Why Non-Cheaters Should Be Just As Worried As Ashley Madison Members

ashley_madison

Millions of accounts stolen from the adultery facilitation service Ashley Madison hit the dark web this week, causing angst for spouses, anxiety for the site’s users and social reflection from a variety of media sources. The information includes names, passwords, email addresses, credit card information for paid accounts, physical descriptions and profile information about users’ kinks and sexual fantasies.

Tools to search the massive database have already appeared, though it’s not clear how accurate those tools are and whether they are harvesting information themselves. Let’s look at some of the security implications of the leak.

Public Security Concerns

Many of the site’s users signed up with their work emails, probably in an attempt to keep their spouse or significant other from reading their messages. Approximately 15,000 of the leaked accounts are linked to email addresses with .edu, .mil or .gov accounts. This means the names and personal information of thousands of government employees are now online, making them a target for blackmail and identity theft.

Almost 2/3rds of the emails are from military addresses. The United States military has regulations against cheating on spouses, and the leak could lead to dishonorable discharges should the military decide to follow up. Several state and local government agencies have stated they will be looking into accounts that used email addresses linked to their employees.

Is the Data Legitimate?

Ashley Madison did not require email verification, and it’s not exactly difficult to sign up for a free account with someone else’s information. Confirming the information is difficult, since neither Ashley Madison nor their cheating users are likely to comment. On the other hand, people who were wrongfully signed up by others have no way to prove their innocence either.

Some of the leaked accounts contain data specific enough to trace back to individuals such as credit card information and is undoubtedly legitimate, but others are obviously faked. For example, someone signed up for an account using the name and email address of one of the fictional FBI detectives from the TV show The X-Files.

What Can We Learn?

Consider anything you enter online permanent. Some of the users in the leaked database paid a fee to Ashley Madison for a service that was supposed to delete their account and information entirely. Obviously it didn’t work.

Don’t advertise your computer system or service as totally private and unhackable. One of the reasons Ashley Madison was targeted was their advertisements touting the safety of users’ information. In any connected system there are ways for determined hackers to get in.

Don’t use your work email address for personal communication. Even if you’re not cheating on your spouse, it’s not a good idea. Most employers back up their email messages and accounts for security purposes.

About the author:

Scott N. Schober is a CEO, author and cyber security and wireless tech expert who regularly appears on popular TV news networks, radio programs and tech industry speaking engagements. He appears regularly on Bloomberg TV, CCTV-America, CTV News, ABC and more as a cyber security expert. His new book entitled Hacked Again will be available in the fall. Scott is also the host of a weekly cyber security video podcast called 2 Minute CyberSecurity Briefing on iTunes and Youtube.

Black Hat Conference Highlights

What-Color-Hat-

Last week cyber security experts gathered at the Mandalay Bay hotel in Las Vegas for the 9th annual Black Hat conference. While the major media focus was on the connected car vulnerabilities I discussed in a previous post,  there were many other important subjects covered. Let’s look at some of the highlights.

Android Fingerprint Sensor Hack

Some smartphones include fingerprint sensors that allow users to swipe their finger instead of entering passwords. FireEye researchers Tao Wei and Yulong Zhang presented evidence that fingerprint readers on many Android devices are vulnerable to attack. The sensors are not locked down, and the files controlling them are easy to hack even on unrooted devices. A clever hacker could install malware on a device and use it to steal the fingerprint of anyone who uses the sensor. Unlike passwords, fingerprints cannot be changed. Once a fingerprint is compromised, it’s compromised for life. Fingerprints are tied to someone’s identity on documents such as passports and police records. Manufacturers of the affected devices have issued patches to resolve the security flaws, but as more devices with fingerprint readers become available we’re sure to see more users affected in the future. More Info Here

Google Talks Android Security

In the wake of the Stagefright security flaw that exposes approximately 950 million Android devices, Android security chief Adrian Ludwig spoke about Google’s plans for fixing the bug. The company will update all its Nexus devices (including those that are WiFi only) and provide security support for all Nexus devices for a minimum of three years. With public confidence shaken, Ludwig also spoke about Android’s existing security features and security analysis for apps offered through the Google Play Store. More Info Here

