At a glance.
- Public interest in identity protection.
- Privacy implications of Amazon’s Sidewalk.
- NCSC warns schools of cyber threat.
- RockYou2021 password leak.
Survey shows increase interest in defense against identity theft.
Security.org has released the results of their Identity Theft Consumer Shopping Study, and the data shows that in 2020 there were over 20 million cases of identity theft in the US, a 67% increase from 2019 no doubt fueled by the surge of COVID-19-related scams. 93% of victims reported the theft, usually to a private company. Researchers also found that 20% of Americans plan to buy identity theft protection services, which could lead to an estimated $4.1 billion increase in revenue for the industry.
Walking the line between access and privacy.
The Washington Post offers an in-depth look at Amazon’s new offering, Sidewalk. The technology, which has been lying in wait inside Amazon devices for years, transforms Echo smart speakers and Ring security cameras into “Sidewalk Bridges.” This allows users to connect with their neighbors’ devices, creating a wireless mesh network completely separate from WiFi offering services like increased smart light range, access to the Level smart lock, and even tracking services for users with dementia. Sidewalk is equipped with triple-layer encryption, but experts have their doubts about its security, especially given that as of today, unless the user opts out, Amazon is automatically activating it on all supported devices. There’s no question it could become a tantalizing target for hackers, and with the amount of data being transferred, it raises major questions regarding surveillance. Matthew Guariglia, a policy analyst at the Electronic Frontier Foundation, explains, “As long as Amazon is storing all that data…all of that can be accessible to police. It’s impossible to think of things as just private or public surveillance anymore.”
It’s worth noting that Amazon is neither the first nor only provider to seek to create a mesh network from the devices they provide their users.
NCSC releases warning for educational institutions.
In response to the recent surge in cyberattacks on educational institutions, the UK’s National Cyber Security Centre (NCSC) has issued an update to its ransomware guidance, Infosecurity Magazine reports. The NCSC warns attackers are targeting VPNs and remote desktop protocol endpoints, taking advantage of unpatched system vulnerabilities, and deploying email attacks through phishing scams. Once a system is infiltrated, threat actors are using tools like Mimikatz, PsExec, and Cobalt Strike to allow lateral movement without detection. The NCSC recommends schools protect themselves by employing multi-factor authentication, antivirus, and regular system updates.
Largest password leak ever could, in fact, RockYou.
CyberNews reports that a hacker just leaked what might be the largest database of stolen passwords in history: a 100GB TXT file containing over 8.4 billion entries. Likely cobbled together from multiple breaches, the compilation has been named “RockYou2021,” an allusion to 2009’s RockYou data breach that leaked a comparatively meager 32 million passwords. The leak makes it easy for threat actors to conduct credential stuffing or password spraying operations, and since so many users recycle the same passwords across multiple sites, attacks could potentially impact billions of accounts. For anyone concerned their login credentials might have been leaked, CyberNews has created a personal data leak checker.
A number of industry experts have commented on the RockYou dump. We heard from Will LaSala, Director of Security Solutions at OneSpan, who points out that this year’s two big leaks probably mean that we’ve surpassed last year’s totals:
“We saw the number of stolen credentials reach an all-time high last year at 15 billion and with breaches this year including the COMB Data Leak of 3.2 billion credentials and now the RockYou2021 data leak of 8.4 billion passwords, I estimate the figure to be closer to 25 million leaked credentials floating around on the dark web at the moment.
“The threat posed by these leaked credentials falls largely on web and mobile applications as well as the platforms they run on, which have security holes and backdoors that hackers leverage stolen credentials to compromise. We know hackers follow the money trail and we especially encourage consumers and organizations to closely monitor their financial and banking applications. Technologies such as multi-factor authentication can help protect accounts from stolen credentials, while technologies such as application shielding can help protect applications from being attacked by malicious actors, even if the device itself is compromised.
“Organizations can also help protect their customers by ensuring their risk analytics technologies are up to date and that they are checking real-time transactions across all applications and channels, looking for anomalies and patterns that are the hallmark of an attack. Hackers often comb dark web forums for leaked credentials, which they use to launch ransomware attacks and it is crucial that consumers and organizations implement these important security measures to protect high value accounts. Consumers shouldn’t rely on password checker tools as the data isn’t likely up to date and untrustworthy. They should also avoid ‘strong password’ generators; the passwords generated are often unreliable, easy to hack, and can be stolen at a moment’s notice with little to no indication that it has been compromised.”
Saryu Nayyar, CEO of Gurucul, says, in effect, look, change your passwords already:
“Today is the day to change all your passwords. You may have been putting this off thinking you are not affected. You are. We all are. Now you have an excellent reason – to protect your privacy and your assets. Anything and everything will come out so waste no time. Change all your passwords immediately. And please make sure they are unique and complex!”
David Stewart, CEO of Approov, sees in the leak another argument for multifactor authentication:
“It may be the biggest username/password breach of all time but it won’t be the last. Outlawing passwords is not a short-term solution to this problem. Instead, ensure that usernames/passwords on their own are not enough to gain access to backend systems. Adding a requirement for appropriate and independently verified factors to gain access to your servers will ensure that your business is not affected by credential stuffing attacks based on breaches such as RockYou2021.”
Rajiv Pimplaskar, CRO of Veridium, notes the correlation of a spike in password leaks with spikes in data breaches and ransomware attacks:
“With the recent explosion in both the magnitude and frequency of data breaches and ransomware attacks, it’s not surprising that password leaks are coincident. Verizon’s Data Breach Investigations Report (DBIR) indicates that over 80% of data breaches rely on lost or stolen passwords. Ransomware attacks have increased by over 72% propelled by remote work since COVID19 began and ZDNet research indicates that over 50% of such attacks also included credential theft and Man In The Middle (MITM) attacks.
“Any security system is only as strong as the weakest link. Companies and users need to treat these developments as a wake-up call to end their overblown reliance on passwords. Passwordless authentication methods such as phone as a token and / or FIDO2 security keys are now commonly available. Such solutions create an un-phishable connection between the user and the IT system and eliminate the need for a password thereby reducing the attack surface and making the environment more resilient against cyber attacks. Also, these authenticators offer less friction as compared to traditional Multi Factor Authentication (MFA) which improves user experience and productivity.”
Saumitra Das, CTO and Cofounder of Blue Hexagon, offers some perspective. While the leak is of course nothing to dismiss as unimportant, the heavens aren’t falling, either:
“Any password leaks of large volumes are always alarming to hear and should be taken seriously; our own investigation of this report has shown that quite a large number of accounts passwords are recycled from previous breaches and not necessarily active.”
We might add that his remarks also serve as a reminder that reusing passwords increases vulnerability to credential stuffing.
“This is not to say that people should stop using biometric authentication altogether. Currently, there aren’t that many instances where your biometrics can be misused. However, as it gains popularity, the ramifications of biological data theft get more alarming. For now, it’s better to think about it as a tool of convenience rather than a security measure. It’s a good idea to set up 2FA and use both passwords and biometrics.”