Question of the Day: How do I become a security specialist (ethical hacker, malware researcher, digital forensics, etc.)

First things, do you like solving puzzles, do you like a challenge, can you stare at a screen for many hours, poring through code, logs, etc?

Were you the sort of child that liked to take things apart to understand how they worked, and more importantly could you put them back together again, without having left over pieces, and did the thing still work at least as well as it did before?

Do you look at things and think, well that should work as expected if I follow the logic, but, if I do this instead, it will bypass that logic and let me access another part of the site/code or infrastructure?

Or, maybe when hearing about a new threat, you quickly see how it works and how you can either slow it down, or stop it dead in its tracks using simple techniques or processes, or by using an existing security control in a different way?

If you answered yes to several or more of the above, then you might have the right mindset for a career in cyber security as an ethical hacker, social engineer, malware analyst or in digital forensics and incident response. If you didn’t answer yes to one or more of the above, don’t worry, you can still work very successfully in other areas of cyber security, just probably not as an ethical hacker or in incident response or malware research.

“If you have the right mindset, you can be taught the skills,
but it is very hard to teach a mindset…”

So, if you do have the right mindset, how should you develop the required skills to get into cyber security?

First, decide, do you like technology or the human side of the problem. That will be your first step. If you are lucky you might be able to do both…

The next step is dependant on the answer to the first question. If technology, then you need to become very familiar with as many operating system, applications, programming languages as you can (you don’t have to be proficient in all of them to start off, just pick one or two for starters).

If the human side is more your bag, then learn about cons, social engineering, and psychology in as much depth as you can. Then try some of the techniques on friends and family (without breaking the law).

After that, find a mentor, someone that is skilled in the discipline you want to learn, soak up as much knowledge from them as you can.

Read everything you can on the subjects, if available, go on courses, go to events, conferences, local meets to meet likeminded people, be they newbies like you, or security professionals with a decade or more of real world experience to mine for tips and tricks, etc.

If you are looking at doing malware research, ethical hacking or forensics, you will find lots of CTF and analysis challenges that are freely available, do as many as you can; when you fail (and you will) learn from the failure, it won’t be the last time. Even the best fail often, but they always learn as much (if not more)  from the setbacks ass the successes. Often doing security work is hard and even boring, but when you solve a problem (reverse a malware and understand how it works and how to stop it, or gain access to a system or network, or identify how a bad guy or girl got in, the rush is amazing).

Expect to have to start in a junior role, maybe even working on an IT Helpdesk, doing patching, hardening, server/system builds, etc. We all have to start somewhere.

I started by building and configuring PC’s (building them and installing the OS and applications, configuring them, etc.) Then I moved on to reviewing hardware and software for the same company (doing research, etc.), then I got involved with security (malware at first), worked on the IT Helpdesk, did AIX support (a Unix flavour), and finally I built and ran the Internet Security team (defence, as well as ethical hacking). It takes 5-10 years to become proficient enough with a wide range of operating systems, applications, hardware, networking, security tooling, attack methods, malware analysis, and so on. Be patient, don’t take shortcuts, as it will not help you in the long run.

You don’t need degrees or certificates to do well in this area, you do need the right mindset, be willing to learn and experiment, and work long and odd hours, as the job will not be your usual 9-5 one. I left school at 16 and have no degrees or diplomas and have only been on two cyber security courses in over 31 years of working in this field. (One on advanced hacking and the other on advanced digital forensics, both of which I attended to confirm that what I had learnt and been doing for over 20 years (at that time), being mainly self-taught, was right after all, it was! In fact I taught the course instructors a few things that they didn’t know)

Be very wary of the problem of stress; this is a major risk when working in cyber security, especially in Incident Response. Burn out is quite common, if you don’t manage stress correctly.