Defending Against Watering-Hole Attacks

Senior development engineer Aaron Hackworth at Dell SecureWorks detailed the methods and activities of a cyber espionage group based in China. Dubbed TG-3390, this group’s major strategy is to target organizations through web sites and services employees are known to use. The hackers attack the service and redirect traffic to a malicious web site. When someone visits from an IP of interest, the site installs malware on their machine. Once the hackers have access, they attack the domain controller and install keyloggers and back doors on any Microsoft Exchange servers. This allows the group to steal credentials so they can re-enter the network if discovered. Hackworth recommended removing all local administrator rights and switching to two-factor authentication (2FA) on all remote-access services thwarts the hackers’ ability to steal login information and regain access. More Info Here

Stealing Data with IoT Devices

According to Columbia University researcher Ang Cui, printers, Internet of Things (IoT) devices and other inexpensive network-capable devices can be hacked into radio transmitters. This hack uses I/O pins and a connected cable to generate radio waves that a receiver can pick up. Cui demonstrated the hack on an inexpensive printer, using the printer cable as an antenna and picking up the signal on a handheld radio. The most troubling part of this hack is because it works on devices that do not even have WiFi, hackers can target devices on the network that IT personnel may not even consider a vulnerability point. More Info Here

OPM Pwnie Award for Most Epic Fail

In a year of massive data breaches, the government’s Office of Personnel Management managed to take home the least-coveted award at the conference. In June the OPM announced that background check records on 25.7 million current, former and prospective government employees and contractors had been stolen by hackers with close ties to the Chinese government. The hackers managed to stay in the system for over a year, and unnamed sources told ABC news the records of top administration officials and current and former cabinet members were compromised. Not surprisingly, the award went unclaimed. More Info Here

About the author:

Scott N. Schober is a CEO, author and cyber security and wireless tech expert who regularly appears on popular TV news networks, radio programs and tech industry speaking engagements. He appears regularly on Bloomberg TV, CCTV-America, CTV News, ABC and more as a cyber security expert. His new book entitled Hacked Again will be available in the fall. Scott is also the host of a weekly cyber security video podcast called 2 Minute CyberSecurity Briefing on iTunes and Youtube.

Stagefright Bug Takes Center Stage On 950 Million Android Devices

Android Stage Fright

A series of bugs and security loopholes in the Android operating system could allow hackers to take control of up to 95% of Android smartphones simply by sending an MMS message with malware attached.

What is the Stagefright bug?

Stagefright is the name of the Android operating system’s media library, which the bug is named after. It affects all Android devices running version 2.2 and up and there is currently no patch. The recipient doesn’t even have to open the message. By default the Android operating system downloads unread messages, triggering the malware. An attacker could send the MMS with malware attached, take control of the phone and delete it before the user is any wiser.

When will the bug be resolved?

The mobile security company Zimperium Labs discovered the flaw and alerted Google in April. Google is working on a patch for its Nexus devices, but it won’t be available until next week. For other device manufacturers, it could take a lot longer.

Very few manufacturers run vanilla Android on their devices. Most devices have customized software that will require testing. Google will provide the software fix to the manufacturer, which then must test the update on their devices. The manufacturer will apply the update to the base version of their OS, then test each individual product line. After the manufacturer is finished, they send the update to the wireless carrier. Sometimes carriers do their own testing before pushing the update out to users. It could be weeks or months before non-Nexus devices see an update. The cost of testing means some older devices may never get it.

What can you do to protect your device now?

The key to protecting your smartphone is preventing the device from automatically downloading MMS messages from the server. Open your default messaging app and press the Menu button. Select Settings and look for an “Auto-retrieve” checkbox. Some devices may have the option under “Advanced settings.” Unchecking this box will stop the device from downloading the messages, allowing you to delete messages from any numbers you don’t recognize before you open them. If you can’t find the setting, contact your wireless carrier or device manufacturer for assistance.

