The first one was a doozy. A guy from Nigeria (actually from Nigeria, but he was no prince) created a ransomware scheme where he tried to recruit disgruntled employees to deploy ransomware from INSIDE corporate networks for a cut of the ransom! He was a student who wanted to create his own social media company but had no money and no job, thus no resources to start the operation.
So why not kickstart the money through a crime spree!
He's been arrested by Nigerian authorities. Another problem with having no money is the inability to pay off cops to avoid arrest.
Now, here's the really funny bit. Brian Krebs, former Washington Post reporter, who now solely writes about cybercrime and computer security, wrote about this guy when he launched his scheme. His identity wasn't known at that point. Krebs' web site is Krebsonsecurity.com. This scammer accused him of defaming his operation calling him Mister Krebson. :-) I thought that was hilarious! Guy clearly didn't do his homework on the people investigating him. He apparently wasn't difficult to take down.
https://krebsonsecurity.com/2021/11/arrest-in-ransom-your-employer-email-scheme/
The second story is quite good, but I just have to ask: WHY THE [BLEEP BLANKETY-BLANK] DIDN'T YOU IDIOTS DO THIS TWENTY YEARS AGO? I knew default passwords were a bad idea then, why are you just now coming around to this idea?!!!
The UK Parliament is passing an act that will require most, not all, devices that connect to the internet to not have weak/embedded passwords. Basically, when you get a device (WiFi router, web cam, thermostat, whatever) you MUST change the password on it and it cannot be reset to a factory default password.
Why?
Aside from the fact that it's a stupid and easily-prevented security hole, a British internet provider sent out thousands of WiFi routers with the same simple password, trusting that the users would change it when they set it up. Yeah, right. So rectal haberdashers went around, using these free WiFi hotspots (once you knew what the password was and how to find hotspots where the SSID is not broadcast) to download child porn, leading to a lot of innocent people being raided by the police because their router was insecure.
From the article:
The Product Security and Telecommunications Infrastructure Bill lays out three new rules:
-easy-to-guess default passwords preloaded on devices are banned. All products now need unique passwords that cannot be reset to factory default
-customers must be told when they buy a device the minimum time it will receive vital security updates and patches. If a product doesn't get either, that must also be disclosed
-security researchers will be given a public point of contact to point out flaws and bugs
That last item will be a pain to implement, even though it's something that has been clamored for in the security community for ages. There's no standard for that, so the implementation is going to be very uneven if it's not codified AND regularly updated! I've seen stories on Krebs and Schneier.com where security researchers have found proof, not just evidence, that a company's network has been compromised, but they haven't been able to reach anyone in the company's IT department to report it!
The act has specific exemptions for certain types of devices. Still, progress!
https://www.bbc.com/news/technology-59400762
I do some computer installation work for a couple of very small companies in my area, people who are too intimidated to replace their own router. And that's fine, I'm happy to help them, and I make a few bucks on the side. I give them a strong password, it's written down for them, and I record the password in a protected file on my phone so when I'm working with them again later, I've got records in my pocket.
For the iPhone, I use a program called mSecure. I think it cost me $5-10 to buy, it has very strong encryption. If it's not available for the Android universe, I'm sure there's something similar.
no subject
Date: 2021-11-26 06:37 pm (UTC)
no subject
Date: 2021-11-26 08:14 pm (UTC)
A lot of people will think it's a PITB to set and remember admin access password. I can understand that. And they may not have a friend/nephew who is sufficiently computer literate to set it up for them. It's really a shame that there aren't more "I'll set up your WiFi router securely for you for $50" kiosks. Takes you all of 20 minutes from scratch, maybe a bit over half an hour if you update the BIOS and set up a guest account or do things like configure it for custom DNS or VPN. Add more $$$ for the latter services. Could be a good retirement business to do out of your house, come to think of it....
no subject
Date: 2021-11-27 02:17 am (UTC)
Whatever is old is new again. We have a Christmas catalog which is selling a password-storage notebook. You know, dead tree style.
At this point, I think it's likely that the security flaws in writing your pws down are probably still less than the flaws in using "password" or "12345" as your passwords everywhere.
no subject
Date: 2021-11-27 05:55 am (UTC)
A friend of mine in another state who does similar consulting that I do had a client a few years back who had a printed sheet next to his computer setup, easily accessed, covered in passwords next to his computer. Everything was there. And I mean EVERYTHING. He told me that one of the problems was that they didn’t understand what some of the computer-related passwords were, which required resetting some of them so that they could subsequently be labeled.
I recently saw an article that said that if a password wasn’t short and easily hacked, criminals weren’t going after longer passwords. So it looks like most cyber crooks are largely going after the low-hanging fruit, possibly pursuing the Top 50 or 100 of the most common password lists. I use a three-tier design for my passwords. The first tier is trivial and used for web sites that have zero monetary value: no financial transaction will ever take place there, no payment to or thru the site, or the site is a one-shot use and will never ever be used again. Second tier is the site has moderate value: will be used again, somewhat important, but no financial information will be stored or passed through it. Gets a fairly strong password. Third tier will have a credit card stored on it. Gets an extremely strong password, but not one of these system-generated ones since I need to remember what method was used to generate said password and I could use the site/password on up to six, possibly more, devices. Only the first tier password will be reused since it doesn’t matter if it gets compromised.
The annoying thing is getting “FRAUD ALERTS!” from various sources saying my primary email address has been compromised! OH NOES! But since they don’t tell me the site that it was associated with when it was compromised, I have no way of evaluating whether or not I need to change any passwords tied to it! Stupid alert is of absolutely no value to me without that information. Even if they gave me the last four characters of the password, I could discern the rest.