Lastpass Breach: What to Do About It

LastPass Breach What to Do

How to Protect Yourself & Your Wealth from the LastPass Hack 

You may have already heard about the LastPass breach, victimizing one of the leading password management programs, not once, but twice in the past few months. LastPass recently updated information about the two breaches in a letter to users on the LastPass website.

The First LastPass Breach Leads to the Second

In the first LastPass breach, dating back to August of last year, an unidentified threat actor gained access through a compromised developer account and stole portions of source code and proprietary technical information. At that time, LastPass said the breach was limited to its development system, which doesn’t hold personal data, and considered the breach “contained”. I’ve yet to meet the breached organization that, at least early in the cybercrime PR cycle, has actually determined (let alone contained) the extent of the breach.

To compound their troubles, this past December an “unknown threat actor accessed a cloud-based storage environment leveraging the information obtained in August” and was able to use some of the information taken in August to target an employee with much deeper access. This is one more excellent example of how most cyber breaches come down to the human element of cybersecurity. The hackers accessed decryption keys, stole critical backups and accessed somewhere between 10 million and 30 million customer password vaults. Which means that if they manage to crack your master password, they have access to every financial, health, investment and online account stored in your LastPass. I hope for your sake that you and your employees master LastPass passwords are 20+ alpha-numeric-symbol-based strings of characters, which drastically reduces your risk.

Your Risks, Even if Your Master Password is Strong

  1. The cybercriminals may attempt to use brute force attacks, enhanced by artificial intelligence, to guess your master password and decrypt the copies of vault data they took.
  2. More likely, they will target customers with phishing attacks in an attempt to socially engineer your master password out of you.
  3. Finally, since your phone number was also compromised, be on alert for phone calls attempting to gain your master password. LastPass does not know your master password, nor do they (or anyone) need to in order to repair this situation.

Regardless of how strong your master password is, I consider every password in your vault to be compromised. Here are steps I would take to fully protect your online accounts in the wake of the LastPass hack.

Steps to Further Protect Your LastPass Vault & Logins

  • I recommend that you immediately change all of the passwords for your critical accounts, including banking, investment, health, email, etc.
  • It is significant that the URLs of your stored sites were not encrypted, meaning that hackers know where you have accounts. In addition to changing the critical passwords, it is also important to turn on two factor authentication on each account, whether or not it was stored in your password vault. This essentially makes your password unique every minute, making it nearly impossible to crack.
  • Change your master password and make it longer and stronger. When considering a new master password, remember to never reuse the master password for your password manager in any other context, especially online.
  • Make sure that the master password is impossible to guess. For a complex, easy to remember master password, base it on the chorus of your favorite song. For example, if you are a fan of the Eagles, you might choose “Welcome to the Hotel California, such a lovely place (such a lovely place), such a lovely face” which could equal WttHC,$@lp($@lp),s@lf, where you replace all S’s with $ signs and all A’s with @ signs. It’s 21 easy-to-remember characters of security and songwriting brilliance!
  • And whether you’re part of the LastPass breach or not, you should create an account on the hacking alert website Have I Been Pwned? which will send you updates on any breaches affecting you as soon as possible. I use and trust this site to protect your privacy and security.
  • Make sure you understand the risks of storing anything in the cloud. Your data in the cloud is only as secure as the cloud provider itself.

And most importantly, educate your organization and coworkers about the risks posed by the LastPass breach, and at a minimum, forward this article on to them. If a hacker leverages the LastPass breach to penetrate your organizational data, it will be the people, not the technology, that are held to account.

________________________

John Sileo, award-winning author, cybersecurity expert and keynote speaker, has appeared for the Pentagon, Amazon and on shows like 60 Minutes and Anderson Cooper. Contact us for more details on 303.777.3221 or using our contact form.

Election Meddling by Cyber Intrusion Limited by Cybersecurity Experts

Cyber Expert on Election Meddling

Bad day for nation-state election meddling is a good day for voters

Regardless of your political bent, today is a good day for democratic elections. No significant cyberattacks on the U.S. midterm elections materialized. Cybersecurity experts, government officials and local and national election offices were well prepared to defend the vote from cyber intrusions in the 2022 midterms. As a resident of Colorado, I have personally witnessed and have been involved in definitive measures to lock down the integrity of the voting system to combat election meddling; a process that has been dramatically advanced by moving to paper-based, mail-in balloting. Take it from my colleagues at the CISA:

“We continue to see no specific or credible threat to disrupt election infrastructure, or election day operations,” a senior official at the Cybersecurity and Infrastructure Security Agency said during an election-day press briefing. The agency created a cyber-ops warroom and was in contact with other federal agencies and private-sector companies involved in election infrastructure throughout the day.

This is an excellent example of cyber preparation paying off. Prevention works. Security is possible. But it takes attention and a dedicated cybersecurity budget to make it work. A few DDoS, or distributed denial-of-service attacks against a “handful” of election-related websites materialized, but most were unsuccessful. DDoS attacks flood websites with massive amounts of traffic to “gum up the system” for legitimate users. But we should not let down our guard.

Election Cybersecurity Cautionary Note 1: CISA official observed increased efforts by more countries than in the past to influence the elections, including China. Google researchers have claimed that China has contributed to political division more than in the past, contrary to Beijing’s denials.

Election Cybersecurity Cautionary Note 2: Sen. Rob Portman (R-Ohio) and Rep. John Katko (R-N.Y.), who serve as the leaders of the GOP House and Senate Homeland Security panels, have earned reputations for collaborating with Democrats to pass cybersecurity legislation. Both are retiring, which endangers the momentum of cybersecurity policy and legislation. Compounding losses is the retirement of Rep. Jim Langevin (D-R.I.), a bipartisan dealmaker with longtime cyber policymaking expertise. Rep. Langevin, who’s office I met with last year, helped usher through some of the more significant cyber measures in recent sessions.

Tom Kellermann, a cyber-industry expert I highly respect, and who served on an influential cybersecurity commission with Langevin and now works as senior vice president for Contrast Security, told The Washington Post:

“It’s definitely going to hurt our proactive public policy as it relates to cyber… All three of those representatives and senators have been leaders in cyber. … They really see cyber as a national security and economic imperative, and they treated it in a bipartisan fashion — what might be the only bipartisan issue on the Hill.”

