Category: Tips For Everyone

  • Password Length: More than Just a Question of Compliance

    Password length is a topic we’re asked about a lot, and that makes sense because it can be quite confusing. There are several different compliance models that organizations use – from PCI to NIST to OWASP and more. Each has its own standards for password strength and password length.

    When it comes to penetration testing, the password recommendations that testers make are often more rigorous than compliance standards, and this leads to a great deal of stress, especially for organizations that have already spent time and effort implementing password rules that meet the compliance standards they’ve chosen.

    Why So Many Different Standards?

    First, speaking from experience, penetration testers see firsthand how weak and reused passwords are often a key part of achieving access over an entire domain (i.e. having administrative powers to view, add, edit, and delete users, files, and sensitive data, including passwords, for an organization’s Active Directory environment). While this is the type of success that pentesters strive to achieve, the true goal of a penetration test is to show organizations weaknesses so that they can close exploitation paths before malicious attackers find them.

    For this reason, Raxis penetration tests recommend passwords of at least 12-16 characters for users and at least 20 characters for service accounts. Of course, we recommend more than length (see below for some tips), but Raxis password cracking servers have cracked weak passwords in minutes or even seconds on internal network penetration tests and red team tests several times this year already. We don’t want our customers to experience that outside of a pentest.

    Post-It Notes With Passwords on a Monitor

    On the other hand, compliance frameworks are just that – frameworks. While their aim is to guide organizations to be secure, they do not endeavor to force organizations out of compliance with a stringent set of rules that may not be necessary for all systems and applications. For example, a banking website should require stronger credentials and login rules than a store website that simply allows customers to keep track of the plants they’ve bought without storing financial or personal information.

    If you read the small print, compliance frameworks nearly always recommend passwords longer than they require. It’s unlikely, though, that many people read the recommendations when working on a long compliance checklist when they have several more items to complete.

    Times are Changing

    Of course, time goes on, and even compliance frameworks usually recommend at least ten-character passwords now. The PCI (Payment Card Industry) standards that are required for organizations that process credit cards now require 12-character passwords unless the system cannot accept more than eight characters. PCI DSS v4.0 requirement 8.3.6 does have some exceptions, including still allowing PCI DSS v3.2.1’s seven-character minimum length, which is grandfathered in until the end of March 2025.

    This is a good example of PCI giving companies time to change. It’s been well known for years that someone who has taken the time and expertise to build a powerful password-cracking system can crack a seven-character password hash in minutes. This leaves any organization that still allows seven-character passwords with a strong threat of accounts becoming compromised if the hash is leaked.

    OWASP (the Open Web Application Security Project), which provides authoritative guidance for web and mobile application security practices, accepts 10 characters as the recommended minimum in their Authentication Cheat Sheet. OWASP states that they base this on the NIST SP 800-132 standard, which was published in 2010 and is currently in the process of being revised by NIST. Keep in mind that OWASP also recommends that the maximum password length not be set too low, and they recommend 128 characters as the max.

    The Center for Internet Security, on the other hand, has added MFA to their password length requirements. In their CIS Password Policy Guide published in 2021, CIS requires 14-character passwords for password-only accounts and eight-character passwords for accounts that require MFA.

    Other Factors

    This brings up a good point. There is more to a strong password than just length.  

    Digital screen showing a key

    MFA (multi-factor authentication) allows a second layer of protection such as a smartphone app or a hardware token. Someone discovered or cracked your password? Well, they have one more step before they have access. Keep in mind that some apps allow bypassing MFA for a time on trusted machines (which leaves you vulnerable if a malicious insider is at work or if someone found a way into your offices).

    Also keep in mind that busy people sometimes accept alerts on their phones without reading them carefully. For this reason, Raxis has a service – MFA Phishy – that sends MFA requests to employees and alerts them (and reports to management) if they accept the false MFA requests.

    MFA is a great security tool, but it still relies on the user to be vigilant.

    Raxis’ Recommendations

    In the end, there are a myriad of ways that hackers can gain access to accounts. Raxis recommends setting the highest security possible for each layer of controls in order to encourage attackers to move on to an easier target.

    We recommend the following rules for passwords along with requiring MFA for all accounts that access sensitive data or services:

    1. Require a 12-character minimum password length.
    2. Include uppercase and lowercase letters as well as numbers and at least one special character. Extra points for the number and special character being anywhere but the beginning or end of the password!
    3. Do not include common mnemonic phrases such as 1234567890, abcdefghijkl, your company name, or other easily guessable words. Don’t be on NordPass’s list!
    4. Do not reuse passwords across accounts, which could allow a hacker who gains access to one password to gain access to multiple accounts.
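    The four rules above can be turned into a policy check that runs wherever passwords are set. The following is an added example written for this post, not Raxis’s own code: the rule for “common mnemonic phrases” is generalised to any four-character slice of the digit and alphabet runs the post names, the common-password list is a constructed stand-in (seeded only with passwords named in this post) for a public list such as NordPass’s, and rule 4 is checked as reuse against a hashed history for the same account, which is the only form of reuse a single system can see.

```python
import hashlib
import string

# Policy constants taken from the four rules in the post.
MIN_LENGTH = 12
SPECIALS = set(string.punctuation)

# Constructed stand-in for a public "most common passwords" list; the
# entries are the passwords this post itself names as bad examples.
COMMON_PASSWORDS = {"password1", "12345", "ihatethiscompany!", "ihatemyb0ss"}

# Runs the post calls "common mnemonic phrases". Any four-character slice
# of one of these counts as a hit (a generalisation of the post's examples).
SEQUENCES = ("1234567890", "abcdefghijkl")


def fingerprint(password: str) -> str:
    """Hash used only to compare against a password history (rule 4).

    Illustration only: a real credential store keeps history under the same
    slow hash (bcrypt/argon2) it uses for the live password, not plain SHA-256.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, company_name: str = "", history=None) -> dict:
    """Evaluate one candidate password against the four rules.

    Returns {"ok": bool, "violations": [str], "bonus": [str]}.
    `history` is a set of fingerprint() values of the account's previous passwords.
    """
    history = history or set()
    violations, bonus = [], []
    lowered = password.lower()

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: all four character classes must be present.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special character": any(c in SPECIALS for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing " + ", ".join(missing))

    # "Extra points": every digit and special character sits in the interior.
    edges = {0, len(password) - 1}
    mixed_positions = {i for i, c in enumerate(password) if c.isdigit() or c in SPECIALS}
    if classes["digit"] and classes["special character"] and not (edges & mixed_positions):
        bonus.append("digits and special characters are not at the start or end")

    # Rule 3: easily guessable content.
    for seq in SEQUENCES:
        hit = next((seq[i:i + 4] for i in range(len(seq) - 3) if seq[i:i + 4] in lowered), None)
        if hit:
            violations.append(f"contains the run '{hit}'")
    if company_name and company_name.lower() in lowered:
        violations.append("contains the company name")
    if lowered in COMMON_PASSWORDS:
        violations.append("appears on the common-password list")

    # Rule 4: reuse, as far as one system can tell (previous passwords on this account).
    if fingerprint(password) in history:
        violations.append("matches a previously used password")

    return {"ok": not violations, "violations": violations, "bonus": bonus}


if __name__ == "__main__":
    # Constructed candidates; the company name is hypothetical.
    for candidate in ("Ihatemyb0ss", "Acme2024!", "Secure#Pass1234word", "Tr0ub4dor&3xample"):
        result = check_password(candidate, company_name="Acme")
        print(candidate, "->", "OK" if result["ok"] else result["violations"], result["bonus"])
```

    The check is deliberately advisory about the “extra points” rule: it reports the bonus separately rather than failing passwords that put the digit at the end, which matches the post’s wording.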

    There are two easy ways to follow these rules without causing yourself a major headache:

    1. Use a password manager (such as NordPass above, BitWarden, Keeper, or 1Password, amongst others). Nowadays these tools integrate with all of your devices and browsers, so you truly need to remember only one (very long and complex) password in order to easily access all of your passwords.
      • These tools often provide password generators that quickly create & save random passwords for your accounts.
      • They usually use Face ID and fingerprint technology to make using them even easier.
      • And they also allow MFA, which we recommend using to keep your accounts secure.
    2. Use passphrases. Phrases allow you to easily remember long passwords while making them difficult for an attacker to crack or guess. Just be sure to use phrases that YOU will remember but others won’t guess.

    And I’ll leave you with one last recommendation. On Raxis penetration tests, our team often provides a list of the most common passwords we cracked during the engagement in our report to the customer. Don’t be the person with Ihatethiscompany! or Ihatemyb0ss as your password!

  • Entering the Metaverse: You are the Real Commodity

    In case you’ve been locked in a cave for the past few months, I’m writing to warn you that the metaverse is nearly here. And by “nearly here,” I mean that it has been here for years in one form or another. The difference now is that Facebook changed its (corporate) name and the media has decreed that the metaverse shall be its new shiny object for a while.

    Reality 2.0?

    As to whether the metaverse is a cause for concern or celebration, the answer is both. It will certainly bring exciting new opportunities, especially on the social front. People have a need to interact with each other – as evidenced by the success of social media — and this technology promises to make it more convenient and fun. Imagine being able to feel like you’re sitting next to a family member who is, in reality, 2,000 miles away. 

    There are other benefits as well. For example, doctors might perform complicated surgeries for patients on the other side of the world. We could all climb Mt. Everest, dive the Great Barrier Reef, or trek to Machu Picchu without exposing ourselves to the existential dangers or creating more environmental impact. Our imaginations are really the only limits in a virtual world.

    As an ethical hacker and penetration tester, however, I can’t help but see the downside risks as well.

    Yes, it will be hacked.

    Starting with the obvious, all the same threats that exist in the current tech world will exist in the metaverse, and there’s a chance others may be created. For example, a phishing attack could provide an attacker with permissions to control your bank account or even become you by controlling your avatar. It will become extremely important to validate people that we interact with since “becoming” someone else’s avatar could be very convincing even in a real-time conversation.

    Blockchain technology seems like the odds-on favorite to protect against identity theft and fraud in the virtual world, but that will bring its own set of issues. So, the cat-and-mouse games between good and evil will carry on, but the stakes could get higher as we entrust more of our lives and ourselves to the metaverse.

    “Beyond the overtly malicious threats, it’s important to remember that the new virtual world is not being created as a social experiment or an act of altruism. It is big business, plain and simple.”

    Mark Puckett

    Like any responsible corporate leaders, Zuckerberg and company are only willing to invest incredible amounts of money because they intend to make a profit that justifies the risk. It pays to think about the ways they might go about that.

    Business in, business out.

    There have already been at least two $1M+ “real estate” transactions in the metaverse. For now, these investments are mostly speculative. However, as innovations in augmented reality (AR) bring it into the mainstream, they could pay enormous dividends.

    One reason is because reams of data will be captured in real time about the users and their environment.  Your location, the people you talk to, the items you browse at stores, the billboards you look at, the writing you read, and the words you speak can all be potentially stored. Images of bystanders that have not agreed to be recorded could be facially recognized and stored. 

    Certainly, controls will be in place to protect privacy, but a cyberattack could put this data at risk. There’s also the very real possibility that the people who own the virtual real estate will use the information they gather to control the way we experience it. 


    As just one practical example, imagine that you, in the form of your avatar, look at tents and camping gear in a store window. Without entering any information or clicking on any links, you’ve given a strong signal of interest. You might then start to notice mountains on the horizon, virtual trails along your path, and receive invitations to join clubs with similar interests.

    Sooner or later, you’ll find coupons for real-world excursions in your mail. You may even realize that some of your virtual friends are just skilled marketers or even bots.

    Hearts and minds in the mix.

    Now consider that it might not be a product, but a political candidate or point of view you’re being sold. Such an immersive experience puts a lot of power into the hands of the people who control that world.

    The most important point to remember about the metaverse is that you and I are its most important commodities. That’s why it’s helpful to know up front how much of ourselves and our privacy we’re expected and willing to give up as payment for the experience. 

    The good news is that, despite the media hype, we won’t all awaken one day as avatars. Just as social media consumed us bit by bit, so too will this new virtual world. My hope is that we truly learn the lessons from the former to improve our experience with the latter.

  • What Companies Should be Telling Investors about Cybersecurity

    As a customer, how much do you know about how major corporations handle your personal data? If you’re a shareholder in a company (or several), do you have any idea how well it is prepared for a cyberattack? What is the company protocol for publicizing a security breach?

    For the vast majority of Americans, the likely answer is no on all counts. And here’s the worst part: You won’t find out by reading their official filings with the Securities and Exchange Commission (SEC) or hear the topic come up on a quarterly earnings call.

    A recent study confirmed what a lot of us have known for a while – a lot of publicly traded companies still refuse to reveal the true nature of the threats they face and what they’re doing to mitigate them. Despite increasing pressure from the SEC, the report suggests that most would greatly prefer to stay silent, even after a breach has occurred.

    The report was assembled by the National Association of Corporate Directors (NACD), Security Scorecard, Cyber Threat Alliance, Diligent, and IHSMarkit. These organizations and companies are arguing for more cybersecurity transparency. In my view, this action is long overdue as ransomware and other serious threats grow in both frequency and severity, according to the authors.

    To be clear, as a CEO, I understand why some corporations worry they’ll face a competitive disadvantage if they are too forthcoming about risk. As a professional penetration tester (ethical hacker), I also appreciate their concerns about giving the bad guys in my line of work information that might be exploited or even help cybercriminals better understand the value of data they’ve stolen.

    On the other hand, I am also an investor and a customer. Wearing all these hats makes me frustrated that the government and Corporate America haven’t come up with a solution that puts everyone on a level playing field – including the people who are shouldering much of that risk in the form of their investments.

    In my view, that solution could be as simple as providing answers to three simple questions that would help me, as an investor or potential investor, decide whether to put my money on the table.

    • First, what assets do you have that are most at risk from a cyberattack? This might be intellectual property that can be stolen, customers’ personal information, the money in your corporate bank account, or all of the above and more. And it should address the potential impacts on upstream and downstream vendors and customers. The most important issue here is knowing that the company understands what it has to lose.
    • The next question follows logically: What are you doing to protect those assets? This doesn’t have to be a laundry list that describes each security layer in detail, but it should give readers a sense that the security is appropriate to stop the types of threats it anticipates. Again, what I really want to know is that the company is doing what’s necessary, not just providing a generic response that restates the question.
    • The third and perhaps most important question is whether the security has been evaluated and validated by experts outside the company. Former President Ronald Reagan famously described his policy toward the Soviet Union as “trust but verify” and that’s appropriate in the world of cybersecurity as well. Though we have to trust companies to be candid and truthful, there is a lot of value in having professional third parties provide independent analyses.

    Simply answering these questions is no guarantee that the company won’t be breached, but there is great value in the asking. For one, it keeps cybersecurity top-of-mind in the C-suites, ensuring that it factors into all major company decisions. It also gives policy makers a clear idea about our nation’s cyber resilience and exposes major shortcomings that can be addressed with legislation or regulation. And it provides peace of mind for people who are considering placing their hard-earned money in the company’s hands.

    In the wake of the far-reaching SolarWinds and Colonial Pipeline breaches, now is an excellent time to ask Congress and the SEC to work with publicly traded companies to find a workable disclosure template that better protects all of us.

  • Three Questions to Ask Before Connecting a Device to the Internet

    “In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.”

    Raxis Lead Penetration Tester, Scottie Cole

    I’m a gadget guy with a lot of IT experience, which of course makes me the pro bono tech troubleshooter for every friend and relative within 100 miles. It also means I’m the guy they call when they want to connect their latest gizmo to the Internet.

    I don’t usually mind helping, but I often find myself wondering if people are putting enough thought behind this race to connect to the Internet of Things (IoT). 

    Ha! Just kidding. I know for a fact that most aren’t putting any thought behind it.

    The allure of convenience, the snob appeal of being an early adopter, and the FOMO factor make it incredibly easy to sell these devices. But there’s no incentive to also talk about security issues – and that’s a big problem. 

    So, as a public service, I’m taking off my gadget-geek gear and putting on my professional hacker hoodie. Before you connect any device to the Internet, ask yourself these questions (and answer them honestly):

    Will I really use it as much as I think? This is about more than simply being frugal. The less you use a device or an associated app, the more likely you are to miss important updates and leave security patches uninstalled. You might not be paying attention, but hackers surely are. Which brings up a second question . . . 

    Can I secure it? Why don’t we pose that question to Alexa? Oh, wait. Can we trust her? Really, we only have a pinky swear from the company that she’s not spying on us. And that’s a potential problem with many devices. Even as a security professional, I can only control the security on my end. If it’s a centrally administered service, I have to also trust the company to protect access to the device as well. That’s why it pays to really read what they have to say about security. And that raises a third, even more important question . . . 

    What am I putting at risk if it’s hacked? One of the great IoT ironies is that some of the products sold under the guise of making us more secure are often the most vulnerable to attack. That means security cameras can turn into spy cameras. The ability to lock our doors remotely means they can be unlocked the same way. In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.

    A more urgent concern is that any device connected to your network can become a pathway for unauthorized access. If you think that’s unlikely, watch my colleague Scott Sailors hack a wireless mouse. From a practical perspective, that means you should segment your network so that, if your toaster is hacked, you’re not putting all your bank and credit card data at risk as well. 

    The reality is that connected devices are improving our lives dramatically and we haven’t even scratched the surface of their real capabilities. It’s exciting to realize that more and more devices are becoming smarter and more capable. In order to fully enjoy the advantages of being connected, we simply need to be realistic about our abilities, mindful of the risks we take, and diligent about mitigating them effectively.

    Companies hire the team here at Raxis to identify vulnerabilities and correct them before hackers can take advantage. As individuals, it’s up to us to do it ourselves.

    Of course, you can also call on a friend or relative to help. (Not me, though. I’m all booked up through the end of the year.)

  • What is Least Privilege Access?

    This week, we’re continuing to explore some of the most common vulnerabilities the Raxis team has discovered during thousands of penetration tests across the US. In the video above, Brian Tant, our chief technology officer, discusses the principle of ‘least privilege access’ and why it’s an essential component of an overall business cybersecurity strategy.

    Hopefully, you’ve watched the video and have a better understanding about why you should restrict permissions as much as possible and still allow team members to get their jobs done. If you still have questions or want to learn more about protecting your corporate network, please reach out.

    The Raxis team brings years of hacking and penetration testing experience to the table. We can use that experience to improve your skills and make your environment more secure.

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Notes From a Hacker: Yes, You Have to Use Your VPN – and Here’s Why

    Right now, across the globe, there are millions of exasperated IT helpdesk workers on the phone with an equal number of frustrated colleagues who are working from home, some for the very first time. I don’t have exact numbers, but I’m willing to bet that the most common issue they’re discussing is problems logging onto a company’s virtual private network (VPN). From my own experience, at least some of those end users (maybe you included) are asking, “Do we really have to do this?” 

    The answer is, yes, you do. And, because your IT team is likely overwhelmed right now, I’ll step in and share just a few reasons why a VPN helps keep your company safe from people like me.

    The most common threat someone faces on unsecured WiFi networks is a man-in-the-middle (MitM) attack, where a hacker inserts himself into the data stream between two endpoints. You’ve probably been cautioned about public WiFi – coffee shops, airports, etc. – for that very reason. Trust me, it will work on your home network as well.

    A successful MitM attack allows a bad guy to intercept or modify data in transit, including credentials or financial information. In fact, most wireless attacks are perpetrated with the goal of acquiring MitM access to user data. A VPN connection encrypts your data and makes it much harder for a hacker to steal.

    MitM is similar to another threat known as the “Evil Twin” attack. This is sometimes referred to as a rogue access point that exploits how wireless endpoints behave. When a phone, laptop, or tablet joins a wireless network, it will remember that connection. From that point forward, the endpoint will send out beacons looking for that network.

    Unfortunately for you, it’s easier than you think to trick your devices. We can use tools such as Mana or the WiFi Pineapple to respond to those beacons and create a fake access point. Your device will associate with it as though it were the legitimate network. From there we have a MitM and can intercept or modify data in flight, or even create fake captive portals to capture credentials.

    Other tools help attackers go after wireless networks directly by sending de-authentication packets, which cause devices to disconnect. When they attempt to reconnect to the network, they must re-authenticate. This process involves a four-way handshake in which a hashed form of the Pre-shared Key (PSK) is exchanged. A hacker can capture this handshake and attempt to crack it offline using tools such as Hashcat. If the hash is cracked, the PSK is revealed in cleartext.
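    Both behaviours described in the last two paragraphs leave visible traces that a network team can watch for. The sketch below is an added example written for this post, not Raxis’s code: the access-point inventory, BSSIDs, SSIDs and the management-frame log are all constructed values. It flags a BSSID that advertises the protected SSID without being on the inventory (an Evil Twin), or that advertises it as open rather than with the expected WPA2 security (the fake captive-portal case), and it flags a burst of deauthentication frames above a rate threshold. Because deauthentication attacks spoof the real access point’s address, the rate is the signal, not the sender.

```python
from collections import defaultdict

# Constructed inventory (hypothetical BSSIDs): the access points that are
# allowed to serve the protected SSID, and the security they must advertise.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
EXPECTED_SECURITY = {"CorpWiFi": "WPA2-PSK"}

# Constructed beacon observations: (ssid, bssid, advertised security).
BEACONS = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2-PSK"),
    ("CorpWiFi", "aa:bb:cc:00:00:02", "WPA2-PSK"),
    ("CorpWiFi", "de:ad:be:ef:00:01", "OPEN"),    # twin with no encryption: captive-portal bait
    ("CafeGuest", "11:22:33:44:55:66", "OPEN"),   # not a protected SSID, ignored
]

# Constructed management-frame log: (seconds since start, frame subtype, source BSSID).
# The burst is logged under the legitimate AP's address, as a spoofed attack would be.
FRAMES = (
    [(float(t), "beacon", "aa:bb:cc:00:00:01") for t in range(0, 100, 10)]
    + [(12.0, "deauth", "aa:bb:cc:00:00:02")]                      # one benign deauth
    + [(40.0 + i * 0.2, "deauth", "aa:bb:cc:00:00:01") for i in range(12)]
)

DEAUTH_THRESHOLD = 10   # more than this many deauths in one window is suspicious
WINDOW_SECONDS = 5.0


def find_rogue_aps(beacons, known=None, expected=None):
    """Report BSSIDs that advertise a protected SSID but are not on the
    inventory, or that advertise it with the wrong security setting."""
    known = KNOWN_APS if known is None else known
    expected = EXPECTED_SECURITY if expected is None else expected
    findings = []
    for ssid, bssid, security in beacons:
        if ssid not in known:
            continue
        if bssid not in known[ssid]:
            findings.append(f"unknown BSSID {bssid} advertising {ssid} (possible evil twin)")
        if security != expected[ssid]:
            findings.append(f"{bssid} advertises {ssid} as {security}, expected {expected[ssid]}")
    return findings


def find_deauth_bursts(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Report BSSIDs whose deauth frames exceed `threshold` within any
    `window`-second span (sliding window over sorted timestamps)."""
    per_bssid = defaultdict(list)
    for ts, subtype, bssid in frames:
        if subtype == "deauth":
            per_bssid[bssid].append(ts)

    findings = []
    for bssid, times in per_bssid.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            findings.append(f"{bssid}: {best} deauth frames within {window:g}s (possible deauth flood)")
    return findings


if __name__ == "__main__":
    for finding in find_rogue_aps(BEACONS) + find_deauth_bursts(FRAMES):
        print("ALERT:", finding)
```

    In a real deployment the beacon and frame records would come from a monitor-mode capture or a wireless controller’s logs; the thresholds above are illustrative and should be tuned to how often the network’s own access points legitimately deauthenticate clients.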

    The most widely used toolkit is the Aircrack-ng suite of tools, which includes Airmon-ng for capturing wireless traffic, Aireplay for injecting wireless packets, and Aircrack for cracking the PSK. Other tools such as WiFite offer a menu-driven interface that automates a wide variety of attacks.

    You may be thinking these tools are rare and hard to find, but that’s not the case. Both hardware and software are readily available and relatively cheap. They’re also very simple to set up and operate. 

    My point is that it can be relatively easy for a hacker to compromise your home WiFi. By contrast, your IT security team has a number of safeguards in place to protect you and the company’s network from the tools and tactics I described above. Extending that protection to those working remotely is the reason you have to use your VPN.

    Does that mean you can’t be hacked? Certainly not. But it does make my job a lot harder and it probably will cause me to move on – to another employee, another method of attack, or best case, another company.

    Preferably one that doesn’t use a VPN for remote workers.


  • Raxis COO Shares WFH Cybersecurity Tips on Columbus, Ohio’s Fox 28

    “Protect your data in the same way you protect your health.” That’s the main message our own Bonnie Smyre delivered today in an interview on Good Day Marketplace, a popular television show in the Columbus, Ohio area.

    Raxis COO, Bonnie Smyre, on Good Day Marketplace

    Bonnie explained to host Shawn Ireland and her audience that hackers and scammers know that Americans are worried about COVID-19 and are hungry for reliable information now. That’s why it’s important to only visit sites you know are safe and never click links inside unsolicited emails. She also talked about the importance of keeping personal information off your work devices.

    Bonnie cautioned that, even though slow Internet speeds can be frustrating, don’t disable spam and virus filtering or endpoint protection in hopes of speeding things up.

    Check out Bonnie’s full interview below here: https://myfox28columbus.com/sponsored/good-day-marketplace/gdm-raxis-information-security

  • Celebrate National Cybersecurity Awareness Month Through Security

    Each October the NICCS (National Initiative For Cybersecurity Careers And Studies) leads National Cybersecurity Awareness Month (NCSAM). This year the focus is on personal accountability and taking proactive steps both at home and at work. Raxis is joining in the fun by offering tips that we all can try at home and in the workplace (or school), no matter our age or what we do.

    Computer & Smart Phone Basics

    These tips are the same ones you’ve been hearing for years, but it’s always good to have a reminder.

    Apply updates to your devices. The IT department at your office is likely handling this there, but it doesn’t hurt to check and be sure your operating systems and software are running current, patched versions. This is also important for your personal devices. Watch for notifications that it’s time to update your operating system and keep software that you buy up to date. Almost all software has a place (Updates, Preferences, Settings) where you can check to see if you are on the current version. Most vendors watch for security news and provide patches and updates as soon as they fix issues. And don’t forget smart devices, such as phones, tablets and household products like cameras and lighting systems. Such devices can be easy to overlook, and hackers often focus on them because they know that.

    Set passwords/passcodes on your computers and smart devices. Your kids may “hack” your phones by entering the passcode that you’ve told them and posting amusing Instagram photos, but, when you misplace your phone while out, you will appreciate setting that passcode so that a stranger doesn’t have access to your private information including sending texts, reading your emails, or erasing your phone for their own use. The same applies to computers. Step away for a few moments, and you don’t know if someone has stopped by to look at your private downloads or browser history.

    Use strong passwords. While on the topic of passwords, please don’t use 12345 or Password1. It’s often tempting to set easy passwords or the same password for every login to save time and make passwords easier to remember. Hackers count on that. Some websites allow hackers to guess many passwords until they find the right one, and, once they have it, they may try it to log in to your other accounts or even sell the password to other people. Raxis gives tips on setting passwords that are easy to remember but hard for others to guess here: The Weakest Link in the Password Hash.

    WiFi Networks

    Nowadays all sorts of places from coffee shops to hotels have free WiFi guest networks. It’s convenient to join these, and you can do that safely if you follow a few rules. While connected to these networks, there is a chance that a hacker could be watching your internet traffic, including passwords as you log in to sites and private information that you enter in websites or upload to the cloud. If you’re logging in to check a score or find the closest pizza parlor, there’s probably nothing for a hacker to steal. But if you plan to stay on the WiFi network for a while or do anything that may be private, Raxis advises you to use a VPN tool such as Private Internet Access (PIA) while connected to the guest WiFi network. Tools such as PIA have apps for your phones and tablets as well as software for your computer, and they often charge a low monthly or annual fee so that you can use the service at any time. Once you connect to the guest WiFi network, start PIA, and it will encrypt your internet traffic so that an attacker attempting to watch your secure data only sees gibberish.

    Setting up a home WiFi network. When setting up your WiFi network at home, either through tools from your local cable, phone or satellite service, or with your own wireless router, be sure to set a strong password (see above) on the administrative webpage where you set up the WiFi network. Though these sites appear to be personal for your home, the signal often travels outside and to neighbors’ houses. If you leave the site with no password or an easily guessable password, someone nearby could change your settings. Raxis also advises that you set a password to join your home wireless network. Though you’ll likely share this with friends and family, it makes it harder for someone nearby to join without you knowing.

    Use WPA2. Your router setup likely has several options for the wireless security protocol and sometimes defaults to a weak protocol. The WEP and WPA protocols are about 20 years old, and exploits are easily available on the internet. Several varieties of WPA2 are available on most routers, and any of these should work well for a home network.

    Social Engineering & Phishing

    Many hackers and thieves look for a simpler way to get the information and access they want.

    Email, fax and phone (calls & texts) phishing campaigns have become very realistic and are often difficult to distinguish from legitimate messages. Hackers can steal your information by talking you into telling them, tricking you into entering your private information, such as credentials, on their malicious webpage, or even automatically stealing credentials or infecting your computer when you open a link that they send you. At Raxis we advise our customers to stop and think before acting. Many companies, such as banks and stores, provide contact numbers and forms that you can call to confirm the information.

    It may seem brazen, but the easiest way to get access to businesses, apartment buildings, or other shared spaces is to act like you belong and see if someone lets you in. Once inside, it’s rare for people to confront others about whether they belong there. Raxis recommends not holding locked doors for people you don’t know, as well as keeping confidential information and keys hidden in case someone does gain access. If someone appears suspicious to you, you don’t have to confront them. Let a security guard, receptionist, or someone in authority know.

    The most important thing to remember is, to quote the Department of Homeland Security, “If you see something, say something.” This is the case whether at work or at home. Check with your manager or IT department or check with your neighborhood watch or HOA. If you are not sure about an email from your bank, contact them about it; if it’s a scam, they may want to inform other customers. If you see someone acting suspiciously, report it or ask around.

    Raxis provides more information in the following series of blog posts:

    Stay Safe & Secure Out There!

    As the holiday season gets closer, remember that focusing on cybersecurity is not just for the month of October. When we focus on security in our daily lives, we can work together to make things more difficult for hackers and thieves. Let’s all do our part.

  • Helping Nonprofits and Other Growing Businesses Understand Security Risks

    I’m excited that NTEN, the Nonprofit Technology Network with more than 50,000 community members, invited me to be a guest blogger this week.

    It’s important that nonprofits avoid the mindset that leaves so many businesses vulnerable. Specifically, I’m talking about the idea that they are too small or have too little money to be of interest to scammers, hackers, and other cyber criminals. The truth is that the bad guys often don’t discriminate, and you may have something they want more than money.

    For example, if you keep detailed donor records, that personally identifiable information (PII) might be devastating in the wrong hands. A skilled hacker or social engineer can do a lot with names, email addresses, and phone numbers alone. Add in Social Security numbers or bank account information, and you may be sitting on a gold mine for a malicious actor.

    Some of today’s most serious threats are driven by political goals more than financial interests. In many cases, these are well-financed state-sponsored attacks, and your organization may have data that can help them breach a government agency’s security or social engineer their way into a large corporation.

    And forget about hackers leaving you alone because of your mission. After my years in the cybersecurity sector, I’m no longer shocked at how low some of these black hats will go. We’ve seen hospitals and health care organizations, charities, churches, schools, and other do-good groups fall prey.

    The saddest part is knowing that some of these attacks were successful for the very reasons the organizations thought they would never happen. To a hacker, the idea that you’re too small to notice may mean they see you as an easy target, even if you’re only one step toward their larger goal.

    If you’re a nonprofit leader, board member, or even a volunteer, please take a moment to check out the article above. You may find some nuggets that will help you help your organization avoid a breach. And that may be the most important contribution you can make to your favorite cause.

  • Public USB Charging Ports & Their Potential Security Risks

    How many times have we found ourselves with a nearly depleted mobile device and no charger cable? Despite the array of adapters and cables that are available, on occasion we are found without our charge cable and a nearly dead phone or tablet battery. Increasingly, public locations are providing native USB convenience charging stations for the modern day smart device. It’s a common oversight to plug our devices into these public charging outlets without considering the risks in doing so.

    What have you done??

    Honestly, odds are, you’re simply charging your phone as expected. But the truth is you just don’t know. This is due to the nature of the USB interface and the fact that it has the capability to transmit both power and data.

    Charging ports that seem innocent enough can be a hotbed of disaster waiting to happen. By exploiting the USB data connection to your device, malware can be transferred onto your device, revealing critical information to a malicious actor. You would likely never even know.

    That charging device might not have even been placed by the establishment that you assume has placed it. A bad actor could simply drop the device in a public area waiting for the unassuming person to walk by and plug in their device.

    The reality is that most charging ports are legitimate and pose no real threat, but you also never know for sure.

    Here are some suggestions to keep yourself safe while using a public charging station:
    • Do Not plug your device’s USB cable into an untrusted USB port, such as those commonly found on public charging stations.
    • Always carry your own charging cable and wall adapter with you.
    • If you use a public station, practice situational awareness and assess the threat level of interfacing with the charging station.
    • When you plug your device in, never agree to trust the source or allow it any type of control on your phone. These functions vary by device type and model.

    The Threat of Malware

    The installation of malware is a key way to gain unauthorized privileges on a device, whether it arrives through a charging port, a free or found USB drive, a link in an email, or a malicious website. Cyber criminals are getting increasingly savvy in their attack vectors. This means you must be even more diligent than ever before to protect yourself from this emerging threat.

  • Dual LG 5K Monitors on the 2016 MacBook Pro

    The new LG UltraFine 5K monitors with the USB-C/Thunderbolt 3 ports are simply amazing. A perfect match for the 2016 MacBook Pro with TouchBar.

    Unfortunately, I lost a little time trying to set them up as they had worked once using both of the ports on the right side of the MacBook Pro. Then, one monitor stopped working. It was always the 5K monitor that I plugged in second, leaving me with the use of only one monitor. Even after a reboot, only one of the monitors would work.  

    I spent time on Google and Apple’s website trying to figure it out with zero luck, and then went on a tangent deleting plist files, clearing the PRAM, resetting the SMC, and trying to manually adjust monitor settings from the command line. No, you don’t need any of that. Even though it’s not all that related, I’m posting this on our information security blog with hopes that I save someone some trouble setting them up. It’s really simple – there are two Thunderbolt 3 buses on the new MacBook Pro. The two ports on the left create bus 0, and the two ports on the right create bus 1. You can see the currently connected devices in the System Information utility. Connect one of your 5K monitors to one bus, and the 2nd one to the other bus. Problem solved. For some reason I thought the port configuration was different, and I do think it would be nicer to have both bus 0 and 1 on each side of the machine so the cables would be more organized. Oh well.

    System Information reporting Thunderbolt 3 Bus connections

    I still don’t know why both monitors worked on one bus before. I didn’t use it that way very long, so I’m guessing it somehow was set up in 4K resolution. The Mac Pro works the same way; there are actually three Thunderbolt 2 buses on the system. In case anyone was wondering, I took the background images myself from Tortola and the Baths on a Canon 5D Mark III fitted with an L Series 28-135mm F/4 lens. They look simply amazing in 5K. Anyway, hopefully this helps someone!

  • The Weakest Link in the Password Hash

    Your password is strong – but is everyone else’s?

    We spend considerable time trying to make sure our passwords are strong. But we also need to spend time educating our user base on why password strength is important.

    It is not uncommon for a hacker to establish his foothold in an environment by first compromising a weak or insecurely stored password. Once a base level of authenticated access is established, it becomes a matter of time before privilege escalation is achieved.

    So, while your password might be a strong 16 character, alphanumeric with symbols stronghold, your administrative assistant might still be using s0ftc@t1 (which, by the way, would crumble under a modest brute-force attack in less than 48 hours) as hers. If we can get that weak password we can extrapolate from there and gain access to other accounts.

    Important lessons to teach:
    • Use of symbols to recreate letters (e.g. @ for a, ! for i) is not that useful. Rule-based brute-force attacks use dictionaries and account for common character substitution techniques.
    • Longer is better – an 8 character password is trivial for a skilled hacker regardless of its complexity. Currently, adding a single character and increasing the length to 9 characters extends the time it takes to crack the password to a couple of months.
    • Use random letters and numbers.
    • Capital letters should be used along with non-capitals, but refrain from making the first character the capitalized letter (we expect that and hack for it).
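
    The first two lessons above can be turned into a policy check. The following is an added example, not code from the original post or from Raxis: it mangles the common letter-for-symbol substitutions back to plain text the way a rule-based attack would, tests whether the result reduces to dictionary words, and checks length and the first-character-capital habit. The wordlist, the substitution table and the 12-character minimum are constructed for the demo.

```python
import re
from itertools import product

# Constructed wordlist for the demo; a real check would load a large
# dictionary or breached-password list from a file instead.
WORDLIST = {"soft", "cat", "password", "summer", "welcome", "drop", "box",
            "face", "book", "bank", "admin", "love", "secret", "monkey"}

# Symbol -> letters it usually stands in for; rule-based cracking tries these.
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "il", "!": "i",
                 "0": "o", "5": "s", "$": "s", "7": "t"}

MIN_LENGTH = 12  # assumed policy minimum for user accounts


def segments(word, wordlist):
    """Split `word` entirely into dictionary words, or return None."""
    memo = {}

    def solve(i):
        if i == len(word):
            return []
        if i not in memo:
            memo[i] = None
            for j in range(i + 1, len(word) + 1):
                rest = solve(j) if word[i:j] in wordlist else None
                if rest is not None:
                    memo[i] = [word[i:j]] + rest
                    break
        return memo[i]

    return solve(0)


def unmangle_candidates(password):
    """Yield every plain-text form a substitution rule would try."""
    options = [SUBSTITUTIONS.get(c, "") + c for c in password.lower()]
    for combo in product(*options):
        yield "".join(combo)


def assess(password):
    """Return policy findings for `password`; an empty list means it passed."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if [i for i, c in enumerate(password) if c.isupper()] == [0]:
        findings.append("only capital letter is the first character")
    for cand in unmangle_candidates(password):
        core = cand.rstrip("0123456789!@#$%^&*-_+")   # drop the usual tail
        pieces = [p for p in re.split(r"[-_+ .]", core) if p]
        splits = [segments(p, WORDLIST) for p in pieces]
        if pieces and all(s is not None for s in splits):
            words = "+".join(w for s in splits for w in s)
            findings.append(f"reduces to dictionary words: {words}")
            break
    return findings
```

    Running `assess("s0ftc@t1")` reports both the length problem and that it is really soft+cat, while the post's root-plus-tag password `yyT73p@55c-dr0p` passes because the root does not unmangle to any word.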

    Consider multiple roots

    One trick is to use a 10 character base such as: yyT73p@55c

    Now remember that (see next section for tips).

    Now make it unique. By adding a “-” or a “+” or “_” and then a system identifier such as:

    yyT73p@55c-dr0p (say, for Dropbox)
    yyT73p@55c+f@cE (for Facebook)
    yyT73p@55c_BoA (for Bank of America)

    Now you have a super strong random root, followed by a symbol with a dictionary word including caps and symbols if you wish.

    Using this formulaic approach it’s possible to take a 10 character root and create a different password by creating an easy to remember tag. Now your passwords are 14+ characters long and easy to remember.

    Consider rhyme and pattern

    One trick I use for remembering that root is putting it in a rhythm and rhyme pattern that makes sense to me. This was a trick taught to me by a security engineer years ago, and it’s worked. In the case of yyT73p@55c, every third letter (and the 4th at the end) rhymes, and I have a pace to it.

    Different root for types of systems

    Now. If you want to supercharge the geek (and help save your butt from mass hack password releases) consider having a small handful of root passwords. Perhaps one you use for social, one for finance, and one for work.

    Using that approach still only requires you to remember 3 base passwords, but, in doing so, you’ve strengthened your password repertoire considerably.

    Change the root

    Regardless of the strength of our passwords it’s still best practice to change them frequently. Using the root system all you need to do is periodically change the root and you’ve reset any exposure to compromise you may have had.

    BONUS ROUND.

    If you really care about security for a specific site (say, your bank), use a unique username. It doesn’t have to be crazy. If you tend to use “sally15” as your main username try using your last name “sanders15” for the bank. Use the same password root as above – but now you’ve got a unique username and a unique password that is associated with that one service.

    The Struggle is Real

    Getting your employees to use strong passwords is an uphill battle, but it’s a critical one. Remember – we are looking for the weakest link. Once we get a toe in the door it’s usually all we need before we spread like cancer in your system.

    By utilizing a simple system, such as the one suggested here, you can increase the chances of your employees maintaining difficult passwords and strengthening their online security.