Is Stagefright the only vulnerable part of the Android OS?

There are no confirmed cases of hackers using it, but the sheer number of vulnerable devices makes this a major security flaw. Zimperium Labs indicated in a blog post that others had previously uncovered bugs in Stagefright, and that it is possible the bug could be in use.

 

About the author:

Scott N. Schober is a CEO, author and cyber security and wireless tech expert who regularly appears on popular TV news networks, radio programs and tech industry speaking engagements. He appears regularly on Bloomberg TV, CCTV-America, CTV News, ABC and more as a cyber security expert. His new book entitled Hacked Again will be available in the fall. Scott is also the host of a weekly cyber security video podcast called 2 Minute CyberSecurity Briefing on iTunes and Youtube.

Chrysler Recalls 1.4 Million Hackable Cars But Is It Enough?

hacking_ahead

Car companies have a history of large scale recalls for their products. After all, the safety of their customers fall directly on the shoulders of automakers so why take a chance? But what about computer glitches or even hacks? When is proactive too proactive and when is it not even enough?

Some of today’s cars come equipped with the option to connect to the Internet, but are they safe from hackers? Connected cars can access wireless broadband networks via built-in cellular modems. They allow passengers to stream audio and video, access traffic information and navigate using a touchscreen on the dash. Cyber security experts worry that these connected cars lack adequate digital security and are vulnerable to malicious hackers.

Last week two white hat hackers demonstrated the ability to take control of critical functions on a 2014 Jeep Cherokee to a Wired Magazine reporter. Hackers Charlie Miller and Chris Valasek were able to disable the transmission, spray the windshield with wiper fluid and even engage and disable the brakes. The pair will be presenting details on how they accomplished the hack at next month’s Black Hat cyber security conference in Las Vegas.

The pair said the hack seems to work on any Chrysler vehicle equipped with the Uconnect entertainment system. The Unconnect uses Sprint’s network, and an attacker can scan the carrier’s network for vulnerable targets using a Sprint phone as a WiFi hotspot. Once an attacker has the vehicle’s network information, they can wirelessly overwrite the firmware in the device and take control of the vehicle’s functions from virtually anywhere. Even more alarming, a skilled hacker could program the compromised Unconnect to scan, locate and attack other vehicles through Sprint’s network like a computer worm.

Several years ago Miller and Valasek demonstrated hacking different vehicles through the diagnostic port used by mechanics. Some in the automotive industry scoffed at the potential threat because the hacker would need physical access to the vehicle and the port. Now the prospect of remote hacking has the industry spooked.

Miller and Valasek have been working with Chrysler since they discovered the vulnerability, and the automaker has issued a patch that closes the security loophole. However, the pair plan to release parts of their code at the Black Hat conference for peer review. The released code will allow potential digital carjackers to access some of the less dangerous attacks.

Chrysler has issued a recall notice for over 1.4 million vehicles urging owners to install the software update. The patch requires the vehicle’s owner to take it to the dealer or download it onto a USB thumb drive, so many vehicles will probably remain vulnerable at the time of the conference. If you own one of these vehicles and aren’t sure if it needs the patch, you can check by entering your vehicle’s VIN number into this website here.

There is no doubt that connected cars are traveling on a highway where old tech thinking and new tech thinking must eventually merge. On the one hand, obscure security holes detected in your PC’s OS usually results in an immediate and unconsented updates to your computer. This is for your own good. Malware and viruses are hardly life threatening on any PC but the same cannot be said about a connected car. The dangers have been clearly demonstrated by many car hackers past and present even if they are not an immediate threat to your ’98 Corolla.

So why hasn’t the auto industry defined and implemented procedures to auto update or at the very least, allow consumers to easily update their connected vehicles easily and securely?

