World Password Day advice, GoDaddy hosting accounts hacked and WordPress sites under attack.
Welcome to Cyber Security Today. It’s Wednesday May 6th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Tomorrow is World Password Day, so follow safe password practices and don’t help criminals steal data. How bad are your habits? Here are a few things to think about. According to a survey by security firm SecureAuth, 21 per cent of respondents admit they use the same password at work as they do for their personal email. Twenty per cent use the same password at work on their social media accounts. Fourteen per cent use their work password to also access their bank accounts online. Fifteen per cent of respondents said they share their work email password with their spouses or partners — which probably violates their employers’ security rules.
And I haven’t even gotten to people who use unsafe passwords, like the word ‘Password’ or the day of the week. Or use the same password for everything and just modify it by adding a different number for each site, like ‘Password,’ ‘Password2’ … Crooks love weak passwords because they’re easy to guess. They compile huge lists of weak and stolen passwords and use automation to break into email and bank accounts.
Bil Harmer, CISO and chief security evangelist of SecureAuth, told me that, where you can, using biometrics like fingerprints and face scans for logins is safer than passwords. Unfortunately some people are afraid of handing fingerprints and face images to Google, Apple or Microsoft. Don’t be: these days biometrics are stored on the device, not sent to those companies. Still, he admits, passwords will be needed for a while as backup authentication.
So here’s what you should do: Create passphrases for each login. They’re easier to remember. Passphrases can be linked to something like your initials: If your initials are ELC, a passphrase can be “ElephantsLikeCadillacs.” Just make sure some letters are capitalized, and throw in a number. You’ll still have lots of passphrases, so use a password manager to keep track of them. And, as I keep repeating, enable two-factor authentication on applications where it’s offered.
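Here is an added example, not from the episode or from SecureAuth, that turns that advice into a check you can run against your own logins: it flags passphrases that miss the rules above, uses a constructed denylist for the weak words mentioned earlier, and catches the ‘Password1, Password2’ trick by stripping trailing digits before comparing the secrets in a hypothetical vault.

```python
from __future__ import annotations
import re

# Constructed denylist covering the weak choices named above: the word
# "Password" and the days of the week. Matching is case-insensitive.
WEAK_WORDS = {"password", "monday", "tuesday", "wednesday", "thursday",
              "friday", "saturday", "sunday"}

def base_form(secret: str) -> str:
    """Strip trailing digits and fold case, so 'Password', 'Password2' and
    'password17' all collapse to the same base word."""
    return re.sub(r"\d+$", "", secret).casefold()

def check_passphrase(secret: str, min_len: int = 16) -> list[str]:
    """List the ways a candidate falls short of the advice above (empty = passes)."""
    problems = []
    if len(secret) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Z]", secret):
        problems.append("no capital letters")
    if not re.search(r"\d", secret):
        problems.append("no digit")
    if base_form(secret) in WEAK_WORDS:
        problems.append("dictionary-weak base word")
    return problems

def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts whose secrets share a base form: exact reuse (work email
    same as bank) and the 'Password1 / Password2' per-site variant trick."""
    groups: dict[str, list[str]] = {}
    for account, secret in vault.items():
        groups.setdefault(base_form(secret), []).append(account)
    return {base: accts for base, accts in groups.items() if len(accts) > 1}

# Constructed sample vault (hypothetical account names and secrets).
SAMPLE_VAULT = {
    "work-email": "Password1",
    "personal-email": "Password2",
    "bank": "Password",
    "social": "ElephantsLikeCadillacs7",
}

if __name__ == "__main__":
    for account, secret in SAMPLE_VAULT.items():
        print(account, check_passphrase(secret) or "ok")
    print("reused across accounts:", find_reuse(SAMPLE_VAULT))
```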
As for companies, it’s vital they enable two-factor authentication for logins as soon as possible to stop hackers from using stolen passwords to get inside.
Speaking of hacking, website giant GoDaddy is notifying customers that an attacker got hold of some usernames and passwords to their hosting accounts. The break-in happened last October, but GoDaddy only discovered it two weeks ago. Only hosting accounts were affected, not information stored in customer accounts. But hosting accounts can be used by criminals to create phony web sites.
Good news: Police in Poland and Switzerland just broke up a hacker group called InfinityBlack that has been selling hundreds of millions of stolen usernames and passwords and doing other nasty things. The Europol police co-operative said five people in Switzerland were arrested and two online marketplaces were shut down. This gang — which included minors and young adults — specialized in stealing loyalty card credentials and selling them to other gangs, who used the points to buy electronic devices.
Bad news: Another poorly protected company database has been found. This one was owned by the adult live streaming website CAM4. According to the news site Bleeping Computer, the Irish parent company of the site immediately secured the database after security researchers alerted it. But who knows how many people found and copied the data before access was closed. The database included billions of records of information including user names, sexual orientation, emails and private conversations. Data from adult sites could be used for blackmail and extortion attacks.
Finally, WordPress website administrators are being warned to make sure their sites and plugins have the latest security updates installed. That’s after a security firm called Wordfence said it is seeing a sudden increase in attacks on nearly 1 million WordPress sites. The attacker is trying to insert malicious code into sites. Over the weekend more than 20 million attacks were attempted against more than half a million sites. Some of the vulnerable plugins targeted had been patched several years ago. In addition to updating your plugins, delete any plugins that are no longer supported.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.