One thing I will strongly recommend is to look back in history, see what has happened in the past, both from breaches, attack methods, malware types and tricks, etc. There is very little that is “new”, most of the things you will encounter will build on old (tried and trusted) tricks and methodology; usually just updated to the latest OS versions, applications, etc. or re-used to take advantage of the new victim pool (ones that were not around or didn’t take notice the first, second or third time that technique was used).

If you want to learn about web application testing, then there a several training VMs out there, such as SecurityShepherd that will test your skills in a safe and secure environment quite legally.

On the subject of legality, whatever you do, do not be tempted to step over the line and do something illegal with your skills, as you will constantly be looking over your shoulder waiting for law enforcement to apprehend you. It will also make you less employable in the cyber security world.

You don’t have to be a black hat to be a skilled hacker or to understand how an attack is done or how malware works. As I said earlier in this episode, good ethical hackers may be able to think like a bad guy or girl, they just don’t act like one, in other words you don’t need to break the law to be very skilled in any security field.

After that, expect a lifetime of learning, building on and refining you existing skills, and as things are right now, you will have a long and productive, well paid career helping to counter the bad guys and girls, rather than being one of them…

Anyone that states that you “need to be a thief to catch a thief” or that you “need to be a poacher to be a gamekeeper” or any of the other examples, I say to them, rubbish! There are very few real world cases where being an ex-criminal has made a difference that hasn’t or couldn’t have been made, more effectively by a good researcher that can think like a bad guy or girl, but hasn’t gone over to the dark side to prove their skills.. In fact many of those that were caught, even though the press made them out to be some form of Uber hacker or malware writer, the vast majority had very poor skills, they often used other criminals code/techniques to carry out the attack… what most of us in cyber security would call “script kiddies”…

You can make a difference, be on the right side, help defend and protect those in society that are often the victims of the many cyber crimes that happen each and every minute of every hour or every day…

To quote Del Boy Trotter, from Only Fools and Horses, You know it makes sense, don’t be a plonker

If you think I have missed anything important, or I should add something to this article, please let me know.

Insurance, Silent Cyber, and Refused Claims, Oh My!

This is a companion blog posting to my Episode 1 Podcast about Insurance, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.

Disclaimer

I am not an insurance specialist, I am a techie with over 30 years of real-world experience in malware, over 15 years of ethical hacking experience and over 10 years of digital forensics (incident response) as well as working for a large cyber insurer for over 2 years (note past tense) where I worked hand-in-glove with underwriters, brokers and claims staff in helping them understand cyber risks, defences and remediation. I also used to meet with CISOs, IT Security Managers and Risk Managers/Legal Council to understand their risks and processes, procedures, technologies, business partners, supply chain and cloud/outsourced services.

I run my own business; I do not work for an insurer or sell insurance (of any type). However, when I did work for an insurer, along with being the cyber risk specialist assisting underwriters, brokers and claims adjusters. I also trained many cyber underwriters, helping them to understand the technology, the lingo (acronyms) and what are the right questions to ask (and what are good answers), when to ask them, and to who (so that they could have meaningful risk dialogue with CISOs, IT Managers, etc.) The underwriters then can understand the answers given and price the risk appropriately, rather than just fearing a worse case scenario, and pricing according to their fears/expectations (which is far better situation (both on cover/limits and pricing) for the insured/client too)!

“Silent” Cyber

For those of you that are not in the insurance industry, you may not be aware of this term and what the implications are to existing (non-Cyber) policies, such as Property, Casualty, D&O, Kidnap and Ransom or Crime.

In simple terms, Silent Cyber is used to describe the case where cover for Cyber threats is not explicitly mentioned in the policy wording/coverage. As the insurers would say, these non-Cyber policies do not have “affirmative” cover.

What this means to you as a policy holder is that the insurer may not honour a claim if it is Cyber related for a non-Cyber policy (even if you have a Cyber extension to that non-Cyber policy). Why, because the wording and terms and conditions in force will be those from the master policy (the non-Cyber one/the main policy). This can cause claims to be rejected, as can be seen in the next section of this article.

