The Myths of Multifactor Authentication

Hopefully by now, everyone has at least heard of multifactor authentication.  But most people are not using it.  Google says that about 10 percent of GMail customers use it.  Based on our customer base, the adoption level for Office 365 users is higher, but not great.  And the adoption for other software is horrible.

To be clear, there are many different forms of multifactor authentication.  The most common but least secure is a text message sent to your phone, unencrypted, with a one time PIN.

While this is WAY better than just using a password, this can be compromised and has been in many cases.  Almost always, this is a targeted attack on a high value (either money or position) victim.  But not always.

A less common multifactor authentication method is to use an authenticator app on your phone.  That way nothing is transmitted at all, except during the initial setup and stealing your phone number does not allow an attacker to use your multifactor authentication.  They would have to physically steal your phone and it would need to be unlocked.  There are many free authenticator apps including from Microsoft, Google, Facebook and others.

So why aren’t people using multifactor authentication?

  1. Lack of awareness.  Computer folks understand the risk and how to deal with it, the average person does not.
  2. Fear.   People don’t like change, especially in situations where they don’t understand what or why.
  3. I’m not a target.  The reality is that everyone is a target because these hackers send out millions of emails a day.  They have no clue who their victim will be, for the most part.
  4. Only large companies need it/can use it.    Actually, it doesn’t take much.  Consumer services like Amazon, Facebook and GMail all support it.  Almost all banks support it.  There is a small learning curve, but once you get the hang of it, it is simple.
  5. It’s not perfect.   That’s true, but brushing your teeth is not perfect either.  Still, most people brush.
  6. I think the biggest issue is it’s not convenient. To some degree this is true.   But, as I often say when I am interviewed, is having an attacker empty your checking account or retirement account inconvenient?  More inconvenient than taking the extra few seconds to use multifactor authentication?

The good news is that it is not an all or nothing thing.

Start with your bank or brokerage account.

Add email.

Once you get used to it, it is not a big deal and way less inconvenient than having to deal with having all of your personal (AKA nude) photos posted online as many celebs have learned.

As Nike says, JUST DO IT!

Facebooktwitterredditlinkedinmailby feather

Yet Another Hosting Provider Hit By Ransomware Attack

SmarterASP.net, a web hosting provider with over 400,000 customers, was infected by ransomware over the weekend.

They are, at least, the third provider to be hit by such an attack.

Affected user web sites are down and the company’s website was also down.

Customers logging in might see a directory listing that looks like this

The encrypted files have the extension kjhbx, except for the ransom note below:

The company has not returned calls so it is unclear if they paid the ransom or are restoring from backups.

If this is like the previous hosting provider attacks, it will likely take weeks for them to restore all the data – if it all can be restored.

A2Hosting and iNSYNQ are two other hosting providers that were attacked earlier this year.

In 2017 South Korean hosting provider Nayana paid a ransom of over $1 million after they were attacked.

Hackers understand that if they can get a hosting provider to pay, the payday is likely a lot larger than attacking you or me.  As a result, attacks against cloud service providers are likely going to continue.

There is no obvious notice on the company’s homepage of the attack and for good reason – it is not terribly good for business.  They are likely hoping that this disappears off the radar and they can continue signing up customers.  There is a note buried on the support site, here.  It says don’t bother to call us or email us, we are kind of busy right now.

So what does this mean for you?

First of all, check your cloud provider’s contract that you signed – either without reading it or without caring.  It probably says that they will not charge you while your web site is down.  Beyond that, you are likely on your own.  Maybe your contract is different, but I doubt it.

You can try suing them for damages, but in light of the contract, that probably will go no where.

*IF* you have cyber risk insurance WITH  network business interruption coverage, you will probably be able to collect on your policy, but only if you have that coverage.

From some of the earlier attacks, it took the providers *WEEKS* to recover all the data – if they were able to recover it at all.

ARE YOU OKAY WITH YOUR WEB SITE BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH SOME OTHER CLOUD SERVICE PROVIDER THAT IS KEY TO YOUR BUSINESS BEING DOWN FOR A COUPLE OF WEEKS?

ARE YOU OKAY WITH LOSING SOME OR ALL OF YOUR DATA FOREVER?

Assuming the answer to these questions is no, it is up to you to figure out a business continuity plan.  Assuming your data is permanently gone, it is up you to figure out what to do.

We have read stories of some companies going out of business after one of these attacks because customers fled or they lost all of their data.  These are the minority, but it does happen.

