CyberheistNews Vol 12 #24 [Heads Up] What About the Risks of Your Password Manager?



Cyberheist News

CyberheistNews Vol 12 #24  |   June 14th, 2022

[Heads Up] What About the Risks of Your Password Manager?Stu Sjouwerman SACP

In KnowBe4's new Password Policy eBook, "What Your Password Policy Should Be," we recommend that all users use a password manager to create and use perfectly random passwords. A perfectly random 12-character or longer password is impervious to all known password guessing and cracking attacks.

A human-created password has to be 20 characters or longer to get the same protection. Humans do not like creating or using very long (and sometimes also complex) passwords, so we recommend using a trusted password manager program instead.

A common question is if password managers are worth the risk of using them.

The answer, in our opinion, is yes. We believe that the increase in risks a person will get from using a password manager is offset by all the advantages, which decrease and thoroughly offset the risks from the disadvantages.

Let's look at the risks and advantages of using a password manager. They can be summed up as first the disadvantages:

  • User must obtain and install password manager
  • User must learn how to use password manager
  • It may take a user longer to create or input a password using a password manager (but not always true)
  • Subject to attacks
  • Password managers do not work with all programs or devices
  • If access to the password manager cannot be done (e.g., corruption, lost login access, etc.), the user loses all access to all login information contained therein at once
  • If attacker compromises the password manager, the attacker can possibly access and obtain all of the user’s passwords (and sites they belong to) at once

It is the last issue that presents the biggest risk in most concerned user’s minds -- single point of failure.

Next, the advantages:

  • Creates and allows the use of perfectly random passwords
  • Creates and allows the far easier use of different passwords for every site and service
  • Can be used to prevent password phishing
  • Can be used to simulate some MFA solutions so users do not need separate MFA programs or tokens
  • Can be shared among devices so passwords are where the user needs to use them
  • Passwords can be more easily and securely backed up
  • All passwords may be protected by MFA login requirement to password manager
  • May warn user of compromised passwords that the user was not otherwise aware of
  • Will warn user of identical passwords used between different sites and services
  • Can be shared with trusted person(s) in times of need, when original user is temporarily or permanently incapacitated or unavailable

It is a very real risk that someone's password manager could get compromised, and from that compromise, all of the user's passwords to all stored sites and services are stolen very quickly at once. That is a huge risk that must be measured and weighed by the admins or users who are using password managers.

CONTINUED at the KnowBe4 blog, with a form to download the new Password Policy eBook:
https://blog.knowbe4.com/what-about-password-manager-risks

Understanding the Threat of NFT and Cryptocurrency Cyber Attacks and How to Defend Against Them

A growing number of organizations worldwide are utilizing cryptocurrency for a host of investment, operational and transactional purposes. Seemingly overnight, technologies like non-fungible tokens (NFTs) emerged and just as quickly, cybercriminals learned how to capitalize on organizations' naivete for their own benefit.

Are you still not sure about the ins and outs of NFTs and cryptocurrencies? Should your organization even care? The answer is YES, and we are here to help you make sense of it all. Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, as he shares what you need to know to defend yourself in this new age of Web 3.0.

Roger will cover:

  • The business impact of NFTs and cryptocurrencies: What are they and why should you care
  • The various and increasingly popular attacks against NFT and cryptocurrencies
  • How you can best defend yourself and your organization from becoming the victim of an attack
  • The projected future of NFTs and cryptocurrencies

Stay up-to-date on the latest technologies and their hidden threats! Plus, earn CPE for attending this event.

Date/Time: TOMORROW, Wednesday, June 15 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3808653/26F4784C86D918E01E028B0029CCD40D?partnerref=CHN3

[CISA ALERT] Karakurt Ransomware Now Calls Your Business Contacts and Threatens Them

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its partners have issued a joint alert on Karakurt, a data theft extortion group that harasses victims' employees, customers and business partners in order to pressure the victim to pay up.

"Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data," the alert says. "Karakurt actors have contacted victims' employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate.

"The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients. Upon payment of ransoms, Karakurt actors have provided some form of proof of deletion of files and, occasionally, a brief statement explaining how the initial intrusion occurred."

