The Saga of Joe Public, A Social Media and Email Tragedy

This is a story about Joe. Joe could be any one of us. During the day he is a nose-to-the-grindstone, focused, and hardworking employee. After work, however, he is careless and free, enjoying all that social media has to offer: posting photos, catching up with friends, reading the links his friends on social media post, and yes, he does enjoy the occasional cat video. He is active on his email account too.

Unfortunately, Joe is not really keen on cybersecurity hygiene. He clicks on any link he gets via email or social media without checking the URL first. He makes his life easy by using the same password for all his different accounts. Two-factor authentication is too much work and why would he need it anyway. Nobody would hack a regular guy. Since he is so friendly, his social media account is open to the public, so everyone knows everything about him. What he had for his birthday dinner last night; where he was born; his mother’s maiden name; and even the name of his first pet. 

Although Joe seems to be the life of the party when it comes to social media, Joe was not ready for the party crasher. After work, as Joe was ready to relax and catch up on some email, he discovered he could not login – password failed. That’s strange. He had not changed the password to his email account. Ever. So, he decided to check his Facebook account to see if anyone else was having trouble with their email provider. And what do you think happened to his Facebook account? He was locked out of Facebook too. As he sat back to ponder what was happening, a friend from high school called. His friend asked why he was sending out emails pretending to be a Nigerian prince looking for money? He also noticed that Joe started posting advertisements on social media for the Pink Princess Palace. That’s when Joe figured out that he had been hacked! How could this have happened to him?

The hacker could have come in from many different attack vectors. After checking the website, https://haveibeenpwned, Joe noticed that his username and password were compromised in 17 different breaches. Since he used the same username and password for every site, it was easy for the hacker to take over his email and social media. Also, the hacker could have just used Joe’s username combined with all the information on Joe’s Facebook profile to answer the typical “security” questions many web applications use for password resets. 

What does Joe do now to get back into his accounts and secure them? First, he should get in touch with his email and social media providers to let them know what happened to regain access to the account. This could even involve sending Facebook a copy of his Driver’s License to prove his identity. He will need to change his password to a nice long pass phrase – 16+ characters. He will also need to change his password on all his other accounts because the password has been compromised. Next, he should set up two factor authentication for all email and social media; and any other account he doesn’t want breached (like his bank and investment accounts). Two-factor authentication involves having the web service send a text with a one-time code. Even better, Joe would use a third-party application like Duo or Microsoft Authenticator. 

To do this on your Facebook account for example, you need to login to your account. Click the arrow icon in the top-right corner and select “Settings & Privacy” and click “Settings.” In the left-hand navigation bar, choose “Security and Login.” Scroll down to the “Two-Factor Authentication” section and click “Edit” next to “Use two-factor authentication.” Follow the instructions from there based on the way you choose to receive your notifications. All email and social media apps have this option. 

Now that Joe has so many usernames and passwords to remember, he decided to use a password manager to help him out so that he only needs to remember one long password. He downloaded Bitwarden to his computer and added the Bitwarden extension to all his browsers so that he has his secure passwords wherever he goes. 

Joe is so excited about securing his email and social media that he tells his brother, John Q, and the rest of his friends so that they don’t have to go through similar torture. Joe has since become the lead blogger for the Cybersecurity Evangelist.

This article was originally published in the Sierra Vista Herald and can be found here.

The Saga of the Stolen Stingray

Protect It: I imagine one day I’ll own a 1970 Corvette Stingray. It will have its own garage. I’ll lock the garage doors when I’m not using it to make sure it’s safe. I’ll put an alarm on the building—to be sure. And I WON’T leave the keys in it!

Hijacked: A few months ago, my mother-in-law told me her email “broke.” For a few days, she hadn’t received any emails in her Outlook Client. So, I took a peek at her Cox webmail. I found a message stating the account was locked, due to suspicious activity. After a couple hours with tech support, we were able to get in. We found the account had been sending hundreds of spam emails every day. A criminal had hijacked her mail.

Recently I read a blog post in Dentaltown from a dentist victimized like this. His email account had become an unwitting offender. How did this happen to them? Will it happen to you? How can you prevent it?