On the other hand, Chrysler recalls 1.4 million vehicles based on the possible threat of a hack to those cars. No one has been injured and the hacking threat is still largely unproven but Chrysler is being very proactive here. Let’s just hope that connected car industry doesn’t shut down the entire auto industry before we can experience all the safety and conveniences that connected vehicles offer.

About The Author

Scott N. Schober is a cyber security and wireless technology expert, CEO of Berkeley Varitronics Systems, Inc. and author of Hacked Again. He has appeared on hundreds of television, radio and published news pieces as a cyber security expert and a presenter and panelist at many tech conferences.

37 Million Adulterers Potentially Exposed In Ashley Madison Hack

impactteam-580x657

Most everyone has heard of Ashley Madison, an online dating website that helps married people cheat on their spouse. If you are happily married like myself, you wonder who in the world would actually use this website, let alone provide your private and credit card info to them. The CTO of ALM or Avid Life Media that runs Ashley Madison has been quoted in the past as saying “I would hate to see our systems hacked and/or the leak of personal information” but it looks like he’s being quoted again today by the hackers who apparently breached Ashley Madison potentially exposing its 37 million users’ data. This blows my mind as the majority of their customer base claim to be in the United States which has a population of around 320 million people. That would make roughly 10% of all americans customers of Ashley Madison.

Late Sunday night on July 19th, AshleyMadison.com was apparently hacked by a group calling themselves The Impact Team. These hackers claimed not just names and credit cards numbers, but also addresses, users fantasies, nude pictures, conversations and more. The hackers are not demanding any kind of money ransom so what do they want? In a manifesto posted claiming ALM lied about a $19 fee allowing customers to completely erase their profile information, The Impact Team has vowed to release all of that supposed erased customer data unless ALM shutters all operations on Ashley Madison and EM or Established Men.

Ashley Madison offers several levels of customers protection they could also pay a charge of $19 to fully delete every email, photo and association to the site. Every month there are anywhere from 8,000 to 18,000 people that have opted for this $19 full erasure protection which translates to about $1 million dollars of revenue a year for Ashley Madison. To their credit this is a unique feature as typical dating sites do not provide any way to delete your digital footprint.

One could easily imagine if The Impact Team posted the compromised data how a scandalous mess would start to unfold. I think it is fairly safe to say any politician or celebrity that has used Ashely Madison’s service is probably sweating bullets right now over the potential media frenzy. This has the makings of another iCloud celebrity nude photo scandal.

Ashley Madison’s slogan is “Life is short. Have an affair.” Back in the days of ancient Israel adultery was punishable by death and it’s looking more and more like AshleyMadison.com’s days are numbered too. Perhaps instead of providing free credit monitoring services it would be more appropriate for AshleyMadison.com to provide free divorce certificates. I think for the time being they will have to postpone their announced IPO for $200 million until they can clean this cyberbreach mess up.

Subscribe to my weekly video 2 Minute Cyber Security Briefing Podcast on iTunes or Youtube. Visit www.CyberSecurityDictionary.com for more terms and definitions.

Are Metal Detectors Effective at Finding Cell Phones?

metal_detectors

From schools to board rooms to prisons, many organizations have an interest in controlling access to cell phones or keeping them out entirely. Many of them rely on traditional metal detectors to locate contraband phones, but how effective are they? Metal detectors work fine for detecting metal objects like knives and guns, but their drawbacks limit their usefulness in detecting cell phones.

False Alarms: Metal detectors cannot differentiate between cell phones and other metallic objects. They can be set off by keys, belt buckles, studs in clothing, jewelry and even internal medical devices like pacemakers and metal plates.

Composition: Metal detectors require a minimum metal content, and many phones have very little metal in them. They are mainly made up of glass and plastic, which do not trip metal detectors. When smuggling phones into prisons, smugglers further reduce the risk of detection by disassembling phones and smuggling the parts independently. Smugglers also wrap phones or their parts in electrical tape or dense material to make them more difficult to detect.