Regardless, today’s news is a win for all U.S. voters, and a victory for the cybersecurity experts who have worked around the clock to secure the voting infrastructure of this county.

_________________________

If you are looking for a dynamic cyber-duo to keynote your next conference, meeting or event, get in touch about bringing John Sileo and Tom Kellermann to help your audience defend their profits, information and reputation against the latest cyber attacks. 303.777.3221

John Sileo Cybersecurity Expert Top Tips

I get asked at almost every keynote speech how the audience members can protect themselves, their families and their wealth personally. So I put together a series of videos to take you through some of the first steps. I hope this gets you started, and that I am lucky enough to meet you in person at a future speech!

Freeze Your Credit

A freeze is simply an agreement you make with the three main credit reporting bureaus (Experian, Equifax and TransUnion – listed below) that they won’t allow new accounts (credit card, banking, brokerage, loans, rental agreements, etc.) to be attached to your name/social security number unless you contact the credit bureau, give them a password and allow them to unfreeze or thaw your account for a short period of time.

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

Two-Step Logins

There are three basic ways to find out whether or not your provider makes two-step logins available:

  • Call them directly and ask them how to set it up. I especially like this method when working with financial institutions, as you want to make sure that you set it up correctly and they should be more than happy to help (as it protects them, too).
  • Visit the provider’s website (e.g. Amazon.com) and type in the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Google the name of the website (e.g., Schwab.com) along with the words “two-factor authentication” or “multi-factor authentication” or “security tokens”.
  • Visit this helpful listing (https://twofactorauth.org/) to see if your desired website appears on the list of two-factor providers.

Online Backups (for Ransomware)

You need to have an offsite backup like in the cloud or elsewhere that is well-protected that happens daily on your data. That way, if ransomware is installed on your system, you have a copy from which to restore your good data. You have the ransomware cleaned off before it enacts and you’re back up and running. Make sure it:

  1. Is updated whenever a change is made or a new file is added.
  2. Is stored somewhere different than your computer.
  3. Actually works when you try to restore a file.

My personal recommendation and the one I use is iDrive online backup (iDrive.com).  I recommend buying twice the hard disk space of the data you need to back up.

Personal VPNs

A Virtual Private Network (VPN) extends access to a private network across a public network, so a user can send and receive data across a public network as if their personal device was directly connected to the private network. In layman’s terms, it’s like having a private tunnel between your device and your destination. If you haven’t already, research the term “VPN Reviews” to get the latest research and then install a VPN on every device to cyber secure your virtual office and smartphone.

Free Credit Reports

Go to annualcreditreport.com to see your three credit reports from the three credit reporting bureaus.  Periodically request a report from one of the bureaus and cycle through each of them every three months or so.

Identity Monitoring

Ask four questions as you research your options:

  1. Does the service have a simple dashboard and a mobile app that graphically alert you to the highest risk items?
  2. Does it include robust recovery services? (How long does it take to reach a live human being in the restoration department?)
  3. Does the service monitor your credit profile with all three credit reporting bureaus?
  4. Do you have faith this company be in business three years from now?

Password Managers

A password manager is a software application that helps a user store and organize passwords. Password managers store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password that grants the user access to their entire password database.

Research Password Management services such as Dashlane, LastPass, or the one I personally use, 1Password. Google the term “Password Manager Reviews” and look for articles in a magazine you trust to find the one right for you.

Junk Mail

To opt out of pre-approved credit offers with the three main credit reporting bureaus, call 888-5-OPT-OUT (888-567-8688) or visit www.OptOutPreScreen.com.

Phone Scams

If you receive a call that triggers your scam alert reflex, HANG UP!  If you receive a call from someone supposedly from a financial institution, utility company or a government agency and they ask for personal information like your Social Security number, HANG UP! Or if someone calls from “Apple” or “Microsoft” promising to help with a computer issue, HANG UP!  You get the idea.  If you think it is a legitimate call, tell them you will call them back from a published number.  If they start making excuses, HANG UP!!!

Google Maps

  1. Go to www.google.com/maps
  2. Locate your house by typing its address into the search box and pressing Enter.
  3. Click on the small picture of your house that says Street View.
  4. Adjust Google Maps Street View by clicking the left and right arrows on the Street View image until you see your house.
  5. Click the Report a Problem link at the bottom-right corner of the Street View image or, depending on the device you are using, click on the three dots in the upper right-hand corner.
  6.  It will take you to a page to Report Inappropriate Street View.  Here you can ask to have any number of things blurred, including the picture of your house.
  7.  You will need to provide your email address and submit a CAPTCHA.

Smart Speakers

Ask yourself how comfortable you are having a corporation like Amazon or Google eventually hearing, analyzing and sharing your private conversations. Many people will say they don’t care, and this really is their choice. We are all allowed to make our own choices when it comes to privacy. But the vitally important distinction here is that you make a choice, an educated, informed choice, and intentionally invite Alexa or Google into your private conversations.

Account Alerts

To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. If you spend even a dollar at a store, you receive an email or text notifying you of the purchase.

  1. Go to the bank or credit card company website.
  2. Search for “Account Alerts” in their search window.
  3. Set up your alerts for a dollar threshold that makes sense for you.

Internet of Things

  1. Understand your exposure.  What do you currently connect to the internet?
  2. Make a list of the devices you have that connect to apps on your smart device.
  3. At a minimum, make sure you have CHANGED THE DEFAULT PASSWORD!!!
  4. Also consider disabling location services, muting any microphones and blocking any webcams.
  5. Finally, update the firmware regularly.

Tax Return Scams

If you suspect tax fraud, call 877-438-4338 or go to consumer.ftc.gov to alert them.  (They will not EVER call you or reach out via text or email!)

If you had a fraudulent deposit made directly to a bank account, contact your bank’s automated clearing house department to have it returned.  And close that bank account and open a new one while you are at it!

