Juice-Jacking: Trading Your Data for Power?

There are few things in everyday life that instill panic in us more than seeing the low battery indicator on our mobile phone. This is especially troubling during travel, when your mobile device might be frequently switching between cell towers and Wi-Fi and chewing up more battery than usual. To help us with this problem, charging stations have graciously been made available for free in many public places. While this free charge can breathe life back into our digital existence, it can also be the point at which your device becomes the victim of a cyber attack called juice-jacking.

What is Juice-Jacking?

Juice-jacking happens when someone connects their mobile device to a USB charging station that has been modified to not only charge the device, but to also copy data from…

Attack Of The Light Bulbs: How IoT Devices Are Used As Internet Weapons

With the rapidly changing world of connected devices, known as the Internet of Things (IoT), many people do not realize that these “things” are actually computers. The smart light bulb, the IP video camera, and possibly your new car, are all computers. They have operating systems (usually Linux), processors, memory and a network interface.

It is important to realize that these “things” are computers because you need to protect them from cybersecurity attacks the same way that you protect a standard computer. All computers, including all IoT devices, have vulnerabilities. When those vulnerabilities are discovered and vendors release patches, frequently it is the end user who is responsible for installing those patches. Left unpatched, the IoT device is vulnerable to attack.

Most of the big software companies like Microsoft, Apple, and Google have automatic patching systems that push patches out to vulnerable computers running their software, but most IoT devices do not. Even many home routers are not patched automatically, which leaves home networks vulnerable to attack because they are directly connected to the Internet and are not behind a firewall.

So why would someone want to attack your IoT devices? Do attackers really want access to your light bulbs? You may be surprised that the answer is yes.

Rainbow Tables: The Password Conundrum Part 4

In the fourth and final post in this series on passwords, I’ll talk to you about rainbow tables. I think the best way to get people to create and use good passwords is to teach them how passwords are cracked.

Long ago, when UNIX-like systems were used as shared servers and most people logged into them with “dumb terminals”, users could see who else had accounts on the system. This was convenient, especially in work or academic environments, and acted as a directory of sorts. So if Alice wanted to send an email message to Bob, she would just log on to the system and look at a file called /etc/passwd. This file showed each person’s username, name, and other information. This file also contained each user’s password in the form of something called a hash. Trend Micro explains that, “Hash values can be thought of as fingerprints for files”. The hash is a mathematical representation of the password that cannot be reversed or

Multi-Factor Authentication: The Password Conundrum Part 3

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how we can never remember a strong, unique password for every website, system, and application that we use.

In part 2, we talked about how a password manager can solve this problem and make your digital life much easier and more secure.

In part 3, I’ll explain multi-factor authentication and how to use it.

You don’t need an MFA (Master of Fine Arts) degree to use MFA (multi-factor authentication). Sorry for the acronym humor. MFA requires a user to provide an additional means of authentication or verification, in addition to entering a username and password. 

Before we delve into MFA, let’s talk quickly about authentication.

How Attackers Access Your Accounts Using Credential Stuffing

Almost every day we see headlines about some sort of data breach. The public is now almost numb to this news, and the reaction by the end users whose credentials were lost is typically to reset their password and move on.

This is likely not good enough for most people, because, according to a January 2019 study by Yubico and Ponemon, 51 percent of the respondents reuse their passwords across multiple accounts.

So why is it bad to reuse passwords across multiple accounts? Because bad guys will take that long list of usernames and passwords from data breaches, and use them in an attack called credential stuffing. I know, this sounds like a bad Thanksgiving side dish full of conference badges. Trust me, it’s worse!

Credential stuffing is when an attacker takes a long list of usernames and passwords and, using an automated script, tries each pair on many popular websites. Those sites could be business or email related, like Google, Apple, and Microsoft. They could be social media accounts like Facebook, LinkedIn, and Instagram, shopping accounts like Amazon, or any other popular sites, like banks and payment tools like Venmo.

Once the script is successful at logging into a site, that username and password pair is saved for later review and use by the attacker against other sites. So let’s walk through an example. Let’s assume that Bob reuses passwords across many of his accounts. He has a password for work accounts and a separate one for social media accounts. After the LinkedIn breach a few years ago, Bob’s username and password were made public when miscreants posted the list of breached account credentials to the Internet.

A threat actor, named Mary, decided to take that list and run it through her credential stuffing script. Once the script completed its test, Mary found out that Bob had reset his LinkedIn password, as instructed, but was still using the same password for Facebook and Twitter. Since Bob isn’t using multi-factor authentication on those sites, Mary was able to successfully log into, and take over, or even just watch, Bob’s social media accounts.

This is a common attack method and underscores the need for everyone to follow good cybersecurity practices. Below are three ways not to be in Bob’s position.

If you follow these three tips, you will no longer be an easy target of credential stuffing attacks.

