As April arrives, we can see the end of the semester approaching rapidly, maybe too rapidly for some. I hope everyone is able to navigate these final weeks of the spring semester with success and alacrity. As always, new cybersecurity threats, mostly similar to the old ones, but with updated themes, continue to crop up. This newsletter will briefly discuss two of these threats in particular (with a bonus factoid) and give a report on how our first campus-wide cybersecurity awareness training course is proceeding. Finally, we’ll take a deeper dive into passwords, password managers, and multi-factor authentication.
The latest wide-spread threat as of the time this post was written is a vulnerability in the ubiquitous Chrome browser. If you aren’t certain you are running the latest version, be sure to take a minute to close and restart Chrome to allow it to update. On desktops, you should be running Chrome version
99.0.4844.84 100.0.4896.60. This is a momentous version and may cause you some issues in parts of the Internet. You see, programmers are all about optimizing the programs they write. This sometimes has unintended consequences.
In this case, the Chrome major version going from a two-digit number (99) to a three-digit number (100) could cause some websites confusion, as many sites, while they are ubiquitously tracking you, only grab the first two digits of your browser version. This could result in the website determining you are running version “10” of the Chrome browser. Some websites require minimum versions of browsers to provide full functionality and with version “10” being “less recent” than any Chrome version since…version 11 (if that was even a thing), some sites might not work as expected. Major websites should not have this problem, but “smaller” sites, with fewer human resources to update their code, may have issues. Firefox will also be running into this issue soon (it is currently at version 98).
All of the hype within tech communities about this pending problem may be as overblown as the whole Y2K thing, for which some of you who are reading this newsletter were not around to experience. That’s OK, you didn’t miss much, except for seeing the massive amounts of money made by companies “helping” everyone be “Y2K ready”. This academic paper written from a British perspective, penned almost immediately after the millennium turned, is a pretty good summation of the craziness.
The second “new” technique in use by cyber-criminals is called MFA prompt-bombing or just MFA bombing. This technique is dependent on annoying you enough with prompts for MFA that you, in frustration, allow the login attempt. Multi-factor authentication systems like the one we use here for our Berry accounts, where you just have to press the “Accept” button, are particularly susceptible to this type of attack. Imagine it is nighttime and you are ready to sleep, or are already asleep, and your phone keeps demanding that you allow a login to your account. Eventually, you may be tempted to allow the login to make the phone to be quiet.
Don’t do this!
This is the point of the attack. If your phone exhibits this behavior, with the Microsoft Authenticator continually asking you to confirm a login, especially if this occurs at night or at a time when you KNOW you are not logging in to your account, ignore the request. Denying the request will just allow it to pop back up. Use whatever method you need to effectively ignore the request, either by putting your phone on silent or “do not disturb”, or physically placing your phone far enough away from you that it doesn’t bother you. At your first opportunity, reset the password on your Berry account, and notify us by emailing email@example.com and explaining in as much detail as possible what happened and when.
I want to again thank everyone who has already completed the cybersecurity training course. I predict that by the time this newsletter posts over 200 of you will have completed the course. I encourage you to take the time and complete it if you have not. It takes about twenty minutes, has a minimal number of questions, requires no math (some of you will get that reference), and will help inform you about good cybersecurity practice.
The April cybersecurity awareness posters will go out on Monday, April 4th. They are all about passwords and account security. The four main points are:
- Make your password a sentence (or phrase)
- Unique account, unique password
- Keep it safe
- Multi-factor Authentication
Let’s briefly unpack each item.
For passwords you must memorize and know without assistance, make them sentences or phrases. It makes them much easier to remember, and longer is always better. How many passwords do you absolutely have to know without assistance? If you are using a password manager (more on this below), probably only one. As long as you can get into your mobile device/phone via a PIN or a biometric method, you can then open your password manager and retrieve any other password you need. This, of course, makes your phone highly valuable to you and to those who would like to illegally gain access to your accounts.
This brings us back to the original idea of creating a strong memorable password using sentences or phrases. Another method and other tips are presented on the Cybersecurity News & Alerts site on the Good Password Guidelines Quick Info page. Key among the tips on this page is NOT using a common phrase or saying. These well known adages are loaded up into cyber-criminals’ password hacking tools, along with simple passwords like “password”, just in case a potential victim uses one as their password. Figure out what method is best for you to be able to remember a good, strong, and long password. Or a few of those.
But back to the question of how many passwords can you remember without a password manager? At a bare minimum you’d still have to be able to get into your phone (but you could use previously mentioned methods), your computers, your email, bank accounts, and other online accounts and services. That would be 5-10 passwords. Can you remember that many unique passwords? Because…
…the next point is “unique account, unique password”. You should never reuse passwords between accounts and particularly, you should never reuse passwords between personal and work accounts. Yes, every account should have a unique password (and arguably a unique username, but that is a future topic for this newsletter), so the exposure of one password does not compromise multiple accounts. Imagine someone stealing or guessing the password to one of your social media accounts. That can be embarrassing, but what if you used the same password for your bank account? That could be financially devastating.
So…that means you need lots of good, strong passwords for all your accounts. How many different accounts do you have? Email, work, banks and other financial services, medical and prescription sites and app, utilities, streaming services, membership/community websites, the list goes on and on and on… I have 337 entries in my password manager, including secure notes and passwords for encrypted documents. Yes, every password is unique. I don’t write that to brag, only to emphasize the potential difficulty of trying to function in this digital age without a password manager (unless you have an eidetic memory or total recall, neither of which have been conclusively proven to exist according to Wikipedia).
Password managers also keep the rest of your passwords safe, which is the third point on the April poster. There is a Quick Info page about password managers on the Cybersecurity News & Alerts site. That page has a link to a flyer that compares several popular password managers, and some that are not as popular. As I already mentioned, when you use a password manager, you really only need to remember one good, strong, and long password. The password manager then does 99.9999% (this figure is only wildly estimated) of the work of creating, storing, and retrieving the rest of your passwords. Take a look at the page and the flyer for more information.
The last point on the cybersecurity awareness poster is multi-factor authentication. This consists of an additional layer of security for your accounts, requiring not just a username and password, but also a temporary one-time password (TOTP) sent to an app on your phone or less securely, via SMS text or email. You can also purchase “keys” like those made by Yubico that can serve as an additional factor. These are relatively inexpensive and can work with everything from your laptop or desktop to your phone and mobile devices. I highly encourage you to use multi-factor authentication everywhere you can, but particularly on financial, medical, and other sites that maintain sensitive information about you.
Finally, I want to give you a heads-up on upcoming topics and resources. As mentioned above, there will be a future newsletter that will discuss the additional security afforded by using unique usernames on websites. Coming soon to the Cybersecurity News & Alerts site is a new Quick Info page on the why and how of securely backing up personal data. The Good Password Guidelines Quick Info page will also be refreshed with additional information, possibly before you finish reading this newsletter.
With MFA enabled on your Berry account, you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the current posts page.
You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted.
Food For Thought
Link to XKCD comic: https://xkcd.com/1820