Safe Online Shopping Habits – Episodes 1, 2 & 3

  1. Stick to websites you know and trust. Beware of imposter websites that have a URL nearly identical to the one you mean to use.
  2. Always look for the lock icon in the browser and and “https” in the URL.
  3. Use long strong passwords.
  4. Never shop with a debit card online. It’s even better to use a dedicated credit card just for online purchases.
  5. Set up automatic account alerts on your bank account.
  6. Request a new credit card number once a year (after the busy shopping season).
  7. Set up two-factor authentication on your bank, credit card and retail accounts.
  8. Use a Personal Virtual Private Network (VPN).
  9. Download the apps for your favorite retail sites onto your smart devices and shop directly from them using your cellular connection.  This will assure you are not on a fraudulent site, you are protected by at least two passwords and your internet connection is encrypted.

Phishing Scams

  1. Mistrust every link in an email unless you know who it is coming from and you were expecting that link.
  2. If you’re suspicious about a link in an email, type the URL directly into the address bar of your browser to make sure it takes you to the legitimate website.
  3. Use the hover technique to see if you’re going to the real site or the site of the cyber criminals.

John Sileo, cybersecurity expert and identity theft speaker, has appeared for the Pentagon, Amazon and on shows like 60 Minutes and Anderson Cooper. Contact us for more details on 303.777.3221 or using our contact form.

Prepping for Russian Cyberattacks

be prepared for russian cyberattacks

This post is a summary of a full interview about Russian Cyberattacks that John conducted with Bottomline Publications.

As Russian cyberattacks increase, a bit of prep isn’t paranoid

The world is a bit on edge, wouldn’t you say? With geopolitical tension escalating and Russian recruitment of members from REvil, a criminal computer-hacking organization, it’s a good time to buckle down and be very intentional about how we are protecting what matters most – data and otherwise. Preparing for a Russian cyberattack is not about being afraid or panicking that cyber doomsday is around the corner. It is about having systems and backups in place that will make your life safer, easier, and more in your control if an attack should occur. And it protects you even if it doesn’t occur. Those who prep, survive. And because our physical worlds are so influenced by our digital worlds, you can’t plan one without the other.

Here is a quick summary of 11 ways to protect both the physical and digital realms of your day-to-day life:

Infrastructure

  • Stock up: non-perishable foods, medications, water (1 gallon per person per day), a windup radio, portable power station, and other emergency supplies.
  • Gas up: Keep your tank filled.

Finances

  • Cash out: Keep two weeks worth of money in $5-10 bills. Russia could shut down ATMs or credit card processors.
  • Print ‘em: Opt into paper statements to have bank account information handy.

Cyber Threats to Cloud Data

  • Back up: Use a 3-2-1 plan to backup essentials (photos, passwords, emails, documents, financial info). Keep THREE copies of the data in TWO different formats with ONE in the cloud.
  • Check back: Make sure to have a consistent backup schedule and check that it’s working.

Cyber Attacks On Your Network

  • Don’t click: Pause before clicking on any links in emails. This break will allow you to investigate and possibly avoid ransomware attacks, phishing scams, and other Russian cyberattacks.
  • Patch Software: Turn on automatic updates for all operating systems, anti-virus software and apps.
  • Two-factor Authentication: Turn on two-step logins for all financial, health and wealth websites as well as email.
  • Protect the elderly/young: Seniors and kids are easy targets. Setup remote access to their devices, use parental controls where applicable and make sure they know not to click on suspicious email links.

Communication Backup Plan

  • Plan it: In the event of a communication outage, make sure you have a predesignated meeting place to gather at after a scheduled number of hours.
  • Print it: Print out (or memorize!) phone numbers, street addresses, and other important information stored on your phone.
  • Know it: Make sure you know how to manually operate your garage door, thermostat, and other household appliances that would normally use the internet.

Believe me, I get it. No one wants to think about the chilling possibilities of Russian cyberattacks that cause disrupted gas pipelines, locked ATMs, or dead cell phones. But as the Russian aggression stumbles and sputters, Putin and his generals will reach for any tool of power in their desperation. It’s not a time to be paranoid, but prepared.

_________________________

John Sileo shares his story of losing everything to cybercrime because of a lack of preparation with keynote audiences around the world. He specializes in the human element of cybersecurity and makes cybersecurity engaging, so that it sticks. Contact us at 303.777.3222 to see how John would customize for your event.

Did Apple Passkey Just Kill Traditional Passwords?

And Will Passkeys Permanently Marry You to Apple?

Humans are weak and so are our passwords. We make easily memorizable (read: guessable) passwords that accidentally invite cybercriminals and identity thieves into our homes, offices and bank accounts like a neighbor for afternoon tea. The solution? Remove humans from the tea party.

Enter Apple. At the company’s annual WWDC developer conference, Apple proposed a new form of authentication that may put passwords entirely out of business. But are we truly ready to retire those decades-old, reuse-for-everything-but-the-kitchen-sink passwords?

Many tech giants are making the move away from passwords and towards passkeys. Why? Because our passwords stink. While a password is a series of numbers, letters, and symbols typed in by a user to unlock an account, a passkey is a form of biometric authentication that is stored in the physical device. Instead of typing “123456” into any given account (which happens to be the most common password for many years running, along with, you guessed it, “password”), Apple proposes a finger/face ID that would automatically sign you into your accounts by unlocking your device. Should you lose or break that phone, passkeys are backed up to the iCloud Keychain and synced across devices. Not to mention, the keys will allow us to sign into websites with end-to-end encryption, further deterring hackers from reaching any valuable data.

How Passkeys Are Like Nuclear Launch Codes

Passkeys can be compared to the “two man rule”, which is the extra layer of protection behind the launching of nuclear missiles. This rule basically requires that two (or more) people each have a key that operates only when paired simultaneously with the other key. In order for anyone to push the missile-launching red button, each key holder needs their physical key to unlock it. This creates a buffer between mistakes (no spilled coffees starting nuclear war, phew!), emotional overreaction, and hacking. Cybercriminals are much less likely to hack both ends of the passkey–both the user end on the device and the company end on the website. By removing weak passwords on the user end, and weakly protected databases of passwords on the website end, hacking is less likely to exploit the human element.

