Credential stuffing is when known passwords and usernames are used to try to take over online accounts. Recently an organization had almost 200,000 customer accounts compromised like this.
Learn more about it and what to do to protect yourself.
Tag: cybersecurity
Have you ever wondered what happens when you click on a link from one of thos Amazon text messages that say your account is suspended? Here I run through one of those so you understand what they are doing.
TLDR; They capture anything you put in the form, login info, social security number, credit card, whatever.
Do not try this at home – This was done from a secure computer that is resistant to viruses. Some of these links CAN try to infect your computer or phone.
I had a chance to sit down at BH 2021 and chat with Scott Schober, whom I have known for quite a few years now. I always enjoy our conversations and find they get me thinking about things in a new light. Enjoy!
I have been hearing some interesting things from the RSA conference this year. That is nothing new, as RSA is a great source for the latest in cybersecurity technology and a wonderful place for education. Unfortunately, I was not able to attend RSA this year; however, one trend that I have heard about involves something near and dear to my heart, and it concerns me.
On more than one occasion now, I have been told that this year, well respected speakers have said, on stage, that Multi-Factor Authentication (MFA) can stop 99% of phishing attacks. This is not only a foolish statement, but a dangerous one. It is also not the first time I have heard this claim or the first time I have addressed it.
Looking back to 2018 when I first read the headline, “Google: Security Keys Neutralized Employee Phishing” from Brian Krebs, I have had serious issues with how MFA is explained. That article started with this quote, further misleading people:
“Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.”
Not only are statements like this misleading, but they are also just plain wrong and even dangerous.
Ironically, shortly after this article was published quoting Google telling us about how MFA keys did such a great job eliminating phishing, the marketing giant launched the sale of these same MFA keys. This was not an accident, but rather a clever marketing scheme.
I do not want to give the wrong impression here. I actually really like MFA and recommend it to people all the time. I support the FIDO Alliance wholeheartedly and use Yubikeys myself. The issue is that it is not the silver bullet that some people claim it to be. While it can be effective at stopping some phishing attacks and other very specific types of attacks, it is mostly useless against the vast majority of them. MFA protects account logins – that is all.
Why would I make such a bold statement? It is simple really. While MFA helps to prevent accounts from takeover due to lost, stolen or weak credentials, it does nothing to counter a person clicking on a link to a malware-infected website, opening an infected document or wiring money to bad actors. According to the FBI , between June 2016 and December 2021, there were over $43 billion in losses due to Business Email Compromise (BEC). While the name implies that accounts were compromised, the majority of times these scams are pulled off by simply spoofing the name of an email account, not actually having access to the real account. MFA does nothing to stop a spoofed account from asking someone to transfer funds or buy gift cards.
Another huge part of email phishing is the distribution of malware. This most commonly happens by getting the targets of the emails to click on a link in the email or by opening an infected document and enabling active content or macros. None of these scenarios are impacted by MFA in the least.
By telling people that MFA will stop 99% of phishing attacks, we are doing a great disservice to people by giving them a false sense of hope. Executives could come back from the conference and tell their staff that if they implement MFA, they can cut in other places, which is a really dangerous message.
Phishing cannot be stopped by a single technology or even a mix of technologies. The best we can do is to manage the problem and reduce the risk through a mixture of technologies and by helping individuals spot these attacks through education and practice. A focus on a good, strong security culture within the organization can do far more than simply enabling MFA; although these measures are an important part of a strong security program.
As security professionals, it is our duty to be objective about how effective security controls are and not fall for marketing messages that are meant to promote products. Snake oil is still too prevalent in our industry to let our guard down.
Every February, the city of Las Vegas plays host to many of the biggest names in consumer electronics at the annual CES conference. For many organizations, this is the show where they release their new cutting-edge products or show their vision for the future. From the latest in smart toasters to AI-powered concept electric vehicles, this show covers it all. In 2020, over 4,500 organizations participated in the show, which encompassed over 2.9 million square feet in venues all around the Las Vegas strip.
This is heaven for a geek like me, and I was finally able to attend the show this year. My goal, besides just geeking out at the new technology, was simple. I wanted to chat with vendors about the security of their products, especially those that are being targeted for home use. In the age of internet-connected refrigerators and cheap cloud-connected home security cameras, we are connecting Internet of Things (IoT) devices to the internet at an amazing pace. It is estimated that there are over 46 billion connected devices out there, an average of 10 devices per household. With all of these connected devices being installed in our homes, I had hoped that security would be a significant focus, however, even now, this does not appear to be the case.
Why Security Is a Concern in These Devices
You might ask yourself why security would be a concern with these devices. I mean who really cares if a refrigerator has a security vulnerability, what is the worst that can happen if a fridge gets attacked? Well, unfortunately a lot of things can happen, and few of them good. Here are a couple of scenarios.
Imagine going to the refrigerator to get a cold glass of milk, and on the screen is a message saying if you do not pay some cybercriminals several hundred dollars soon, your fridge would stop working. This is called ransomware and while not a serious threat to your typical household appliances right now, it is just a matter of time. Ransomware has become one of the biggest threats to networks in organizations in modern times, and there is very little keeping them from targeting homes as well. With the cost of refrigerators rising to several thousand dollars, who would not pay a few hundred to keep it from becoming trash? If you are relying on a warranty to fix this, you are likely out of luck, just as if someone broke into your home and wrecked it.
