
Cybersecurity news from the NTSC


ChatGPT, Google’s Bard, and other technology engines use artificial intelligence and massive computing power to generate human-like responses to questions. The powerful software can understand context and nuances in languages and then display coherent replies. It has many applications, including chatbots, customer service, and content creation.

 

While this fast-growing type of AI is impressive and improving quickly, responses can sometimes be irrelevant, biased, or inappropriate due to the limitations of machine learning and biases found on the internet.

The above paragraphs were generated by ChatGPT but were edited by a human to convey what we wanted to say. The text was then improved by an AI-based grammar tool.

Cybersecurity Headlines

The cyber company BitSight says one in 12 webcams in the US and Canada are susceptible to being breached, allowing hackers to watch or listen to the user. In some cases, the user didn’t follow installation instructions correctly; in others, the cameras’ software was flawed. Make sure your home router is protected by a password, and do a web search for the most secure webcam brands before buying one.

 

 

By now, it’s clear that breaking news stories bring out phishing emails. With the collapse of Silicon Valley Bank and Signature Bank, Proofpoint says there has been a wave of fake emails using web addresses similar to the banks’ actual URLs. The phishing messages often target executives, accounting and personnel departments, and former bank employees with messages about transferring money and cryptocurrency.

 

 

And here are the most common passwords of 2023: password, admin, welcome, and p@ssword. SpecOpsSoft says…you know the drill…make your passwords long and don’t re-use them. Also, mix in some capital letters and symbols. Almost 20% of passwords use only lowercase letters, which aren’t as safe.  

Password Managers

Readers of this newsletter ask us about password managers more often than any other cybersecurity topic. “Can this kind of software be trusted?” “Which one should I use?” “What happens if my password manager gets hacked?” (LastPass, a popular password manager, did get hacked recently.)

 

In case you’re not familiar, a password manager is software that generates strong, unique login credentials for each of the user’s online accounts and manages them so the user doesn’t have to remember them.

How did the password manager LastPass get hacked?

Read more in the Cyber Q&A section below. 

Click on the image below to download and print a PDF about password managers. 

Answers to readers’ cybersecurity questions

“I use the password manager LastPass. I’m confused and concerned. I read where LastPass got hacked. Some articles say I should cancel my subscription and enroll with another brand of password manager. Do I need to do that?”

Some experts, including Forbes and CNET, recommend you cancel LastPass and move to another brand. Sophos recommends that users read up about what happened and decide for themselves.

 

We’ve had so many readers ask about the LastPass breach that we decided to provide a technical explanation of what happened. If you’re not technically inclined, please skip to the next question!

 

This incident occurred because a hacker logged in to the LastPass Employee's password vault using the Employee’s master password. That required the LastPass Employee to approve a second type of authentication designed to protect the account. LastPass did not reveal what type of authentication was used.

 

Here’s how it all unfolded.

 

  • Years ago - The LastPass Employee created a Plex user account and installed Plex Media Server on his home computer. He did not use MFA on his Plex account and did not update the Plex software, but it remained on his computer.

  • May 2020 - Plex discovers a vulnerability and patches its software. Users are instructed to install the new version, but the LastPass Employee never did.

  • August 2022 - LastPass Incident #1. The LastPass Employee's corporate laptop was breached. The method that the hacker used to gain access to the computer is not known.

  • August 2022 - Plex is breached. Plex sent an email suggesting that everyone change their password.

  • August - October 2022 - LastPass Incident #2. The threat actor logged into the LastPass Employee's Plex account on the web, uploading malicious keylogger code, which got installed on the LastPass Employee's home computer. Keyloggers record everything a user types and transmit it to the hacker.

 

Next, on his home computer, the LastPass Employee logged into his LastPass account using his master password. The keystrokes he typed were sent to the hacker.

 

Next, using the characters recorded by the keylogging software, the threat actor logged into the Employee's LastPass vault. The Employee approved the second-factor authentication prompt.

 

Now, the hacker had access to the company's secrets, including Amazon security certificates and encryption keys — the crown jewels of LastPass’s business, which, by the way, do not require multifactor authentication.

 

This breach could have been prevented if the LastPass Employee had used a “physical security key” to protect his LastPass account. A physical security key is a hardware device that must be attached to a computer to complete the log-on process. Hackers can’t get past that because they don’t have access to the hardware.
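To make the difference concrete, here is a constructed simulation (added for this newsletter; it is not LastPass’s or any vendor’s code) of the two logins described above: a keylogger has captured the master password, and the second factor is either an approval prompt or a hardware key that answers a fresh server challenge. The hardware key is modelled with an HMAC over the challenge as a stand-in for the public-key signature a real FIDO2 key produces; the password, salt and secrets are sample values.

```python
import hashlib
import hmac
import secrets

# Constructed simulation, not LastPass's or any vendor's code. A keylogger
# captures everything the victim types, so a typed master password can be
# replayed. A hardware key answers a fresh server challenge with a secret
# that is never typed, so the keylog alone cannot complete that login.
# HMAC stands in here for the signature a real FIDO2 key would produce.

MASTER_PASSWORD = "correct horse battery staple"        # constructed sample
SALT = b"constructed-salt"
PASSWORD_VERIFIER = hashlib.pbkdf2_hmac("sha256", MASTER_PASSWORD.encode(), SALT, 50_000)
DEVICE_SECRET = secrets.token_bytes(32)   # lives inside the hardware key, never typed
REGISTERED_KEY = DEVICE_SECRET            # copy the server keeps from enrolment

keylog = []   # what the keylogger on the home computer sees


def user_types(text):
    # Everything typed is recorded before it reaches the real login form.
    keylog.append(text)
    return text


def check_password(typed):
    candidate = hashlib.pbkdf2_hmac("sha256", typed.encode(), SALT, 50_000)
    return hmac.compare_digest(candidate, PASSWORD_VERIFIER)


def login_with_prompt_mfa(typed_password, user_approves_prompt):
    # Second factor is an approval prompt: if the user taps "approve",
    # the attacker's replayed password is enough.
    return check_password(typed_password) and user_approves_prompt


def login_with_hardware_key(typed_password, respond):
    # Second factor is challenge-response: respond(challenge) must come
    # from the device holding DEVICE_SECRET, and the challenge is new each time.
    if not check_password(typed_password):
        return False
    challenge = secrets.token_bytes(32)
    expected = hmac.new(REGISTERED_KEY, challenge, "sha256").digest()
    return hmac.compare_digest(respond(challenge), expected)


def genuine_key(challenge):
    return hmac.new(DEVICE_SECRET, challenge, "sha256").digest()


def attacker_from_keylog(challenge):
    # The attacker has only captured keystrokes; DEVICE_SECRET never passed
    # through the keyboard, so no response built from the keylog will match.
    return hmac.new(keylog[-1].encode(), challenge, "sha256").digest()


def simulate():
    stolen = user_types(MASTER_PASSWORD)   # victim logs in at home; keylogger records it
    return {
        "attacker_prompt_mfa": login_with_prompt_mfa(stolen, True),   # victim approved
        "attacker_hardware_key": login_with_hardware_key(stolen, attacker_from_keylog),
        "victim_hardware_key": login_with_hardware_key(MASTER_PASSWORD, genuine_key),
    }
```

With the prompt-based second factor the replayed password plus one approved prompt succeeds; with the hardware key the same keylog fails, while the legitimate device still logs in.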

 

As part of their response, LastPass assisted the Employee “with hardening the security of their home network and personal resources." In summary, the critical path for this high-profile breach ran through a home computer whose software the user never updated.

 

And what about LastPass’s customers? There is no indication at this time that LastPass users’ passwords were stolen. That’s because an essential step of a password manager’s operation happens on each user’s own computer, not on the password manager's servers.

   

-----

 

“On many websites, you can put in a hidden email address, but it must be legitimate. How does this work, and should you do that to protect your primary email account?”

 

You can use these disposable email addresses to keep your personal email address private. Apple’s “Hide My Email” can generate unique, random email addresses that forward to your personal email account. This way, you don’t have to share your real email address when purchasing online, filling out forms, or signing up for newsletters. These “hidden” addresses will help reduce the spam you receive. The most critical steps to protecting your email account are using a long password unique to the account and turning on multifactor authentication if it’s offered.

-----

 

"Do I need to shut down my computer every night?"

No, in most cases, you don’t. Every week or so, it’s a good idea to restart your personal computer so the software can update itself. As the BBC says, when a computer runs software, it loads much of the program into its memory. To prevent technical issues, operating systems usually insist that, when updates are needed, the software be shut down and restarted so the new version can be installed.

 

Remember this critical step at home and work: set your computer so a password must be entered to wake the machine from sleep.

Send us your cybersecurity question
for possible use in a future newsletter.

Cartoon © 2023 CartoonStock | Original content © 2023 Aware Force LLC
