I currently have 181 passwords in my password manager. Sadly, that's not even all of the passwords I keep as I have some systems and equipment that don't require stringent security so they don't get entered into the Bitwarden application. I maintain one Windows computer where the password is simply "Q". Passwords for my virtual machines use a common alphanumeric scheme based on the operating system so I always know the password based on the machine. All in all, I probably maintain at least 200 passwords.
My password numbers may be a bit excessive as most people don’t have multiple sock-puppet accounts or feel the need to register their name with every new email service. A 2020 study conducted by NordPass found the average Internet user maintains one hundred passwords. And that's the problem.
Passwords are inherently insecure. While some users take password security seriously, most choose weak passwords for their logins out of habit. We value quick access and convenience more than security. We want to reach our resources with the least amount of friction possible. Our need for passwords that are easy to use and remember translates into simple passwords and password reuse: for most people, one password unlocks many sites.
According to the 2021 Verizon Data Breach Investigations Report, 81% of all data breaches resulted from a compromised password. Advanced computing power has made cracking weak passwords extremely easy, and sophisticated phishing campaigns have become more refined and more difficult to identify.
A 2020 survey conducted by Security.org found that 76% of persons between the ages of 25 and 40 years old recycle their passwords between multiple accounts. Attacks such as password spraying and credential stuffing rely on this reuse of passwords.
Are we moving beyond the password? The big three of computer technology, Apple, Google, and Microsoft, have announced their agreement to move forward with the reality of a passwordless Internet. The group issued a joint statement announcing they will expand their support of the FIDO infrastructure.
FIDO (Fast Identity Online) is a set of open protocols that eliminate the need for user passwords. Once a user authenticates within the FIDO Alliance framework, they can sign into any FIDO-enabled website or service through biometrics such as a fingerprint, voice, iris scan, or facial recognition. Sites will also have the option to allow authentication with a hardware security token such as an RSA token or a YubiKey.
If this is the first time you are hearing about FIDO, get ready: it's the future. Of course, there are still 100 million computers out there running Windows 7.
Read the statement issued by Apple.
The devil in the details
There are at least 65,000 fake students currently enrolled in the California Junior College System. The students are enrolled by international fraudsters who benefit from near-immediate financial aid and Covid-19 relief payments. It is estimated the fraud is costing the state of California 900 MILLION dollars per semester. Why won’t college officials validate new students and remove the fraudulent enrollments? The devil is in the details: the colleges actually benefit from the fraud. Funding is based on enrollment numbers, so fake students increase enrollment, which equates to increased state funding. Additionally, the schools are afraid that if they acknowledge the fraud they may be required to repay the state.
Sextortion, yes it’s a thing, yes it’s bad
Unfortunately, law enforcement is receiving far too many of these complaints. And that’s only from the young victims who come forward, as many are too ashamed to seek help and suffer in silence. This is a case where looking for love in all the wrong places can cost you dearly. https://www.nbcnews.com/tech/tech-news/sextortionists-are-increasingly-targeting-young-men-money-outcome-can-rcna27281
AML → anti-bribery
I’ve never actually taken any official anti-money laundering training other than what was included in other financial crime courses. I was surprised to read this blog post and find that anti-bribery training isn’t included in most money laundering training sessions. It seems like something that should be covered. The authors of this post make a strong case for it. https://fcpablog.com/2022/05/03/why-anti-bribery-training-should-always-include-an-aml-module/
SEC doubles down on crypto enforcement
While many business and government entities think cryptocurrency is a game, a passing fad at most, the Securities and Exchange Commission obviously feels differently. It has renamed its cyber investigation unit the Crypto Assets and Cyber Unit and plans to double its complement to 50. https://www.sec.gov/news/press-release/2022-78
The Rest
In last week's issue I highlighted the abuse of BNPL (Buy Now Pay Later) services. Right on cue, SFGate reports that delayed payment services are sending young people into crushing debt. https://www.sfgate.com/news/article/influencers-lead-Gen-Z-into-debt-17142294.php
Cloudflare explains how it dealt with one of the largest DDoS attacks ever launched. https://blog.cloudflare.com/15m-rps-ddos-attack/
VMware released its 2022 “Modern Bank Heists Report” detailing modern threats to financial institutions. https://news.vmware.com/security/modern-bank-heists-5-0-the-escalation-from-dwell-to-destruction
Cool Job
Senior Enforcement Officer - FinCEN. https://www.usajobs.gov/job/652916500
Cool Tool
Obfuscate your Google search: http://isearchfrom.com/
Sports scores - without politics, BS, or ads: https://plaintextsports.com/
Irrelevant
Catalytic converter theft is rampant due to the extremely valuable metals inside the devices. Carfax details the most targeted vehicles. https://www.carfax.com/blog/catalytic-converter-theft
Thank you for opening this week's email, and a special note of thanks to those who shared last week's newsletter!
Matt
“You can either build your dream, or help someone build theirs” - says the constant voice inside my head
Bonus super geeky technical read
Mandiant published a rather long and technical write-up on their recent observations of several threat actors investing in bulk email collection from their victims. It’s well worth the read if you're into DFIR or cyber threat intelligence. https://www.mandiant.com/resources/unc3524-eye-spy-email