Passwords So Good You Can’t Help But Reuse Them

We’ve just fallen in love with our passwords we just want to use them again and again and again. Unfortunately, some companies more interested in security aren’t letting us do that. We discuss on the latest episode of CISO/Security Vendor Relationship Podcast.

This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions and Mike Johnson. Our guest this week is William Gregorian (@WillGregorian), CISO, Addepar.

Thanks to this week’s podcast sponsor CyberInt

The high ROI is what makes spear phishing campaigns so attractive to threat actors. Read our breakdown of TA505’s latest series of attacks. CyberInt has been tracking various activities surrounding this and other similar attacks where legit means were used to hack international companies in the retail & financial industries.

Got feedback? Join the conversation on LinkedIn.

On this week’s episode

How CISOs are digesting the latest security news

Chris Castaldo of 2U and a former guest on the show posted this great story of TripAdvisor invalidating user credentials if a member’s email and password were found in publicly leaked data breach databases. Is this a great or bad move by TripAdvisor?

Ask a CISO

On LinkedIn, Chad Loder, CEO, Habitu8 posted an issue about the easy deployment and ubiquity of cloud applications. He argues it’s no longer Shadow IT. It’s just IT. And securing these cloud tools you don’t manage nor know about requires a lot of education. Is Shadow IT inevitable. Should we lose the name? And is education the primary means of securing these services?

It’s time to play, “What’s Worse?!”

One of the toughest rounds of “What’s Worse?!” we’ve ever had.

Close your eyes. Breathe in. It’s time for a little security philosophy.

Mike posed a “What’s Worse?!” scenario to the LinkedIn community and got a flurry of response. The question was “Would you rather have amazing, quality cybersecurity incident response in 24 hours or spotty, unreliable response in one hour?” I wanted to know what was Mike’s initial response and did anyone say anything in the comments to make him change his mind?

For quite a while, IT security experts have been touting the value of two factor authentication (2FA) as a better way to keep data safe than simply using passwords alone. We have even spoken about it here. In its most popular form, 2FA sends a confirmation code to your phone, which you must then enter into the appropriate log-in confirmation window within a short amount of time. This is like having a second key to the safe, like many bank vaults used to have.

But security is a never-ending horserace, and it probably comes as no surprise to most that even 2FA is not invincible, and that hackers can indeed bypass it and have made this ability public knowledge. A presentation to the Hack in the Box Security Conference held in Amsterdam in May 2019, featured a video showing how two pieces of software work to bring the two authentication keys together, thus destroying its integrity.

In one instance, a tool called Muraena does the phishing work, intercepting an unsuspecting person’s browser-clicks and setting up the form for the 2FA code to be entered. Then, a second tool, called Necrobrowser tracks the accounts of thousands of people, and finds the right phone numbers to send the authorization code to.

Though there are other, more sophisticated ways to defeat Two Factor Authentication, security experts say this Muraena/Necrobrowser combination makes it easier for low-level hackers to get in on the action. This spreads the crimewave to the more numerous, lazier criminal population.

Two Factor Authentication is still a much better way of protecting access to websites than passwords alone, but certain companies already in the know, like Google, insist that employees carry a physical USB key as their second factor.

Check out lots more cloud security tips sponsored by OpenVPN, provider of next-gen secure and scalable communication software. OpenVPN Access Server keeps your company’s data safe with end-to-end encryption, secure remote access, and extension for your centralized UTM.

It’s time to measure the risk

Chelsea Musante of Akamai asks, “What would you say to someone who thinks their risk for credential abuse / account takeover has decreased because they’ve implemented MFA (multi-factor authentication)?”