Refused Claims

There have been two recent cases reported where the insurer has declined to pay a claim in relation to the NotPetya attacks back in June 2017, these are Hiscox vs DLA Piper and Modelez vs Zurich.

Despite what the press and other media has claimed, in both cases that the policy was a cyber policy and the reason stated by the press or other media for the claim being declined was down to an “act of war, or hostile action”.

From what I have found out, neither of these claims are in relation to Cyber Insurance policies, in fact they both are related to Property policies (which are, even with a cyber extension added on, not the same as a dedicated Cyber Policy.   Very sloppy reporting, which doesn’t help anyone…

So, this has resulted in every person and their pet of choice making statements, such as “well, what is the point of buying insurance as the insurer will weasle their way out of having to pay” and “there is no point in buying cyber insurance, as I’ve seen what happened to the claims from Mondelez and DLA Piper”.

Expecting wide-ranging/expert Cyber coverage from a Property policy is like expecting wide-ranging/expert Health insurance from your House and Contents policy! Not surprisingly you will not get comprehensive health cover backed by experts in this area. It’s a bit like expecting your gardener to offer health screening (without them being a medical practitioner).

A few days a go a written statement was sent to SC Media UK (owner of the SC Magazine) in which Kylie O’Connor, the head of group communications at Hiscox stated “The dispute we are in with DLA Piper, is not about a cyber policy and has nothing to do with a war exclusion.” This just proves that the press and other media were (shock, horror) making things up so that they could publish (without little things like “facts” get in the way!

However, in the case of Norsk Hydro, they do have a dedicated Cyber policy, and therefore are covered under that policy (up to their limit, and after taking into account any excess, waiting period, and loss adjustment).

Why do companies invest in cyber insurance?

Well, for lots of reasons, including the ones listed below:

  • Hacking (external or internal misuse)
  • Physical loss of data (left on train, back of cab, accidents (sending data to the wrong person, etc.)
  • Data corruption or eraser (cost to recover or recreate), even paying for ransomware decryption keys.
  • Business Interruption, such as DDoS, Ransomware, etc. including loss of business
  • Costs for first response (forensics, legal, PR), etc. covered under the policy
  • PCI and other fines covered (where legally allowed)
  • Bricking (where a device becomes unusable due to a firmware or other update failing).
  • Legal or contractual requirements (from industry, business partners, etc.)
  • In some cases the insurer will offer services/solutions/products to help the insured improve their overall security posture/maturity for free (as part of the policy) or at a discounted price.

At the end of the day suffering a cyber breach has almost become “normal” and “expected” as not a day seems to go by when we don’t hear about yet another breach (new or historical); a good cyber insurance policy can help offset the risk and related costs for such breaches/incidents.

Then there are new risks/attacks such as CryptoJacking and Password Spraying (O365 and GSuite targeted via IMAP and even if 2FA or MFA is enabled they may be able to get in to your account).

What are  the ways that companies could avoid falling into this crevasse?

Check the policy you have is fit for purpose, check with your insurer or broker. I strongly suggest that you ask your insurer or broker which scenarios/risks you are covered for by the policy and if you identify gaps in your existing coverage decide if the cost of taking out extra insurance is a good risk/benefit trade-off or solution.

Check that the coverage includes first response (forensics, legal and PR services), that you have enough cover for business interruption, including lost business and remediation costs. Also consider the brand/reputational damage and knock-on customer effects, loss of trust, etc.

Check to see that the policy will cover financial fraud, such as BEC/Fake CEO, employee fraud, if not, find a crime policy that includes this. Crime policies are not the same as a Cyber policy as what they cover is different, or from a different perspective.

Make sure that the Limits, waiting period and excess is suitable for your business needs.

Don’t go for the cheapest, especially if the insurer/broker only ask 5-10 questions and doesn’t sit down with your CISO or IT Manager, etc. to discuss the answers afterwards (very few questions can be answered yes or no; they are usually a bit of both and the answer may vary across a typical organisation), as may the questions that should be asked by the Insurer or Broker.

