Just as we have always suspected, we now have solid evidence that your cell phone is spying on you and forwarding your information to the ChiComs. Again, it doesn’t matter how careful you are, there are security leaks. It may be on your end, it may be on the other end, but it is inevitable that there are ways for black hats to gain access to your stuff.
I know that there are some out there who think they are more clever than the other side, but is everyone you do business with just as smart? What about their employees? Your phone? The government employees handling your information?
How much of your stuff is being read, unbeknownst to you? I assume that governments with their unlimited resources can see whatever they want, no matter how hard I try to secure it. I just want to make my stuff harder to steal than most people’s, so maybe the thieves spend their time on the lower hanging fruit.
As apps that do all of the heavy lifting for you become more widespread, the threats to your accounts become more pronounced. This software allows even amateurs to get into the cybercrime business. The software and the scams are becoming ever more sophisticated, with some of them catching even the most wary people.
As one business owner found out when he lost more than $120k, these guys are getting pretty good at suckering people in. Thinking that you are smarter or that you can’t possibly be fooled is a mistake.
He received a call from a person claiming to be from the Chase fraud department and asking to verify a suspicious transaction.
The 800-number matched Chase customer service, so Mullenaux didn’t think it was suspicious when the person asked him to log into his account via a secured link sent by text message for identification purposes. The link looked legitimate and the website that opened appeared identical to his Chase banking app, so he logged in.
Thinking about this now and preparing a security plan is the best way to defend yourself. In this case, a password manager would have known the site wasn’t legit, and would not have filled in his credentials. That may have been the red flag he needed to realize he was being suckered. Most of us know that we shouldn’t give our credentials to someone who contacts us, but this new breed of con man is using a combination of misdirection and deceit to trick us into letting our guards down. Using computer tools to aid us in spotting fake login sites is the way to go, IMO.
Just when you think you are done talking about information security for a while, the bad actors come along and prove you wrong. The latest is that black hats are targeting users of valuable sites with phishing ads and search engine results on Google and other search engines. The scam is that you search for your favorite website’s login page, and the first hit is a phishing site that grabs your login information before forwarding you to the legit site.
What’s interesting to me is that Google, YouTube, and other sites are busy clamping down on reports of the 2020 election, COVID vaccines, and everything else under the sun, but are actively allowing ads on their sites that are actual theft.
The best defense to this is the use of MFA that uses FIDO 2.0 or higher. The article that I linked to above says that hardware keys are cumbersome, but I have thus far found them easy to use, and certainly no more difficult than the authenticator apps that are out there. Another thing the article gets wrong is that all MFA is subject to “man in the middle” attacks. That may be true of authenticator and SMS versions of MFA, but the YubiKey system is not subject to man in the middle attacks, because the system uses the two keys of public key encryption to ensure that both parties are legitimate. I am sure that other hardware keys are available that do the same thing, I just have no experience with them.
In the latest of the data breaches, T-Mobile reports that the names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers, and information describing the kind of service 37 million customers have with the wireless carrier were stolen in a data breach. T-Mobile claims that no social security numbers, credit card information, government ID numbers, passwords, PINs, or financial information were exposed.
PayPal also had a data breach of 35,000 customer files. Names, dates of birth, addresses, Social Security numbers, tax IDs and phone numbers were all exposed. The accounts were breached using a credential stuffing attack, likely using one of these cracking tools. Now I doubt many of my readers use PayPal, considering their antigun stance, but it still illustrates how active hacking is.
Still, I recommend that you change your password if you are a customer of one of these services. Please make sure it’s a secure one.
You have locked your credit reports, haven’t you? Even if you aren’t a T-Mobile customer, please do so. I would also recommend that you pull each of your credit reports every year. The law entitles you to do so, free of charge, every year.
Your phone rings. The caller ID is one you recognize as being from Chase bank. The call sounds legit:
A few seconds later the phone buzzes, and it’s a text message from 227895, which is the same number you always receive the verification code from.
You quickly type it in to confirm that it is in fact you. You sure are glad that the Chase Fraud department is working overtime, you think to yourself….
Your bank account has just been cleaned out because the hackers that spoofed you just transferred all of the money in it to an offshore account.
These bots can target Banks, Credit cards, Apple Pay, PayPal, GoDaddy, Amazon, Coinbase, and virtually any platform that is “secured” with the SMS version of 2FA or MFA. The process for these bots is so streamlined that just about anyone with virtually no IT knowledge (script kiddies) can quickly get this bot up and running. The hackers no longer have to even be fluent in English or converse with their victims on the phone to con their way in.
At this point, we are all used to recorded voice calls, SMS authentications, etc., and we don’t think twice about it. Some of these bots are open source, with instructions on how to run them, but a black hat can pay a few hundred bucks to get a good one that is pre-configured and comes with tech support. With these SMS Bypass Bot calls as a service, any wannabe hacker can pull it off fairly easily with very little tech background or hacking skills needed.
So a hacker gets himself a computer system with a high-end graphics card and installs one of these password cracking programs, and, armed with the information from a data breach, soon has your login credentials. So for less than $1,000, about 2 hours’ work, and a few hours of letting the cracking tool find valid credentials, he now has your username/password pair.
Now he initiates the MFA calling bot, and soon has your one time pin. Call it a $1500 investment, a day’s labor, and a week of elapsed time, and he just made off with the contents of your bank account. How much was in there? Twenty thousand? Forty? Or only a couple of thousand bucks?
Since many countries have an average annual income that is far less than $10,000 a year, even $850 is a month’s pay and is certainly worth a criminal’s time. Now imagine that he is likely doing this a hundred times a week.
Credential stuffing is the automated use of stolen username and password pairs purchased online. Since many users will re-use the same password and username/email, this sort of thing is frequently successful.
Since these people reused passwords, they exposed their accounts. It didn’t have to happen, but they weren’t using secure password practices.
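Credential stuffing leaves a recognizable footprint in authentication logs: one source trying many different usernames in a short burst, almost all of them failing. The following detector is an added example written for this post, not code from any product or from the original article; the log format, the log lines, and the thresholds are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system), one line per attempt.
SAMPLE_LOG = """\
2023-01-20T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2023-01-20T10:00:09Z src=198.51.100.7 user=alice result=OK
2023-01-20T10:01:00Z src=203.0.113.9 user=alice result=FAIL
2023-01-20T10:01:01Z src=203.0.113.9 user=bob result=FAIL
2023-01-20T10:01:02Z src=203.0.113.9 user=carol result=FAIL
2023-01-20T10:01:03Z src=203.0.113.9 user=dave result=FAIL
2023-01-20T10:01:04Z src=203.0.113.9 user=erin result=OK
2023-01-20T10:01:05Z src=203.0.113.9 user=frank result=FAIL
2023-01-20T10:02:30Z src=198.51.100.8 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log):
    """Turn the log text into a list of event dicts with real timestamps."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines the pattern does not recognise
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many DIFFERENT usernames in a short window, mostly failing.

    A real user mistyping their own password fails on one username, so they are not flagged.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in span}
            fails = sum(e["result"] == "FAIL" for e in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[src] = {
                    "distinct_users": len(users),
                    "fail_ratio": round(fails / len(span), 2),
                    # successes inside a stuffing burst are the accounts to lock and reset
                    "compromised": sorted(e["user"] for e in span if e["result"] == "OK"),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing(parse(SAMPLE_LOG)).items():
        print(src, info)
```

In the sample, 203.0.113.9 is flagged with erin's account as the one that was actually reused, while the user who mistyped her own password once is left alone.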
In our discussions of securing our information, we have discussed that there are multiple ways to authenticate a user. There are actually three main ways to authenticate someone, plus two more that some systems add:
Things in your possession, such as a badge or smartphone
Things you know, such as a password or PIN
Things you are (inherence), such as fingerprints, facial or voice recognition
Where you are. Some forms of MFA use your location. If your IP address isn’t correct, the system will reject you.
What you are doing. This is called risk-based authentication. The system looks at a host of attributes about the login attempt (time of day, IP address, device identification, etc.) and assigns a risk score. If the score is too high, the login attempt is denied unless it can be authenticated using one of the other methods above. A day-shift employee logging in from a Starbucks at 2am on a Sunday and attempting to access files he normally wouldn’t touch would trigger an MFA request from the system.
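Here is what that risk scoring looks like in code, using the day-shift employee case above. This is an added example written for this post, not code from any real authentication product; the profile, the attempts, the point values and the MFA threshold are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Everything below uses constructed sample values; point weights and the threshold are assumptions.


@dataclass
class Profile:
    """What the system has learned is 'normal' for one user."""
    work_hours: tuple      # (start, end) hours on a 24h clock
    work_days: set         # weekday numbers, 0 = Monday ... 6 = Sunday
    home_networks: list    # CIDR blocks the user normally logs in from
    known_devices: set     # device fingerprints seen on previous logins
    usual_resources: set   # systems or file shares this user normally touches


@dataclass
class Attempt:
    when: datetime
    ip: str
    device: str
    resource: str


# Score at which the login is not allowed through on the password alone.
MFA_THRESHOLD = 50


def risk_score(profile, attempt):
    """Add points for every attribute of the attempt that deviates from the profile."""
    score, reasons = 0, []
    start, end = profile.work_hours
    if not start <= attempt.when.hour < end:
        score += 20
        reasons.append("outside working hours")
    if attempt.when.weekday() not in profile.work_days:
        score += 20
        reasons.append("not a usual working day")
    addr = ip_address(attempt.ip)
    if not any(addr in ip_network(net) for net in profile.home_networks):
        score += 30
        reasons.append("unfamiliar network")
    if attempt.device not in profile.known_devices:
        score += 30
        reasons.append("unknown device")
    if attempt.resource not in profile.usual_resources:
        score += 25
        reasons.append("unusual resource")
    return score, reasons


def evaluate(profile, attempt):
    """Return ("allow" | "require_mfa", reasons): a high score is refused unless another factor succeeds."""
    score, reasons = risk_score(profile, attempt)
    return ("require_mfa" if score >= MFA_THRESHOLD else "allow"), reasons


# A day-shift employee (constructed profile; the corporate range is assumed).
DAY_SHIFT = Profile(
    work_hours=(7, 19),
    work_days={0, 1, 2, 3, 4},
    home_networks=["10.20.0.0/16"],
    known_devices={"laptop-7f3a"},
    usual_resources={"ward-schedule", "shift-notes"},
)
# Monday 09:30 from the office, on the usual laptop, reaching the usual share.
NORMAL_LOGIN = Attempt(datetime(2023, 3, 6, 9, 30), "10.20.4.17", "laptop-7f3a", "ward-schedule")
# Sunday 02:00 from a coffee-shop network, reaching for files he never touches.
STARBUCKS_2AM = Attempt(datetime(2023, 3, 5, 2, 0), "203.0.113.45", "laptop-7f3a", "finance-archive")

if __name__ == "__main__":
    print(evaluate(DAY_SHIFT, NORMAL_LOGIN))   # ('allow', [])
    print(evaluate(DAY_SHIFT, STARBUCKS_2AM))  # ('require_mfa', [...four reasons...])
```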
Multifactor authentication is simply a method of using more than one of the above methods to secure your stuff. In order to gain access to your information, a black hat would need to possess or have knowledge of more than one of them. A couple of examples:
At the hospital, to gain access to patient medical records, I need to know my password and swipe my identification badge and the RFID tag inside of it. A thief would have to get an authorized employee’s password and my ID badge in order to gain access to medical records. Even then, only the patients who are assigned to me (or my department) are visible to me, and even then only if I am on an IP that belongs to my hospital or a partner organization.
What many companies do: you need the password, and the company sends a text to your cell phone containing a 6 digit PIN that expires relatively quickly, say 2 minutes or so. This is to verify that the person logging in not only knows the password, but is in possession of the legitimate user’s cell phone.
There are weaknesses to all of the above methods. The employee’s badge RFID code can be read, intercepted, and spoofed, and since it doesn’t change unless a new badge is issued, it is not as secure as we would like.
SMS codes are weak because SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user (think iMessages between iPhones or WhatsApp messages), SMS messages are in plain text. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.
Biometric MFA data has one large weakness: your retina, voice, and fingerprints never change. If the hash of the image can be spoofed or copied, the black hat has your data forever. That isn’t secure.
The most secure MFA is a hardware key. There are many out there, and the way that they work is both simple and complex. Currently, the most secure method of hardware key MFA is carried out with a protocol called Universal 2nd Factor, or U2F. The method used here is something very familiar to old school Internet fans who remember the PGP encryption software: public-key cryptography.
In public-key cryptography, instead of using just one key, we use a pair of keys: one key is used to lock something away digitally, and only the second key in the pair can unlock it. I keep one key, my private key, and put the public key out there for you to use. Since only my private key can unlock anything locked with the public one, once you lock something with the key I left out there, no one but the person in possession of the private key can open it.
These keys are called a key pair and are mathematically linked. I can create as many public keys from a private key as I want, but no one can recreate my private key from a public key. Genius, right? So how does this apply to MFA?
Key pairs can be created using software, but in the case of U2F, the private key is generated using a unique secret that is embedded during the manufacturing process and is hardwired into the circuitry of the hardware key, which is what makes it so secure.
So here is how it works. You register for an account using the system that we are all familiar with: a user ID and password. Don’t forget to use a strong password. Then you register your hardware key. The server sends a challenge consisting of a random number and an AppID to the user’s device. The hardware key then generates a nonce and hashes it together with the AppID and the secret key that is hidden in its electronic brain, using HMAC-SHA256, to create a private key that is specific to that AppID. From this private key, a public key is derived, along with a checksum. This is returned to the server, which stores it for later. The next time you go to that website, the server will verify that the hardware key is the same one that it has dealt with before by sending you the public key, thus making sure that the server is valid and securing you from a man in the middle attack. Why? Because the domain is hashed together with the device’s secret, so if you’re on a phishing website, the token will generate a different key, and the checksum will fail.
If the information was sent from a legitimate server, it should result in the same public key, since the secret inside the device didn’t change. The device will then encrypt the challenge sent by the server with the private key and send it back to the server. Now both parties have verified that they are indeed talking to the parties they think they are.
Since each nonce and checksum is unique to that login request, they change every time. This makes sure that your key cannot be spoofed. It’s like using a one-time pad for MFA. All cryptographic operations happen inside the token. By the time the private key leaves the token, it has already been hashed using SHA-256, so even if the user doesn’t know that the client is compromised, it’s still safe to use the token.
Because of the nature of this system, it ensures that you are protected from:
Phishing
Spear phishing
Keyloggers
Credential stuffing
Brute force and reverse brute force attacks
Man-in-the-middle (MITM) attacks
No matter how you keep your passwords, they are vulnerable to being discovered or stolen. A hardware key that is properly set up will make possession of the password irrelevant without possession of the key. If you lose the key, it is worthless without the password. The key also prevents you from logging into phishing sites, because it confirms for you that the site you are giving your credentials to is the legitimate one.
When you use a hardware key, always register two of them to each account, then lock one away in your safe. This ensures that, should you lose the hardware key that you carry around, you aren’t permanently locked out of your accounts.
For right now, the most secure method of authentication is to use a unique user ID and password for each account you have. The password should consist of all four character types, be random, and be at least 16 characters long. Your passwords should change periodically. You should enable hardware key MFA for any sites and applications that support it, and use SMS MFA for any that do not. Although SMS MFA is flawed, it is better than not using MFA at all.
Internet crime is increasing, and the best defense is to harden your systems to the point where others are easier targets than you.
This is yet another installment of the passwords series that I have been working on. I recently asked some of the people in comments how they secure their passwords. I got a few variations of “I don’t use technology” as an answer. They fell into the following general categories, with most people falling into more than one of them:
I use secure passwords for important stuff, but I use one common password for everything else
I write my passwords in a notebook, using a special code that only I am privy to.
I don’t use a computer or a smartphone to do financial stuff
I am too smart and/or savvy to get sucked into a phishing/spoofing scheme. I never click on or answer anything that looks odd. Instead, I call the number on the back of my credit card.
I am a small fish. No one is going to waste time with me when there are so many businesses out there to rip off, and they are the big payday.
Let’s talk about them one at a time. The first one: “I use secure passwords for important stuff, but I use one common password for everything else.” This is a trap that I myself fell into at one point. Here is the basic pitfall: all the black hat needs is access to one of your “unimportant” accounts to get into so many others. Back in 2014, Home Depot was compromised when credentials stolen from one of the retailer’s vendors were used to access their computer system. The files of their customer database were stolen. It was a gold mine, containing point of sale records, credit card numbers, names, addresses, login information, and passwords. The breach cost Home Depot nearly $180 million.
Now the black hats have your name, address, telephone number, zip code, the name of your credit card company or bank, credit card number, user name, and password. They enter your login name and password into the computer database that they are using to crack other accounts, and they can now gain access to your other accounts. In fact, stolen credentials are often the most valuable things stolen during a data breach. Do you want to see if your credentials are being distributed on the Internet? Click here. The email that I use for day to day business has been compromised in 8 different data breaches. This information is very useful in spear phishing attacks like this one.
The use of computer assistance in breaching systems makes it easier, cheaper, and faster than ever before. The black hats are using GPUs and PCIe SSDs to attack large numbers of passwords in a short period of time in a method that is very similar to, and much more lucrative than, Bitcoin mining. This makes attacking your accounts easy and profitable. Passwords that you invent using some code that you think is clever are easily cracked by a black hat with a computer.
Even in the event that you don’t use a computer or a phone, you are still vulnerable to social engineering scams that use the information from large data breaches like the Home Depot breach. The attacker contacts the victim disguised as a representative of some institution, trying to get as much personal info as possible. There’s also a chance that by posing as a bank or Google agent, he or she might get the password or credit card info right away. Contrary to other techniques, social engineering can happen offline by calling or even personally meeting the victim. 22% of all cybercrime is the result of social engineering.
Think you are too small of a fish to be a target? Think again. Targeting individuals is fast becoming the trend. A black hat can set up a computer to target you, having selected you from the list obtained from a previous company data breach, and can empty your bank accounts with less than a week’s work. What’s in your bank account? Twenty grand? More? Would a thief find that amount to be fair in exchange for a week’s effort?
Watch the show “To catch a thief.” People on that show always think that they are clever because they hide valuables, but the thief in this show always manages to find the hiding spots because they don’t search in the same way a homeowner does. Electronic information and its security works the same way.
No matter how you decide to do it, take the time to secure your accounts and your information using the best practices we have discussed here. You may think you are clever and have invented a system that no one else has ever thought of, but you are probably wrong.
The top 6 hackers in the US made more than $6 million in 2022 by stealing from individuals.
600,000 people a year report that they are the victims of cybercrime.
70% of data breaches are on site breaches, not breaches of cloud assets
The top internet crime reported to the FBI in 2022 was phishing.
More than 80% of breaches that used hacking involved brute force or the use of lost or stolen credentials.
The most impersonated brand in phishing attacks is Outlook at 19%. In second place is Facebook at 17% while Office365 ranked third at 10%.
In 2020, the state with the most internet crime victims was California, with 69,541 victims and $621.5 million in losses as a result of internet crimes. Next is Florida with 53,793 victims, followed by Texas with 38,640 victims.
Here are some password security statistics:
Only 24% of US adults aged 16 to 50+ use a password manager.
53% of users around the globe have not changed their password in the last 12 months despite hearing about data breaches
42% consider an easy-to-remember password as more important than a very secure password.
In the same survey, 80% of people said that they will be concerned when their password is compromised. Yet, 48% said that they will not change their password if it’s not required.
42% of people think that their accounts aren’t worth a hacker’s time.
You carry a gun to secure yourself from armed robbers, yet you are 200 times more likely to be the victim of internet crime. Think about that for a minute.
When I was younger, I was told that locks are there to keep honest people honest. I look at passwords the same way. Make your passwords as secure as they can be, but know that a thief can target you and take your stuff with enough effort. Just try to make your stuff harder to steal than other people’s stuff. They will move on to more easily stolen loot.
Hackers have advanced to using computers to crack passwords. The black hats are using GPUs and PCIe SSDs to attack large numbers of passwords in a short period of time in a method that is very similar to, and much more lucrative than, Bitcoin mining. When you have to guess from billions of combinations, computer assistance is required, and they are very good at it. These tools are easily downloaded from the Internet, and each tool has its pros and cons.
Here is a list of the most popular password cracking tools.
1. John the Ripper
Featured in many popular password cracking tools lists, John the Ripper is a free, open-source, command-line application. It’s available for Linux and macOS, while Windows and Android users use a version of the software called Hash Suite.
John the Ripper supports a massive list of different cipher and hash types. Some of those are:
Unix, macOS, and Windows user passwords
Web applications
Database servers
Network traffic captures
Encrypted private keys
Disks and filesystems
Archives
Documents
There’s also a Pro version with extra features and native packages for supported OS. Word lists used in password cracking are on sale, but free options are available as well.
2. Ophcrack
Ophcrack is a free and open-source password cracking tool that specializes in rainbow table attacks. To be more precise, it cracks LM and NTLM hashes, where the former is used by Windows XP and earlier OSs and the latter by Windows Vista and 7. NTLM is also available, to a certain degree, on Linux and FreeBSD. Both of these hash types are insecure (it’s possible to crack an NTLM hash in less than 3 hours with a fast computer), but there are still companies out there that use this hash, simply because they are too cheap to upgrade to newer, more secure software.
As you can see in the screenshot above, it took Ophcrack merely six seconds to crack an 8-symbol password while using a rainbow table that covers lowercase letters, uppercase letters, and numbers. An 8-symbol password using upper, lower, and numerical characters has 62^8 combinations (218.3 trillion possible combinations). Doing nothing more than adding in symbols and increasing the number of characters to 10 would make the password 500 million times more difficult to crack. That six seconds becomes 5,700 years.
The password 9136668099 is 10 characters long and only made of numerical characters, and took 4 days to crack. Imagine how much longer that would have taken, had upper, lower, and special characters been added.
This tool comes with free Windows XP/Vista/7 rainbow tables and a brute force attack feature for simple passwords. Ophcrack is available on Windows, macOS, and Linux.
3. Cain and Abel
Downloaded almost 2 million times from its official source, Cain & Abel is another popular tool for password cracking. But contrary to John the Ripper, it uses a GUI, making it instantly more user-friendly. That, and the fact that it’s available on Windows only, makes Cain & Abel a go-to tool for amateurs, also known as script kiddies.
This is a multi-purpose tool, capable of many different functions. Cain & Abel can act as a packet analyzer, record VoIP, analyze routing protocols, or scan for wireless networks and retrieve their MAC addresses. If you already have the hash, this tool will offer a dictionary or brute force attack option. Cain & Abel can also display passwords that are hiding beneath the asterisks.
4. THC Hydra
The biggest selling point of THC Hydra is the large number of protocols it supports. This is an open-source network login password cracking tool that works with Cisco AAA, FTP, HTTP-Proxy, IMAP, MySQL, Oracle SID, SMTP, SOCKS5, SSH, and Telnet, to name but a few.
The methods available with THC Hydra include brute force and dictionary attacks while also using wordlists generated by other tools. This password cracker is known for its speed. It can even run checks on different protocols simultaneously. THC Hydra is available on Windows, macOS, and Linux.
5. Hashcat
The world’s fastest password cracker, Hashcat is a free open-source tool that’s available on Windows, macOS, and Linux. It offers a number of techniques, from simple brute force attack to hybrid mask with wordlist.
Hashcat can utilize a computer’s CPU and GPU at the same time. This makes cracking multiple hashes simultaneously much faster. But what makes this tool truly universal is the number of supported hash types. Hashcat can decipher MD5, SHA3-512, ChaCha20, PBKDF2, Kerberos 5, 1Password, LastPass, KeePass, and many more. In fact, it supports over 300 hash types.
But before they can crack your passwords, black hats need to have the password hash. Here are some of the most popular tools for obtaining hashes:
Mimikatz. Known as a password audit and recovery app, Mimikatz can also be used for malign hash retrieval, and it can even extract plaintext passwords or PIN codes.
Wireshark. Wireshark enables packet sniffing. It is an award-winning packet analyzer used not only by hackers but also by business and governmental institutions.
Metasploit. This is a popular penetration testing framework. Designed for security professionals, Metasploit can also be used by hackers to retrieve password hashes.
The best defense against password cracking is using a strong password. Using enough symbols and different types of characters ensures that even the fastest computer won’t crack your account in this century. And since remembering multiple strong passwords is unlikely, the best bet is to use a reliable password manager. Multi-factor authentication (MFA) is still a pain in the rear for any hacker, so adding that to your arsenal will go a long way to making things more secure. More on MFA later.
Here is the continuation of the password security series. So you have a password manager, which has some serious advantages:
You have secure passwords that are 12 to 20 characters long,
made up of upper and lower case letters, numbers, and symbols
are random(ish) by not containing dictionary words or their variants (like p@$$woRd)
You can have a different password for every online account, stored away in an easy to use and retrieve format
You can also store answers to challenge questions in your wallet. When the bank challenges you to name your third grade teacher, you can respond with “Mrs. Smith” or you can answer the challenge with a random string of characters stored in your password wallet. Look at the “notes” field (not from my real account or wallet).
Down there in the “notes” section, I will put the challenge question and its answer. I always use the “generate random password” feature to generate a random password and use that as the answer to the challenge question. Good luck guessing that, hacker bitches.
All of your passwords are secure in your encrypted password wallet. Or are they?
LastPass was recently hacked: a black hat used the credentials of an employee who had been compromised in a phishing attack to gain access to and download their entire database of encrypted user files. I’m not blaming LastPass for that one; it could have happened to any company, and to their credit, at least they came clean and let everyone know.
This created two problems for LastPass users. Now that the black hats have the files, there are two ways that they can get at the contents:
They can try to brute force the master password for the file. This is where a strong master passphrase works to your advantage. If you are smart, as soon as you learn of the breach, you change the most important of your passwords (master password, followed by bank and email accounts, then others) before they get a chance to guess the master passphrase. By the time they have your passwords, you have already changed them and it won’t matter.
Since the LastPass encrypted file doesn’t encrypt the website URLs, only the login, password, and notes, the weakness here is that the black hat can run a targeted phishing attack similar to what was done to this Australian woman or this woman who was targeted by a man claiming to be a Chase fraud investigator. These attacks can be quite convincing.
To guard against someone compromising some or all of your passwords, you can use Multifactor Authentication (MFA). All MFA is, is a second way of ensuring that the person who is accessing an account is the authorized user. The most common of those is sending a code by SMS. You enter your password, then you get a prompt to enter a code or pin that’s sent to your phone number. After you type in the code, you’re in. Simple, right?
The problem is that SMS messages rely on the security of phone networks and phone companies. Both, sadly, are notoriously easy to access. While some text messages are encrypted user-to-user (think iMessages between iPhones or WhatsApp messages), SMS messages are in plain text. Plain text messages are not encrypted between sender and receiver, so if attackers can intercept the message, they can read the content. Unfortunately, SMS messages are easy to intercept. Even Microsoft is advising people to stop using SMS as a method of MFA.
It’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly-switched telephone networks (PSTN), and they are the least secure of the MFA methods available today. That gap will only widen as MFA adoption increases attackers’ interest in breaking these methods and purpose-built authenticators extend their security and usability advantages. Plan your move to passwordless strong authentication now – the authenticator app provides an immediate and evolving option.
Alex Weinert of Microsoft
Don’t rely on just a password. Don’t rely on one password. There are tons of scammers out there who want access to your stuff. Keep it as secure as you can make it.
The authenticator app still relies on you being in possession of your cell phone, and in my opinion creates a single point of failure: the loss of your phone places both the password wallet and the means of MFA in someone else’s possession.
I don’t worry about the three letter agencies getting my stuff. If they want it, they are going to get it. They don’t need to steal my passwords, they aren’t going to spoof my phone, and they aren’t going to use my IoT devices to spy on me. You know what they are going to do? Present a national security letter to my bank, my employer, Google, my ISP, and anyone else they feel like, and the companies involved are going to tell them anything they want to know.
The purpose of the security I am writing about is protection from scammers who aren’t the government.
Still, there will be a future post on MFA, since this one is getting a bit long. On a side note, this series of posts represents my ongoing research into ways for securing my information. I tend to research and look into things that I am adopting. I figure that you can benefit from my research efforts.