The introduction of passkeys to replace passwords has us wondering–what are the unintended consequences of this new and shiny solution? We must remember that hackers are the masters of unintended consequences. While we cannot be sure of these downfalls, we know that the good guy’s solution is the bad guy’s shiny new opportunity. For example, passkeys will unintentionally increase the marketplace for stolen credentialized devices (working smartphones along with their working passcode). This may introduce a greater physical threat of violence as cybercriminals target the parts of the equation held by us consumers.

Another thing to keep in mind is the myriad of ways in which we are in Apple’s pocket by keeping their products in ours. Apple is very intentionally leveraging security to keep us roped into their products. In fact, they have made security and privacy one of their key competitive differentiators.

So is it worth it? Are we willing to be beholden to Apple products for better security? That is for you to decide as we head into a new password-less era. Like with most new technology, it’s often better to pause, observe, and wait for the unintended consequences to pan out. While it would be easy to throw our hands up, smile at the face ID, and get to our Netflix show without touching a keyboard, we have to know what measures are in place to protect our most valuable capital. And we won’t really know that until cybercriminals have a crack at it.

Pros of Apple Passkey

  1. Efficient and easy to use (no more memorizing guessable passwords!)
  2. Less fallable than human knowledge/memory
  3. Social engineering is taken out of the equation
  4. Security is no longer reliant on that password that you created ten years ago and have copy/pasted since
  5. Stored on the device and therefore more resistant to data breaches
  6. End-to-end encryption (that even Apple supposedly can’t view)

Cons of Apple Passkey

  1. Increases the marketplace for stolen credentialized devices
  2. Increased dependency on the phone and upon Apple
  3. Unknown how passkeys would work for non-apple users

Things to keep in mind about all technological advances

  1. Big promises will always have unintended consequences
  2. In general, it’s better to wait and see when it comes to new technological advances, especially in organizations, where rolling out a new technology can create massive headaches.
  3. Biometrics are not the end-all solution even if it is safer. How companies store and protect that data matters too.

_________________________

John Sileo shares his story of losing everything to cybercrime with keynote audiences around the world. He specializes in the human element of cybersecurity and how technological changes like the death of passwords can derail an entire organization. Contact us at 303.777.3222 to see how John would customize for your event.

Automotive Cybersecurity: Don’t Bank on Untrained “Drivers”

Would you send your newly licensed 16-year-old out to drive on the interstate without spending months teaching them safety skills and the rules of the road? I hope not! Even if their car had all of the latest safety technology – front and side airbags, auto-locking seatbelts, crash-warning sensors – and a low-deductible insurance policy, you still wouldn’t take the risk.

In other words, technology without training is completely useless. And the same is true of cybersecurity, whether you are running a local car dealership or a national automotive chain. And that matters because in the past two years, 85% of auto dealerships have reported being a victim of cybercrime. Let’s go back a step.

National Auto Dealers Association Highlights Hacking Among Auto Dealers

I recently spoke for the National Automobile Dealers Association (NADA). NADA is an American trade organization composed of nearly 16,500 franchised new car and truck dealerships. Each year, the folks at NADA gather business leaders to discuss the latest in industry innovation and shop thousands of new products and services from the industry’s top vendors and suppliers. In addition to showcasing exceptionally cool new concept cars, auto dealers are keenly aware of the rapid increase of cyberattacks targeting their privacy, profits and reputation.

This year, the NADA Show 2022 took place in the Las Vegas Convention Center. In addition to a keynote interview with Michael Strahan, the conference also featured a Distinguished Speaker Series, which had a fantastic roster of keynote speakers that included Col. Nicole Malachowski, Lt. Cdr. Jesse Iwuji, and myself. I was invited to chat about pressing automotive cybersecurity threats and solutions as they specifically relate to car dealers and the automotive industry.

Think about it – even corporate auto dealers like Toyota and Lexus aren’t immune to cyber threats. After 3.1 million pieces of consumer data were compromised in an automotive industry cyber attack that targeted Australia, Japan, Thailand and Vietnam, it was only going to be a matter of time before auto dealerships and manufacturers in the U.S. came under fire. And the industry is under attack for a very good reason.

Auto dealers handle a treasure trove of valuable customer data. And when you are as busy as dealers are with product supply chain issues, labor shortages and general entrepreneurship duties, cybersecurity can become just another item on a very long checklist. So let me give you a quick recap of the small business cybersecurity checklist I detailed during my presentation, The Art of Human Hacking: Social Engineering Self-Defense for Auto Dealers.

Automotive Cybersecurity Trending Cyber Attacks

Why are car dealerships coming under so much cyber fire? The COVID-19 pandemic accelerated a playing field that was already taking shape – the remote workforce. As the marketplace was forced into working remotely, many elements of a traditional dealership — like sensitive customer and financial data — were moved into the cloud so they could be accessed from outside the dealership. Cloud operations can be convenient, scalable and profitable. But they also open up backdoors into the dealership if cybersecurity isn’t built in from the beginning.

In essence, the auto industry has moved from a fortress model (where data is secured behind a centralized network protected by a moat, or perimeter security, like firewalls and VPN), to a widely distributed computing kingdom where data is accessed from the dealership itself as well as homes, remote offices, cafes, airports, hotels and conferences. That means that traditional defenses like anti-virus, firewalls and virtual private networks are no longer sufficient.

A second threat is the advent of supply chain attacks, where the cyber criminals hijack legitimate software that the dealer trusts and uses it to infect the entire network. SolarWinds, Casey and Loj4j are examples of this malicious attack vector. This is particularly damaging because there is no warning that the enemy has crossed the gate and is living in your systems.

But probably the most effective and pervasive form of attack is ransomware. Ransomware uses encryption to lock down every connected computer on your network, and then charges you a ransom to recover your data. When you don’t pay the ransom, the ransomware gangs leak your data and report you to the press and regulatory agencies to trigger expensive and reputation-damaging publicity.