Another scenario is a cybercriminal using your device and network to attack other organizations. A Distributed Denial of Service (DDoS) attack is where a bad actor sends a lot of internet traffic to a target, crashing their website or even making their network so slow that they are unable to function. Cybercriminals can use these attacks to extort money from victims, or they may just pay for a service to cripple the target. These attacks are often made possible through the use of botnets, or large groups of infected devices with internet access that the bad actors control and the frequency of the attacks is up. There was a 173% increase in these attacks just between Q3 and Q4 of 2021
(https://portswigger.net/daily-swig/report-ddos-attacks-increasing-year-on-year-as-cybercriminals-demand-extortionate-payouts). Yes, your trusty fridge might have a dark side, attacking hapless victims while also keeping your vegetables fresh, and you may never know it.
These devices can also be used as a way to get inside your network and to help cybercriminals steal information from you, or to spread viruses within your home network as well. Not only are refrigerators a possible target, but any internet connected devices can be used for these purposes and more. Imagine cybercriminals being able to access video or audio feeds from security cameras, or any device in your home that has a camera or microphone built in. This has happened and will continue to happen again.
Alarmingly, many small businesses also use these consumer-grade devices within their organizations, never considering the risks they are taking. From a cost standpoint, this makes sense as enterprise-level cameras and devices can cost twice as much or more, and offer features that small businesses really do not need.
What I Discovered at CES
I was hopeful that somewhere in the 2.9 million square feet of electronics showroom, I would find at least some manufacturers who really touted the strong cybersecurity of their product as a key feature. I was sorely disappointed. What I did find was a lot of blank looks and referrals to other people who were also unable to answer any meaningful questions about the security of their products.
Some of the key questions I asked these vendors were related to how long they expected to support security updates on the devices they are selling, how they handle someone reporting a security issue to them and how security patches were installed.
OK, I get it, these are often salespeople or marketing people, not security gurus. I did not expect them all to have answers to my questions right away. However, I was hopeful that someone at the show could answer some basic questions. In most cases, I was mistaken. Not one vendor I spoke to could tell me how long they would commit to providing security patches for the products that were for sale. While this may not be as critical in a cheap webcam (it is still an issue), where it was very critical, such as connected electric vehicles and cars being manufactured by companies both small and large, there was also no commitment.
It is important to understand that automobile manufacturers are increasingly leaning on technologies such as self-driving features, which make use of computer controlled accelerating, braking and steering, among other things. One major automotive group has called themselves a, “sustainable tech mobility company”, not just a car manufacturer. When I asked about future updates for these vehicles, I was told that they would be supported for, “Quite some time”. Imagine that 12 years from now, it is discovered that a bad actor could access your vehicle via the wireless hotspot or smart phone app, and take over your steering, gas pedal and braking, all while you are driving down the road. Now imagine if the auto manufacturer has stopped supporting security updates to that vehicle. While this sounds like a scary thing worthy of the tinfoilest of hats, if we do not ask the questions now and get some commitment from the manufacturers, we could find this as a real issue. As recently as 2015, Chrysler recalled 1.4 million vehicles after a couple of car hackers were able to disable a vehicle while it travelled down the road at 70 miles per hour. Sometimes the tinfoil is not overkill.
Even if vehicles are not being taken over while driving down the road, other issues still arise. I happen to have a car that is high on the list of those stolen. As a matter of fact, my Dodge Challenger is almost three and a half times more likely to be stolen than the national average here in America. This is in part because they have been shown to be very easy to steal by simply programming a new key to the car. You do not even need to have another key present to do this. In less than a minute, through a flaw in the infotainment system, thieves can add their own key and drive off. Dodge has issued a security recall for this issue where they no longer allow additional keys to be added to the car once locked down, however, while friends with 2019 and 2020 cars have received notifications about the update, I have not received notice for my 2016 model. Until I do, I will not drive my car to the airport, a prime spot for thieves of these cars.
This issue is not just limited to the organization that makes my car. The more computers we put in cars, regardless of the manufacturer, the more likely issues like this will arise. This is why we need a commitment for future security fixes.
Moving away from vehicles, I also spoke to several smart home device manufacturers, including those who made smart door locks, and none of them were able to confirm a commitment for future support.
My Conclusions
All of the walking, all of the questions, and all of the research I did at CES illuminated a couple of things. First was that security is not a key part of these manufacturing organizations’ culture. If security were a key part of the organizational culture, I would have received far less blank stares when I asked even the most basic security questions, even from salespeople. This is a trickle-down effect where a strong and good security culture at the top levels of management eventually influences those throughout the organization.
The second thing is that people are not asking about security when making purchases. If they were, the staff at the booths would have been more prepared to answer them. This is a trickle-up effect. If people do not care to ask for improved security, the salespeople and marketing teams are not going to waste time learning about questions they do not have to answer. As unfortunate as this is, I cannot blame them for this.
As consumers, it is time that we start asking questions about the security of our devices, especially when we are connecting them to our home networks. These are the same home networks where we do our banking, tax filing and other potentially sensitive things. Along with asking about security, it is time that we show these manufacturers that it is an important issue, by buying items that do promote security over those that do not. Many of these smart home devices are sold based on the lowest possible price point being the winner, however, as consumers, it would be very beneficial for us to spend an extra dollar or two for devices that are serious about security. Once this becomes a differentiator with buyers, manufacturers will find it much easier to invest time in security research, and may be far more likely to commit to support of the devices for several years down the road.
Do you have thoughts on the future of security in consumer devices? Let’s hear them in the comments.