The Future?

Even though a dedicated Cyber policy is a far better bet in today’s incident/breach strewn world, there are some things that they still don’t cover.

I want to see the Insurance industry step up and make Cyber policies more inclusive; it would be better if Crime cover was also included (including not only crime and fraud due to hacking, but also fraud due to social engineering or insiders/insider collusion). This should include BEC/Fake CEO and Invoices, etc. even when NO hacking or breach has occurred!

In Summary

Organisations need to ensure (no pun intended) that the existing Insurance policy or policies they have are fit for purpose and will actually pay-out when needed. You need to purchase the right policy type for the right risk, as otherwise you could end up in the same situation as DLA Piper and Mondelez… If in doubt check with your insurer or broker, before it is too late!

Update 15th April, 2019: It has come to my attention that Merck is also suing their insurer for refusing a claim; again it is NOT a Cyber policy, it is in relation to their Property policy.

The Curse of CryptoJacking!

Since around the end of 2017 there arose a new threat to organisations and individuals alike, cryptojacking; with Ransomware starting to become less favoured as a mass-attack method, the Bad Guys n Girls were looking at new ways to make money with the least amount of work and risk as possible.

So, in 2018 we saw a huge jump in a new tactic; this was the use of scripts and malware to “mine” cryptocurrency using your or your organisations systems (usually without your knowledge, or approval). We also saw the move towards targeted Ransomware attacks, often asking for huge ransoms to be paid to get access to your data, on your systems, or hosted/cloud based servers.

So, what is CryptoJacking, what is cryptocurrency “mining”, and what does it mean to you and your systems or organisation, do you need to be worried, and what can you do to help reduce the risk from this new threat?

Let me explain:

Hopefully you all know about cryptocurrencies, at least at the basic level? If not, or for those of you that know the basics, here’s a more in-depth look at it (but not too deep), it should also help those of you that don’t yet know about cryptocurrencies.

Cryptocurrencies

When most people are asked about what they know about cryptocurrencies, they will usually reply that they know of, or have heard of Bitcoin (and possibly they may also mention Blockchain, which is not a cryptocurency at all, it is the Distributed Ledger [transaction log] used by all cryptocurrencies, and it can be used for lots of other things too, but that’s another story).

In simplest terms a cryptocurrency (like Bitcoin) is a digital currency that unlike other currencies, is decentralised (no single person or entity has control over it), unlike real “phyiscal” currencies (British Pound, US Dollar, Euro, etc.). It is also, for most purposes anonymous (that’s why the cyber criminals like to use them). It instead relies on Blockchain and what you might call a democratic method of recording and approving all transactions.

Cryptocurrency Mining

“Mining” in the world of cryptocurrencies is the act of “approving or validating a transaction and adding it to the  blockchain” each validation or approval of a transaction earns new cryptocurrency for the miner.

To do this is a case of using huge amounts of processing power; unlike “physical” mining, where you have to expend manual effort, cryptocurency mining is all done on a computer. There are many crypto-mining groups and individuals, often with dedicated “rigs” to carry out this activity. One of the real-world concerns with crypto-mining, is that because the systems used are “maxed-out”, they require lots of power and as a by-product produce lots of heat; requiring extra power to cool the room they are housed in. This, it is suggested, may also affect (increase) global warming!

Cryptojacking

Cryptojacking is when your site, server or application has been compromised (hacked), either via a vulnerability (bug), weak or default credentials (maybe re-used credentials), poor security controls such as open ports (that shouldn’t be), social engineering (phishing, vishing or smishing, etc.) Once compromised an unauthorised script, binary or other file is uploaded and executed (run); this then starts to crypto-mine using your systems processor to carry out intensive processing to validate transactions (mine cryptocurrency).

So what, I hear you say?