The average cost to a dealer to regain their data is trending quickly upward. Though the average ransom payment is just over $150,000, a recent attack on Arrigo Automotive Group in West Palm Beach, Florida cost the dealerships approximately $500,000 in remediation. And that doesn’t account for reputation damage or lost revenue due to fleeing customers.

To make matters worse, the average downtime associated with an auto dealers cyber attack is 21 days long — three weeks’ worth of lost revenue as the icing on the bitter cyberattack cake. And since the Federal Trade Commission revealed there were 38,561 reported cases of identity theft related to auto loans and leases in 2019, it’s no surprise that over 80% of customers would choose to take their business elsewhere, leaving the compromised auto dealer behind.

Why Car Dealer Data is so Attractive to Hackers

  1. Unfortunately, but rightly so, cybercriminals view unprepared auto dealers as poorly protected financial institutions. Because of the costs involved in purchasing an automobile, dealers collect data just like a bank does, from consumer identity and credit details to loan payment and banking information, not to mention demographics, online behaviors and more. But unlike a bank, the automotive industry is not government regulated, removing one powerful incentive for dealerships to implement safeguards.
  2. Dealerships have a multitude of hacker entry points. Think about the variety of third-party partners and digital marketplaces with which dealers do business. Then consider the varied operating systems and software packages that finance, admin, sales and service utilize on a daily basis. Don’t forget the free guest WiFi access, the number of customers who have access to associates’ desks and the multiple locations they potentially service. Every one of those nodes is an entry point for a cybercriminal.
  3. And most importantly, nearly half of American dealerships don’t have adequate automotive cybersecurity solutions, or even basic small business cybersecurity solutions, to defend these entry points. Only 49% of dealerships claim to have adequate protection against cyberattacks, while another 73% have yet to undergo automotive cybersecurity testing to fine-tune their incident response plans.

Auto Dealers and Small Business Cybersecurity Checklist

If auto dealers want to prevent an auto dealer cyber attack, the answer is not to simply build a technological fortress around their sensitive data. While advanced technology can certainly deter hackers, 91% of cyber attacks rely on social engineering — when a cybercriminal uses techniques such as phishing emails to gain access into an organization.

In other words, hackers always go after the humans first, because poorly trained employees and executives tend to be the weakest link in the cybersecurity chain. But they don’t have to be.

As auto dealerships of all sizes continue to navigate an evolving cybersecurity landscape, staff and employees must be treated as integral part of cyber defenses. To refuse to do so isn’t just costly, it’s like putting an inexperienced driver behind the wheel of a potentially harmful machine. If you own or operate an auto dealership business and are unsure if your organization is doing everything it can to fulfill the framework for automotive cybersecurity best practices, take a look at this small business cybersecurity checklist I recently shared with the attendees of the NADA Show 2022:

  • Does your dealership currently have cybersecurity defenses in place? Defenses include end-point protection, zero trust architecture, two-factor authentication, password managers, default deny firewalls and many other layered techniques.
  • Does your dealership have around-the-clock security monitoring to detect cyber threats? It is not enough to have the equipment, you also need to attend to the alerts when they arise.
  • Does your dealership understand the specific cyber risks impacting your industry, including but not limited to: malware, ransomware, supply chain attacks, brute force hacking, phishing, social engineering attacks and credential theft?
  • Has your dealership contracted with an external security vendor to conduct a risk assessment in the past 12 months?
  • Does your dealership periodically assess third-party partners and marketplaces to understand the risks they can pose to your business?
  • Does your dealership have established policies and procedures in place to protect your business information and systems?
  • Do you have a robust data backup and recovery response plan in case ransomware locks up your network?
  • Has your dealership conducted an incident response test in the past 12 months to ensure all procedures are accurate and effective?
  • Do your dealership employees know what to do in the event of a cyberattack or a loss of service?
  • Do you provide regular, engaging Security Awareness Training for your employees, executes and 3rd-party partners?

If you answered no to any of these questions, you are well advised to resolve those issues before they take down your business like they did mine. Make a call today to a  cybersecurity expert you trust deeply who will help you build a framework to your dealership needs and then educate your people to become your strongest cybersecurity defense instead of your weakest, most exploitable link.

The Best Framework for Automotive Cybersecurity Best Practices

In today’s digital age, cybersecurity for automotive dealerships is just as mission-critical as it is for large banking institutions. It’s important to treat your customer data just like customers treat the precious cargo they transport in the cars you provide. The framework that I shared at NADA 2022 is called the Blockbuster Cybersecurity Framework. It includes 9 components with corresponding questions that help you analyze, organize and communicate the cybersecurity changes you need to make.

If you are unclear of how best to deploy a non-technical framework for moving forward, or need to improve your Security Awareness Training, consider bringing me in as a board advisor or keynote speaker who will energize and illuminate your cyber efforts and your people. Once I share my two-year battle with cybercrime and how I almost went to jail for taking my eye off the ball, your team will be motivated to make the necessary changes. Send me an inquiry today to learn more.

And no matter what, don’t send your employees out on the road without training them how to be a proactive, knowledgeable part of the solution.

Anonymous vs Russia Hacktivism for Ukraine

anonymous vs russia hacktivism

Who thought that Anonymous vs Russia would be the top billing cyber event of the Russian invasion of Ukraine? We watch in horror and disgust as Russia continues its assault on the Ukrainian people. Tanks roll down streets, missiles are launched, neighborhoods are shelled and innocent civilians are killed. Some things never change in war.

As each new conflict begins in our modern age, in addition to military weapons being used, it is inevitable that we also now must consider the other weapon at the disposal of Vladimir Putin: Cyber Warfare.

Russian Cyberpower

Russia, which has a history of launching cyberattacks against other countries, particularly Ukraine, could shut off power (as they did previously), disrupt communications, destroy technology capabilities (as the NotPetya malware attack did) and cause further chaos and hardship in the lives of Ukrainians. At this writing, there have been some Distributed Denial of Service (DDoS) and malware attacks, but the effects have not been as devastating as past attacks.