Phone Size: While the fad for small phones is over in the general population thanks to smartphones, they are still in demand in prisons. Some cell phones are the size of a key fob or wristwatch. Their small size makes them easier to hide inside the subject’s body, and their low metal content makes it difficult for metal detectors to pick them up.

Coverage: Stand-alone metal detectors may not offer head-to-toe coverage, allowing people to hide cell phones in their shoes. Metal detector wands can detect phones anywhere on the body, but their range is limited to a few inches, so a thorough search requires passing the wand over the subject’s entire body.

Time: An employee using a metal detector wand can only scan one subject at a time and a thorough scan is relatively time-consuming. Some people also consider them invasive. This makes them unsuitable for locations with high traffic volume.

Cost: Stand-alone metal detectors are expensive and not portable. Both types require an active attendant, which makes them costly to operate.

If your organization needs to prohibit or control cell phone use, it’s best to use a detector made specifically for finding cellular devices. BVS offers mounted, walkthrough and handheld cell phone detectors that can find phones even when the devices are powered off. These devices are cost-effective and can detect a phone anywhere on the subject. Contact us today for more information.

About BVS:

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

Before You Deploy A Wireless Base Station, Read This.

stimulus_transmitter

With CTIA Super Mobility 2015 fast approaching, I thought it would be timely to review a checklist of must-have features for anyone in the drive test or wireless network deployment industries.

When setting up or testing a tower or wireless base station in an area where coverage is high and the network is operational, finding a test signal isn’t usually a problem. But site selection in remote areas, installation and testing of wireless equipment in locations where there is no signal from the network presents special challenges.

During the site selection process, choosing the wrong location can result in sub-optimal signal performance and penetration. Features such as landscape topography and existing radio transmitters can cause interference, so drive testing the area with a wireless receiver is essential.

Remote areas may not have a strong enough signal to test newly installed or malfunctioning equipment due to distance or radio interference. Large-scale natural disasters such as hurricanes, wildfires, long-term power outages and major earthquakes can knock out the network even in populated areas.

All of these situations have the same solution. Technicians need a portable transmitter system that can broadcast test signals. The transmitter ideally should have the following features:

  • Be capable of transmitting on all frequencies, channels and modulation the tower or base station has or will have. Cell towers and WiFi base stations can transmit on several frequencies simultaneously.
  • Multiple bands to speed up testing times. A dual or multi-band transmitter can cut drive test times in half.
  • Remote control capability. This means the operator does not need to be present to control the device. It allows a technician or aid to give commands to the transmitter and change settings while drive testing or away from the unit.
  • Battery backup so the transmitter retains its settings in case of a power loss.
  • Water-resistant and ruggedized for dependable operation in the field.
  • Adjustable power output.

Berkeley Varitronics Systems (BVS) designs and manufactures innovative RF analysis and wireless threat detection tools for businesses and government. BVS equipment helps organizations manage secure facilities and maintain wireless communication systems.

We will be exhibiting many new test transmitters and receivers including the new Squid-4G M2M Tester in the “M2M zone” booth 5050 at the CTIA Super Mobility Conference and Expo Sept. 9-11 in Las Vegas. Click here for a free pass courtesy of BVS. See you at the show!

Is Drone Skyjacking The New Hijacking?

Screen Shot 2015-06-23 at 6.23.41 PM

Right now most civilian drones are owned by hobbyists for recreational use, but many companies are exploring commercial uses. Drones have already been used for shooting nature documentaries and commercials, aerial surveys on remote properties, checking on crops for farmers and even delivering pizza. They have the potential to revolutionize many aspects of our daily lives. But drones haven’t escaped the notice of cyber criminals.

Why Are Hackers Targeting Drones?

Drones can carry small payloads, which often includes a camera for transmitting wireless video back to the operator. Cyber criminals might tap into the video signal and gain access to valuable surveillance information, or simply hijack the drone to steal it and its cargo or perform other illegal activities.

It seems certain that at some point drones will be required to carry identification information. When that happens, a cyber criminal might hijack a drone to avoid identification much like a street criminal would steal a car to perform a robbery.