Unlike many similar gangs, Karakurt doesn't encrypt the stolen data after stealing them, and instead relies solely on threatening to damage the organization and its customers and partners by publishing the data online.

Continued at the KnowBe4 blog:
https://blog.knowbe4.com/karakurt-adds-irritating-phone-calls-to-its-crimes

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, June 22 @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox.
  • Easily search, find and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, June 22 @ 2:00 PM (ET)

Save My Spot!
https://event.on24.com/wcc/r/3714077/D13A6A36D4029E581EDBAB8547533245?partnerref=CHN

[BUDGET AMMO] WSJ: "The Biggest Mistakes Companies Make With Cybersecurity—and How to Avoid Them"

There is a fantastic article in the Wall Street Journal that finally covers some of the biggest cybersecurity mistakes that KnowBe4 has talked about these last 10 years. Here is a short excerpt and then a link to the full article that I strongly recommend you send to your C-level exec who own the InfoSec budget.

"Every manager knows it by now: Cyberattacks are frequent and dangerous. You need tough defenses to stay safe. Every manager knows it. But they still get things wrong with cybersecurity. All the time.

"In our research at the Massachusetts Institute of Technology's Sloan School of Management, we study how managers should build organizations that are resilient to cyber threats, and have found a number of concepts that managers routinely get wrong, leading to wasted resources, poor decisions—and potentially catastrophic cyber vulnerabilities.

"Much of the problem, we believe, comes from managers seeing security as simply a matter of buying the right software, or tightening defenses, instead of taking steps to make safety a top priority for the whole company and strengthening the business so that it can withstand attacks and bounce back strongly.

Here’s a look at six of those mistakes—and how to avoid them:

  1. Focusing on tech instead of employees

CONTINUED AT:
https://www.wsj.com/articles/company-mistakes-cybersecurity-11654279659

By the way, the WSJ just published a podcast series that tells the story of a Russian hacker who won big by committing cybercrime and the U.S. officials who eventually caught him. Very interesting:
https://www.wsj.com/articles/introducing-hack-me-if-you-can-a-new-podcast-series-11654892516

[Free Tool]: Is Your Organization Ready for a SOC 2 Compliance Audit? Find Out Now!

You already have challenging compliance requirements and having enough time to get your audits done is a continuous problem.

According to the most recent ACA Compliance Group Report, "Key Trends and Forces Shaping Risk and Compliance Management," 44% of firms are being asked to show proof that security controls are in place to protect customer data in the cloud.

The Statement on Standards for Attestation Engagements no. 18 Trust Services Criteria (SSAE18) framework is designed to help you do just that. Often, organizations use this framework to obtain a System and Organization Controls 2 (SOC 2) certification.

If you're trying to wrap your head around how to best meet compliance requirements for the SSAE18, you likely have a lot of questions. You want answers and need guidance on how to best meet the requirements to get your organization ready for an audit - fast.

Find out your organization's audit readiness now!

KnowBe4's new Compliance Audit Readiness Assessment (CARA) is a free tool that helps you gauge your organization's readiness in meeting compliance requirements for the SSAE18 framework. The assessment guides you through a subset of specific Control Components of the SSAE18 requirements to help you identify areas within your current environment that may need attention.

CARA asks you to rate your readiness for each requirement and then provides an analysis of your results. It also provides guidance to help you create and implement controls to help get your organization ready for a SOC 2 compliance audit.

Here’s how CARA works:

  • You will receive a custom link to take your assessment
  • Rate your organization's readiness for each requirement as Met, Partially Met, or Not Met
  • Get an instant analysis and summary of potential gaps in your cybersecurity preparedness
  • Receive a personalized report with control guidance suggestions to help you meet compliance
  • Results in just a few minutes!

Take your first step towards understanding your organization's readiness for a SOC 2 compliance audit now.
https://info.knowbe4.com/soc2-compliance-audit-readiness-assessment-chn

[New APWG Report] Phishing Attacks Reach an All-Time High, More Than Tripling Attacks in Early 2022

Reaching more than 1 million attacks in a single quarter for the first time, new data on phishing attacks in Q1 of 2022 show an emphasis on impersonation and credential theft.

