July 6, 2021
Good morning, everyone!
This week’s critical vulnerabilities:
Patch All the Things!
The dangers of using a single account to log into many accounts
I recently spoke to a professional group’s lunch meeting, and of course Password Hygiene was a major topic of conversation. It’s been so much in the news lately. One person in the audience asked a really good question:
What about websites that let you sign in using your Facebook or Google account, instead of creating a new account for that website?
Ah, good question! While I do generally advocate not creating accounts you don’t need, I absolutely do not recommend using a single account to log into other online accounts. Why is that?
(1) Sadly, many website developers don’t “bake in” good security. It’s easy for something to go wrong in the way the login process is implemented, leaving your login credentials to that other account vulnerable.
(2) Some web developers are actively trying to steal your credentials! Cyber criminals, remember? They steal for a living, but they do it online. Here’s a great recent example. Google recently discovered that nine Android apps downloaded more than 5.8 million times from the Play marketplace were actually trojans designed to steal users’ Facebook credentials:
In a bid to win users' trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices…. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.
Then, as Dr. Web researchers wrote: "These trojans used a special mechanism to trick their victims.... [T]hey loaded the legitimate Facebook web page [...] passed stolen login and password to the trojan applications [...] After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals."
Log in, log out
The story above illustrates another important tip I’d like to share: get in the habit of always logging out of online accounts when you are finished for the moment. Think of it like a light switch – you walk into a room, you turn on the light. You walk out of a room, you turn off the light. It’s a habit, right? Take that habit to your online world. You want to order something online? Log in, shop, check out, log out. Every. Time. When you don’t log out, you are leaving open an authenticated session that can be hijacked, just like the story above.
Yes, it’s a short newsletter this week. Hope you had a happy Fourth of July holiday weekend! I sure did ☺
Talk to you again soon!
Security Awareness Training Goes Live Again!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Thankfully, live training is making a comeback! So wherever you and your employees may be, I can deliver a fun and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