Password Managers (The Password Conundrum: Part 2)

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how the crazy cybersecurity wonks tell us that we have to do unreasonable things like:

  1. Make passwords that are so complex that you can’t possibly remember them (long and multiple character sets)

  2. Make a unique password for every one of the tens or hundreds of sites and applications that we use. Oh, and they all have to be long and strong, which means we won’t remember them.

Today we are going to explain how you can achieve this and actually make your life more secure and much easier than back when you had to remember all of those passwords or look them up on a spreadsheet on your computer’s desktop. Enter, the Password Manager!

The Password Conundrum: Part 1

Long Passwords, Short Memories

The password is something we all love to hate. Many of us have to create hundreds of passwords and we are told by the paranoid cybersecurity experts to make them long and use all of the character sets on your keyboard so that they are not easy to guess. This also makes them difficult to remember, so what do most people do? They re-use passwords—which is also a big no-no.

While we all know these general rules, most people don’t know why they exist and what the real risks are. In this blog, I will help you understand the importance of following the rules when developing your list of passwords. 

Three Tips for Creating a Good Password

Below are three tips for creating complex and hard-to-hack passwords. 

  1. Make them long: There is some debate over the best minimum length of a password. Analysis from security expert Troy Hunt has shown that many of the sites we use do not require very long passwords. However, research from Georgia Tech Research Institute (GTRI) shows that the

Sextortion Revisited

Lately, a handful of friends and colleagues told me they received an email claiming that a malicious hacker had installed malware on their computer through a porn site. The email showed one of the recipient’s passwords and explained that the hacker has access to the recipient’s webcam and has a log of all of their keystrokes. Then the hacker gives the recipient two choices:

  1. Ignore the email, and a video of the recipient visiting the porn site will be sent to all of the recipient’s contacts.

  2. Or, pay a ransom in bitcoin, and the hacker will delete the video.

This email scam has been a popular phishing attack in 2018. As cybersecurity reporter Brian Krebs blogged about back in July, “Here’s a clever new twist on an old email scam that could serve to make the con far more believable.”

If you happen to receive one of these emails…

Protecting Yourself Online

Securing endpoints has always been a challenge, as they have been a favorite target of attackers. The problem of vulnerable computers goes far beyond securing your computer and home network. Any Internet-connected computer that has been compromised could be used as part of a botnet to attack and take down other Internet systems or even slow down large parts of the Internet. Cybersecurity is bigger than all of us and is the responsibility of everyone for the good and welfare of the Internet at large.

Home Network Segmentation: A Must In The IoT Era

Over my career, in addition to teaching computer science at the undergraduate and graduate levels at numerous universities, I have also created and managed some corporate cybersecurity education programs. In both I've found that getting the more critical concepts across to people is most effective when the message is personalized and can be applied at home as well as in their work.

Why Network Segmentation Makes Sense in Your Home 

Network segmentation is a simple concept that has been used by network administrators for decades, but only recently have we seen a real need to apply this concept in the home. There are a number of contributing factors:

  1. The rapid growth of Internet of Things (IoT) devices being added to home networks.

Phishing 2018

Phishing attacks have long been an effective way for attackers to trick people into divulging sensitive information or infecting a system with malware. Malware can give an attacker remote access to protected systems and networks, encrypt a user’s data and charge a ransom to decrypt the data, or use that system as part of an attack against other systems.

In March of 2017, Google stated that its machine learning models now can detect and stop spam and phishing with 99.9% accuracy. However, this is a cat and mouse game that has been played for years by the spammers/phishers on one side and the spam filter developers on the other side. Once the defenses get better against the latest spam attack methods, the spammers change their tactics to bypass the filters.

Below is an example of a fairly obvious spam email

General Cybersecurity Tips to Prevent Malware Infection

Use firewalls and firebreaks (network segmentation): Place devices behind firewalls to protect them from untrusted networks, such as the Internet. And, use network segmentation—splitting a network into separate networks that are isolated, not connected—so a compromise in one part of the network won’t compromise the other (i.e. human resources and finance). This works much like a firebreak, which is…

FBI Router Reboot Recommendation

As I am sure you have heard, the FBI is recommending that anyone with a home router or small office router reboot it. If you are not familiar with this FBI recommendation, then there are a few links at the end to get you up to speed.

The reason for the FBI's reboot recommendation is that a piece of malware, named VPNFilter, has infected hundreds of thousands of routers all across the Internet. Rebooting an infected router forces the malware to reload which will initiate an attempted connection to malware command and control (C&C) servers. The FBI has already taken control over some, if not all of the C&C servers so the reloading of the malware will do two things. 

Anatomy of a Phishing Attack

Phishing is the use of social engineering to obtain personal information for the purposes of identity theft. Phishing typically comes in the form of an email, disguised to look as if it was sent by a trusted source, and requesting personal information or authentication credentials.

As the tools to detect phishing become more effective, the phishing attacks themselves are becoming increasingly advanced and more difficult to identify.

This paper will show how a recent phishing attack from October 31, 2012, is representative of the type of attack that is not detected by spam filters and is likely to trick many recipients.