Plan for it now because dealing with it after the fact is no fun.

AND, your cloud service provider is likely not liable, other than not charging you for the service that you are not getting.

Information for this post came from ZDNet.

Facebooktwitterredditlinkedinmailby feather

Security News for the Week Ending November 8, 2019

Comcast Testing Encrypted DNS While Lobbing Against It

Encrypted DNS (either DoH or DoT) has become a political hotbutton.  Recently Vice reported that Comcast is spending hundreds of thousands of dollars lobbying against it.  Mozilla is writing to Congress saying that what Comcast is saying is not true and most interestingly, Comcast is testing its own DoT and DoH services.  Apparently, what is important is that they can continue to sell your data and not much else.  Source: Vice

Smart Speakers Can Be Hacked By Laser

Researchers have DEMONSTRATED the ability to talk to your Alexa or Siri by silently pointing a laser at the microphone and modulating the laser so that the microphone thinks you are talking to it.  This will work through a window.  In one test they were able to control an iPad from 33 feet,  In another test, they were able to control a device from over 300 feet away.

The amount of mischief this could potentially cause is large.

The temporary solution is to hide your smart speaker so that no one can point a laser at it from outside your home, for example, and tell it to buy stuff or unlock the door or whatver.  Source: Wired

Facebooktwitterredditlinkedinmailby feather

Is Cyber Risk Insurance a Cure?

Let me cut to the chase – the answer is no.  It is a way to help pay for the damage, but that is about all.

In the article referenced below, the author thoughtfully explains the role of cyber risk insurance –  a post-fail risk offset.

The key word there is fail.

Failing in the sense of failing to avoid the breach in the first place.

The after affects of most breaches is damage control and lawsuits that go on for years.  Some percentage of companies – a small percentage – go out of business after a breach.  Usually there are scapegoats – someone or some people have to be fired.

While cyber risk insurance can help cover the costs of ongoing litigation, it won’t pay for the fact that executives are distracted for years.  Depending on the cost of the litigation, it might not even pay for all of the costs of litigation.  It won’t pay for you to find a new job and it won’t make customers come back to your brand.

Cyber risk insurance is an important tool but just a tool.  Like every other tool, it is important that it is the right tool.  While you can probably bang in a nail with a screwdriver, the results are likely to be sub-optimal.

And, since cyber risk insurance is typically not regulated, it is important that you get a hammer if you need a hammer.  Nothing is worse than making an insurance claim and having the insurance company tell you that it is not covered.  In the case of cyber risk insurance this happens more often than with some other forms of insurance.  This doesn’t mean that cyber risk insurance is useless, it just means that you need to buy from someone who is an expert in the area when you are buying coverage.  My first question of an insurance broker that you are considering using to buy cyber risk insurance is how many cyber risk policies did you write in, say, the last 3 months and what is the total dollar coverage of those policies.  Insurance sales people are commissioned.  If cyber risk insurance represents a small part of their paycheck, you can figure out the rest.  If cyber risk is not their primary focus, they are unlikely to take the time to become experts in the area.  It is a bit of a wild west.  You are pretty much on your own.

All that being said, it is much better to have the coverage in the unfortunate situation that you need it – it is just not a replacement for doing things right.

Most of the time, cyber crime is an opportunistic crime.  Believe it or not, Equifax was not specifically targeted.  But because they had a horrible cybersecurity program, they have spent over a billion dollars recovering from it.

I don’t think they had a billion plus dollars in insurance coverage, so insurance will not make them whole and it is unlikely to make you whole.  It will reduce the pain, but that is not the same time.

So what should you do?

#1 – implement a great cybersecurity and privacy program

#2 – get some cyber risk insurance because stuff happens.

But do it in that order.

Source: Dark Reading

 

Facebooktwitterredditlinkedinmailby feather

Expect Cellular Prices to Go Up; Service to go Down

This is really an informational piece, along with some whining on my part, since there is not much you can do about this.

The FCC today approved the merger between Sprint and T-Mobile, thereby reducing the number of cell carriers from 4 to 3.

The republican members of the FCC said that history not withstanding, this is good for you and me.

Somehow, they think, with less competition, carriers will be more motivated to spend billions of dollars upgrading their networks to support 5G.  They didn’t explain their logic.

It is likely true that the remaining cell phone companies will install some 5G cell towers in super densely populated areas like in the downtown areas of major cities, but beyond that, they have zero motivation to attempt to keep up with countries like China, which already has 10,000 operational 5G cell base stations.