Even with legal drones one of the biggest security concerns is their current lack of traceability. Here in the United States, a civilian drone entered the restricted area around the White House during the early morning hours of January 27th and crashed on the lawn. Officials had no way of identifying who it belonged to or what their intentions were. The crash turned out to be an accident and the operator turned himself in the next morning, but it was a wake-up call for security experts. Other operators aren’t so benign. In the United Kingdom police have already confirmed high-tech burglars are using drones to identify houses vulnerable to break-ins.

Why Are Drones Vulnerable to Hacking Attempts?

Unlike simple remote-controlled helicopters, drones have their own computing power. Think of them as flying smartphones without the screen. They have GPS capabilities and can fly along pre-programmed paths, or the operator can manually control them from afar using WiFi signals. If a drone loses control signals from the operator it can return to a designated location on its own.

On the same day the drone crashed on the White House lawn, a cyber security expert uncovered a flaw in Parrot® drones that allowed malware to kill their engines and make them fall from the sky. If the drone is high enough, the malware can restart the engines and take control of the drone.

This isn’t the first time Parrot drones have been used in a drone hack. Two years ago, a legal hacker released instructions on how to build a Parrot drone capable of tracking down other drones and hijacking them using wireless signals. Dubbed SkyJack, the hijacker drone monitors wireless signals and targets MAC addresses registered to Parrot drones. It can force the targeted drone to disconnect from the device controlling it and connect to the hijacker’s signal.

The problem is lack of stringent security measures built into drone operating systems. Many drone models have no security or rely entirely on weak WiFi security measures. As drones become more popular and widely used, drone manufacturers must take the threat of potential drone skyjackers more seriously.

About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

How Do You Set Up A “No Phone Zone”?

image description

Cell phones are a modern marvel, but they can also be a tremendous problem for any organization trying to enforce security or safeguard confidential information. The effects of contraband cell phones can be tremendous. Cell phones have been used to intimidate witnesses in criminal courtrooms, break prisoners out of jail and steal classified information.

The private sector isn’t immune to the risks of smuggled cell phones. Attendees use them to record concerts. Students use them to cheat on tests. They’re also unwelcome guests in call centers, secure facilities and confidential meetings. The infamous “47 percent” quote that may have cost Republican candidate Mitt Romney the 2012 Presidential election was secretly recorded on a cell phone at a private fundraiser where phones were prohibited.

Ineffective Detection Tools

The major challenge in keeping cell phones out is they are easily concealed inside clothing and handbags. The recent mobile trend is toward larger smartphones, but feature phones are still readily available and some models are smaller than a credit card. These old-school devices are primitive compared to modern smartphones, but they are capable of sending and receiving texts, recording audio and taking pictures and video.

Conventional metal detectors can find many phones, but walkthrough units are bulky and not portable. Handheld wands are portable, but their range is limited to a few inches so an operator must sweep the detector over the subject’s entire body. Both types will alert to other metal objects.

Most cell phone detectors rely on radio frequency signals to locate devices, but they are ineffective if the phone is powered off or has the wireless antenna disabled. Fortunately, there are tools available to specifically uncover hidden cellular devices, even if they’re not transmitting

Effective Detection Tools

The BVS SentryHound is a portable cell phone detection system that scans subjects as they walk between two posts. It’s very similar to the anti-theft scanners retailers use to prevent shoplifting, but instead of security tags it detects ferromagnetic compounds inside the phone. The posts have a single row of LED lights running their entire length. When the SentryHound finds a device, it sounds an audible alert and illuminates the section of lights closest to the phone. It can also trigger an external device such as a security camera or remote alarm.

The Manta Ray is a handheld cell phone detector that also detects ferromagnetic compounds. Operators can use it to scan handbags, luggage and small parcels without opening them. Buckles and studs will not trigger false alarms.