Well, for one thing, if it is an end point (laptop, workstation, etc.) it will slow to a crawl, now image this happening on a webserver, database server, etc. Now throw in the scenario of Cloud (where you are often charged by the CPU cycle), imagine what your next bill from them will look like. It will be between hundreds and thousands of time more than your “normal” bills! All the while the Bad Guys n Girls are making money and slowing (and possibly damaging) your business…

Now there are Worms that perform cryptojacking! Worms are automated malicious code that can move from system to system without human help.

No real surprise there, as the technique is the same as we saw with many of the Ransomware Worms in 2017 and 2018 (such as WannaCry and NotPetya). It is an obvious evolutionary step. In fact the same exploit code is being used (EternalBlue, which was stolen from the NSA by the ShadowBrokers).

What do you need to do?

  • Harden and patch all systems, applications and cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Regularly check you systems for high or unusual CPU usage (beyond the normal range).
  • Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN.
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • If you have cyber or crime insurance, check that cryptojacking is covered by the policy (most cyber insurance policies currently do NOT cover this)…

Until next time, stay safe out there!

What Cyber Threats and Trends Might We See in 2019?

‘Tis the season to get out the crystal ball and play at being the cyber equivalent of “Mystic Meg” (no that’s not me in the picture).

For 2018 I predicted a number of things that were spot on, these included the following:

  • The change from mass ransomware campaigns to more targeted ones asking for higher ransom payments.
  • The move from ransomware to cryptomining/cryptojacking as the primary monetisation payload/method.
  • GDPR being used for extortion/blackmail attempts.
  • Organisations still not focussing on the basics and best practice for their industry/vertical and wondering why they suffered security breaches/incidents.

So what will 2019 bring, according to OMG?

  • More targeted extortion attempts; Ransomware, GDPR, DDoS, etc. All with higher ransom being demanded.
  • Organisations will still be mainly focussed on the latest, must have “shiny toys/technologies” rather than dealing with the basics and best practice for their industry/vertical.
  • A mainstream move towards two or multi-factor authentication, as password theft is increasingly seen as the main way that bad guys and girls get in; other than social engineering (phishing) or via the supply-chain/business-partner. This move will be required due to massive Credential Stuffing attacks in 2018 fuelled by the many data breaches where user ids and passwords were stolen.
  • More supply-chain breaches as a method to gain access to the intended victim organisation.
  • Cloud service breaches and/or take-downs and mis-use by the Bad Guys n Girls.
  • The skills-gap and staff shortage will increase, again. And those of us in the industry will be in demand and frequently head-hunted or just pestered by desperate recruiters that don’t read your LinkedIn profile and still approach you with roles that you are not interested in or have the skills/background for.
  • More Business Email Compromise attacks (aka Fake CEO/CFO, etc.); these will rake in far more money in 2019
  • Artificial Intelligence and Machine Learning will continue be touted as “The” solution to deal with cyber threats and breaches; they are useful but generally too prone to false positives (detect things that are not an issue) and more worryingly false negatives (don’t detect what they should do).
  • The Internet of Things will start to “grow-up” as manufactures start to bake in security and offer it as a differentiator to competing products/services.
  • However, despite this we will continue to see IoT devices/infrastructure used as an attack platform and I suspect that we will start to see volumetric DDoS attacks exceed 2Tbps (largest so far was 1.35Tbps against Github in 2018). 
  • We may well see some critical infrastructure attacks (outside of Ukraine) that are successful, and that cause major outages and/or physical damage/loss of life.
  • Too many organisation thinking that using a single Cloud provider will give them a fully resilient infrastructure; it won’t. Just like having multiple data-centers, you need multiple Cloud providers (this should be part of your Business Continuity and Disaster Recovery Plan), no single-points of failure!
  • GDPR will finally start to bite (hard) and organisations that should have already been following industry best practice for data/privacy will finally do something about it (well, most of them)!
  • Blockchain will be finally recognised as not being the solution to everything!
  • Increase in use of Sextortion, Bomb and other extortion/blackmail emails/calls, despite the fact that most Sextortion campaigns did not net piles of bitcoin as those behind them expected.
  • More social-media scams mainly focussed around crypto-currency giveaways; like the many Elon Musk themed ones we saw in 2018.
  • People will still mainly fail to learn from history; we will see yet more old techniques/technologies dusted off and re-used by the Bad Guys n Girls, for victims that weren’t around (or paying attention) the last time it was successfully used…

