On December 15, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) issued a Secure by Design Alert and guidance on “How Manufacturers Can Protect Customers by Eliminating Default Passwords.”

The guidance was created by CISA to “urge technology manufacturers to proactively eliminate the risk of default password exploitation by implementing principles one and three of the joint guidance, ‘Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software’”:

  • Take ownership of customer security outcomes.
  • Build organizational structure and leadership to achieve these goals.

It is CISA’s conclusion that if software manufacturers implement these two principles, they “will prevent exploitation of static default passwords in their customers’ systems.” Since threat actors are exploiting default passwords, CISA is urging manufacturers to proactively eliminate them so customers can’t use them, and they can’t continue to be exploited. According to CISA, “Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations.”

May software developers listen and respond to CISA’s urging to help keep their customers safe from known threats.

Do you use 123456 as a password? We hope not, as it was the number one most common leaked password on the dark web according to a recent article from cnbc.com. Other common passwords were 111111, ABC123, and, of course, Password. The list of 20 common passwords was identified by the company, Lookout, from passwords found on the dark web as a result of data breaches. Why are we using such easily guessed passwords? We may all be suffering from a bit of “password fatigue,” which Wikipedia defines as “the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to logon to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine (ATM).”

So, what can you do if you have password fatigue? It is important not to use the same password across multiple websites or apps. Other tips include avoiding common, obvious passwords such as a set of consecutive numbers or letters. When you create a password, try to use a phrase that only you would understand or remember. Another tip is to avoid using passwords that contain personal information such as names of pets, children, or birthdays. Keeping a list of passwords on your phone or computer is also not recommended, so consider using a password manager. Finally, many apps now allow for the use of multi-factor authentication, which can add an additional level of security.

When you are educating your employees about the importance of maintaining a complex password or passphrase, share this story to show why it is so important and to emphasize not to use the same or similar passphrases across multiple platforms. It is not just a matter of getting into the company’s systems, but also one of national security.

This week, Microsoft shared research “that it is likely” that Iranian-backed hackers launched attacks against more than 250 U.S. and Israeli defense contractors and global maritime companies through Office 365 accounts, and were successful 20 times.

The Iranian-backed hackers used a “password spraying” technique, that is, rapidly spraying accounts with compromised passwords to see if one will work. It is disappointing to see how often this technique works to access an account. It works because employees are using the same password across different platforms, which the hackers know, and when a password is compromised and sold on the dark web, they know where and when to use it, with devastating consequences.
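The spraying pattern described above leaves a recognizable trace in sign-in logs: one source address failing against many different accounts with only a few attempts each. The following is an added example, not code from this post or from Microsoft’s research, that scans constructed sign-in records for that pattern and reports any account that then succeeded from the same source; the record format, the ten-minute window and the thresholds are assumptions.

```python
"""Added example: flag password-spraying patterns in constructed sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, "timestamp,source_ip,account,result"; not real log data.
SAMPLE_LOG = """\
2023-12-01T09:00:01,203.0.113.7,alice@example.com,FAIL
2023-12-01T09:00:03,203.0.113.7,bob@example.com,FAIL
2023-12-01T09:00:05,203.0.113.7,carol@example.com,FAIL
2023-12-01T09:00:07,203.0.113.7,dave@example.com,FAIL
2023-12-01T09:00:09,203.0.113.7,erin@example.com,FAIL
2023-12-01T09:00:11,203.0.113.7,frank@example.com,SUCCESS
2023-12-01T09:05:00,198.51.100.4,alice@example.com,FAIL
2023-12-01T09:05:30,198.51.100.4,alice@example.com,FAIL
2023-12-01T09:06:00,198.51.100.4,alice@example.com,SUCCESS
"""

def parse_lines(text):
    """Turn the CSV-style lines into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                        "account": account, "result": result})
    return records

def detect_spraying(records, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """One source failing against many accounts, few tries each: the spray signature.
    A single account hammered from one source (brute force) is deliberately not flagged;
    that is a different rule. Window and thresholds are assumptions."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        fails = sorted((r for r in recs if r["result"] == "FAIL"), key=lambda r: r["ts"])
        for start in fails:
            end = start["ts"] + window
            per_account = defaultdict(int)
            for r in fails:
                if start["ts"] <= r["ts"] <= end:
                    per_account[r["account"]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # A success from the same source inside the window is the urgent part.
                succeeded = sorted({r["account"] for r in recs if r["result"] == "SUCCESS"
                                    and start["ts"] <= r["ts"] <= end})
                alerts.append({"ip": ip, "start": start["ts"].isoformat(),
                               "accounts": sorted(per_account), "succeeded": succeeded})
                break  # one alert per source address is enough
    return alerts
```

The second source in the sample, which retries one account three times, is not reported: that is a brute-force pattern, not a spray, and the two deserve separate rules and separate responses.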

Microsoft predicts that Iran and its hackers will continue this activity, particularly against defense contractors and the shipping and maritime industries.

Educate your employees on how important their passphrases are to company data and national security as foreign adversaries are using these easy techniques to gain valuable company data as well as data important to national security.

A new report from Beyond Identity focuses on old, but very important issues—ending access rights to network systems by terminated employees and the rampant sharing of passwords.

According to the report, it is estimated that almost 25 percent of previous workers still have access to their former employers’ networks through work accounts. This is concerning on many levels, including the ability for former employees (especially disgruntled ones) to have access to current company data to be able to use it, disclose it, and use it against the company.

The report also highlights that many employees continue to share their passwords with their co-workers. A whopping 41.7 percent of the 1,000 companies surveyed stated that passwords are shared with colleagues, contractors, family, and friends. This statistic blew my mind.

Takeaways from this report: 1) don’t share your corporate password with anyone else, and educate your employees to keep their passwords secure; and 2) tune up your processes around access controls, including access by terminated employees.

It has been reported by Bloomberg Law that the Colonial Pipeline ransomware attack was caused by a “single compromised password.” The Colonial Pipeline ransomware attack had consumers hoarding gasoline and disrupted distribution of gas along the east coast. One single compromised password.

Colonial Pipeline paid $4.4 million in ransom following the attack, although the Department of Justice (DOJ) was able to recover $2.3 million of that payment by seizing the crypto wallet used by the attackers. A payment of $4.4 million because of one single compromised password.

What is worse is that the account the password was connected to was not an active account, but could still be used to access the network. I am surmising, but this usually happens when someone leaves the company and the account and its access are not terminated. The initial user may have used the password across platforms, the password was compromised and obtained by DarkSide on the dark web, and presto!, they can go into Colonial’s system with the valid password undetected.

We are constantly told how important passwords are. I like to use long passphrases. We are told not to use the same passwords across platforms. We are told not to use passwords that are related to anything we post on social media or online platforms. We are told all of this for a reason: one compromised password can cause a gas shortage, a meat shortage, contaminated water, millions of dollars paid in ransom, and disruption to our lives. Do your part and focus on password management for yourself personally, as well as for your employer.

After incidents of Zoom “bombing,” including a recent intrusion by hackers to disrupt a church service with foul content (don’t these guys have better things to do?), it has been reported that hackers are now taking advantage of the surge in the use of Zoom for videoconferencing to spoof Zoom invites to try to obtain users’ credentials.

First, when using any videoconferencing platform, you may wish to consider requiring that a password be used to get into the conference in order to reduce the risk of Zoom bombing.

Second, when receiving a videoconference invitation, as with any other email you receive, treat it like a potential phishing email that is a scam. Check to see who sent it to you, that it is someone you know and trust, and that the email address is correct, and don’t click on the invitation unless you are expecting it. Further, no videoconference invitation is going to request your user name and password, so just as you would not give your user name and password to a random email phishing for information, the same is true for accepting Zoom or other videoconferencing platform invitations.

Finally, when logging in to a videoconference, check that you are logging in to the actual site, and not a fake link that has been sent by a hacker.

Hackers are creative and up to speed on the technology businesses are using, particularly during the pandemic. Be aware that they are going to use all their creativity in new ways to try to spoof and scam you. Educate your employees on the newest tricks and encourage their continued vigilance to avoid becoming a victim of old tricks using new technology.

It has been reported by Troy Hunt, the security researcher who provides the “Have I Been Pwned” free breach notification service, that 1.4 million passwords and personal information of customers of GateHub, a cryptocurrency wallet service provider, and 800,000 customers of EpicBot gaming bot provider RuneScape are for sale on the web.

According to Hunt, that personal information includes email addresses and passwords that were cryptographically hashed with bcrypt, as well as two-factor authentication keys, mnemonic phrases, wallet hashes, user names and IP addresses.

Security researchers are suggesting that users of these two services change their passwords as soon as possible, replace mnemonic phrases, change passwords of any other sites where the same password may have been used, and be wary of spear-phishing attacks.

I am not a big fan of putting all of one’s passwords in one place, but many people use password managers. If you use Last Pass (see previous blog posts about Last Pass here and here), be aware that it was recently advised by a Google Project Zero researcher that there was a vulnerability that made it possible for websites to steal credentials using a Chrome or Opera extension. (Last Pass subsequently announced that it has addressed the identified vulnerabilities.)

This means that when visiting a website, because of a vulnerability in the pop-up mechanism, the website may use the password from the last website visited instead of requiring the user to put the new password into the site to gain access to the account.

The risk of this vulnerability is clickjacking, which occurs when “you can leak the credentials for the previous site logged in for the current tab.” When users click on the link, it might open a malicious link instead of a trusted site.

Many security experts are fans of password managers as a way to manage complex passwords. I am always concerned about the risk of storing all passwords in one place and the possibility that they could be compromised in one fell swoop, which has happened before to Last Pass. When using a password manager, consider adding the additional security measure of multifactor authentication as well.

The “security principle” under the General Data Protection Regulation (GDPR) requires that organizations process personal data securely by means of “appropriate” technical and organizational measures. This month, the United Kingdom’s Information Commissioner’s Office (ICO) issued new guidance focused on two specific measures the ICO recommends that companies consider in complying with the GDPR security requirements: encryption and passwords.

California lawmakers have taken the lead in trying to address privacy and security issues with Internet of Things (IoT) devices (which we have been writing about for years), by passing the country’s first IoT security bill, which is now headed to Governor Brown’s desk for signature by September 30.

One of the issues addressed by the bill is the fact that IoT devices, such as routers, home security systems, televisions, refrigerators, and other home appliances come to your home with a default password. Many people do not take the time to change the password and therefore, the password stays on the default one. The California bill statutorily requires IoT manufacturers to enable stronger passwords on IoT devices so they are not as easily hacked.

A botnet called Owari is specifically designed to crack, and easily cracks, default or weak passwords on IoT devices. A default password is not designed to continue to be used by the consumer. Manufacturers of IoT devices assume that consumers will change the passwords on their IoT devices to a password unique to the customer. By keeping the default password provided by the manufacturer, consumers are putting themselves at risk of intrusions into their IoT devices and of the data on those devices being stolen or used.

When purchasing an IoT device, follow the manufacturer’s instructions on how to enable your own password on the device, and as in all cases of anything connected to the Internet, the password should be complex to deter intrusions and theft of data.