Blog / USE THE FORCE, LUKE! – New Cyber Security Threat Seems to Conjure Passwords from Thin Air
It should come as no surprise that I am a committed Star Wars fan. I remember watching the first Star Wars movie at a drive-in located in West Edmonton. The sound coming from the tin-cup speaker hung on the window frame was abysmal, but no one cared; in 1977 this was epic! Of course, Star Wars was the proverbial game-changer – and we all knew that Luke could never turn to the Dark Side. George Lucas made us believe there was a chance, but really? No way! Heroes wearing White Helmets (and flight-suits) never succumb to the temptations of the Evil Empire, Clone armies notwithstanding.
Have you ever wondered how Hackers come up with new ideas to trap us into thinking our IT systems have been compromised? Some of this is truly innovative and creative Marketing work; albeit on the Dark Side. These people all wear Black Robes.
A new type of threat is being delivered to Email inboxes this summer, and we received a copy from a Client who was concerned. This new attack had the aggressive-threat-knob turned all the way up to 11.
In the Email, “xwings” (the Sender) purports to know the Recipient’s password. They even tell the Recipient what it is. What made the Client jump was the password: While not exactly correct, it was within 1 letter of being so. That’s an attention-grabber. Xwings goes on to say the Client inadvertently got the virus on their computer, because they downloaded malware from a Porn site they visited. This malware has been gathering keystroke information and that’s how the password was discovered.
But wait, there’s more!:
Apparently, xwings also had access to the Client’s webcam and consequently made a video of the Client surfing this website. Xwings was thorough and copied a list of the Client’s contacts. There is enough quasi-Technical detail in the Email to make it look believable.
Of course, no trip to the Dark Side would be complete, unless it has a threat and a Ransom demand: In this case a promise to expose the Client by sending the naughty video to some of the stolen contacts, unless $7,000 was paid in Bitcoin.
It’s blatant in it’s attack vector, playing on fear, guilt, and embarrassment, in order to force a Ransom payment. What’s more insidious is that unsuspecting Recipients might be reluctant to report this threat, as – notwithstanding their web-surfing habits – the risk of having other (legitimate) confidential information exposed is too great.
But is it real? The answer is NO! We checked the Client’s computer and there was no virus.
Besides the semi-literate – for xwings seems to have the literary skills of an Ewok – Tech Mambo-Jumbo, the only piece of somewhat credible information is the password, which is just close enough to scare someone. So, if it’s not a virus, how did xwings get the password? The answer is fairly simple:
Most people use the same password for several – if not all – of the websites that they frequent (more about this NO-NO later.) When they’re asked – or forced – to change a password, they increment a letter or number in the chain, as it’s easy to remember. I confess to using this technique myself.
Many website databases that have login pages are regularly hacked. Most hacks go unreported and the Website Developers make some changes to plug the leak, and move on. Some of the better sites will alert or force Users to change their passwords. Regardless, it means there are huge lists of account credentials on the Dark Web (yes, really) that are regularly bought and sold. So armed with a User Name & Password list, xwings generates the slimy Email and off they go; their trip to the Dark Side is complete!
And so readers, it’s time to review some basic password Best Practices:
- Passwords should be unique for each login account. At an absolute minimum, have three passwords; LOW, MEDIUM and HIGH Security. Use LOW for common non-critical website logins; treat them as throw-away‘s. If a website account is compromised, you’re not going to be concerned; it’s just inconvenient. Use MEDIUM for accounts that link to online purchases; Amazon, iTunes, eBay, and so on. This should be changed regularly (every 90 days.) Use HIGH for uber-sensitive activities: corporate logins, banking, government business, medical information, and so on. This should be changed every 30 days.
- Passwords should be a minimum of 20 characters in length and mixed case. I like to use pass-phrases, mixed with a number and special characters (!MaryHadALittleLamb1); most login passwords require mixed-case, numbers and special characters. However, length is key; longer is always better.
- Passwords should never be closely related. (i.e.: Victoria, BC1, Edmonton, AB2, Regina, SK3, are not a good set of passwords.)
- Change passwords on a schedule of YOUR choosing, not the website’s. Every 30 days is a very good practice; every 60 or 90 days is acceptable. Set a reminder in your calendar.
- Use a reputable Password Management utility to help manage and track passwords. The utility should store the information in an encrypted format. Guard the MASTER account password with your life. I use KeePass; it’s free and interfaces with common web browsers (i.e.: Chrome, Firefox, Internet Explorer), so the passwords are automatically entered when I hit a web login page.
- DO NOT allow your web browsers to store passwords for you. These are easily hacked if your computer is compromised by a virus. Of course, password sticky notes pasted to monitors, text and spreadsheet files on the desktop, and notebooks hidden in your desk drawer, are also big NO-NO’s.
There is more – much more – when it comes to Password Management, but if you can improve your habits using these 6 recommendations, you can pat yourself on the back.
Or you can Use the Fooorce to manage your passwords, but only if your name is Luke.
If you would like more information about password and Cyber Security Best Practices to help keep your IT stress-free, please contact me or your Account Manager.