Don’t have nightmares, remember that 80-90% of all security breaches/incident I have dealt with could have been avoided by just following best practice and doing the basics… This includes taking (and testing) backups, educating (and testing) your staff, patching your systems, applications and writing secure code, good Identity and Access Management, and so on…

Helping the Hackers – Password Re-Use is Widespread!

Some interesting, but not surprising findings from F-Secure:

They found that many users were re-using passwords even though they knew the risk of doing so, and I quote:

“59% reuse passwords across multiple accounts, even though 91% say they understand the risks of doing so.”

You can read the full article from F-Secure here: https://blog.f-secure.com/how-to-keep-your-passwords-from-being-an-attackers-key-to-your-account/

Please, please do not make a hackers job easier by using the same password on multiple sites; if you must use the same password at least enable 2FA (Two Factor Authentication)/MFA (Multi-Factor Authentication)* on the sites where you do this, as this will make it harder for the hackers to compromise (take-over) your account(s).

The problem is, if you use the same password on multiple sites, it allows the bad guys and girls to carry out what is known as “Credential Stuffing” attacks….once they have found a valid set of credentials for one site that you use, they will try the same ones on other sites…

It is better if you use not only 2FA/MFA, but also a Password Manager to store and create strong unique passwords for you (belt and braces, folks!)

You can even enable 2FA/MFA on the Password Manager, so if that is stolen, the bad guys and girls can’t gain access to that either… Belt, Braces and Super-glue 😉

* One factor authentication, is something you know (user id and password), Two or Multi-Factor authentication, is something you know, and something you have or are (such as a one-time password/key/token, biometrics, smart card, hardware or software token, certificate, etc.) Unless the Bad Guys and Girls can gain access to the second factor, they can’t sign in as you…

Question of the Day: Are Passwords the New Exploit?

The quick answer is NO, they are not, however as with most things it isn’t quite as simple as that, let me walk you through how things have changed over the last 10+ years and how passwords have NOW become the main exploit technique (other than unpatched systems/application, config/coding errors and end-users). To start we need to go back into cyber history…

Back in Time…

Let’s go back to the 80’s, 90’s and early 00’s and look how passwords were captured and misused:

As an ethical hacker (penetration tester and web application tester), I have over 15 years of experience and “hacks” to call on to cover this.

In the years prior to 2005, most passwords were stolen via Social Engineering (Phishing, etc.) or via hacking a system/application and using that as a pivot point (beach-head) to scour an organisations network for the password file (usually imaginatively called password.txt, password.doc or password.xls, yes really!) or to find other vulnerable or insecure systems (including ones with default or weak credentials).

This file usually would contain either personal passwords for the user of that system, or if I was really lucky it would be the password file for the system administrator, IT manager, help-desk, or other technical resource that had the much sought after “root”, “admin” or other privileged account credentials to allow me to escalate my privileges (upgrade them from user or other restricted account access level).

In the best cases this could then be used to become “Domain Admin”; which means that I would have unrestricted access to ALL systems on the Domain (Microsoft Active Directory)… Once I had that level of access, it was “Game Over”, as I could do anything; access ALL the systems and ALL the data on them!