The SentryHound and Manta Ray are ideal for temporary and permanent “no phone zones.” They allow operators to scan subjects and their possessions quickly and effectively, without labor-intensive searches or compromising the subject’s privacy and dignity.

 

About Us

Berkeley Varitronics Systems (BVS) designs and manufactures innovative, RF analysis and wireless threat detection tools for businesses, and government organizations to manage secure facilities and maintain wireless networks.

LastPass Hacked And Why I Have Never Used It

lastpass

I have always felt the concept of LastPass as well as other password managers makes sense for users that would otherwise create simple ‘easy to remember’ passwords as opposed to long strong complex passwords with a password manager. Surely, having numerous passwords in the cloud encrypted is better than jotted down on a sticky note that resides under your keyboard, right? The reason I personally do not use password managers like LassPass is the distant fear of a major hack. What if my password manager gets hacked and a hacker gets my master password? This would be tantamount to giving a thief the keys to my front door when I am heading off to vacation.

It seems my fears, as well as many other security experts’ fears have come to fruition with the announcement that LastPass was a victim of a targeted attack in which user information was compromised. On Monday, June 15th, LastPass announced through a blog post that hackers had breached their databases and compromised email addresses and password reminders as well as encrypted master passwords. Apparently, they discovered the breach after detecting rather suspicious activity on their network.

What can hackers do with the compromised information?
Unfortunately, there is a percentage of LastPass users that will undoubtedly be the victim of targeted email phishing attacks as a result of this breach. Phishing is an effective, focused attack where the cyber thugs send victims emails with an embedded link that fools users into revealing more data. LastPass users have been informed by LastPass about this breach and they recommend that users update their LastPass master password. Cyber thieves have already keyed in on this and are no doubt, readying focused email phishing attacks that might have a message:  UPDATE your LastPass master password immediately. An unsuspecting LastPass user may click on the attachment and be redirected to a site that looks awfully close to LastPass but is just there to collect more information from naive users. They would be prompted to enter their old master password and then asked to create a new complex strong secure password. Now the cyber hackers have the master password without having to steal it or decrypt it. The unsuspecting users have hand-delivered this information directly to the hacker’s servers.
Even though they did not get all the encrypted individual passwords, the breach could also result in other compromises such as unlocking a user’s email account where you need the email address and password reminder allowing them to gain access to your email and a trove of other valuable private information.
If the hackers are truly advanced there is a chance, although unlikely, that they can hack the encryption to crack the master password. This is extremely difficult, but then again, who would have thought a security company that provides encrypted password protection would ever be hacked in the first place? To make matters worse, this is actually the second breach that LastPass has faced. Four years ago, LastPass also faced a targeted attack.
What can LastPass customers do?
I highly recommend to anyone reading this to change your LastPass master password. Do not use passwords based on any personal information such as your spouse, child, or pet’s name, birthday, address, etc. Also make sure your password is not anything that can be easily obtained from a search or pulled from social media. Your master password should be at least 15 alphanumeric characters and have a mix of numbers, symbols, with both upper and lower case characters. Keep in mind, 80% of ALL security breaches involve stolen and weak passwords.
It is important if you are accessing your LastPass account remotely or from another device to utilize multi-factor authentication. This is an added layer of security that requires a single one time password that is sent to your mobile phone as a text, for example.
At the end of the day we all live in a corrupt world where cyber thieves prey on the innocent. This breach will certainly be a wake up to many users. I personally use a little black book that is kept under lock and key in a locked safe, in a locked room, in a locked building that is monitored 24/7 with cameras/DVR’s and an alarm. I change my long & strong passwords every three months and am a bit paranoid. I was not always this paranoid until my company was hacked; credit card, debit card, checking account, twitter account, web site, etc. I decided to share my trial and errors in being a victim of repeated hacks and what practical steps people can take to protect themselves.
Look for my upcoming book entitled Hacked Again and in the meantime, subscribe to my 2 Minute Cyber Security Briefing video podcast on on iTunes or Youtube for the latest cybersecurity news and tips.