The need for a browser that notifies you of saved logins found in data breaches

You’ve most likely seen and checked the box for “Save My Password”, “Remember My Login Credentials”, or something similar. Many of us still do it because hey, why not save ourselves a few keystrokes? The fact is that these saved logins could be compromised in a data breach and we would never know until a public article is released, or until we receive an email notification that looks just like a phishing scam but is actually legit, after which we end up not changing the password anyway. Wouldn’t it be great if our browsers, apps, or services notified us of compromised credentials as soon as they hit the dark web, earlier than any public article or email notification?

Firefox Lockwise does just that in its latest release, Firefox 70. Mozilla’s independent Firefox Monitor service scans the saved login credentials stored in the Firefox Lockwise password manager and warns users of credentials exposed in data breaches listed through its partnership with Have I Been Pwned. The downside is that the feature only works for credentials that were saved prior to being exposed in a data breach. Firefox users are notified of exposed credentials via an alert in Firefox Lockwise that reads “Passwords were leaked or stolen…”

This is a great feature, and all browsers, apps, or services that allow the saving of credentials should take some accountability for the service they provide. Let’s say, for example, that you are a trusted entity. If I write down my password on a piece of paper and entrust it to you, I trust that you will keep it safe by taking the proper measures to protect it from prying eyes, from being stolen, or from being shared with those I did not authorize to see it. If somehow my password was exposed, yes, shame on me for entrusting it to you, but just as we entrust our money to our banks, you were made accountable for keeping that password safe, and I should be notified in a timely manner if it was exposed in any way. In this case, the trusted entities are the numerous websites and businesses that store our credentials; Firefox is just a password keeper that takes the accountability of those trusted entities into its own hands by providing a great service to its users.

Accountability must be taken by any person, business, or service when it comes to holding something of value and keeping it safe. Recall my last post, where I coined the phrase “Convenience is the enemy and users are the weakest link.” Convenience doesn’t have to be the enemy, but the way it is practiced and utilized today, it is. If we can somehow make convenience our friend and take accountability, users can become stronger links. Mozilla Firefox has the right idea: create a password manager that people will use because it is convenient, and that makes them better users by notifying them and requiring them to reset their passwords when their credentials have been exposed.

Source:
Bleeping Computer – Firefox to warn when saved logins are found in data breaches

An undervalued question: Why is Cybersecurity so Important?

I recently experienced a tragic loss that has led me to wonder why this question and topic are so undervalued. Cybersecurity today is growing, yes, but it is still undervalued, misunderstood, and misconfigured. But why do people and businesses undervalue it? What makes it so confusing that it is misunderstood? Why are the things we use every day misconfigured, leaving us vulnerable? My answers come from my own opinion and experiences. Something must be done to raise Cybersecurity Awareness to a higher level.

“Convenience is the enemy and the user is the weakest link”

I’m coining this phrase as my new motto, and some of you may have already heard a similar one before. I encourage you to share this phrase with everyone you know. Why? I learned recently never to assume that someone already knows. They might already know, but they probably don’t. Information is good, not bad, not useless; however, information can be undervalued if it’s not presented correctly. Much like Cybersecurity today, it is being misrepresented to the public as something you need to protect your business from financial loss and, more or less, your digital identity. Cybersecurity risks are far greater than just protecting a business’s assets, devices, or digital identity. It is also about protecting the end user from falling victim to cyber threats. It is undervalued because it is misunderstood.

For example, cybersecurity awareness programs today promote an understanding of what harm threat actors, phishing, and malware can do to your device or the integrity of your digital identity, but what about your real identity or your life? What if we started raising cybersecurity awareness to protect lives and not devices or company assets? Don’t get me wrong, all those are important too, but if you had to choose between a bag of money and saving your life, what would you choose? It’s misunderstood because we don’t make it personal, and until you lose something or someone, you won’t understand it.

Misconfiguration. Don’t forget that social media and other websites out there are not paying you for your privacy. They are getting paid to collect public and private data on you, and their websites, servers, computers, payment systems, and services are configured to do just that. In some cases, their own technology is not configured to secure the data they collect from you, allowing threat actors to pry into your life, social engineer you, and scam you out of your financial assets and, most importantly, your life or the lives of others. Right, you’re smarter than that, but what about your brother, sister, mom, dad, aunt, uncle, grandma, and grandpa, or any of your loved ones? It only takes one to make it personal.

Even if they already know, tell them anyway. Much like “I love you”, tell them every day and remind them anyway. I share my experience to make an impact, hoping that you don’t undervalue Cybersecurity next time. If you do, research it and ask questions so you can better understand it. If you’re going to continue using social media, configure your devices and your social media settings on the web and on mobile devices to make your information private, disable location sharing/tracking, and block invites from strangers. “Convenience is the enemy and the user is the weakest link”: remember this phrase and think before you click.

Are Hardware Security Keys Safe?

What are Hardware Security Keys?
Before reading on to uncover whether or not I think they are safe, let’s cover what Hardware Security Keys actually are. In a sense, they are physical keys in the form of a USB key (or stick/drive, call it what you will) or a wireless dongle that uses NFC (near-field communication) to communicate wirelessly. These physical keys function as another type of multi-factor authentication (MFA) or two-factor authentication (2FA) by using the WebAuthn standard to secure your Google, Facebook, Dropbox, and GitHub accounts. Instead of entering an authentication code, you plug the USB key into a USB port or authenticate via NFC, and it authenticates who you are and grants access to your accounts.

Should you use one?
The right question is, “why don’t you have one?” As of today (2019), Hardware Security Keys are as safe as you can get when it comes to securing your accounts. With WebAuthn as the new standard, this form of security is highly resilient to man-in-the-middle attacks because, unlike its predecessor, Universal 2nd Factor (U2F), it doesn’t require a traditional password to authenticate. This means that even if a hacker knows your password, the only way to authenticate is with the hardware security key. Also, because the private key material is at no time accessible to software running on the host machine, it is resistant to malware as well.
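To make that resilience concrete, here is an added illustration in Go (not code from the original post, and a simplified model of WebAuthn rather than a real authenticator): the private key stays inside the Authenticator value, the website keeps only the public key, and an assertion is accepted only when the challenge, the origin the browser recorded, and the signature all check out. The origins, the challenge and the authenticator-data bytes are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the WebAuthn clientDataJSON fields. The browser fills in
// "origin" from the page the user is actually on; the user never types it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the website (relying party) gets back from the browser.
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte
}

// Authenticator stands in for the hardware key (a simplified model, not a real
// CTAP device): the private key is generated here and never leaves this struct.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material the website stores at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedDigest is what WebAuthn signs: SHA-256 over authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// Sign answers a login challenge with the origin the browser observed.
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	authData := []byte("constructed-authenticator-data") // real value: rpIdHash || flags || signCount
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the website's side: the challenge it issued, the origin it expects,
// and the signature against the public key it stored at registration.
func Verify(pub *ecdsa.PublicKey, wantOrigin, wantChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type " + cd.Type)
	}
	if cd.Challenge != wantChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != wantOrigin { // the check that defeats a relaying look-alike site
		return errors.New("origin mismatch: assertion was produced for " + cd.Origin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}

func main() {
	key, _ := NewAuthenticator()
	pub, challenge := key.PublicKey(), "constructed-random-challenge"
	good, _ := key.Sign("https://login.example", challenge)
	fmt.Println("genuine site:", Verify(pub, "https://login.example", challenge, good))
	// A look-alike site relaying the real challenge still gets its own origin recorded.
	relayed, _ := key.Sign("https://login-example.test", challenge)
	fmt.Println("relayed via look-alike:", Verify(pub, "https://login.example", challenge, relayed))
}
```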

Yes, there are some cons to this. One problem is that if the hardware security key is lost or stolen, regaining access to your account will be a pain. However, this is also a pain for the hacker. The other problem is that if a hacker knows your password and has your key, they could gain access to your accounts and delete or de-associate your hardware security key, but the likelihood of this happening is pretty slim.

There are other backup methods that exist to help you regain access in the event that you ever lose your hardware security key. Some hardware security keys, such as Google’s Titan Bundle, provide two keys (a primary and a backup). Other methods include the ability to associate multiple keys with your login, any of which can then be used to de-associate a lost/stolen key (the loophole is that if the hacker with the stolen hardware security key gets access to your account first and removes all your keys… again, a very slim chance). When setting up your hardware security key, backup methods to regain access to your accounts are usually set up as well, including a set of one-time hand-written or printed recovery codes that you must enter in a particular order to regain access, which is my preferred method.

So are they are really safe?
A good thing to keep in mind is that no cyber security tool is 100% guaranteed to keep you safe. There are so many other factors out there that could render these tools useless, but overall I think they are still your safest bet if you really need to protect your accounts. Even though there have been recalls of Google’s Titan Security Key due to a misconfiguration and of Yubico’s YubiKeys because of insufficient randomness after power-up, these issues have been patched and the manufacturers have offered free recalls and replacements. In the end, the goal is to make it harder for hackers to access your assets.

Sources:
How-To-Geek – Hardware Security Keys Keep Getting Recalled; Are They Safe?
Wikipedia – WebAuthn
yubico – Losing Your YubiKey

Is your Intel CPU secured from the ZombieLoad Attack?

Since the discovery of the widely publicized Spectre and Meltdown, four distinct security exploits have been discovered and demonstrated: ZombieLoad, Fallout, RIDL, and Store-to-Leak Forwarding, with the newest being ZombieLoad. The official name for this family of attacks is Microarchitectural Data Sampling. Today’s blog will mostly cover what the ZombieLoad attack is, how it works, and how to protect your devices against ZombieLoad.

This week’s decipher:

Microarchitectural Data Sampling – a class of critical vulnerabilities found in Intel processors that allows attackers to steal sensitive data and keys directly from the processor.

ZombieLoad – an attack that resurrects your private browsing history and other sensitive data, and allows the leaking of information from other applications, the operating system, virtual machines in the cloud, and trusted execution environments.

RIDL – an attack that allows leaking of information across various security domains from different buffers, such as line-fill buffers and load ports, inside Intel processors. It demonstrates attacks on other applications, the operating system, other virtual machines and trusted execution environments.

Fallout – an attack that allows reading data the operating system recently wrote and figuring out the memory position of the operating system, strengthening other attacks.

Store-To-Leak Forwarding – an attack that exploits CPU optimizations introduced by the store buffer to break address randomization, monitor the operating system or to leak data when combined with Spectre gadgets.

Speculative execution – a feature found in Intel processors that helps the processor predict what a program needs next in order to improve performance.

It affects every Intel processor made since 2011. These processors can be found in all MacBooks, a large number of Windows PCs, most Linux servers, many Chromebooks, and even virtual machines in the cloud. The exceptions are AMD and ARM processors, which are not yet affected by the ZombieLoad attack.

How does the ZombieLoad attack work?

Weaknesses in speculative execution, which is widely used, are exploited to steal data from the processor. The processor speculates which operations will be requested in the next few milliseconds and, to save processing time, executes those speculated operations ahead of time. This is the weakness being exploited.

Because the speculated operations are executed before they are actually needed, their results are stored in the CPU’s short-term memory caches. The ZombieLoad attack allows attackers to read those results and steal the data directly from the CPU’s short-term memory caches.

That leaked data can be used to view:

  • What websites a person is viewing in real time
  • Browser history
  • Website content
  • User keys
  • User passwords
  • Disk encryption keys

You can see a clip of it in action on ZombieLoadAttack.com, also linked in the sources below.

Protecting your devices from the ZombieLoad attack

Because this occurs within the short-term memory cache of the CPU, this attack is not easily detectable. Neither antivirus software nor internet security suites can scan for the vulnerability and mitigate the risks. Basically, if you purchased an Intel CPU, or a computer with an Intel CPU, manufactured from 2011 onward, you are vulnerable.

However, fixes are in place and have been deployed across Windows PCs, Android devices, Macs, Linux, and Chromebooks. For more information, see Techradar’s article by Matt Hanson, “How to protect your devices against the ZombieLoad attack”, linked below.
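As an added check (not from the original post or the linked article), this Go program reads the status the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities and classifies each entry, flagging an mds line that still reports “SMT vulnerable”. It assumes a Linux kernel recent enough to expose these files; the status strings quoted in the comments are the kernel’s documented texts for the mds entry.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// sysfsDir is where the Linux kernel reports per-vulnerability status; the "mds"
// entry (ZombieLoad, RIDL and Fallout) was added together with the MDS fixes.
const sysfsDir = "/sys/devices/system/cpu/vulnerabilities"

// State summarises one status line.
type State int

const (
	NotAffected State = iota // "Not affected"
	Mitigated                // "Mitigation: Clear CPU buffers; SMT vulnerable" and similar
	Vulnerable               // "Vulnerable" or "Vulnerable: Clear CPU buffers attempted, no microcode; ..."
	Unknown                  // anything else (unexpected text)
)

func (s State) String() string {
	return [...]string{"not affected", "mitigated", "VULNERABLE", "unknown"}[s]
}

// Classify interprets the kernel's status text for one vulnerability file.
func Classify(status string) State {
	s := strings.TrimSpace(status)
	switch {
	case s == "Not affected":
		return NotAffected
	case strings.HasPrefix(s, "Mitigation:"):
		return Mitigated
	case strings.HasPrefix(s, "Vulnerable"):
		return Vulnerable
	default:
		return Unknown
	}
}

// SMTExposed reports whether the mds line still says "SMT vulnerable": the
// affected buffers are shared between sibling hyperthreads, so the buffer-clearing
// mitigation alone does not cover a sibling thread running untrusted code.
func SMTExposed(status string) bool {
	return strings.Contains(status, "SMT vulnerable")
}

// ReadStatus reads one entry, e.g. ReadStatus(sysfsDir, "mds").
func ReadStatus(dir, name string) (string, error) {
	b, err := os.ReadFile(filepath.Join(dir, name))
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

func main() {
	entries, err := os.ReadDir(sysfsDir)
	if err != nil {
		fmt.Println("cannot read", sysfsDir, "-", err, "(not Linux, or kernel too old to report)")
		return
	}
	for _, e := range entries {
		status, err := ReadStatus(sysfsDir, e.Name())
		if err != nil {
			continue
		}
		note := ""
		if e.Name() == "mds" && SMTExposed(status) {
			note = "  <- hyperthreading still exposed; disable SMT or accept the residual risk"
		}
		fmt.Printf("%-22s %-12s %s%s\n", e.Name(), Classify(status), status, note)
	}
}
```

On a Linux shell the same raw data is visible with `grep . /sys/devices/system/cpu/vulnerabilities/*`.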

Conclusion

Sometimes cyber attacks on system vulnerabilities aren’t so apparent. The Spectre and Meltdown attacks made us aware and prompted us to discover new security exploits. Knowing these exploits helps cybersecurity analysts and technology

Sources:
tom’s guide – ZombieLoad Attacks May Affect All Intel CPUs Since 2011: What to Do Now
ZombieLoad Attack
CPU.fail
Techradar – How to protect your devices against the ZombieLoad attack

Are your computers and devices secured? The importance of Anti-Virus Software

Anti-Virus software is still undervalued and misconceived today. “It costs too much” or “I have to subscribe yearly?” or “It slows my system down and takes up too much space.” The right questions end-users should ask themselves are “How much is my data worth?” and “How does this protect my assets?”

Over my 10 years of experience working in computer retail, as an independent IT professional, and as an employed IT professional, I have noticed that about 2 out of 10 end-users have anti-virus. Most of the time, 1 of those 2 knows what it does or how to use it. Time and time again, end-users purchase new machines that come with a free 30-45 day trial or none at all, and either assume or are told that Windows Defender is enough to protect their data and assets. Are your data and assets worth more than the price of a yearly subscription?

Protecting your assets and information should be worth the cost of a subscription. Having Anti-Virus software is not just about protecting you from viruses, even if you don’t do shady things or visit shady websites. Anti-Virus software adds another layer of security that protects you, your organization, and those on your networks against cyber threats such as:

  • Viruses that may slow your computer’s performance, corrupt data, and/or steal data and assets
  • Hackers who may steal and expose data and assets or sabotage systems/servers
  • Spammers/phishers who steal data and assets

Great Anti-Virus software usually has secure firewall features and the most recent security updates to keep your device secure. Ensuring that your network is secured by a firewall on your router is absolutely essential, as it adds another layer of security to your protective barrier. Having Anti-Virus software is essential and definitely lowers the risk of making yourself, your company, and your network vulnerable to cyber attacks.

Sources:
US Cert – Understanding Anti-Virus Software
SecurityZap – 7 Advantages To Installing Anti-Virus Software On Your PC

Data Breaches, Evil Twins, and Tax Fraud

It’s tax season again, and with it comes lots of tax fraud using stolen identities. Whether you are a tax preparer or a law-abiding citizen filing taxes, you are a target for cybercriminals. Data breaches are occurring in increasing numbers as cybercriminals target tax professionals to steal the identities of innocent individuals and file fraudulent returns. What are some ways you can prevent data breaches? I listed 10 things below that you can do as a tax professional or individual filer, but also refer to my previous blog post: You’ve been hacked and probably might not even know it – How to identify hacks, prevent them, and protect yourself.

10 things you can do to prevent data breaches and identity theft:

  • Think twice and confirm you are opening safe links in emails.
  • Always verify the sender’s email address on requests for private information.
  • In addition, contact the sender using a verified phone number not listed in the email to confirm that they requested the information.
  • To make it even safer, make all communication verbal or in person so you can always verify who you are speaking to.
  • Always secure client data or your own data by ensuring it is not left visibly on hardware or media devices.
  • Logout and close out of all tax software after use.
  • Use strong passwords, including passphrases and a combination of letters, numbers, and symbols, on all computers and tax software programs.
  • Use caution when granting remote access to your systems and verify access is being granted to trusted and authorized users with a business need to know.
  • Use reputable and trusted tax software from your local retail store or the software company’s valid website.
  • Safeguard your Electronic Filing Identification Number (EFIN).

Evil twins generated from data breaches are one of the worst cybercrimes. Taking simple steps can go a long way when it comes to protecting data and identity. If a data breach has happened to you or your firm, alert the Internal Revenue Service and the state agencies in every state in which you prepare or file returns. Since I’m a Minnesotan, this article includes resources from the State of Minnesota’s tax website, but should you find yourself in a similar situation, please refer to your state government’s website to report breaches and tax fraud.

Resources:
Identity Theft and Tax Fraud – State of Minnesota
Identity Protection: Prevention, Detection, and Victim Assistance – IRS

Is it time for you to close your Facebook?

Millions of people around the globe use social media such as Facebook every day. What happens to the trust of those users whose private information and/or credentials have been compromised? Failure to protect user data leaves it vulnerable during cyber attacks. Whether it be Facebook, another social media site, or any organization that holds private user information and credentials, that information could be yours.

On March 21, 2019, it was reported that 600 million passwords of Facebook users were not protected and were accessible to 20,000 Facebook employees. These passwords were stored in plain text, which means they were plainly visible and unencrypted. Facebook reported that there were no signs of misuse and that it was due to security failures. The issue was discovered in January 2019, Facebook reported.

The target here isn’t Facebook. It could happen to any other social media site or organization. The important thing is that organizations need to:

  • Review security of private user data
  • Notify users promptly of their exposed credentials
  • Prevent similar occurrences in the future (since this has occurred a few times in the past for Facebook)

Recall from my third blog entry about Credential Re-use. If poor security continues and users’ credentials and private data are not secured, this is a vulnerability. If a cyber attack were to occur and this information were compromised, the plain-text passwords could be re-used across the multiple sites for which users use the exact same credentials. Let’s face it, many people only use one password.

It is important for organizations that store private information to remember that they must enforce strict security measures and review the applications developed to log user information. Such occurrences will surely hinder the trust of customers. Would you continue to trust and support an organization that has you sign a privacy agreement but does not actually keep your data private?

Source:
Millions of Facebook passwords exposed internally

The Essential 8 – Strategies to Mitigate Cybersecurity Incidents

With tons of mitigation strategies out there, organizations often wonder which strategies to implement. A good baseline to follow is the Essential Eight, as recommended by the Australian Cyber Security Centre, an Australian Government agency. It should be implemented not only because it makes it harder for cyber attackers, but because it can save the time, money, and effort spent on large-scale cyber vectors, making the Essential Eight a cost-effective choice.

The Essential Eight:

  1. Application Whitelisting – to control and only allow authorized software to execute, blocking all other unauthorized applications.
  2. Patching Applications – ensures applications are up-to-date to remediate new security vulnerabilities.
  3. Configuring Microsoft Office Macro Settings – to block un-trusted macros in documents from installing malware.
  4. Application Hardening – blocking Flash Player, ads, and Java in web browsers to protect against vulnerable application functionality.
  5. Restricting Administrative Privileges – limit administrative access to systems to only authorized individuals.
  6. Patching Operating Systems – ensures operating systems are up-to-date to remediate new security vulnerabilities.
  7. Multi-factor Authentication – authenticates user identity and provides strong access controls through tokens, biometrics, and dual passwords.
  8. Daily Backups – a critical piece, as it maintains the availability of critical data and provides a disaster recovery strategy.

No mitigation strategy is guaranteed to prevent all cyber security attacks, due to many factors. But these simple and basic strategies will definitely help to mitigate cyber vectors. If you can ensure good practice of these strategies, you’ve already thickened the first layer of security for your business. Upon implementing the baseline, you can then pursue other business continuity plans to better secure your business’s assets in case this first layer is breached.

Sources:
https://acsc.gov.au/infosec/mitigationstrategies.htm
https://www.fortinet.com/blog/industry-trends/the-essential-8-asd-s-strategies-to-mitigate-cyber-security-incidents.html

Is Your Mobile Phone Secure?

Remember that one time you left your phone at the coffee shop, or maybe almost did? Remember visiting that website on your mobile phone and randomly receiving a pop-up informing you that “You’ve been infected! Please click here to remove the virus!”? These examples and many others have happened to most of us, but when they happened, did you secure your phone immediately afterward or ensure it was still secured?

Mobile phones are literally handheld personal computers, and a large share of the world’s population owns one, making mobile security a must. We conveniently use our phones for almost everything: browsing, payments, bills, emails, messaging, social media, e-shopping, navigation, home automation, you name it… it’s probably on the list. Our phones probably contain more private data about us than our wallet, our purse, or our mother. How do you ensure the security of all this information?

7 Basic Tips To Secure Your Mobile Phone/Device:

Set a Password – If you don’t already have a password set on your phone, set it now. Remember that one time you left your phone at the coffee shop and it wasn’t locked with a password? Someone could have sniffed through all your private information, and if you stored your payment information or use your phone to make payments at cash registers, someone could have made multiple charges without your consent. Setting a password ensures that no one can physically or virtually access your mobile device without first unlocking it with a password, PIN, or pattern that only you know.

Anti-Malware Protection – Whether you are using an iPhone or an Android device, both are at risk from malware. That’s right, iPhone users… even you. Purchase and install an accredited Anti-Malware application from your phone’s official app store. This can protect your mobile device from many types of malware attacks and malicious attachments, and prevent infection.

VPN – If you browse a lot, consider purchasing an accredited VPN app from your phone’s official app store. This will ensure that any e-shopping you do, data you enter and send, or sites you visit are encrypted, protecting your private information and the privacy of your browsing.

Use Official App Stores – Official app stores have very strict policies as to what can be published on the store. Very rarely will they pass an app that is malicious. When using a third-party app store, this security is not guaranteed, as malicious apps could be published on these non-official app stores. This is a high risk to you, as you could install a fake app posing as an official app, or an app that isn’t verified against security policies before being published.

Keep Your Phone Up-To-Date – To ensure that your phone has received all of its security updates, you should always keep your phone up to date and install updates as soon as possible. These updates could include patches for vulnerabilities found in your mobile device’s operating system or hardware.

Disable “Unknown Sources” For Android Devices – This should always be disabled, as you should not install applications from unknown sources. The exception is if you trust the source and know what you are downloading and what the risks are, but to be safe, disable this option.

Don’t Jailbreak Your iPhone – Jailbreaking can open up cool features on your phone, but at the same time it also exposes your phone to vulnerabilities. Security protocols could be bypassed in ways not intended by the manufacturer, in turn weakening the security of your device.

Next time you forget your phone at the coffee shop, the most you’ll lose is the device, as your phone’s information should be secured now if you followed the basic tips above. If you visited a malicious website unintentionally, you’ll be protected by your Anti-Malware application. You don’t have to take drastic measures to ensure the security of your mobile phone or device. These basic tips will surely do you more good and save you quite a few headaches.

Sources:
PCWorld – How to prevent mobile malware in 3 easy steps
Malwarebytes LABS – Top 10 ways to secure your mobile phone
Webroot – Bad Apps: Protect Your Smartphone from Mobile Malware

Your Eyes Will Open When You See These WorldWide Cyberattacks!

Has your interest and concern for cybersecurity been sparked yet? These visual real-time threat maps may widen your perspective and maybe even drop your jaw. Every second, someone or some organization is being attacked by hackers worldwide. Attacks don’t just happen in or from the U.S., and sometimes we are not the victims. Want to see who is attacking whom? Which industries are the most targeted? What types of attacks are occurring most frequently? There are many threat maps out there from great cybersecurity organizations, but I will list my top 5 threat maps below with a brief overview of what each offers.

Kaspersky

First on the list, and my favorite, Kaspersky Lab has the most interactive and visually appealing real-time map. The map provides you with options to select the type of detection, such as On-Access Scan, manually spin the globe to view and select any country in the world, or, if that’s too much eye candy for you, toggle to a flat map view. It also provides statistics on attacks, data sources, and recent buzz feeds on cyberattacks. Their data is based on the anti-virus/malware and scanning services at Kaspersky Lab.

FireEye

Although not as visually appealing as Kaspersky’s or most others, it is very simple and clean. It provides real-time data on the top 5 industries attacked in the past 30 days, the types of attacks, and the current number of attacks. There is not too much going on in this map, but it is easy on the eyes to see who the attackers are and who is getting attacked.

Norse

My second favorite is probably Norse Corp’s map, IPViking. It includes detailed information about live attacks, showing the timestamp, the attacker’s organization, location, and IP address, and the target’s (victim’s) location, service, and port number. Other information includes attack targets, attack origins, and attack types, which shows you the most frequent types in a transparent bar-graph style.

Arbor Networks Digital Attack Map

Unlike the others, this map allows you to travel back in time to see a history of attacks going back up to four years. This map is a history book compared to the others, but it provides you with options to choose from three types of attacks and to filter attacks by color, bandwidth, shape, and other historical data. This map can be an eyesore for some, as it is hard to see the attack lines and who is attacking whom. With the correct filters, it can be simplified. Their data is provided by 270+ Internet Service Provider customers worldwide.

ThreatCloud

Definitely a favorite for its simplicity and visual appeal. ThreatCloud’s site provides you with the option to filter the top targets of attacks by country and view each country’s average infection rate, most frequent attack source, and type of attack. It also displays a real-time chart of the time, type of attack, source, and target of the attacks.

Has your perspective widened a bit, or is your jaw still dropped? When you visually see how many attacks happen every second of the day, it’s no wonder Cybersecurity is a growing occupation. Cyberattacks happen every day, and it is important that people take preventative measures to protect their assets and that organizations properly secure themselves to mitigate daily cyberattacks.

Sources:
Kaspersky – Cyberthreat Real-Time Map
FireEye – Cyber Threat Map
Norse – IPViking Cyberthreat Map
Arbor Networks Digital Attack Map
ThreatCloud – Live Cyber Attack Threat Map