In addition to the government-sanctioned hackers, cybercriminals and hacktivists have become involved. This includes the infamous hacker collective known as Anonymous, who has claimed credit for several cyber incidents in the Anonymous vs Russia battle. This includes DDoS attacks that have shut down Russian government websites and Russia Today. The hackers were able to post pro-Ukraine content, including patriotic songs and images from the invasion – something the average Russian citizen would never see on the state-backed news service.

Russia Today openly attributed the problems with its website to Anonymous, and claimed the attacks came from the US. Of course, the major concern is that Russia will not only turn their cyber sights on Ukraine, but on any country imposing sanctions or otherwise openly supporting Ukraine. So far, the cyber activity has been limited, but that could change and many warn that the US and others should be on high cyber alert, especially for those in critical sectors such as finance and health care.

Social Media Giants Get Involved

A slew of other players have entered the field, from Facebook, YouTube and Twitter banning content  by Russian state media to outsiders providing satellite internet access to Ukraine via his Starlink satellites to Ukrainian citizens forming an “IT Army” to launch digital attacks that take down sites sharing Russian propaganda.

There are two major longer-term concerns about the “open season” for hackers this has created. One is that due to the urgency of this crisis, there is a strong possibility of digital errors and unintended consequences, such as excessively destructive malware or unintended collateral damage. Hacking events by non-governmental entities could also be mistaken for government-backed hacks and lead to escalating retaliation that could force the United States (and Allies) into a larger, ongoing cyber conflict with Russia.

The most eye-opening aspect of the conflict is the realization that cyber warfare is being used in a hostile act of war for the first time. In addition to theaters of war on land, in the air, on the water and from space, there is now the additional arsenal of cyberattacks that will change warfare forever.

_____________________________

John Sileo is a world-recognized keynote speaker, author and expert on cybersecurity. His clients include the Pentagon, Amazon and Charles Schwab. He has appeared on 60 Minutes, Anderson Cooper and Good Morning America. John specializes in entertaining your audience as he educates on how to avoid the disastrous cybercrime headlines that destroy performance, profits and reputation. Call directly on 303.777.3221 to learn more. 

Ransomware Attacks in 2022: What You Need to Know


Every company is vulnerable to cyber attack — and I mean every company, small and large. Are you responsible for delivering half of the East Coast’s fuel supply? Vulnerable. Are you the largest beef supplier in the world? Yep, still vulnerable. The alarming surge in ransomware attacks has put a target on every company’s back, including massive organizations like Colonial Pipeline and JBS.

And small businesses, contrary to media coverage, are even more vulnerable.

So, you might want to pause before you think, “Ransomware attacks? That won’t happen to us!” After the events of 2021, it’s safe to assume that hackers didn’t just level the playing field… they decimated it. Fortunately, there are still several ways for businesses to fight back and protect their data, their clients and their livelihood.

Take a look at what we know so far about the coming ransomware attacks in 2022 and how your organization can kick off their culture of security with an action-oriented cybersecurity keynote speech at their next gathering.

What are Ransomware Attacks and Why Are They Exploding?

Let’s start with the basics: What is a ransomware attack, anyway? Put simply, a ransomware attack occurs when a type of malicious software, called malware, is downloaded onto any single computer in an organization’s network. Typically, this occurs when one employee unwittingly clicks on a malicious link and thrusts the company into attack-mode.

Once the malware has been downloaded, hackers are free to roam about your systems and wreak havoc unchecked. The culprit behind the ransomware attack often blocks access to data or every computer system in the business, usually by encrypting it, until a ransom has been paid. In the latest cases, hackers also threaten to publish the breached data if they don’t quickly receive the ransom. The prospect of destructive news headlines, reputation damage and fines for data exposure are often compelling enough to convince the victim company to pay up without seeking out the advice of a cybersecurity expert.

2021 proved to be not only the most dangerous, but also the most costly year on record for ransomware attacks. There were upwards of 700 million attempted ransomware attacks in 2021, a figure that beats last year’s totals by a whopping 134%. Curious as to what led to such a spike in ransomware attacks?

A blend of geopolitical and cybersecurity factors is to blame. For one, global organizations have become increasingly reliant on digital infrastructure, like the cloud-based computing that exploded in usage with the rise of remote work. Not to mention, today’s payment methods are simply more friendly to criminals — crypto currencies like Bitcoin are essentially untraceable once a ransom is paid, letting cybercriminals off the hook.

What You Should Know About Ransomware Attacks in Coming Months

Though you’re prepared with a basic definition of ransomware, vocabulary alone won’t exactly protect you in the case of cyber attack. The key is to move beyond awareness to action. To better prepare, here is some of what you can expect of ransomware attacks in 2022.

The Timeline for Paying a Ransom Has Shortened Dramatically

Once a ransomware gang has you under their thumb, they’re going to treat you like Amazon — in other words, they’re going to want same-day delivery for their demands. Hackers today are putting organizations under extreme pressure to pay a ransom quickly to unencrypt their computer systems or protect their data, often with devastating consequences if the ransom is not met.

In recent cases, a ransomware gang will expose an organization’s sensitive data in retribution, then alert the media and report the breach to the authorities — so, the company has to pay fines and weather bad publicity. Talk about a double whammy, right? Well, for ransomware gangs, it’s easier to extort money from one organization than to sell the data one record at a time on the dark web.

Take a look at the JBS cyberattack, for example. Hackers with the REvil gang threatened JBS that their $22.5 million ransom would double if it wasn’t paid quickly enough… and they would post the company’s data publicly if they weren’t paid within three days (generous, right?). JBS ultimately paid an equivalent of $11 million in ransom to ensure the company’s facilities remained operational.

Government-Issued Playbooks Are Available for Review

The United States is currently #1 for ransomware volume in the world, coming in with more than 203 million ransomware hits in just one year. This amount is more than 13 times the volume of ransomware in South Africa, the second-highest country; and in total, the U.S. had a higher volume of attacks than the other top nine countries combined… times four.

So, it should come as no surprise that President Biden recently signed a $1.2 trillion infrastructure package packed with cyber measures — after all, ransomware isn’t exactly something at which you want to rank number one. The Cybersecurity and Infrastructure Security Agency (CISA) has also published Cybersecurity Incident Response Playbooks for federal agencies to respond to vulnerabilities and hacks, which private companies are urged to review as well.

