This Week In Cybersecurity

This week on Between The Hacks: Will the head of CISA be fired?, Microsoft discourages SMS MFA, The North Face credential stuffing attack, a new smishing campaign revealed, and The Perfect Weapon becomes a documentary.

Top U.S. Cybersecurity Official Expects To Be Fired

Christopher Krebs heads the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Krebs, “worked on protecting the election from hackers but drew the ire of the Trump White House over efforts to debunk disinformation, has told associates he expects to be fired, three sources familiar with the matter told Reuters.”

According to the New York Times, there was speculation in Washington this week, that Krebs was high on President Trump’s list of officials to be fired after CISA released a statement from a government-led coordinating council saying that “there is no evidence” any voting systems were compromised and that the 2020 election “was the most secure in American history.”

Krebs joined the Department of Homeland Security in 2017 after working at Microsoft, where he directed cyberpolicy.

Additionally, Valerie Boyd, the DHS assistant secretary for international affairs, and Bryan Ware, the CISA assistant director for cybersecurity, have resigned, reports CNN.

Microsoft Discourages Use of SMS And Voice MFA

Multi-factor authentication (MFA), also known as two-factor authentication (2FA), is used to better secure user accounts from password attacks.

This week, Microsoft’s Alex Weinert wrote in his blog, “Today, I want to do what I can to convince you that it’s time to start your move away from the SMS and voice Multi-Factor Authentication (MFA) mechanisms. These mechanisms are based on publicly switched telephone networks (PSTN), and I believe they’re the least secure of the MFA methods available today.” This is a call for websites and apps to phase out SMS MFA in favor of stronger options such as a smartphone authenticator app. It is also a call for us, as end users, to choose stronger methods of MFA where they are available.

The weaknesses of SMS for MFA have been know for a long time. There have been numerous cybersecurity conference talks on the topic and Krebs On Security reported on The Limits of SMS for 2-Factor Authentication back in 2016.

While SMS is arguably the weakest form of MFA, it is still better than just using a username and password. Bitdefender wrote, “even vulnerable SMS-based MFA is better than no MFA at all.”

The North Face Suffers Credential Stuffing Attacks

The North Face resets passwords after a credential stuffing attack. The outdoor-gear retail giant, The North Face, disclosed that they forced a password reset for an undisclosed number of customers in response to a successful credential stuffing attack on October 9th.

A company spokesperson told BleepingComputer, "The perpetrator was not able to view any credit or debit card numbers, expiration data, nor CVVs, because that information is not kept on copy on thenorthface.com."

Threatpost reached out to The North Face for clarification and reports, “Beyond customers’ email addresses and passwords, cybercriminals may have accessed information stored on customers’ accounts at thenorthface.com. This includes details on products that have been purchased on the company’s website, items that have been saved to “favorites,” as well as customers’ billing addresses, shipping addresses, loyalty point totals, email preferences, first and last names, birthdays and telephone numbers – all data that is ripe for abuse when it comes to developing social-engineering tricks for phishing attacks.”

To learn more about credential stuffing attacks, read this article from Between The Hacks.

Mobile Payment Smishing Attack

As Between The Hacks addressed earlier this year, smishing (SMS phishing) attacks are on the rise and we are all vulnerable targets.

According to Naked Security, one of the latest smishing campaigns has the attackers sending victims an SMS text message, pretending to be from the victim’s mobile provider. The message states, “We haven’t received your recent bill payment, please update your details at [malicious URL] to avoid additional fees.”

If the victim clicks on the link, they are presented with a login screen that attempts to trick the victim into unwittingly providing their login credentials to the attacker.

To learn more about smishing, read Between The Hacks’ article entitled, How to Identify and Protect Against Smishing.

Tip of the Week

The Perfect Weapon: HBO Documentary

Between The Hacks’ Tip of the Week for July 4th was David Sanger’s book, The Perfect Weapon. At that time, we reported that the book was also being released as an HBO documentary later in 2020. Well the time has come and the movie is this week’s Tip of the Week.

If you have not yet read the book, add it to your list, it’s a “must-read.” Even if you have read the book, watch this documentary because it even addresses topics from 2020, after the book was published. Rather than being a video version of the book, this HBO documentary is more like a sequal as it covers some of the same back story but delves into the challenges of 2020.

You can watch the official trailer below and you can watch The Perfect Weapon on HBO.

Picture of the Week