There were other ways for me to get passwords, the most common other way was to dump the password hashes from Windows or Linux (other UNIX flavours are available) and then “crack” them; this means doing either a so-called “dictionary” (using a list of known words/passwords until a match is found) or “brute-force” (trying every combination of letters, number and other characters until a match is found) attacks, or even using “rainbow tables” (Rainbow Tables are pre-computed password hashes in a database, these are used to simply compare the stolen password hash to those in the tables until a match is found), this is harder to do nowadays as hashes are often protected by techniques such as salting, which means the hash for “P4ssW0rd123” on one system, will not be the same on another server/system/site (as long as the salt is not the same on both).

Back to the Future…

So, what about password misuse since 2005 until today?

Over the last 10+ years we have seen numerous mega-breaches (as well as loads of smaller data breaches), this has meant that over 7 Billion sets of credentials (current best estimate) have now been stolen (user IDs and password combinations).

These data/credential dumps are widely used by cyber criminals (and other hackers) to carry out attacks using “credential stuffing”. You can see if your email address and credentials have been seen in on of these dumps on haveibeenpwnd (run by well respected security researcher Troy Hunt); this site has over 5 Billion sets of credentials that have turned up in data dumps from hacked/compromised sites/servers.

In summary, yes, nowadays passwords are the new exploit and we need to move beyond them,or at least make them less of an exploit…

What’s Credential Stuffing and Why Should I Care?

Credential Stuffing is a type of automated attack which is very similar to a “dictionary attack”; this is where a list (often huge) of passwords are tried one after another until the list runs out, the account gets locked out, or the hacker finds the correct (valid) password for the account.

The way that Credential Stuffing is different is that the hacker has a list of user IDs (often email addressed) and passwords dumped from a breach. They simply run these against each web site that they think you may have an account on.

I hear you say, “so what!”, well the problem is if you use the same userid and password on multiple sites, and that userid and password is compromised (stolen in a hack), the bad guys and girls now have your credentials for other sites where you have re-used the same password!

What Else are the Bad Guys and Girls Doing With Stolen Credentials?

As covered in a previous blog entry on “Sextortion“, stolen credentials (user IDs and passwords) are being used to add credibility to the email extortion scams. We will see this technique used for other scams, again to give “proof” that they have your data/access to your account or system, etc.

How do I Protect Myself?

There are a number of ways to reduce the risk of Credential Stuffing and related attacks (including Phishing and Social Engineering), these include:

  1. Never use the same password on multiple sites (known as password re-use), as you make is easier for the bad guys and girls to take over your accounts.
  2. Use strong, long, unique passwords for each and every site and store these in a Password Safe (and encrypted database), you can find out more about these in one of my other blog postings, here.
  3. Even better enable what is known as 2FA (Two Factor Authentication); sometimes called MFA (Multi-Factor Authentication). I hear you ask “what the hell is that?”Let me explain; when you use a user id and password, that is a single factor (something you know), the second factor, often a token or one-time code, is the second factor (something you have or are).This can include solutions such as Google Authenticator, Authy, Duo, RSA, Yubikey or even biometric controls such as Face Recognition, Fingerprint, Voice, etc.Using 2FA will mean that it doesn’t matter if your user id and password is compromised (as long as the site you are using uses 2FA and you have enabled it, and the site has implemented it properly so that it can’t be bypassed easily).

    Most large sites, including Google, Microsoft, Dropbox, Facebook, etc. all have 2FA support.BUT, don’t use a 2FA that sends you the one-time code via SMS (text message) as this can easily be captured, either via the network or via what it known as “SIM Porting” or “SIM Swapping”. This is becoming a major threat and has cost some victims the contents of their bank accounts, their bitcoin (or other digital currency) wallet contents… Also, Reddit were compromised via SMS based 2FA!

    This extra protection means that even if they have your valid user id and password for that site, they can’t access your account as they don’t have the second factor (only you do)… In theory this makes it impossible for anyone but you to gain access to your account on that site…However, as usual there are still ways (non-trivial) for the Bad Guys and Girls to get you to give them the second factor, but that’s another story!

Stay safe out there, and don’t make the “Bad Guys and Girls” job easier!