CyberheistNews Vol 13 #03 [Eye Opener] Password Managers Can Be Hacked Lots of Ways and Yes, You Should Still Use Them

Cyberheist News

CyberheistNews Vol 13 #03  |   January 17th, 2023

[Eye Opener] Password Managers Can Be Hacked Lots of Ways and Yes, You Should Still Use ThemStu Sjouwerman SACP

By Roger A. Grimes.

The recent hack (at least 7th) of the LastPass password manager has lots of people wondering if they should use a password manager. Password managers can be hacked lots of different ways and I'll cover many of them in this posting. And knowing this, you should still use a password manager.

Why You Should Use a Password Manager

The average person without a password manager has less than 10 passwords (or password patterns) that they use on over 170 unrelated sites and services. And most of those passwords are fairly weak by today's password recommendation standards.

In a given year, hackers will compromise one or more of the web sites a user belongs to (the user and site is often unaware of the compromise), and so attackers will learn one or more of a user's passwords over time. Those passwords (or password patterns) can be used by hackers to more easily compromise the user on other web sites and services.

For example, a hacker compromises the web site a victim uses to get advice on raising monkeys as a pet or buying NFTs and that same shared password is used to compromise the employee's Amazon, bank and work accounts.

This detailed post continues covering the following topics, click below:

  • Password Manager Hacks
  • Local Hacking Attacks
  • Remote Attacks
  • Vendor or Remote Storage Attacks

The TL;DR Conclusion

Yes, password managers can be hacked. Yes, password managers can be a single point of failure. But the risks they mitigate (i.e., weak passwords reused across multiple unrelated sites and services) far outweigh the risks incurred if you don't use a password manager. If you are worried about your password manager vendor's cloud-based solution being compromised, use a password manager that doesn't store your passwords anywhere else but on the devices where they are used.

Just because password managers can be hacked doesn't mean they shouldn't be used.

If you're interested in learning more details about password managers and attacks against them consider watching my webinar, "The Good, The Bad, and the Truth About Password Managers." I'll be covering password manager features, hacks against password managers, and how to best use a password manager to get the best defense.

[CONTINUED] Blog post with links:

The Good, the Bad and the Truth About Password Managers

We strongly recommend that you use a password manager to reduce password reuse and improve complexity, but you may be wondering if it's really worth the risk. Is it safe to store all of your passwords in one place? Can cybercriminals hack them? Are password managers a single point of failure?

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, for this new webinar where he'll walk you through these questions and more. He'll also share a new password manager hacking demo from Kevin Mitnick, KnowBe4's Chief Hacking Officer, that will reveal the real risks of weak passwords.

In this session you'll learn:

  • What your password policy should be
  • Features you should be looking for in a password management tool
  • The real risks password managers pose
  • How hackers can exploit password manager weaknesses
  • Why password management is key to building a strong security culture

Date/Time: TOMORROW, Wednesday, January 18, @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterwards.

Register Now!

21% Of Federal Agency Passwords Cracked in Their Security Audit

Some excellent work here. An internal U.S. government agency audit showed that a fifth of passwords were easy to crack. Their recently published study showed that hashes for well over 80,000 AD accounts included passwords like Password1234, Password1234!, and ChangeItN0w!

The results weren't encouraging; 288 of the affected accounts had elevated privileges, and 362 of them belonged to senior government employees.

The audit uncovered another security weakness—the failure to consistently implement multi-factor authentication (MFA). The failure extended to 25—or 89%—of 28 high-value assets (HVAs), which, when breached, have the potential to severely impact agency operations. "It is likely that if a well-resourced attacker were to capture Department AD password hashes, the attacker would have achieved a success rate similar to ours in cracking the hashes," the final inspection report stated.

Like I said above, this is excellent work. It shows the need for a password policy adapted to real life which does not necessarily means you need to change them every 90 days, because that gives an incentive to create weak passwords. Much better to create a longer passphrase that you can keep for an extended period of time and use that for your password manager.

You can now check for your weak passwords at no cost. Find out here [VIDEO]:

[New PhishER Feature] Turn the Tables on the Cybercriminals with PhishFlip

Cybercriminals are always coming up with new, devious phishing techniques to trick your users. PhishFlip is a new PhishER feature that allows you to respond in real time and turn the tables on these threat actors. With PhishFlip, you can now immediately "flip" a dangerous attack into an instant real-world training opportunity for your users.

Your users are likely already reporting potentially dangerous emails in some fashion within your organization. You can now combine your existing PhishRIP email quarantine capability with the new PhishFlip feature that automatically replaces active phishing threats with a new defanged look-alike back into your users' mailbox.

