Pardon the Intrusion #31: Stop using “123456” as your password

Posted on November 20, 2020 by admin


Welcome to the latest edition of Pardon The Intrusion, TNW’s bi-weekly newsletter in which we explore the wild world of security.

And the yearly ritual continues.

The list of worst passwords for 2020 is here, and it’s every bit as awful as you would expect.

According to an analysis of 275,699,516 passwords by NordPass, a password manager service from the makers of NordVPN, it’s becoming amply clear that a lot of people are still banking on simple, easy-to-guess passwords despite the constant threat of data breaches and other security threats.

Coming in at number one is “123456,” and it was used 2,543,285 times. Ouch!

“123456789,” “picture1,” “password,” and “12345678” round out the remaining top four spots, with “picture1” being the lone new entrant, one that would take about three hours to crack using a brute-force attack.

But a password that combines letters and numbers is still weak as long as it can be deciphered.

“Your weak password can be used for credential stuffing attacks, where the breached logins are used to gain unauthorized access to user accounts,” says Chad Hammond, security expert at NordPass.

“If you fall victim to a credential stuffing attack, you might lose your Facebook or another important account with all its content. Also, your email address could be used for phishing attacks or for scamming your family and friends, who may very well fall for it, as the email will supposedly be coming from you.”

I get it. Remembering unique, strong passwords for a gazillion online accounts isn’t easy, especially this year with the shift to remote work.

In a separate study published by NordPass last month, an average user was revealed to have around 100 passwords, up 25% from last year. That’s a lot to keep track of!

So what can be done to beef up your security? Use a password manager and turn on two-factor authentication wherever possible. At the same time, don’t make the same mistake I did by not noting down the backup codes.

What’s trending in security?

US President Trump fired the director of the Cybersecurity and Infrastructure Security Agency, Bumble and Cisco fixed critical bugs, and Zoom agreed to enhance its security policies after falsely claiming its video calls were protected by end-to-end encryption.

  • US President Donald Trump fired Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA), for calling the recent November 3rd elections “the most secure in American history.” [Twitter]
  • Back in September, a German hospital patient died in what was alleged to be the first case of a ransomware attack directly responsible for a death. But investigation into the “negligent homicide” case has now revealed the patient’s health condition was so poor “the delay was of no relevance to the final outcome.” [WIRED]
  • Twitter hired legendary hacker and L0pht collective member Peiter “Mudge” Zatko as its security chief. [Reuters]
  • Muslim Pro, a popular Muslim prayer and Quran app with over 98 million downloads, said it will no longer share granular location data with X-Mode, a company that sells that data to defense contractors and the US military. [Vice]

  • The US Justice Department (DoJ) seized $1 billion in Bitcoin from an anonymous hacker by the name of “Individual X,” who stole it from the Silk Road dark web marketplace before it was shut down by the FBI in 2013. [DoJ]
  • Certificate Authority Let’s Encrypt has warned that phones running Android versions prior to 7.1.1 Nougat won’t trust its root certificate starting in 2021, locking them out of many secure websites. [TNW]
  • Security flaws in the Bumble dating app exposed 95 million users’ info, including some people’s Facebook data. Worse, it took the company over six months to address the issue after it was notified in March. [Forbes]
  • Cisco fixed a bug in its Webex conferencing app that could have allowed unauthenticated remote attackers to join ongoing meetings as “ghost” participants and spy on potentially sensitive company secrets. [IBM]
  • Zoom agreed to enhance its security policies as part of a proposed settlement with the US Federal Trade Commission (FTC), after the company was accused of falsely claiming its video calls were protected by end-to-end encryption. [FTC]

  • Ransomware gangs have blogs where they publish data stolen from companies that refuse to make an extortion payment. Now, a crime group has started using hacked Facebook accounts to run ads publicly pressuring their ransomware victims into paying up. [Krebs on Security]
  • Criminal gangs that offer ransomware-as-a-service (RaaS), aka renting ransomware to other groups, have grown so popular that there are currently around 25 RaaS offerings being advertised on the underground hacking scene. [Intel 471]
  • The European Parliament announced new rules for exporting surveillance technologies, such as spyware, outside of the EU. The intention is to limit authoritarian regimes from secretly getting their hands on European cyber-surveillance tools. [CyberScoop]
  • A hacking group that researchers believe is working for Vietnam’s government ran almost twenty fake websites and several Facebook pages in an attempt to gather information on visitors and infect some of them with malware. [Volexity]
  • The last fortnight in data breaches, leaks and ransomware: Americold, Big Basket, Brazil’s Superior Court of Justice, Campari, Capcom, Cencosud, Coil, Compal, Managed.com, Miltenyi Biotec, The North Face, and Vertafore.

Data Point

Healthcare systems, educational institutions, and private sector firms are fighting a steady stream of hackers, who are locking critical systems and threatening to publish sensitive information if their demands are not met.

Now, according to the Sophos 2021 threat report, several ransomware operators have taken up extortion as a side-hustle. What’s more, entry-level cybercriminals with access to ransomware-as-a-service (RaaS) type tools are set to become a more dangerous threat.


Over the past quarter, the average ransom payout has risen by 21%, a figure the firm said can be skewed by just one or two very large ransom attacks. The average ransom payout for Q3 2020 is about $233,817.30 (payable in cryptocurrency). A year ago, the average payout was $84,116.

That’s it. See you all in two weeks. Stay safe!

Ravie x TNW (ravie[at]thenextweb[dot]com)