Don’t Know Who to Call After a Cyber Attack? Neither Does the FBI

If the U.S. is number one in the whole world for ransomware volume, can you believe that even the Federal Bureau of Investigation doesn’t know who to call in the event of a cyber attack? Just ask about the Colonial Pipeline ransomware attack, where Colonial employees had to contact at least seven federal agencies before they could find the right point of contact — seven!

Could you imagine being responsible for nearly half of the East Coast’s fuel and having 2.5 million barrels of fuel per day stuck in Texas, and the FBI has not a clue what to do about it when you call? The initial email Colonial Pipeline sent about the ransomware attack was ultimately forwarded between multiple people in the FBI before they could even start to provide guidance.

Realistically, there is no singular point of contact for organizations to call when they have been hit by cybercrime, either federally or locally. Even worse, most organizations haven’t established a relationship with the proper agency prior to getting attacked. You know ransomware response is in disarray when even the agencies tasked with solving attacks don’t know whose responsibility it is.

How to Fight Back Against Cybercrime in 2022

In 2022, small businesses will be just as, if not even more, vulnerable to cyber attacks than large-scale corporations. We must anticipate that ransomware gangs will act aggressively and that anyone — and I mean anyone — can fall victim to blindly launching malware onto a company network.

Here’s how you can fight back to not only protect your business and livelihood but also minimize the fear and confusion surrounding these attacks.

1. Manage User Accounts and Passwords

I’ve said it before and I’ll say it again: One weak password can bring an entire organization to its knees [watch the video]. The Colonial Pipeline attack? Operations were shut for six whole days and a $4.4 million Bitcoin ransom was paid due to one lone password. To safeguard against cyber attacks in 2022, do yourself a favor and clean up old user accounts and passwords.

Step 1: Encourage employees to set a totally unique password that does not match credentials on other websites. Using a password manager like 1Password, Dashlane or LastPass is a much stronger way to create and protect long and strong passwords that you don’t have to remember.
Step 2: Deactivate old user accounts and ensure previous employees no longer have access to company data.

2. Require Two-Step Authorization for Accounts

As more employees dial in from home, you must cyber secure your virtual office. I recommend starting with two-step authentication for all accounts. In the case of the Colonial Pipeline attack, a “complicated password” was felled by a legacy VPN with single-factor authentication. Two-step authentication, either with a text message or a dedicated authentication app, can minimize the impact of poor passwords and act as a second layer of protection for strong login credentials.

3. Create and Test an Off-Site, Offline Data Backup

An off-site, offline backup of your data is a must-have to restore after an attack. An off-site backup is a method of encrypting and transferring company data to a remote server that is geographically separate from the local system. This can centrally protect your company’s data in the event of an attack, and also ensure you will not lose crucial information if an attack does occur.

4. Construct a Long-Term Game Plan

The above tips will not be effective without a company-wide effort to enhance cybersecurity. Like I’ve mentioned before, just one password or one employee can kickstart an attack that spirals into millions of dollars of damage. Your cybersecurity is a continuous effort, so make a long-term game plan and document proper protocols to share with all relevant stakeholders in the event of a malware concern or ransomware attack.

5. Bring in a Cybersecurity Keynote Speaker to Motivate the Human Element

Now more than ever, cybersecurity relies just as much on human decisions within the company as it does the technology to protect the company’s data. To fight back against cybercrime in 2022, continue educating yourself and your team on the evolving cyberthreat landscape. To increase effectiveness, bring in an entertaining cybersecurity expert or dedicated cyberthreat speaker to keep your people engaged. Boring training does nothing to improve your culture of security.

A cybersecurity keynote speaker can help your company easily navigate the otherwise confusing and overly-technical components of cybercrime, network security, mission-critical data, and the human decisions that impact it all. In a fun and engaging manner, a cybersecurity keynote speaker unravels the layers of cybercrime to not only educate your team but also encourage them to take actionable steps towards effective data protection.

Now is the time to protect your data, your clients, and your livelihood. To avoid becoming the next disastrous data-breach headline, bring in a trusted cybersecurity keynote speaker like myself to help guide your long-term game-plan against cybercrime. Contact The Sileo Group today to initiate a crash course in cybersecurity, identity theft prevention, security awareness training, online privacy, and ultimately, to protect your bottom line.
_____________________________

John Sileo is a drastically different keynote speaker who focuses on the human element of cybersecurity. His clients include Amazon, the Pentagon and Charles Schwab, but he gets his deepest satisfaction from helping smaller organizations and associations protect their data, profits and repuation. John books out many months in advance, so please call 303.777.3221 to learn more. 

Ransomware Attack: What if this were your Billion $ mistake?

No one has ever heard of your company. Let’s call it, COMPANY X. And you like it that way. In 57 years, you’ve never once shut down your mission-critical operations that fuel the US economy. YOU are an honest, satisfied employee of Company X, and although your security team hounded you with preachy posters in every ELEVATOR to never use the same password twice (because passwords are like dirty underwear), you still did. You used the same totally UNGUESSABLE 10-character password for your work login and hotel loyalty program. Which got breached. You changed the stolen password on the hotel website, but forgot about your work login. And your company doesn’t require two-step logins, even though they bought the technology after a dashing keynote speaker SCARED the crap out of them.

In mid-February, you receive a promotion, and with it, a new login to the system. In spite of a $200 million per year IT budget, your company never decommissions your old login credentials, leaving access as wide open as the BACK DOOR into a college-town liquor store.

On April 27, DARKSIDE, (yes, even hackers have a sense of humor) a ransomware attack ring protected by EMPEROR PUTIN, buys your stolen loyalty credentials for approximately five cents and uses artificial intelligence to insert them on every login page on the Company X website, which they know you work at from your snappy LinkedIn profile. While outdated on the hotel site, your username and password still work for your vacated role at Company X.

By April 29, DarkSide has loaded ransomware onto your computer, which happens to be in the master control room of Company X. Company policy states that any sign of ransomware triggers an automatic shutdown of all operations, which suggests that Company X isn’t clear on how closely their business I.T. systems are tied to their operational or O.T. systems. PARTY FOUL.