The new PhishFlip feature is included in PhishER—yes you read that right, no extra cost— so now you can turn the tables on these threat actors and flip targeted phishing attacks into a simulated phishing test for all users. This new feature dramatically reduces data breach risk and the burden on your IT and InfoSec teams.

See how you can best manage your user-reported messages.

Join us Wednesday, January 25, @ 2:00 PM (ET) for a live 30-minute demo of PhishER, the #1 Leader in the G2 Grid Report for SOAR Software.

With PhishER you can:

  • NEW! Automatically flip active phishing attacks into safe simulated phishing campaigns with PhishFlip. You can even replace active phishing emails with safe look-alikes in your user's inbox.
  • Easily search, find, and remove email threats with PhishRIP, PhishER's email quarantine feature for Microsoft 365 and Google Workspace
  • Cut through your Incident Response inbox noise and respond to the most dangerous threats more quickly
  • Automate message prioritization by rules you set into one of three categories: Clean, Spam or Threat
  • Easy integration with KnowBe4's email add-in button, Phish Alert, or forwarding to a mailbox works too!

Find out how adding PhishER can be a huge time-saver for your Incident Response team!

Date/Time: Wednesday, January 25 @ 2:00 PM (ET)

Save My Spot!

[Heads Up] Phishing Attacks Are Now the Top Vector for Ransomware Delivery

Phishing attacks are now the top vector for ransomware delivery, according to researchers at Digital Defense. Phishing emails can be highly tailored to specific employees in order to trick them into downloading malicious files.

"Phishing emails are easy to send and lure the unsuspecting victim in with minimal awareness of an attack," the researchers state.

"The carefully crafted device of a social engineering scheme, the emails are customized to specific targets and appear to be from legitimate, even familiar, senders.

"Faced with unmanageable email volumes, even many once-careful users fail to scrutinize incoming mail and note small changes that would otherwise be suspicious red flags. Once the victim opens an email from their 'bank' or 'internet service provider' and confirms a few account details – or even just clicks into the malicious fake site – the payload detonates and the work of stealing and/or encrypting sensitive data begins. Once this work is completed, users are locked out and a ransom note appears."

Full blog post with links:

Check Out the KB4-CON 2023 Agenda - Available Now!

Exciting news! We just released our full conference agenda for KB4-CON 2023, happening April 24-26 in Orlando, Florida. We've brought back some of your favorite sessions and have some new and exciting topics and speakers.

You'll hear from:

  • Dmitri Alperovitch - Founder and former CTO of Crowdstrike will show how he's used cybersecurity to elevate the conversation and create long term strategies with executives
  • Dr. Bilyana Lilly - Amazon bestselling author who will dive deep into how Russia uses cyberwarfare to destabilize the West
  • Rachel Wilson - Managing Director and Head of Cybersecurity for Morgan Stanley Wealth Management who'll give you actionable insights to prepare for and respond to the latest risks in the current cyber risk environment
  • Plus, crowd favorite and highest rated speaker in 2022 - Roger A. Grimes - back this year on the mainstage to show how to use better risk and data analytics to craft a data-driven defense

Our platform experts will also dive deep into security awareness training best practices, product tips and tricks, and even show how real organizations use KnowBe4 to strengthen their security culture.

View the full agenda here:

Conference admission is only $99, plus travel and hotel. There are a limited number of tickets, so register early to secure your spot!

Save My Spot:

[Ache In the Head] The Problems With Your Not-So-Secure Email Gateway

I have been doing some research on secure email gateways (SEG). The picture is not that pretty. I wrote a blog post that summarizes what I found. But to start with, just for fun, I asked ChatGPT what it "thought" of the SEG problem. This was the prompt: "Describe the issues of secure email gateways not catching malware and phishing attacks in 300 words."

You can read here what ChatGPT replied with. This is the unedited, quite interesting, answer. Also you will find the five points that are the results of my research:

Let's stay safe out there.

Warm Regards,

Stu Sjouwerman, SACP
Founder and CEO
KnowBe4, Inc.

PS: [COOL NEW STUFF] KMSAT Quarterly Product Update (December 2022):

PPS: [BUDGET AMMO] I was interviewed by BankInfo Security. Send this link to your C-level exec together with your budget approval request:

Quotes of the Week  
"In 100 or 200 years, everything will look radically different. Folks will look back and be blown away by how we used energy today. They'll say, 'Wait, you just burned it?'"
- Melissa Lott, Director of Research at Columbia's Center on Global Energy Policy

"When people talk, listen completely. Most people never listen."
- Ernest Hemingway - Writer (1899 - 1961)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog

Security News

[KILLER PODCAST] How Bill Browder Became Vladimir Putin's No. 1 Enemy

The history of How Bill Browder became Vladimir Putin's No. 1 enemy by James O'Brien. Armed with a true-life story cut straight from a bestselling thriller, listen as Bill grippingly recounts his tale from Red Notice in an extraordinary interview, which sees him placed on Interpol's most-wanted list, exposing crime, corruption and conspiracy at the highest levels of the Kremlin, and rededicating his life to find justice for his friend and lawyer Sergei Magnitsky, killed at the hands of the Russian government.

