We hope you're not reusing passwords... 🔥
Weekly Blaze Podcast, Episode 99, December 16, 2019
In this episode:
The Password Reuse Problem
US Government Internet of Things Security Recommendations
Smart Lock Security Disaster
If you're like other listeners of this podcast, you care about the privacy and security of your friends and loved ones. One of the best gifts you can give is a product that provides more peace of mind about our personal data and the wireless devices we all use each and every day. A gift to consider is a Silent Pocket Faraday bag, wallet, or key fob, which is designed to block all wireless signals and gives your friends and family a stylish way to be more secure. As a listener of this podcast, you can take 15% off your holiday order right now by using the discount code "sharedsecurity" during checkout at Silent Pocket.
Password reuse continues to be a major problem
A recent announcement from Microsoft is shining a light on the password reuse problem. Microsoft reported that 44 million Microsoft Azure and Microsoft Services accounts were vulnerable to account hijacking because their passwords had already been exposed in previous data breaches. The Microsoft identity threat research team checked billions of valid credentials against lists of cracked or exposed passwords from earlier breaches and found 44 million matches, which means that 44 million people may have used the same password not just for their Microsoft account but for many other services as well. Microsoft did the right thing here and reset the password for each vulnerable account, but it goes to show that most people are still reusing passwords and not enabling multi-factor authentication. Microsoft even points out that 99% of identity attacks could have been avoided by enabling multi-factor authentication, which, by the way, is freely available for Microsoft Azure and Microsoft Services accounts.
In related news, recent research on password habits found that, not surprisingly, 72% of people reuse passwords in their personal life, while nearly half (49%) of employees simply change or add a digit or character to their password when prompted by their company every 90 days, which is when most employers require password changes. The other part of this research I found interesting was that, despite technology like password managers, wider availability of multi-factor authentication, and more awareness being spread about the dangers of password reuse, people are still trying to memorize passwords, write them down on paper, or document them in Word docs, emails, and spreadsheets. Most people still have a hard time understanding the technology and tools we have to help manage passwords, so they resort to these bad habits. There has been a lot of progress toward eliminating passwords over the last year or so, but we have a long way to go until passwords are eliminated altogether.
To put all of this into perspective, there was a story all over the national media last week about a family's Ring camera that was, quote unquote, "hacked". While definitely a scary situation, there are two points I want to clarify about this story. First, Ring (as in the company) was not hacked. Ring confirmed that there was no breach of its systems, and the cameras themselves haven't been hacked either. Second, this story highlights the exact problem I'm talking about on this episode: password reuse, and how compromised passwords are used to gain access to other apps, even Ring cameras. What most likely happened is that the username and password the family set up for their Ring account was the same combination found in one of the thousands of publicly available databases of credentials and passwords from previous data breaches. Attackers write automated tools and scripts to try these username and password combinations on sites like ring.com until they find ones that work. Either that, or someone simply guessed a weak password on the family's Ring account, or the family had their credentials compromised through a phishing attack. Most likely, though, password reuse is the culprit.
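The two checks described above, Microsoft comparing credentials against lists of passwords exposed in earlier breaches and the reuse of one password across services that credential stuffing relies on, can be demonstrated in a few lines. The following is an added example written for these show notes; it is not code from the podcast, from Microsoft, or from Ring. The breach corpus, the account list and the breach counts are all constructed for the example. The lookup uses the k-anonymity "range query" pattern (the client sends only the first five hex characters of the password's SHA-1, the way the Have I Been Pwned Pwned Passwords service works) so the full password never has to be sent anywhere. A variant check for the "bump the digit every 90 days" habit from the research above is included as well.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a corpus of passwords exposed in earlier breaches.
# The passwords and their occurrence counts are made up for this example.
_EXPOSED = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "Winter2019!": 87,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the hash form Pwned Passwords uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# The corpus is keyed by hash, so the lookup side never needs the plaintexts.
BREACH_CORPUS = {sha1_hex(p): n for p, n in _EXPOSED.items()}


def range_lookup(prefix: str) -> dict:
    """Server side of a k-anonymity range query. The client sends only the first
    five hex characters of the hash and receives every matching suffix with its
    breach count, so the server never learns which password was checked."""
    if not re.fullmatch(r"[0-9A-F]{5}", prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def find_reused_passwords(credentials) -> dict:
    """credentials: iterable of (service, username, password) tuples.
    Returns {password_hash: sorted services} for every password used on more
    than one service, which is exactly the exposure credential stuffing abuses."""
    by_hash = defaultdict(set)
    for service, _username, password in credentials:
        by_hash[sha1_hex(password)].add(service)
    return {h: sorted(s) for h, s in by_hash.items() if len(s) > 1}


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one, or the old one with only its
    trailing digits/punctuation changed (the "Winter2019! -> Winter2020!" habit).
    Purely numeric passwords are compared whole so "123456" vs "654321" is False."""
    def core(p: str) -> str:
        stripped = re.sub(r"[\d\W_]+$", "", p)
        return (stripped or p).lower()
    return core(old) == core(new)


def audit_credentials(credentials) -> list:
    """Combine both checks: flag every credential whose password is in the
    breach corpus or is shared with another service. Returns (service, user, issue)."""
    reused = find_reused_passwords(credentials)
    findings = []
    for service, user, password in credentials:
        n = breach_count(password)
        if n:
            findings.append((service, user, f"password seen {n} times in breach corpus"))
        h = sha1_hex(password)
        if h in reused:
            others = ", ".join(s for s in reused[h] if s != service)
            findings.append((service, user, f"password reused on {others}"))
    return findings


# Constructed sample account list (hostnames are placeholders, not real sites).
SAMPLE_CREDENTIALS = [
    ("camera.example", "alice", "Winter2019!"),
    ("mail.example", "alice", "Winter2019!"),
    ("bank.example", "alice", "correct horse battery staple"),
]

if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CREDENTIALS):
        print(*finding, sep=" | ")
```

The same two pieces of advice fall out of the code: a unique password per service makes `find_reused_passwords` return nothing, and a password that has never appeared in a breach corpus scores zero in `breach_count`. A password manager is what makes both of those practical for a person with dozens of accounts.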
So, are you using a password manager and enabling multi-factor authentication so that you don't reuse passwords? If not, it's not too late to start! Do it now, as it's one of my most recommended pieces of advice to prevent becoming a victim of account hijacking due to password reuse.
And now a word from our sponsor, Edgewise Networks
The biggest unsolved problem in security is flat networks in cloud and data centers, with unprotected attack paths that allow threats to move laterally and cause breaches.
But microsegmentation using network addresses is complicated and takes too much time.
But there’s a better approach… Edgewise “Zero Trust Auto-Segmentation."
Edgewise is impossibly simple microsegmentation … delivering results immediately, with a security outcome that’s provable.
At the core of Edgewise Auto-Segmentation is Zero Trust Identity, which allows workloads to communicate only after their software identity has been verified. Malicious or unapproved software is no longer allowed to communicate.
Identity-based protection provides more coverage with fewer policies to make Edgewise simple to deploy and manage. No changes to the application or the network are required. One solution protects virtual machines and containers, in the cloud and on premises.
To stop lateral threat movement and prevent breaches, visit Edgewise for a demo and see results within minutes.
US government recommendations for securing Internet of Things devices
It's the holiday shopping season, and that means it's time for the US government to give us its warnings about all the technology we're about to unwrap for ourselves or purchase for our friends and families. I recommend taking their advice, as they have some good recommendations that are always worth mentioning, especially around the holidays. First up is the FBI's recommendation on properly securing Internet of Things devices, Wi-Fi routers, and smart TVs. The basics we talk about on this podcast all apply: change default passwords, use complex and unique passwords for all devices, put your "smart" devices on a separate network from the one your laptops and mobile devices are on, and change the default privacy settings on your smart TV. In fact, the FBI goes so far as to suggest disabling the microphone on your smart TV through the TV's settings and putting black tape over the camera.
In addition to the FBI warnings, the FTC has sent out an advisory targeting parents who are purchasing Internet-connected toys this holiday season. The recommendations include finding out whether the toy has a camera and microphone, whether it records, and whether you know when the camera or microphone is on. This is so that if one of these devices is compromised, parents can recognize that something is not right and take immediate action. Other questions parents should ask about these toys include: does the toy let your child send emails or connect to social media accounts, can parents control the toy's setup, and can things like default passwords be easily changed. Lastly, the recommendations note that toy manufacturers are required to comply with COPPA (the Children's Online Privacy Protection Act) if the toy collects personal information from anyone under 13 years of age. In these cases, the company is required by law to disclose its privacy practices, ask you, the parent, for consent, have the means to protect and secure collected data, and give parents the right to have their child's personal information deleted.
Another "smart" lock device security disaster
Speaking of Internet of Things devices, here's something to think about before you purchase one of those "smart locks" to secure your home. Everyone knows my relationship with smart locks, and it's not good. If you don't know what I'm talking about, check out my very personal story about a smart lock that failed at a hotel I stayed at this year. But back to this story: there is a newly reported vulnerability in a smart lock. The attack works by extracting the secret key for the encryption algorithm from the mobile app (which anyone can download from the app store); then, when the app communicates with the lock over Bluetooth, an attacker can grab the operator password to the door by intercepting the communication. The attacker has to be within 10-15 meters of the victim to pull this off, but it's still a pretty serious issue, especially when we're talking about the security of our homes. To make matters worse, like many Internet of Things devices, this smart lock cannot be updated! So if you purchased one of these locks, you will need to either replace it or live with the risk. I don't recommend purchasing any type of smart lock for your home for this very reason. Time after time, these devices are found to have some type of vulnerability that could leave your home at risk. Until device manufacturers start building security into their products and allowing them to be updated, it's going to be a long time before I change my recommendation on these quote unquote "smart" locks.