The Anti-Phishing Working Group (APWG) collects data from a range of security vendors to provide the industry with insight into the current state of phishing attacks. It's latest quarterly report for Q1 2022 shows some "firsts" we've not experienced before in the explosive growth in phishing attacks. According to the report, in Q1 of this year:

  • The number of phishing attacks rose by 15% to over 1 million (1,025,968 total phishing attacks) for the first time
  • The number of unique phishing email subjects increased 25% to just over 53K, possibly indicating a greater focus on spear phishing attacks, tailoring email subjects to get the attention of their victim recipients
  • The number of brands attacked has dipped below the previous record set in September of last year, but has been growing since a massive dip occurred in December, putting brand impersonation on target to surpass last year's number early
  • Impersonation attacks on social media were up 74% from the prior quarter to represent nearly half (47%) of such attacks

CONTINUED at the KnowBe4 blog:
https://blog.knowbe4.com/phishing-attacks-reach-an-all-time-high

AI Trained on 4Chan Becomes 'Hate Speech Machine'

This week, VICE reported something pretty horrible. A guy trained GPT using millions of 4chan posts, and then turned the resulting monstrosity loose and let it post directly to the highly controversial message board.

Yannic Kilcher, an AI researcher and YouTuber, used more than three million recent 4chan threads from /pol/, one of the most horrific portions of the already-notorious site. Kilcher wasn't exactly surprised by the results.

"The model was good in a terrible sense," Kilcher said in a video he uploaded last week. "It perfectly encapsulated the mix of offensiveness, nihilism, trolling, and deep distrust of any information whatsoever that permeates most posts on /pol."

AI researchers said it was an unethical experiment using AI. "This experiment would never pass a human research ethics board."

Here is the VICE article for a good shiver:
https://www.vice.com/en/article/7k8zwx/ai-trained-on-4chan-becomes-hate-speech-machine


Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: THIS IS SCARY GOOD. Check out this incredibly realistic, real-time deepfake technology showing Simon Cowell!:
https://www.flixxy.com/amazing-deep-fake-technology-americas-got-talent.htm?utm_source=4

PPS: Excellent review of the must read Security Culture Playbook on Goodreads:
https://www.goodreads.com/review/show/4747487754

Quotes of the Week  
"The only real failure in life is not to be true to the best one knows."
- Buddha - Philosopher (563 - 483 BC)

"The important thing is not to stop questioning. Curiosity has its own reason for existing."
- Albert Einstein - Physicist (1879 - 1955)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-12-24-heads-up-what-about-the-risks-of-your-password-manager

Security News

Old Dog, New Trick: Hackers Use Logons in URLs to Bypass Email Scanners

A new phishing method uses a decades-old special URL format to take advantage of how security solutions and email clients interpret URLs, tricking victims into clicking.

It's called the HTTP Authorization header and it's been around since 1999 as part of RFC 2616 which defined HTTP version 1.1. It specifies that an HTTP web request can contain a username and password in a URL just before the fully-qualified domain name. For example:

https://username:password@notarealdomainname.ext

Everything after the double forward slash and before the "@" is interpreted as authentication credentials. A new phishing method spotted by security researchers at Perception Point found that scammers were taking advantage of the "@," placing it in what would be perceived as the "middle" of a valid URL, only to trick email clients and scanning solutions into interpreting the URL as being benign, when it was anything but.

Take the idea of tricking a user into thinking they were going to be taken to the following URL:

http://www[.]office[.]com[/]login

But the URL actually reads:

http://www[.]office[.]com[/]login@maliciousdomain[.]com

More details and links at the KnowBe4 blog:
https://blog.knowbe4.com/hackers-use-logons-in-urls-to-bypass-email-scanners

FTC Warns that Scammers are Turning to Cryptocurrencies

The U.S. Federal Trade Commission (FTC) has warned that people have reported losing over $1 billion in crypto to scams since the beginning of 2021. The vast majority of these losses were due to investment scams, in which people are tricked into buying cryptocurrency with the promise of a large return.

