May 31, 2022
Good morning, everyone!
The latest critical vulnerabilities:
Patch All the Things!
Credential Stuffing attacks are on the rise
General Motors is among the latest organizations to report a data breach:
US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards.
Calling GM the “victim” in this scenario is misleading on two counts: (1) no GM corporate data was stolen; what was exposed was GM customers' personal information, and (2) this was not a break-in to GM's information systems, but a standard credential stuffing attack, in which the attackers simply logged in with customer credentials that had been stolen somewhere else.
You are probably asking yourself: what is a credential stuffing attack?
In this type of attack, cyber criminals take combinations of user names and passwords (“credentials”) stolen in past data breaches and try them, with automated tools and at high volume, against other sites, looking for people who reused the same credentials there. This is why re-using a password across multiple sites is so dangerous: once that password is stolen from one site, it unlocks every other site where you used it.
How do you protect yourself? Two ways:
(1) Don’t re-use passwords, especially on important websites that hold sensitive information (e.g., DOB, SSN, financial data, health data). Don’t re-use even part of a password: the tools behind these attacks automatically try common variations of a leaked password (adding a digit, a “!” or the current year), so a partially new password is far easier to guess than a brand-new one.
(2) Monitor whether your data shows up on the dark web (the Internet’s black market for stolen data). There are commercial services that will do this for you for a fee, but you can also sign up free of charge at https://haveibeenpwned.com to check whether your email address or other user name has appeared in a data breach, and get a notification if it shows up in a future one.
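As an added example (not from the original post), the check below shows how Have I Been Pwned's companion Pwned Passwords service lets you test a password itself, not just a user name, without ever sending the password anywhere: only the first five hex characters of its SHA-1 hash are sent to the range API at https://api.pwnedpasswords.com/range/, the service returns every matching hash suffix with a breach count, and the comparison happens on your own machine. The API response used in the demo is constructed so the code runs offline (the suffixes other than the one for “password” and all counts are made up); the hibp_range_lookup helper performs the real query if you want to run it online.

```python
"""Pwned Passwords k-anonymity check; demo response is constructed."""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char
    prefix that is sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn the 'SUFFIX:COUNT' lines returned by the API into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password, range_lookup):
    """How many times the password appears in known breaches (0 = never).
    range_lookup(prefix) must return the response text for that prefix,
    so the same code works against the live API or a canned response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def hibp_range_lookup(prefix):
    """Real lookup against the live service (network access required)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the live response to the prefix "5BAA6", which
# is the prefix of SHA-1("password"). The two other suffixes and all three
# counts are made up; the real response has hundreds of lines.
CONSTRUCTED_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "3F1E8A0CF7B2B7C0A23E4F6E1D2C3B4A5F6:12",
    ]),
}


def constructed_lookup(prefix):
    """Offline replacement for hibp_range_lookup using the canned data."""
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "Correct-Horse-Battery-Staple-42?"):
        n = pwned_count(pw, constructed_lookup)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the set")
```

Because the server only ever sees a 5-character prefix shared by a few hundred different hashes, it cannot tell which password you were checking; swap constructed_lookup for hibp_range_lookup to query the live service.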
Do it for others, if not for yourself
I often see people shrug their shoulders when I talk about securing home computers and devices. They say things like “I don’t have anything important on that computer” or “I don’t care if someone can see the camera feed from my front porch, it’s on the street!”
It’s not just about protecting your data; it’s also about preventing the bad guys from using your devices to attack others. Say what? Yep, sometimes the only way you know that your device has been compromised is when the FBI shows up at your front door with a warrant to seize all the computers in the house. I was reminded of this fact when this story from 2016, “The Chinese Hackers in the Back Office”, was referenced in an online conversation with colleagues:
“When they first told us, we said, ‘No way,’” Mr. Cate said one afternoon recently over pizza and cheese curds, recalling when he first learned the computer server his family used to manage its welding business had been secretly repurposed. “We were totally freaked out,” Ms. Cate said. “We had no idea we could be used as an infiltration unit for Chinese attacks.”
It’s not just small-business servers, though. “Smart” devices such as webcams are frequently hijacked by cyber criminals and enrolled in botnets (networks of compromised devices under a criminal’s remote control, often used to attack commercial and government networks). The most famous example is probably the Mirai botnet:
The Mirai botnet, composed primarily of embedded and IoT devices, took the Internet by storm in late 2016 when it overwhelmed several high-profile targets with massive distributed denial-of-service (DDoS) attacks.
I know that all of YOU take security seriously, or you wouldn’t have read this far today! But think about this the next time you hear someone else disparage the need for cyber security at home. It’s naive to think that you don’t have anything valuable on your home network – everything has value to someone somewhere, even if it’s just to use your device to attack a bigger target. Don’t let the bad guys use your stuff to commit crimes.
Secure Your Stuff!
Hope this gives you something to think about this week!
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