BTH News 03April2020

Zoom sees rapid growth with lots of growing pains; the FBI warns of teleconference hijacking; a data breach exposes GE employee data; for the third week in a row, we saw a rapid increase in COVID-19 Coronavirus phishing and cyberattacks; and Marriott reports a data breach…again.

Obsolete Computers Used in U.S. Elections: Kill Chain-The Cyber War on America's Elections

“Voting is our capability to have a peaceful transfer of power. If you don’t have that, the alternatives are revolutions.” - Harri Hursti

Last week, HBO released Kill Chain: The Cyber War on America's Elections, a documentary that covers a 15-year analysis of voting machines in the United States. Many of the voting machines used in U.S. elections are vulnerable to attack, and they are being targeted by nation states and other threat actors. Follow cybersecurity expert Harri Hursti in the HBO documentary Kill Chain: The Cyber War on America's Elections, as he explains and demonstrates the weaknesses in many voting machines. The documentary describes Hursti as “one of the world’s top experts on hacking techniques and voting security. For decades, he has been investigating vulnerabilities in U.S. election systems.” In addition to Hursti, the film features an impressive roster of cybersecurity experts including Jeff Moss, Matt Blaze, Sandy Clark, and Mikko Hypponen, to name a few.

BTH News 20March2020

This week we saw more COVID-19 malware and phishing attacks, a cyberattack against the U.S. Health and Human Services Department, a new and growing botnet that recruits IoT devices, credit card skimming on websites, and a security firm re-breaches over 5 billion records.

  1. Malware: A malicious app that supposedly tracks Coronavirus victims is actually demanding ransom payment from Android users. via @gcluley

  2. Cyberattack: Cyberattack Hits U.S. Health Agency Amid COVID-19 Outbreak

  3. More Patches: Adobe Releases Critical Patches for Acrobat Reader, Photoshop, Bridge, ColdFusion

  4. Botnet: Zyxel Flaw Powers New Mirai IoT Botnet Strain

  5. Credit Card Skimming: NutriBullet and others caught in online credit card skimming attack!

  6. Data [Re]Breach

Working From Home

If you’re reading this in March 2020, you are probably practicing social distancing and self-isolation due to the COVID-19 Coronavirus that is spreading around the globe. And, if you are not in the hospitality and food service industry, you are likely working from home (WFH), maybe for the first time. For some, the idea of working in your pajamas at the kitchen counter with a mug of coffee is a dream come true; for others, it’s a true nightmare. No matter where you are on that spectrum, we are all going through this together (by being apart), and a few tips might make your work-from-home time productive, both personally and professionally.

BTH News: 13March2020

It’s Friday the 13th, we are in the midst of a global pandemic, threat actors are leveraging public fear in phishing attacks, and data breaches and critical vulnerabilities make the news!

COVID-19: Coronavirus or Computer Virus?

As the COVID-19 Coronavirus threatens to become a global pandemic, Internet criminals are leveraging this tragedy to spread their own kind of virus and digital attacks to prey on the fears and generosity of people around the world.

What is Happening?

Attackers are using phishing campaigns to target businesses and individuals. One example, reported by BleepingComputer, shows how scammers created a…

Shark Caught in Phishing Scam Shares Cautionary Tale

An employee of Shark Tank star Barbara Corcoran thought it was a routine wire transfer. The email request did not look unusual, and the amount of the transfer did not raise suspicion. But it was a clever scam, and nearly $400,000 was deposited into the bank account of a phishing scammer. Corcoran, who is well known as one of the “sharks” on ABC’s TV show, Shark Tank, shared details of a cybersecurity breach at her company with ABC News.

"This morning I wired $388,000 into a false bank account…

Business Email Compromise (BEC)

In the world of cybersecurity, there are some pretty creative and interesting terms, such as phishing, juice-jacking, rainbow tables, credential stuffing, and botnet. However, there is one type of phishing attack that was given a name without anyone from a marketing team in the room. That is the Business Email Compromise (BEC). I almost fell asleep while typing that last sentence!

While the name is not very sexy, the attack is simple to execute and can be very costly to the victim. In fact, according to a 2018 FBI report, BEC attacks have earned scammers over 12 billion dollars. BEC is a type of phishing attack with the goal of tricking the victim into sending money…

New Report: Employees’ Poor Password Practices Put Businesses Around the World at Risk

LastPass has released its third annual Global Password Security Report, in which it analyzed over 47,000 businesses to share interesting and helpful insights into employee password behavior at businesses around the world. The report is free, but you will have to give up some contact information to download it.

The key takeaways are:
Businesses still have a lot of work to do in the area of password and authentication security.
Businesses are increasing their use of multi-factor authentication (MFA) but employees still have poor password hygiene.

The Six Days of Cybersecurity Gifts

This is the time of year when many of us wind down our busy work schedules and focus a little more on family and giving. In the spirit of giving, here are six cybersecurity gifts that you can buy for family, friends, or yourself.

Obligatory Disclaimer: I will not benefit in any way if readers purchase these products; they are just suggestions based on my use and testing.

HOME ROUTER

Your home router is the one device that protects your home’s digital assets from the dangers of the Internet. It is a very busy little device, constantly fighting off attacks and managing your…

Juice-Jacking: Trading Your Data for Power?

There are few things in everyday life that instill panic in us more than seeing the low battery indicator on our mobile phone. This is especially troubling during travel, when your mobile device might be frequently switching between cell towers and Wi-Fi and chewing up more battery than usual. To help us with this problem, charging stations have graciously been made available for free in many public places. While this free charge can breathe life back into our digital existence, it can also be the point at which your device becomes a victim of a cyber attack called juice-jacking.