And that’s how Colonial Pipeline, supplier of 45% of the East Coast’s fuel supply, shut down all operations for 6 days. 2.5 million barrels of fuel per day, stuck in Texas because of your single password that opened the company to ransomware attack. Ok, I realize this isn’t really your fault, but what if it was? What if you were the one who caused FLORIDIANS to queue at gasless gas stations as if KRISPY KREME and In & Out Burger had just merged?

Colonial chooses to defy the FBI DIRECTIVE to never pay a ransom (research says that doing so just invites the cybercriminals to come back for seconds) and pays DarkSide $4.4M dollars in untraceable bitcoin to get their pipes back in the game. Well, not totally untraceable, as the FBI HELPS Colonial retrieve half of its bitcoin. But don’t expect them to come to your rescue, as you probably don’t supply the East Coast with half of its carbon emissions. Even after the blackmail is complete, fuel doesn’t flow for 6 more days. Which causes Billions in damage to the US economy and Millions in reputational damage to Colonial. Because of a password. From one person.

Here’s what this ransomware attack means for you:

  • Every employee matters: One weak password can bring an organization to its knees
  • Don’t let your company get cocky, because it CAN happen to you.
  • The ransomware get-out-of-jail price tag is now often in the tens of millions.
  • Security is an obsessive, continuous pursuit, so make a long-term game plan.
  • Never forget to deactivate old user accounts.
  • Require two-step logins to minimize the impact of poor passwords.
  • Have a foolproof, off-site, offline backup of your data.
  • None of this works without a healthy underlying culture of security.

If you’re confused about how to prepare for a ransomware attack, consider a leadership crash course in cybersecurity. Because one small cyber mistake, and everyone will know your company.

_____________________________

John Sileo hosts cybersecurity crash courses that target the human element of cybersecurity. His clients include Amazon, the Pentagon and Charles Schwab, but his most fulfilling engagements are for smaller organizations and associations that can affect immediate change. 303.777.3221

 

SolarWinds Hack: What Vladimir Putin Wants Every Business To Ignore

Summary of the SolarWinds Hack

Russian hackers inserted malicious code into a ubiquitous piece of network-management software (SolarWinds and other companies) used by a majority of governmental agencies, Fortune 500 companies and many cloud providers. The software potentially gives Russia an all-access pass into the data of breached organizations and their customers.

Immediate Steps to Protect Your Network

I would recommend having a conversation with your IT provider or security team about the following items, as much for future attacks as for the SolarWinds hack:

  • After reading through this summary, take a deeper dive into this WSJ white-paper: The SolarWinds Hack – What Businesses Need to Know
  • For small businesses, it is important that you check with any cloud software providers to make sure they have resolved any problems with affected software.
  • Patch all instances of SolarWinds network management software and all network management, security and operational software in your environment.
  • Make sure your security team keeps up with the latest fixes for the Sunspot virus.
  • Configure your network assets to be as isolated as possible so that your most confidential data caches are separate from less confidential data.
  • Review the security settings of every category of user on the system to tighten user-level access.
  • Make sure employees know the proper procedures for connecting remotely to your network. Verify that they aren’t using a free personal VPN to connect.
  • If you utilize Microsoft products, keep up to date with their Investigation Updates.
  • If there is a chance you have been affected, have a full security audit done of your network.

Details of the SolarWinds Hack

During the worst possible time – a contentious presidential transition and a global pandemic – dozens of federal government agencies, among them the Defense, Treasury and Commerce, were breached by a cyber espionage campaign launched by the Russian foreign-intelligence service (SVR). The SVR is also linked to hacks on government agencies during the Obama Administration.

Senator Angus King said Putin “doesn’t have the resources to compete with us using conventional weapons, but he can hire about 8,000 hackers for the price of one jet fighter.”

In addition to internal communications being stolen, the operation exposed hundreds of thousands of government and corporate networks to potential risk. The hackers infiltrated the systems through a malicious software update introduced in a product from SolarWinds Inc., a U.S. network-management company. This allowed unsuspecting customers of their software to download a corrupted version of the software with a hidden back door allowing hackers to access their networks from “inside the house”. SolarWinds has more than 300,000 customers world-wide, including 425 of the U.S. Fortune 500 companies. Some of those customers include: the Secret Service, the Defense Department, the Federal Reserve, Microsoft, Lockheed Martin Corp, PricewaterhouseCoopers LLP, and the National Security Agency. (Note: more recently, it has been discovered that SolarWinds wasn’t the only primary software infected.)

A Solar Winds spokesperson said the company knew of a vulnerability related to updates of its Orion technology management software and that the hack was the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. Like the FireEye breach, this was not a broad attack of many systems at once, but a stealthy, patiently-conducted campaign that required “meticulous planning and manual interaction.”

SolarWinds Hack was a Supply Chain Attack

These supply-chain attacks reflect a trend by hackers in which they search for a vulnerability in a common product or service used widely by multiple companies. Once breached, it spreads widely across the internet and across dozens or even hundreds of companies before the compromises are detected. Many companies have increased their level of cyber-protections, but they do not scrutinize the software that their suppliers provide. This is a concern because corporations typically have dozens of software suppliers. For example, in the banking industry, the average number of direct software suppliers is 83. In IT services, it’s 55.

To understand the severity and national-security concerns of this breach, think of this as a “10 on a scale of one to 10”. The Cybersecurity and Infrastructure Agency ordered the immediate shut down of use of SolarWinds Orion products. Chris Krebs, the top cybersecurity official at the Department of Homeland Security until his recent firing by Trump, stressed any Orion users should assume they have been compromised. Other investigators say that merely uninstalling SolarWinds will not solve the threat and that recovery will be an uphill battle unlike any we have ever seen. While the hackers may not have gained complete control of all companies, all experts agree that it will take years to know for certain which networks the Russians control and which ones they just occupy and to be assured that foreign control has been negated. Because they will be watching whatever moves we make—from the inside.


John Sileo is a cybersecurity expert, privacy advocate, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.