Security experts at Black Hat Asia 2021 discuss phishing schemes and passwords on World Password Day.
Black Hat Asia 2021 was an all-virtual event this year due to coronavirus restrictions. This year’s event coincided with World Password Day on May 6. While that day is typically reserved for promoting safer password practices, security experts at the event provided a sobering perspective on cybersecurity, including on complex password requirements. The bottom line is that we are making it increasingly difficult for people to make good security decisions.
Security experts Ken Munro (Pen Test Partners), Troy Hunt (Have I Been Pwned), Hunt’s daughter and Vangelis Stykas (a colleague of Munro) ran through a scenario highlighting how easy it is to hack into an IoT device. Munro, Hunt and his daughter simulated changing the reported geolocation of a child from tennis practice to the middle of the ocean. It is a parent’s worst nightmare: thinking they know where their child is, only to have the child appear to teleport somewhere else. The trio exploited an insecure direct object reference (IDOR) vulnerability in the device, the class of flaw in which an API acts on a client-supplied identifier without checking that the caller is authorized for that object.
On top of this, Stykas exploited an API flaw in the TicTocTrack kids’ watch. He was able to make a voice call through the device with no interaction needed from the user. He then compromised other accounts by changing an identifier parameter. The patch addressing this actually introduced an even nastier regression bug.
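The two attacks above share one root cause: the server trusts a client-supplied object identifier and never checks ownership. The following is an added illustration, not code from the talk and not the code of any real tracker vendor; the device records, user IDs and coordinates are constructed, and the endpoint names are hypothetical. It shows a location-update handler with the IDOR beside a hardened version that authorizes against the server-side session identity before touching the object.

```python
# Added example (not from the Black Hat talk or any real product):
# an insecure direct object reference (IDOR) in a hypothetical child-tracker
# API, shown as the vulnerable handler beside its hardened form.
# All data below is constructed for illustration.

from dataclasses import dataclass


@dataclass
class Device:
    device_id: int
    owner_id: int
    lat: float
    lon: float


# Constructed "database": two parents (user 1 and user 2), one tracker each.
DEVICES = {
    1001: Device(1001, owner_id=1, lat=51.50, lon=-0.12),   # user 1's child at tennis
    1002: Device(1002, owner_id=2, lat=48.85, lon=2.35),    # user 2's child
}


class NotAuthorized(Exception):
    pass


def update_location_vulnerable(session_user_id, device_id, lat, lon):
    """Vulnerable: uses whatever device_id the client sent and never asks
    whether the logged-in user owns that device. Any authenticated user
    can move any child's dot on the map just by changing the identifier."""
    device = DEVICES[device_id]
    device.lat, device.lon = lat, lon
    return device


def update_location_hardened(session_user_id, device_id, lat, lon):
    """Hardened: look the object up, then check ownership against the
    server-side session identity before mutating it. A missing device and
    a foreign device are rejected the same way, so an attacker cannot use
    the error to enumerate which identifiers exist."""
    device = DEVICES.get(device_id)
    if device is None or device.owner_id != session_user_id:
        raise NotAuthorized(f"device {device_id} is not accessible to user {session_user_id}")
    device.lat, device.lon = lat, lon
    return device


def demo():
    """Attacker is user 2; victim's tracker is 1001. The new coordinates
    are in the middle of the Atlantic. Returns (position after the
    vulnerable call, whether the hardened call was blocked, final position)."""
    update_location_vulnerable(2, 1001, 30.0, -40.0)
    moved = (DEVICES[1001].lat, DEVICES[1001].lon)

    # Reset the record and try the same request against the hardened handler.
    DEVICES[1001].lat, DEVICES[1001].lon = 51.50, -0.12
    try:
        update_location_hardened(2, 1001, 30.0, -40.0)
        blocked = False
    except NotAuthorized:
        blocked = True
    return moved, blocked, (DEVICES[1001].lat, DEVICES[1001].lon)


if __name__ == "__main__":
    print(demo())
```

The important line is the ownership comparison: the identity comes from the session the server established, never from the request body, and the object lookup and the authorization check happen before any write.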
There are two major contributing factors to the ease with which threat actors gain access to our devices. The first is phishing, which is fast becoming a very big problem. Even legitimate emails from companies can look like phishing emails, which makes it difficult for users to know which links are safe to click and which are not. This is what threat actors rely on, and right now it is working. Since threat actors are not going to change something that works, it is incredibly important for businesses to do everything they can to distinguish their own messages from those of would-be attackers.
The other side of the phishing problem lies with manufacturers. It is not just that someone clicked a bad link; it is that the device they clicked it on has a known vulnerability that has not been patched, and the user has no way of knowing that. To be fair, sometimes the user simply has not applied an update that is available, which is often the case in businesses.
The second way threat actors gain access to our devices and information is through bad passwords. We have talked about this for a long time: passwords matter, and a password manager is the best way to keep track of all of your account credentials. A manager lets you give every account its own password, which stops password recycling; reuse is a problem because once one account is compromised, every other account sharing that password is exposed as well (the basis of credential stuffing).
Again, there is another aspect to this problem: password criteria. Humans are not built to generate and remember random strings; we need some connection to a password in order to recall it. So when stringent requirements are imposed, such as periodic password changes with minimum lengths, mixed case, numbers and symbols, we fall back on things we know and remember. The problem is that a threat actor can use publicly available information (for example, a social media profile) to guess such a password. Fortunately, many companies are adopting multi-factor authentication to make account takeover more difficult. Bonus: you can still use a password manager alongside 2FA.
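The point about password criteria can be made concrete. The following is an added example, not code from the talk or from Have I Been Pwned: it contrasts a classic composition-rule policy with a policy based on length plus a check against known-breached passwords. The breach list is constructed here, and the lookup is shaped like the k-anonymity scheme of the Pwned Passwords API (SHA-1 the password, query by the first five hex characters, compare the remaining 35 locally) but runs entirely offline against a local table rather than calling the real service.

```python
# Added example, not from the talk or from Have I Been Pwned. It shows why
# composition rules ("8+ chars, upper, lower, digit, symbol") admit exactly
# the memorable, guessable passwords people fall back on, and how a
# length-plus-breach-list policy catches them instead.

import hashlib
import re
from collections import defaultdict

# Constructed sample of breached passwords: season+year+symbol, a pet name,
# keyboard walks. Every one of them satisfies typical composition rules.
BREACHED = ["Welcome2021!!", "Summer2021!", "Password1!", "Fluffy123!", "Qwerty!23"]


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index keyed by 5-hex-char prefix -> set of 35-hex-char suffixes, the same
# shape as a Pwned Passwords "range" response, built from the constructed list.
RANGE_INDEX = defaultdict(set)
for _pw in BREACHED:
    _h = sha1_upper(_pw)
    RANGE_INDEX[_h[:5]].add(_h[5:])


def is_breached(password):
    """k-anonymity style lookup: only the 5-char prefix would ever leave the
    client; the suffix comparison happens locally."""
    h = sha1_upper(password)
    return h[5:] in RANGE_INDEX.get(h[:5], set())


def passes_composition_rules(password):
    """The classic policy: at least 8 chars with upper, lower, digit, symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def passes_length_and_breach_policy(password, min_len=12):
    """Minimum length plus a breach-list check and no composition rules,
    the direction NIST SP 800-63B takes."""
    return len(password) >= min_len and not is_breached(password)


def compare(password):
    """Evaluate one candidate under both policies."""
    return {
        "composition": passes_composition_rules(password),
        "length_and_breach": passes_length_and_breach_policy(password),
    }


if __name__ == "__main__":
    for candidate in ["Welcome2021!!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(candidate, compare(candidate))
```

"Welcome2021!!" sails through the composition rules and is rejected only by the breach check; a long passphrase with no digits or capitals fails the composition rules yet is the stronger choice, and the breach check is what the password-manager-plus-2FA advice above is protecting against in the first place.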
The biggest problem with cybersecurity today is that as things move into the digital realm, we mistakenly believe we are more secure and that we understand it all better. In reality we just add insecurity, because no one teaches us how to be secure online. Most people assume someone else is handling it, or that it does not apply to them. This is exactly why businesses need to put a bigger focus on cybersecurity training for employees. When they know how to be secure at work, they learn to be more secure at home and are less likely to bring a threat actor into the office via an infected device.
Businesses are fast-tracking digital transformation; they are not just going paperless, everything is becoming data-driven and virtual. Criminals will always exist in the physical world, and there is no reason to think they will not always be in the digital world as well. We do everything we can to protect our homes, our brick-and-mortar buildings, the tangible things that mean something to us. Only when we start to treat digitization with the same respect and the same attention to security will we see improvements.