What is Juice-Jacking?

Juice-jacking happens when someone connects their mobile device to a USB charging station that has been modified to not only charge the device, but to also copy data from…

Attack Of The Light Bulbs: How IoT Devices Are Used As Internet Weapons

With the rapidly changing world of connected devices, known as the Internet of Things (IoT), many people do not realize that these “things” are actually computers. The smart light bulb, the IP video camera, and possibly your new car, are all computers. They have operating systems (usually Linux), processors, memory and a network interface.

It is important to realize that these “things” are computers because you need to protect them from cybersecurity attacks the same way that you protect a standard computer. All computers, including all IoT devices, have vulnerabilities. When those vulnerabilities are discovered and vendors release patches, frequently it is the end user who is responsible for installing those patches. Left unpatched, the IoT device is vulnerable to attack.

Most of the big software companies like Microsoft, Apple, and Google have automatic patching systems that push patches out to vulnerable computers running their software, but most IoT devices do not. Even many home routers are not patched automatically, which leaves home networks vulnerable to attack because they are directly connected to the Internet and are not behind a firewall.

So why would someone want to attack your IoT devices? Do attackers really want access to your light bulbs? You may be surprised that the answer is yes.

Rainbow Tables: The Password Conundrum Part 4

In the fourth and final post in this series on passwords, I’ll talk to you about rainbow tables. I think the best way to get people to create and use good passwords is to teach them how passwords are cracked.

Long ago, when UNIX-like systems were used as shared servers and most people logged into them with “dumb terminals”, users could see who else had accounts on the system. This was convenient, especially in work or academic environments, and acted as a directory of sorts. So if Alice wanted to send an email message to Bob, she would just log on to the system and look at a file called /etc/passwd. This file showed each person’s username, name, and other information. This file also contained each user’s password in the form of something called a hash. Trend Micro explains that “Hash values can be thought of as fingerprints for files”. The hash is a mathematical representation of the password that cannot be reversed or

Multi-Factor Authentication: The Password Conundrum Part 3

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how we can never remember a strong, unique password for every website, system, and application that we use.

In part 2, we talked about how a password manager can solve this problem and make your digital life much easier and more secure.

In part 3, I’ll explain multi-factor authentication and how to use it.

You don’t need an MFA (Master of Fine Arts) degree to use MFA (multi-factor authentication). Sorry for the acronym humor. MFA requires a user to provide an additional means of authentication or verification, in addition to entering a username and password. 

Before we delve into MFA, let’s talk quickly about authentication.

How Attackers Access Your Accounts Using Credential Stuffing

Almost every day we see headlines about some sort of data breach. The public is now almost numb to this news, and the reaction by the end users whose credentials were lost is typically to reset their password and move on.

This is likely not good enough for most people, because, according to a January 2019 study by Yubico and Ponemon, 51 percent of the respondents reuse their passwords across multiple accounts.

So why is it bad to reuse passwords across multiple accounts? Because bad guys will take that long list of usernames and passwords from data breaches, and use them in an attack called credential stuffing. I know, this sounds like a bad Thanksgiving side dish full of conference badges. Trust me, it’s worse!

Password Managers (The Password Conundrum: Part 2)

In part 1 of the Password Conundrum, we talked about how we all hate passwords and how the crazy cybersecurity wonks tell us that we have to do unreasonable things like:

  1. Make passwords that are so complex that you can’t possibly remember them (long and multiple character sets)

  2. Make a unique password for every one of the tens or hundreds of sites and applications that we use, oh, and they all have to be long and strong, which means we won’t remember them.

Today we are going to explain how you can achieve this and actually make your life more secure and much easier than back when you had to remember all of those passwords or look them up on a spreadsheet on your computer’s desktop. Enter, the Password Manager!

The Password Conundrum: Part 1

Long Passwords, Short Memories

The password is something we all love to hate. Many of us have to create hundreds of passwords and we are told by the paranoid cybersecurity experts to make them long and use all of the character sets on your keyboard so that they are not easy to guess. This also makes them difficult to remember, so what do most people do? They re-use passwords—which is also a big no-no.

While we all know these general rules, most people don’t know why they exist and what the real risks are. In this blog, I will help you understand the importance of following the rules when developing your list of passwords. 

Three Tips for Creating a Good Password

Below are three tips for creating complex and hard-to-hack passwords. 

  1. Make them long: There is some debate over the best minimum length of a password. Analysis from security expert Troy Hunt has shown that many of the sites we use do not require very long passwords. However, research from Georgia Tech Research Institute (GTRI) shows that the

Sextortion Revisited

Lately, a handful of friends and colleagues told me they received an email claiming that a malicious hacker had installed malware on their computer through a porn site. The email showed one of the recipient’s passwords and explained that the hacker has access to the recipient’s webcam and has a log of all of their keystrokes. Then the hacker gives the recipient two choices:

  1. Ignore the email, and a video of the recipient visiting the porn site will be sent to all of the recipient’s contacts.

  2. Or, pay a ransom in bitcoin, and the hacker will delete the video.

This email scam has been a popular phishing attack in 2018. As cybersecurity reporter Brian Krebs blogged back in July, “Here’s a clever new twist on an old email scam that could serve to make the con far more believable.”

If you happen to receive one of these emails…

Protecting Yourself Online

Securing endpoints has always been a challenge, as they have been a favorite target of attackers. The problem of vulnerable computers goes far beyond securing your computer and home network. Any Internet-connected computer that has been compromised could be used as part of a botnet to attack and take down other Internet systems or even slow down large parts of the Internet. Cybersecurity is bigger than all of us and is the responsibility of everyone for the good and welfare of the Internet at large.