Credential Stuffing: These email accounts fell victim to what we call a “credential stuffing attack.” It’s often performed by software known as “bots.” See, websites should be storing your username/password pairs (AKA “credentials”) in an encrypted database, but they often don’t. It’s like storing a 1970 Corvette Stingray in your garage (keys in the switch), and then leaving the door wide open. You’d never do that, but websites do—all the time!

Darkweb Dump: Criminals break into those websites and scoop out your credentials. Then, those same criminals dump your credentials on the darkweb. Other crooks snag these breached credentials from darkweb, Amazon-like sites. They then code their bots with lists of credentials, including yours. Finally, the bot logs into your email account.

Picture this:  You use your Gmail address as the username to log into scrapbook.com. Then, you use the same password for scrapbook.com that you use for your Gmail account. A criminal breaks into scrapbook.com. If the database isn’t encrypted (the doors were left open), the thieves steal your credentials. In essence, the criminal drove away in your beloved Stingray! It happened because you used the same key for every door you own: Your house, your Stingray garage, your business office, your mailbox…  You get my point? Worst of all, you left a copy of the key taped to the front door of your house, right in plain sight.

Unique Passwords: We often recommend in these articles that you make sure and use unique passwords for the bucketload of websites you log into. Certain sites are more critical, for example, your email account, as well as your bank account and other accounts containing your financial information. Use a password manager like Bitwarden. If you use a long, unique passphrase, instead of a short password,  and you use a different passphrase for each site you visit, then you reduce the chance of becoming a credential stuffing victim.

Passwords Are Like Dental Floss

Flossing is Hard: Passwords are the dental floss of the internet. They take precious time to use, everyone hates them, they cause mild discomfort, and the consequence of negligence could spell doom. Not immediate doom. But eventual in inevitable doom. Oh and by the way, China knows your password! Your favorite one. The really complex one you made up 6 years ago that combines your sister’s phone number, your son’s birthday, and the exclamation point at the end. They also know your other favorite one. “Sweetie”.

Password Strength: Last week I gave you a tripwire you could use to foil a ransomware attacker with a strong password.  Continuing the theme, this week we discuss the importance of password hygiene.  Password hygiene involves the strength, uniqueness, and practices of passwords.

The Longer the Better: Compare password hygiene to dental floss hygiene – make them long, change frequently, and don’t share. When it comes to length, longer = stronger. In fact, length is more important than complexity.  So instead of using a complex array of gibberish letters, numbers and symbols, the best practice is to create a passphrase.  A passphrase is a list of unrelated common words. It is easier to for you to remember and harder for a computer to crack. In this example from www.xkcd.com/936/ , the password Tr0ub4dor&3 is difficult to remember but can be cracked in 3 days.  However, if we tie four common unrelated words together like “correct horse battery staple”, it would take 550 years to crack.

Don’t Re-use Your Floss: You may question, “If I create one strong passphrase, I could use it for all my accounts and I’ll be safe?” Well, not exactly.  That’s where the second part of “treat-passwords-like-dental-floss” comes in. Don’t share. Today, you have so many accounts with passwords to remember.  You have your email, company login, bank, investment, social media, gaming … the list goes on.  Major breaches like LinkedIn and DropBox have exposed your username (typically your email address) and password.  The information from these breaches eventually ends up on the Dark Web available for any cyber-criminal to peruse. To see if your email address is on the Dark Web, you can check it at www.haveibeenpwned.com.   A trusted advisor can offer Dark Web checks for your business domains. 

Try It Everywhere: When the hacker acquires your credentials, they will test them against popular websites hoping you reused the password. Maybe you have a Wells Fargo, or Merrill Lynch account with the same username and password. If they succeed, the consequences could be disastrous.

Password Managers: You may want to reconsider letting your browser manage your passwords. The saved password feature of browsers is great for ease of use for you – and a cyber-criminal.  These passwords are stored in clear text in the browser can easily be stolen.  

Consider the Consequences: Since there are so many long passwords to remember, using a Password Manager can ease your password woes.  A Password Manager can create, encrypt, store, and autofill your passwords for multiple accounts and make it harder for hackers to get them.  Password managers can also protect you from Some recommend free managers are:  Apple Key Chain,  Bitwarden and KeePass.  You may hate to floss. You may hate password hygiene. But until there is something better, consider the consequences.