Here is a map of each city where at least one carrier has one 5g cell site.  Colorado’s was in front of Denver City Hall, but the carriers are working on turning on more sites.  Remember that (a) you must  have a 5G capable phone (Apple is rumored to be releasing one mid next year) and (b) be located OUTSIDE within a few hundred yards of that 5G cell site.

5G Coverage

 

For example, taking Denver (cuz I am partial to that), Verizon claims to have at least one cell tower live in 5 areas: Potter Highlands, Highlands, LODO, Central Business District, Capitol Hill and the Denver Tech Center.

Contrary to the FCC’s claims, none of these are rural;  rural customers should expect to see 5G cell sites sometime after never.  After all, I can’t even get broadband Internet and I am  only 20 miles from downtown Denver, but in a sparsely populated area.

Expect the combined T-Mobile/Sprint to fire about 10,000 to 20,000 people (according to Wall Street) as they close redundant stores and merge back office operations.  The union says the number is likely closer to 30,000.  You can’t really blame T-Sprint for doing that.

According to insiders, the FCC actually approved the merger in May, months before the Justice Department said the merger was anti-competitive, but the current administration is more willing to allow the market to do whatever it does.

The FCC did require Sprint to sell it’s prepaid phone business (used by people who don’t enough money to buy a traditional phone plan, hence not very profitable to anyone) to Dish and also to sell Dish some spectrum.  Dish is now planning on getting into the phone business as the satellite TV business continues to decline.  For the moment, since Dish has, well,exactly, zero towers, it is going to buy service from the 3 carriers who do have towers, but within the next 5-10 years, they will build out networks, likely in the same densely populated areas as where the current 5 G build-out is being done.

After all, the deregulation of Ma Bell worked well.  That business is completely in the toilet now and will probably disappear in a few years.

By the way, both Canada and Ireland reduced the number of cell carriers in their countries from 4 to 3 and prices went up for consumers in both cases.  I am sure it will be different here.

Sprint has been trying to merge itself into profitability for years now, but this time, they were smarter.  They hired a number of ex-FCC commissioners to lobby for them and dramatically ramped up their use of Trump’s DC hotel.   Hmmm.  What could possible be wrong with this?

Stay tuned.  This deal is still not completely done as a dozen State Attorneys General have filed suit to block the merger.  Whether the courts say that they have any standing in the matter is to be determined.  Source: Vice

 

Facebooktwitterredditlinkedinmailby feather

What is YOUR Guess of the Losses From Cybercrime? TOO LOW!

How much does cyber crime cost us anyway?  I rant about it all the time, but really, in dollars, what does it cost?  Different researchers give different answers and your mileage may vary, but here are some answers:

  • Cybercrime makes, AT LEAST, $1.5 trillion more than the drug trade
  • Cybercrime would rank as the 13th largest economy in the world based on GDP, just behind Russia and if other estimates are correct, it would be the 5th largest economy,  bigger than the UK, France, Brazil and 180+ other countries
  • Cybercrime is expected to reach $6 trillion by 2021, right behind the US and China.

Assuming you use the Internet, or at least a computer, you are likely part of the $1.5 trillion figure.  Or at least potentially.

The challenge is to get people to take the problem seriously.

A recent example in Denver was the story of a guy in the grocery store who took his eyes off his wallet for a minute (it was, apparently, in his shopping cart).  90 minutes later the crook had run up a $23,000+ bill on the stolen credit cards.  Worse yet, his bank, initially, would not give him back his money.  (After the story aired, including an interview with me,  on the local Fox affiliate, the bank changed its mind and credited his account).

I suspect he has a new appreciation for cybersecurity.

This story is repeated in our world on a daily basis.  After all, the $1.5 trillion loss does not happen to one person (unless he has a really large credit limit).  It happens via millions of small losses.

Rarely, people are targeted, but for the most part there is so much easy money out there that the bad guys don’t have to work very hard.

For example –

  • you do have two factor authentication turned on for your
  •    email?
  •    Bank account?
  •    Retirement account?
  •    Brokerage account?
  •    Amazon (Crooks have figured out how to get Alexa to buy them credit cards.  The technique is pretty cool)?
  • You don’t reuse passwords between sites, do you?
  • Do you use a password manager?

Just doing the simple stuff makes you a much less attractive target.

Source: Cybersecurityventures

 

 

Facebooktwitterredditlinkedinmailby feather