Notably, younger people (aged 20 to 49) are more than three times as likely to fall for cryptocurrency scams than older people. When older people do fall for these scams, however, they tend to lose more money.

"Of the reported crypto fraud losses that began on social media, most are investment scams," the FTC says. "Indeed, since 2021, $575 million of all crypto fraud losses reported to the FTC were about bogus investment opportunities, far more than any other fraud type. The stories people share about these scams describe a perfect storm: false promises of easy money paired with people’s limited crypto understanding and experience.

"Investment scammers claim they can quickly and easily get huge returns for investors. But those crypto 'investments' go straight to a scammer's wallet. People report that investment websites and apps let them track the growth of their crypto, but it's all fake.

"Some people report making a small 'test' withdrawal – just enough to convince them it's safe to go all in. When they really try to cash out, they're told to send more crypto for (fake) fees, and they don't get any of their money back."

The FTC offers the following tips to help people recognize cryptocurrency scams:

  • Only scammers will guarantee profits or big returns. No cryptocurrency investment is ever guaranteed to make money, let alone big money.
  • Nobody legit will require you to buy cryptocurrency. Not to sort out a problem, not to protect your money. That's a scam.
  • Never mix online dating and investment advice. If a new love interest wants to show you how to invest in crypto, or asks you to send them crypto, that’s a scam.

New-school security awareness training can enable your employees to avoid falling for scams and other social engineering attacks. The FTC has the story:
https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2022/06/reports-show-scammers-cashing-crypto-craze

What KnowBe4 Customers Say

"Good morning, we are now a week into our company-wide use of the PAB, (Phishing Alert Button) and we have since run several phishing campaigns. It has turned out to be a game changer, and our boss is literally being stopped in the hall by employees providing positive feedback.

"Major move forward in our efforts here, and so far it has been implemented without any major issues. Happy Friday!"

- W.J., Analyst, Information Protection

The 10 Interesting News Items This Week
  1. From RSA: Phishing attacks will use powerful text generation, say machine-learning engineers:
    https://www.scmagazine.com/analysis/rsac/phishing-attacks-will-use-powerful-text-generation-say-machine-learning-engineers

  2. From RSA - Bruce Schneier: "Why AIs Will Become Hackers":
    https://www.darkreading.com/dr-tech/why-ais-will-become-hackers

  3. The U.S.-Russia conflict is heating up — in cyberspace:
    https://www.washingtonpost.com/opinions/2022/06/07/us-russia-conflict-is-heating-up-cyberspace/?

  4. NSA, CISA, and FBI Expose China State-Sponsored Exploitation of Network Providers, Devices:
    https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3055748/nsa-cisa-and-fbi-expose-prc-state-sponsored-exploitation-of-network-providers-d/

  5. How the Russia-Ukraine war makes ransomware payments harder:
    https://www.csoonline.com/article/3663032/how-the-russia-ukraine-war-makes-ransomware-payments-harder.html

  6. [VIDEO] Create your hyperreal avatar using advanced AI and use it anywhere:
    https://everyany.one/

  7. DOJ, FBI shut down marketplace for stolen Social Security numbers:
    https://therecord.media/doj-fbi-shut-down-marketplace-for-stolen-social-security-numbers/

  8. Exclusive: Pro-Russia group 'Cyber Spetsnaz' is attacking NATO government agencies:
    https://securityaffairs.co/wordpress/131967/hacking/exclusive-pro-russia-cyber-spetsnaz-is-attacking-government-agencies.html

  9. Massive Facebook Messenger phishing operation generates millions:
    https://www.bleepingcomputer.com/news/security/massive-facebook-messenger-phishing-operation-generates-millions/

  10. CISA exec: Lack of ransomware incident reporting is crippling defense efforts:
    https://therecord.media/cisa-exec-lack-of-ransomware-incident-reporting-is-crippling-defense-efforts/

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe To Our Blog


Anti-Phishing Guide ebook




Get the latest about social engineering

Subscribe to CyberheistNews