There's also the small matter of a missing $230 million... Buckle in.

[DID YOU KNOW?] There's A Brand-New Powerful New Feature in KMSAT Diamond Level

Last month our Product Team released the PasswordIQ feature for KMSAT Diamond.

PasswordIQ was inspired by the KnowBe4 password tools that IT pros use to check their Active Directory to see if their users are using shared, weak, or compromised passwords.

PasswordIQ can now continuously monitor your org for any detected password vulnerabilities in the Active Directory. It checks to see if users are currently using passwords that are shared, weak, or show up in publicly available data breaches.

PasswordIQ combines multiple password tools into one easy-to-use system that organizes this data on an intuitive dashboard within your KnowBe4 console. With PasswordIQ, administrators can establish a baseline of password issues and better manage the ongoing problem of password risk across users.

PasswordIQ is included—at no charge—with your full Diamond level subscription. More info, including a video at our support site:

Government Workers as Phishing Targets

Government workers are prime targets for social engineering attacks, according to Kaitlyn Levinson at GCN. Attackers use different tactics to target government employees in specific roles. Levinson quotes Rita Reynolds, Chief Information Officer for the National Association of Counties, as saying that customer-facing county employees might be more likely to assume that requests are legitimate, since they deal with so many people each day.

"Hackers prey upon the customer service aspect of county employees," Reynolds said. "That desire to be prompt and successful in filling the request can oftentimes result in a county employee maybe not paying closer attention to the authenticity of the email."

Reynolds added that county agencies should implement security best practices outlined by the Cybersecurity and Infrastructure Security Agency (CISA).

[CONTINUED] with links:

"Nuclear" Phishing in the Service of Russian Espionage

Reuters describes a cyberespionage campaign carried out by the little-known threat group researchers track as "Cold River." The group is circumstantially but convincingly linked to Russian intelligence services (possibly the FSB, although that's unclear) through its Russophone operations and the location of at least one of its personnel in the northern city of Syktyvkar, capital of the Komi region.

The effort involved attempted social engineering of U.S. nuclear researchers at the Department of Energy's Brookhaven, Argonne, and Lawrence Livermore National Laboratories. The campaign peaked in August and September, as Russian President Putin's nuclear threats reached their peak. It's unknown whether the campaign enjoyed any success: Reuters says that both the Department of Energy and the FSB declined to comment. The report says:

"Cold River, which first appeared on the radar of intelligence professionals after targeting Britain's foreign office in 2016, has been involved in dozens of other high-profile hacking incidents in recent years, according to interviews with nine cybersecurity firms. Reuters traced email accounts used in its hacking operations between 2015 and 2020 to an IT worker in the Russian city of Syktyvkar.

"'This is one of the most important hacking groups you've never heard of,' said Adam Meyers, senior vice president of intelligence at U.S. cybersecurity firm CrowdStrike. "'They are involved in directly supporting Kremlin information operations.'"

[CONTINUED] with links:

What KnowBe4 Customers Say

"I wanted to say THANK YOU from our cybersecurity team! We came to you with the list of requirements and you totally saved us from missing the deadline to get our annual training deployed. The only reason why I promised management that I could get this training out before end of year is because I have worked with Knowbe4 support before and I know the quality of customer support is top notch.

"You totally kept my faith in Knowbe4 by helping me get this training launched. I absolutely could not have done it without you. Thank you for delivering genuine, personal, and effective customer support in an era where everyone else has moved toward ineffective, automated, impersonal models."

- E.T., Admin

The 10 Interesting News Items This Week
  1. [EPIC FAIL] Researchers Could Track the GPS Location of All of California's New Digital License Plates:

  2. Moldova's government hit by flood of Russian phishing attacks:

  3. Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots:

  4. Pro-Ukraine hackers leak Russian data in hopes someone will make sense of it:

  5. After ChatGPT and DALL·E, meet VALL-E - the text-to-speech AI that mimics anyone's voice from a 3-second snippet:

  6. UK's Guardian Tells Workers Their Data Was Compromised in Ransomware Hack:

  7. US House Reps introduce bill to fund research into cybersecurity and energy infrastructure:

  8. New York state adds $35 million to 2023 cybersecurity budget as attacks soar:

  9. Russian Hackers Attempt to Bypass OpenAI's Restrictions for Malicious Use of ChatGPT:

  10. 'Dark Pink' hackers target state and military organizations in Asia, Europe:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Topics: Cybercrime, KnowBe4

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews