. Bloomberg itself notes that one of the hackers involved had ties to attacks carried out by Fancy Bear (though under its moniker Strontium, as given by Microsoft’s security research team).

10 steps to reduce cyber risk

Posted on

As seen on securitymagazine.com by Maria Henriquez on February 18, 2022

Russian-state-sponsored cyber actors have targeted U.S. cleared defense contractors (CDCs) to obtain sensitive information, according to an advisory released by the Federal Bureau of Investigation (FBI), Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA). 

In the advisory, the federal agencies detail the industries and information Russian actors have targeted, common adversary tactics, detection and incident response actions, and mitigation recommendations.

The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in several areas, including: command, control, communications, and combat systems; intelligence, surveillance, reconnaissance, and targeting; weapons and missile development; vehicle and aircraft design; and software development, data analytics, computers, and logistics.

Russian state-sponsored cyber actors have used common but effective tactics to access target networks, including spearphishing, credential harvesting, brute force/password spray techniques, and known vulnerability exploitation against accounts and networks with weak security.

Threat actors take advantage of simple passwords, unpatched systems and unsuspecting employees to gain initial access before moving laterally through the network to establish persistence and exfiltrate data.

To reduce risk and protect critical assets, CDCs can follow 10 best practices:

1. Implement Credential Hardening

A. Enable Multifactor Authentication 

  • Enable multifactor authentication (MFA) for all users, without exception.

B. Enforce Strong, Unique Passwords 

  • Require accounts to have strong, unique passwords. 
  • Enable password management functions, such as Local Administrator Password Solution (LAPS), for local administrative accounts.

C. Introduce Account Lockout and Time-Based Access Features

  • Implement time-out and lock-out features in response to repeated failed login attempts.
  • Configure time-based access for accounts set at the admin level and higher.

D. Reduce Credential Exposure

  • Use virtualization solutions on modern hardware and software to ensure credentials are securely stored, and protect credentials via capabilities.

2. Establish Centralized Log Management

  • Create a centralized log management system. 
  • If using M365, enable Unified Audit Log (UAL). 
  • Correlate logs, including M365 logs, from network and host security devices.

In addition to setting up centralized logging, organizations should:

  • Ensure PowerShell logging is turned on.
  • Update PowerShell instances to version 5.0 or later and uninstall all earlier versions of PowerShell. 
  • Confirm PowerShell 5.0 instances have module, script block and transcription logging enabled.
  • Monitor remote access/Remote Desktop Protocol (RDP) logs and disable unused remote access/RDP ports.

3. Initiate a Software and Patch Management Program

  • Consider using a centralized patch management system. Failure to deploy software patches promptly makes an organization a target of opportunity, increasing its risk of compromise. 

o Subscribe to CISA cybersecurity notifications and advisories to keep up with known exploited vulnerabilities, security updates, and threats.

4. Employ Antivirus Programs

  • Ensure that antivirus applications are installed on all organizations’ computers and are configured to prevent spyware, adware, and malware as part of the operating system security baseline.
  • Keep virus definitions up to date.
  • Regularly monitor antivirus scans.

5. Use Endpoint Detection and Response Tools

  • These tools allow a high degree of visibility into the security status of endpoints and can be an effective defense against threat actors.

6. Maintain Rigorous Configuration Management Programs

  • Audit configuration management programs to ensure they can track and mitigate emerging threats. Review system configurations for misconfigurations and security weaknesses. Having a robust configuration program hinders sophisticated threat operations by limiting the effectiveness of opportunistic attacks.

7. Enforce the Principle of Least Privilege

  • Administrator accounts should have the minimum permissions they need to do their tasks. This can reduce the impact if an administrator account is compromised.
  • For M365, assign administrator roles to role-based access control (RBAC) to implement the principle of least privilege. 
  • Remove privileges not expressly required by an account’s function or role.
  • Ensure there are unique and distinct administrative accounts for each set of administrative tasks.
  • Create non-privileged accounts for privileged users, and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).
  • Reduce the number of domain and enterprise administrator accounts, and remove all unnecessary accounts.
  • Regularly audit administrative user accounts.
  • Regularly audit logs to ensure new accounts are legitimate users.
  • Institute a group policy that disables remote interactive logins and uses the Domain Protected Users Group.

To assist with identifying suspicious behavior with administrative accounts:

  • Create privileged role tracking.
  • Create a change control process for all privilege escalations and role changes on user accounts.
  • Enable alerts on privilege escalations and role changes.
  • Log privileged user changes in the network environment and alert for unusual events.

8. Review Trust Relationships

  • Review existing trust relationships with IT service providers, such as managed service providers (MSPs) and cloud service providers (CSPs). Threat actors are known to exploit trust relationships between providers and their customers to gain access to customer networks and data.
  • Remove unnecessary trust relationships.
  • Review contractual relationships with all service providers, and ensure contracts include:

o Security controls the customer deems appropriate.

o Appropriate monitoring and logging of provider-managed customer systems.

o Appropriate monitoring of the service provider’s presence, activities, and connections to the customer network.

o Notification of confirmed or suspected security events and incidents occurring on the provider’s infrastructure and administrative networks.

9. Encourage Remote Work Environment Best Practices

  • Regularly update VPNs, network infrastructure devices, and devices used for remote work environments with the latest software patches and security configurations. 
  • When possible, require MFA on all VPN connections. 
  • Monitor network traffic for unapproved and unexpected protocols.
  • Reduce potential attack surfaces by discontinuing unused VPN servers that adversaries may use as a point of entry.

Note: For additional information, see the joint NSA-CISA Cybersecurity Information Sheet: Selecting and Hardening Remote Access VPN Solutions.

10. Establish User Awareness Best Practices

  • Provide end user awareness and training. To help prevent targeted social engineering and spearphishing scams, ensure that employees and stakeholders are aware of potential cyber threats and how they are delivered. Also, provide users with training on information security principles and techniques.
  • Inform employees of the risks of social engineering attacks, e.g., risks associated with posting detailed career information to social or professional networking sites.
  • Ensure that employees know what to do and whom to contact when they see suspicious activity or suspect a cyber intrusion to help quickly and efficiently identify threats and employ mitigation strategies.

Bonus: Apply Additional Best Practice Mitigations

  • Deny atypical inbound activity from known anonymization services, including commercial VPN services and The Onion Router (TOR).
  • Impose listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.
  • Identify and create offline backups for critical assets.
  • Implement network segmentation.
  • Review CISA Alert AA20-120A: Microsoft Office 365 Security Recommendations for additional recommendations on hardening the M365 cloud environment.
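As an added illustration of how steps 1C and 2 complement each other (example code written for this page, not from the advisory), the following Go program runs two detections over a constructed set of failed-logon records: the per-account lockout threshold, and a cross-account correlation that surfaces a password spray, which by design stays under that threshold on every account and so never trips lockout. The record format, the thresholds and the names ParseFailures and Analyze are assumptions.

```go
package main

import (
	"sort"
	"strings"
)

// Constructed sample (not real data): failed-logon records normalized from centralized
// logs to "source_ip account", e.g. Windows 4625 events from RDP or VPN gateways.
const sampleFailures = `203.0.113.7 alice
203.0.113.7 alice
203.0.113.7 alice
198.51.100.23 bob
198.51.100.23 carol
198.51.100.23 dave
10.0.0.5 grace`

type Failure struct{ Source, Account string }

// ParseFailures reads the "source account" records, skipping malformed lines.
func ParseFailures(raw string) []Failure {
	var out []Failure
	for _, line := range strings.Split(raw, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			out = append(out, Failure{f[0], f[1]})
		}
	}
	return out
}

// Analyze flags accounts that hit the lockout threshold from one source (a step 1C
// lockout policy stops that) and sources that spread guesses over sprayMinAccounts or
// more accounts while staying under the threshold on each one: a password spray, which
// per-account lockout never catches and only cross-account correlation (step 2) reveals.
func Analyze(events []Failure, lockoutThreshold, sprayMinAccounts int) (bruteForced, sprayers []string) {
	counts := map[string]map[string]int{} // source -> account -> failed attempts
	for _, e := range events {
		if counts[e.Source] == nil { counts[e.Source] = map[string]int{} }
		counts[e.Source][e.Account]++
	}
	for src, accts := range counts {
		underThreshold := 0
		for acct, n := range accts {
			if n >= lockoutThreshold {
				bruteForced = append(bruteForced, acct)
			} else {
				underThreshold++
			}
		}
		if underThreshold >= sprayMinAccounts { sprayers = append(sprayers, src) }
	}
	sort.Strings(bruteForced); sort.Strings(sprayers) // map order is random; sort for stable output
	return bruteForced, sprayers
}
```

With the sample above and thresholds of 3, alice is the brute-forced account and 198.51.100.23 is the spraying source, while grace's single failure from 10.0.0.5 triggers neither rule.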