Area Ocho

Account and INFO Security

Password Managers

Earlier in the year, I was talking about using a password manager to secure your passwords. I have been using LastPass for the past 8 years. As I discussed previously, LastPass had a security breach last summer. That breach involved the exposure and loss of their customer database. This handed the black hats all of the encrypted data of their customers. It was simply a matter of time before the bad guys used password cracking tools to decrypt customer password files.

So I did the sensible thing and changed all of my passwords, beginning with the most sensitive ones: email passwords, passwords to financial websites, and on down the list to the least important. It took several weeks to change hundreds of unique passwords. I also changed the master password. The next step that I took was to add MFA by using a YubiKey. All of my data is now secure, and anything they have is no longer relevant.

I don’t blame LastPass for the fact that they had a breach. Everyone is a target, and a company like LastPass is a bigger target than most. No, what made me upset was that the breach happened in August, but they didn’t disclose it until November. They denied that the bad guys had gotten encrypted password wallets at first, then finally admitted in December that the password wallets had been lost. So the bad guys had our vaults for months before LastPass bothered to tell anyone. Months to brute force passwords, time to steal, and time is all they need.

They still are slowly releasing information in dribs and drabs. It comes out that the database was stolen because one of their engineers was permitted to have access to the servers from his home computer. That computer was compromised, which allowed the hackers to access corporate information. Now, password vaults are all encrypted and no one but the user has access, but still. Who does this? Home access to sensitive information? There is also the fact that they hid this information for over 9 months. That’s just too shady for me.

I didn’t want to change from LastPass, but this is the last straw. They just are not trustworthy. This isn’t the time to be cute and try to spin this from a PR perspective. This is a much bigger deal than just bad publicity. People’s information that YOU are supposed to safeguard is at stake. I no longer recommend LastPass as a viable password vault application.

LastPass is no longer for me, and it shouldn’t be for you, either. I want cloud storage of my passwords, because it allows portability between laptop, cell phone, etc. So I switched my password wallet over to 1Password. The cost is $60 a year for the family plan, which allows up to 5 people to use the account. 1Password is also compatible with YubiKey.

By Divemedic, April 20, 2023

Master Password

Your master password in a password wallet is the one that is used to encrypt the digital vault that stores your passwords. It may be your PGP passphrase, if you are old school enough to be using that software. Whatever your reason, a strong password is important. My master password is not actually a word. I use pass phrases. Let me explain: Suppose that I pick a mashup of the opening to the Gettysburg address and a nursery rhyme:

Four score and seven years ago, our fathers brought forth on this continent a new nation, Mary had a little lamb, its fleece was white as snow

The master password is made by mashing it into numbers, letters, and symbols. Words that are numbers become numbers, words that are symbols become symbols, and for the remaining words I just use the first letter, like this:

4 s & 7 y a, o f b f o t c a n n, M h a l l, i f w w a s

Now take out the spaces, and your new master password is: “4s&7ya,ofbfotcann,Mhallifwwas”. It’s easy to remember, nearly impossible to guess, and at 29 characters is very difficult to brute force. This password is also guaranteed not to be on a list of common passwords that many black hats use to guess passwords. A long, difficult-to-crack master password buys you time to make the data it is protecting obsolete. That’s what I did. All of my master passwords are AT LEAST 25 characters long.
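The mashing rule above written out as code, added here as an example and not the author's own: number words become digits, "and" becomes "&", every other word keeps its first letter, and punctuation attached to a word is carried along. Applied mechanically, the rule keeps the comma after "lamb" that the spaced-out version shows, giving 30 characters where the post's final string drops that comma and has 29. The second function estimates the blind brute-force search space of the result; the symbol table and the class sizes are my assumptions.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// The post's rules: number words become digits, "and" becomes "&" (add other symbol
// words to the table), any other word keeps its first letter; trailing commas stay.
var numberWords = map[string]string{"zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
	"five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
var symbolWords = map[string]string{"and": "&"}
// mangle applies the rules word by word and joins the pieces without spaces.
func mangle(phrase string) string {
	var b strings.Builder
	for _, w := range strings.Fields(phrase) {
		core := strings.TrimRightFunc(w, unicode.IsPunct) // "ago," -> "ago" + ","
		key := strings.ToLower(core)
		switch {
		case numberWords[key] != "":
			b.WriteString(numberWords[key])
		case symbolWords[key] != "":
			b.WriteString(symbolWords[key])
		case core != "":
			b.WriteString(string([]rune(core)[0])) // case is kept: "Mary" -> "M"
		}
		b.WriteString(w[len(core):]) // re-attach the punctuation that was trimmed
	}
	return b.String()
}
// bruteForceBits is the blind-guessing search space: length times log2 of the alphabet
// the password visibly uses. It says nothing about how guessable the quotations are.
func bruteForceBits(pw string) float64 {
	classes := []struct{ is func(rune) bool; n float64 }{ // digits, lower, upper, other ASCII
		{unicode.IsDigit, 10}, {unicode.IsLower, 26}, {unicode.IsUpper, 26},
		{func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }, 33},
	}
	size := 0.0
	for _, c := range classes {
		if strings.IndexFunc(pw, c.is) >= 0 { size += c.n }
	}
	return float64(len([]rune(pw))) * math.Log2(size)
}
func main() {
	pw := mangle("Four score and seven years ago, our fathers brought forth on this continent a new nation, Mary had a little lamb, its fleece was white as snow")
	fmt.Printf("%s (%d chars, ~%.0f bits of blind search)\n", pw, len(pw), bruteForceBits(pw))
}
```

The bit count is what a guesser who knows nothing about the phrase faces; it does not measure how guessable two famous quotations are, which is why mixing unrelated sources matters.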

The black hats are large in number, and stealing personal data is the new currency. Make yourself as difficult a target as possible.

By Divemedic, 3 years ago

I knew it

Our phones ARE spying on us

By Divemedic, March 24, 2023

Data Breach

The gun sales site Gunauction.com has had its database breached. The data exposed belonged to 550,000 users, including customers’ full names, home addresses, email addresses, plaintext passwords, and telephone numbers.

My advice is that you make sure that you change your passwords for that site using password best practices.

By Divemedic, March 3, 2023

The Spy Who Called Me

Just as we have always suspected, we now have solid evidence that your cell phone is spying on you and forwarding your information to the ChiComs. Again, it doesn’t matter how careful you are, there are security leaks. It may be on your end, it may be on the other end, but it is inevitable that there are ways for black hats to gain access to your stuff.

I know that there are some out there who think they are more clever than the other side, but is everyone you do business with just as smart? What about their employees? Your phone? The government employees handling your information?

How much of your stuff is being read, unbeknownst to you? I assume that governments with their unlimited resources can see whatever they want, no matter how hard I try to secure it. I just want to make my stuff harder to steal than most people’s, so maybe the thieves spend their time on the lower hanging fruit.

By Divemedic, February 11, 2023

Phishing

As apps that do all of the heavy lifting for you become more widespread, the threats to your accounts become more pronounced. This software allows even amateurs to get into the cybercrime business. The software and the scams are becoming ever more sophisticated, with some of them catching even the most wary people.

As one business owner found out when he lost more than $120k, these guys are getting pretty good at suckering people in. Thinking that you are smarter or that you can’t possibly be fooled is a mistake.

He received a call from a person claiming to be from the Chase fraud department and asking to verify a suspicious transaction.

The 800-number matched Chase customer service, so Mullenaux didn’t think it was suspicious when the person asked him to log into his account via a secured link sent by text message for identification purposes. The link looked legitimate and the website that opened appeared identical to his Chase banking app, so he logged in.

Thinking about this now and preparing a security plan is the best way to defend yourself. In this case, a password manager would have known the site wasn’t legit, and would not have filled in his credentials. That may have been the red flag he needed to realize he was being suckered. Most of us know that we shouldn’t give our credentials to someone who contacts us, but this new breed of con man is using a combination of misdirection and deceit to trick us into letting our guards down. Using computer tools to aid us in spotting fake login sites is the way to go, IMO.
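The check a password manager makes before filling, as an added example that is not the post's code or any particular product's: it compares the page's origin with the origin the credential was saved on, and a lookalike address fails that comparison even though it passes the eye. The bank.example entry and the page URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// vaultEntry is a saved credential keyed by the exact origin (scheme://host[:port]) it was
// captured on; that stored origin, not what the page looks like, decides whether to fill.
type vaultEntry struct{ Origin, Username string }

// originOf reduces an absolute URL to its origin. Path, query, fragment and any userinfo
// before "@" never count, and the host is lower-cased so case tricks in the URL do not matter.
func originOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil { return "", err }
	if u.Scheme == "" || u.Host == "" { return "", fmt.Errorf("not an absolute URL: %q", raw) }
	return u.Scheme + "://" + strings.ToLower(u.Host), nil
}

// shouldFill is the manager's rule: fill only on an exact origin match. A lookalike host or an
// http:// downgrade is a different origin, so the login form simply stays empty.
func shouldFill(e vaultEntry, pageURL string) bool {
	o, err := originOf(pageURL)
	return err == nil && o == e.Origin
}

// naiveMatch is what a human eye does: "the address has bank.example in it, so it is the bank".
// It exists only to show which URLs fool that reasoning.
func naiveMatch(e vaultEntry, pageURL string) bool {
	return strings.Contains(strings.ToLower(pageURL), strings.TrimPrefix(e.Origin, "https://"))
}

func main() {
	entry := vaultEntry{Origin: "https://bank.example", Username: "alice"} // constructed sample entry
	for _, page := range []string{
		"https://bank.example/login",
		"https://bank.example.account-verify.example/login", // lookalike: real host is account-verify.example
		"http://bank.example/login",                         // same host, downgraded scheme
		"https://bank.example@evil.example/",                // userinfo trick: real host is evil.example
	} {
		fmt.Printf("%-52s eye: %-5v manager: %v\n", page, naiveMatch(entry, page), shouldFill(entry, page))
	}
}
```

Real managers usually match on the registrable domain so that subdomains of the same site share an entry; the point that survives either way is that the decision is made on the parsed origin, never on what the address bar appears to say.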

By Divemedic, February 9, 2023

Phishing Ads

Just when you think you are done talking about information security for a while, the bad actors come along and prove you wrong. The latest is that black hats are targeting users of valuable sites with phishing ads and search engine results on Google and other search engines. The scam is that you search for your favorite website’s login, and the first hit is a phishing site that grabs your login information before forwarding you to the legit site.

In this case, it is users of the password managers Bitwarden and 1Password that are the targets, but I have seen reports of similar attacks with other password managers, banking sites, and others. Recent research has shown that threat actors are using Google ads to fuel their malware delivery campaigns for initial access to corporate networks, to steal credentials, and for phishing attacks.

What’s interesting to me is that Google, YouTube, and other sites are busy clamping down on reports of the 2020 election, COVID vaccines, and everything else under the sun, but are actively allowing ads on their sites that are actual theft.

The best defense to this is the use of MFA that uses FIDO 2.0 or higher. The article that I linked to above says that hardware keys are cumbersome, but I have thus far found them easy to use, and certainly no more difficult than the authenticator apps that are out there. Another thing the article gets wrong is that all MFA is subject to “man in the middle” attacks. That may be true of authenticator and SMS versions of MFA, but the YubiKey system is not subject to man in the middle attacks, because the system uses the two keys of public key encryption to ensure that both parties are legitimate. I am sure that other hardware keys are available that do the same thing, I just have no experience with them.

You will note that Microsoft warned of this back in July and recommended the use of FIDO (Fast ID Online) 2.0 protocols for MFA. This rules out many authenticator apps as well as SMS methods of MFA. Note that the YubiKey 5 uses FIDO 2.0.
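Why a FIDO2 assertion from a hardware key cannot be relayed through a lookalike site, as an added example that is not from the post: the browser writes the real origin into the client data the key signs, and the site checks that origin (with its own rpIdHash and a fresh challenge) before it trusts the signature. This is a Go stand-in for both the authenticator and the server; the key pair, the bank.example names and the challenge are constructed, and authData is simplified (no signature counter).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData: the WebAuthn collectedClientData fields used here. The browser, not the
// web page, fills in Origin with the site it is actually connected to.
type clientData struct{ Type, Challenge, Origin string }
// assertion is the authenticator's answer; Sig covers authData || SHA-256(clientDataJSON).
type assertion struct{ ClientDataJSON, AuthData, Sig []byte }
// signedMessage builds the bytes both sides hash before signing or verifying.
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}
// sign plays the authenticator. Simplified authData: rpIdHash || flags, no counter.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{"webauthn.get", challenge, origin})
	if err != nil { return assertion{}, err }
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // 0x01 = user-present flag
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return assertion{cd, authData, sig}, err
}
// verify plays the relying party. Origin, challenge and rpIdHash are checked as well as the
// signature: a valid signature over the wrong origin is a phished assertion, not a login.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil { return err }
	if cd.Type != "webauthn.get" || cd.Challenge != challenge { return fmt.Errorf("wrong type or stale challenge") }
	if cd.Origin != origin { return fmt.Errorf("assertion made for %q, not %q", cd.Origin, origin) }
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 33 || string(a.AuthData[:32]) != string(rpHash[:]) { return fmt.Errorf("rpIdHash mismatch") }
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig) { return fmt.Errorf("bad signature") }
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a, _ := sign(priv, "bank.example", "https://login.bank-secure.example", "c0ffee") // genuine key, lookalike site
	fmt.Println(verify(&priv.PublicKey, "bank.example", "https://login.bank.example", "c0ffee", a))
}
```

An SMS or TOTP code carries nothing that ties it to the site it was typed into, which is exactly the field the lookalike site cannot forge here.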

Be very, very wary of the websites that you are using. The crooks are getting more and more inventive every day.

By Divemedic, January 30, 2023

T-Mobile

In the latest of the data breaches, T-Mobile reports that 37 million customers had their names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and information describing the kind of service they have with the wireless carrier stolen in a data breach. T-Mobile claims that no social security numbers, credit card information, government ID numbers, passwords, PINs or financial information were exposed.

PayPal also had a data breach of 35,000 customer files. Names, dates of birth, addresses, Social Security numbers, tax IDs and phone numbers were all exposed. The accounts were breached using a credential stuffing attack, likely using one of these cracking tools. Now I doubt many of my readers use PayPal, considering their antigun stance, but it still illustrates how active hacking is.

Still, I recommend that you change your password if you are a customer of one of these services. Please make sure it’s a secure one.

You have locked your credit reports, haven’t you? Even if you aren’t a T-Mobile customer, please do so. I would also recommend that you pull each of your credit reports every year. The law says you can do so, free of charge, every year.

By Divemedic, 3 years ago

Spear Phishing

Your phone rings. The caller ID is one you recognize as being from Chase bank. The call sounds legit:

A few seconds later the phone buzzes and it’s a text message from the 227895 number, which is the same number you always receive the verification code from.

You quickly type it in to confirm that it is in fact you. You sure are glad that the Chase Fraud department is working overtime, you think to yourself...

Your bank account has just been cleaned out because the hackers that spoofed you just transferred all of the money in it to an offshore account.

These bots can target banks, credit cards, Apple Pay, PayPal, GoDaddy, Amazon, Coinbase, and virtually any platform that is “secured” with the SMS version of 2FA or MFA. The process for these bots is so streamlined that just about anyone with virtually no IT knowledge (script kiddies) can quickly get this bot up and running. The hackers no longer have to even be fluent in English or converse with their victims on the phone to con their way in.

At this point, we are all used to recorded voice calls, SMS authentications, etc., and we don’t think twice about it. Some of these bots are open source, with instructions on how to run them, but a black hat can pay a few hundred bucks to get a good one that is pre-configured and comes with tech support. With these SMS Bypass Bot calls as a service, any wannabe hacker can pull it off fairly easily with very little tech background or hacking skills needed.

So a hacker gets himself a computer system with a high-end graphics card and installs one of these password cracking programs, and armed with the information from a data breach, soon has your login credentials. So for less than $1,000 and about 2 hours’ work and a few hours of letting the cracking tool find valid credentials, he now has your username/password pair.

Now he initiates the MFA calling bot, and soon has your one time pin. Call it a $1500 investment, a day’s labor, and a week of elapsed time, and he just made off with the contents of your bank account. How much was in there? Twenty thousand? Forty? Or only a couple of thousand bucks?

Since many countries have an average annual income that is far less than $10,000 a year, even $850 is a month’s pay and is certainly worth a criminal’s time. Now imagine that he is likely doing this a hundred times a week.

It’s just that easy.

By Divemedic, January 16, 2023

LifeLock Breach

The password manager run by Norton has seen hackers breach its customers’ information in a credential-stuffing attack.

Credential stuffing is the automated use of stolen username and password pairs purchased online. Since many users will re-use the same password and username/email, this sort of thing is frequently successful.

Since these people reused passwords, they exposed their accounts. It didn’t have to happen, but they weren’t using secure password practices.

By Divemedic, January 13, 2023
