September Savvy Cybersecurity Notes

September 12, 2017

In this issue:

  • The NEW way to beat the password paradox
  • Emerging threats: New Social Security scam, a warning to healthcare providers, and more
  • Cybersecurity shorts: Rise in business identity theft, spying Roombas, and much more
  • Software updates

The NEW Way to Beat the Password Paradox

Do all of your passwords contain special numbers and characters? Do you change them every 90 days?

Chances are you've been following this password advice for many years but it may not be keeping your accounts safe.

In 2003, engineer Bill Burr authored what came to be known as the official guidance on password security published by the U.S. National Institute of Standards and Technology (NIST). In it, he suggested that users strengthen passwords by incorporating uppercase letters, numbers, and characters. Burr also recommended changing passwords frequently. Quickly, Burr's words became the standard on password security.

But now Bill Burr regrets the password advice in his original guide. In a recent interview with The Wall Street Journal, Burr acknowledged that his suggestions may have actually led people to use less secure passwords.

Asking people to change a password every 90 days typically results in users making a minor change to the password such as adding a number to the end of the existing password. That change does little to increase password security.

And all the characters, numbers, uppercase letters, and lowercase letters make it harder for people to remember their passwords without offering much security value. Once masses of people adopted this trend, the hackers caught on and can now break these types of passwords in a couple of days.

So what can you do to create hard-to-hack but easy-to-remember passwords?

The new password creation method

Security experts and the NIST now say stringing five random words together is the best method for password creation. The password Twins July Motor Buckle Add would most likely take longer to hack compared to the password C0mpu+3r45.

Why? For one, five-word passwords tend to be longer than our old passwords. Also, choosing five words tends to create more random passwords which add security. Password strength is determined by a factor called entropy—the amount of randomness or uncertainty your password contains.

But to truly create a strong five-word password, you shouldn't choose the words yourself. Studies have shown that even when we think we are choosing random words, we are strongly influenced by how often that word occurs in regular conversation, as well as grammatical rules.

Security experts recommend the Diceware method to create your strong passwords.

Here, you roll a die five times to create a random number. For example, say you roll a 2, 6, 3, 1, 1. Repeat this process until you have five five-digit numbers, such as:

Then use the 7,776-word Diceware list to match each 5-digit number to the corresponding word on the list. Using the numbers above, your password would be Frame Booth Orr Assort Cutlet—leaving spaces increases security.
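The Diceware procedure above, written out as an added Python example (it is not code from the newsletter). It rolls the dice with the operating system's cryptographic random source, parses the "key word" line format of the Diceware list, maps each five-digit key to its word, and also goes a step beyond the text by computing the passphrase's entropy in bits for several word counts. The embedded word list is a constructed stand-in: only the line "26311 frame" follows the newsletter's own example roll of 2, 6, 3, 1, 1; the other entries are placeholders, and the file name diceware.wordlist.asc mentioned in a comment is an assumption.

```python
"""Diceware passphrase helper (added example, not from the newsletter)."""
import itertools
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
DICEWARE_LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7,776 entries, as in the text

# Constructed stand-in for the Diceware list file, which has one "key<TAB>word"
# line per entry. "26311 frame" follows the newsletter's example roll; the other
# lines are placeholders, not real list entries.
SAMPLE_LIST_TEXT = """\
# comment lines and blank lines are ignored
11111\tplaceholder1
26311\tframe
36254\tplaceholder2
66666\tplaceholder3
"""


def is_valid_key(key):
    """A key is exactly five digits, each from 1 to 6 (one die roll per digit)."""
    return len(key) == ROLLS_PER_WORD and all(c in "123456" for c in key)


def load_wordlist(text):
    """Parse 'key<whitespace>word' lines into a dict; skip blanks and '#' comments."""
    wordlist = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        if not is_valid_key(key):
            raise ValueError(f"malformed key in word list: {key!r}")
        wordlist[key] = word.strip()
    return wordlist


def all_keys():
    """Every possible key, '11111' through '66666' (6**5 of them)."""
    return ["".join(t) for t in itertools.product("123456", repeat=ROLLS_PER_WORD)]


def roll_key():
    """Roll a die five times with the OS CSPRNG (never the random module) -> e.g. '26311'."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(ROLLS_PER_WORD))


def lookup(key, wordlist):
    """Map one rolled key to its word, rejecting keys that could not come from dice."""
    if not is_valid_key(key):
        raise ValueError(f"bad Diceware key: {key!r}")
    return wordlist[key]


def passphrase_from_keys(keys, wordlist, separator=" "):
    """Map each rolled key to its word; a space separator is what the newsletter suggests."""
    return separator.join(lookup(k, wordlist) for k in keys)


def generate_passphrase(num_words, wordlist, separator=" "):
    """Roll fresh keys and map them; refuses an incomplete list so a roll can never miss."""
    if set(wordlist) != set(all_keys()):
        raise ValueError("word list must contain all 7,776 keys")
    keys = [roll_key() for _ in range(num_words)]
    return passphrase_from_keys(keys, wordlist, separator)


def entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of num_words words chosen uniformly from the list: n * log2(list size)."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    sample = load_wordlist(SAMPLE_LIST_TEXT)
    print("newsletter's roll 2,6,3,1,1 ->", passphrase_from_keys(["26311"], sample))
    print("a fresh roll:", roll_key())
    # Constructed complete list (each word is just its key) so the generator runs
    # offline; for real use load the full list, e.g. from an assumed file name:
    # load_wordlist(open("diceware.wordlist.asc").read())
    stand_in = {k: "w" + k for k in all_keys()}
    print("5 rolled words from the stand-in list:", generate_passphrase(5, stand_in))
    for n in (4, 5, 6):
        print(f"{n} words: {entropy_bits(n):.1f} bits of entropy")
```

The entropy figure is what the newsletter calls randomness: with 7,776 equally likely words, each word contributes about 12.9 bits, so five words give about 64.6 bits regardless of which words come up. That is only true when the words are chosen by the dice; `generate_passphrase` deliberately insists on a complete list and on `secrets` so no step silently falls back to a human or a non-cryptographic source.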

Now you may be thinking, "I won't remember a bunch of random words strung together—especially for multiple passwords!" It's nearly impossible to remember unique passwords for the ever-growing number of online accounts we accumulate.

The key to remembering

That's why you must also use a password manager. A password manager is a program that stores all of your usernames and passwords in an encrypted file on your computer and/or in "the cloud." Your passwords are protected by one master password—the only one you need to remember.

Once you are signed into your manager with your master password, the program will autofill the username and password fields for any known website. If you visit a new site that is not yet stored, you can easily save your login credentials to your password vault. You can also easily update passwords in the manager so you can update all of your passwords using the Diceware method.

Some people may question the security of password managers but those fears are unfounded. Password managers use strong encryption to secure your password files. Your passwords are so secure that if you forget your master password not even the company can retrieve your passwords.

Password managers typically cost $10-$30 annually and most allow you to access your manager from your various devices such as your smartphone and tablet. Free versions exist but typically those only work on one device and have limited features. There are many password managers to choose from and it's best to do some research to see which program best fits your needs. Some options you may consider are Dashlane, LastPass, 1Password, and KeePass.

Emerging Threats

Nearly half of healthcare providers and plans have fallen victim to cybersecurity incidents exposing private information. A new study from KPMG discovered that healthcare payers are being targeted 10% more often by hackers than they were in 2015. The most likely reason is that executives have made cybersecurity less of a priority. Nearly 90% of execs named data privacy and security a top concern in 2015. That is now down to 79%. The survey also found that close to half of the organizations had suffered a phishing attack in the last year.

New Social Security scam makes the rounds. The latest scheme involves scammers calling Social Security recipients and asking them to confirm personal information such as their Social Security number, birth date, and more. If the scammers receive the information, they use it to change the recipient's direct deposit information at the Social Security administration to their own account.

Tax professionals targeted in new phishing scam according to the IRS. The emails appear to come from tax software providers and include subject lines such as "Important Software Systems Upgrade." The email then asks for the user's login credentials to validate the update. The phishers use those credentials to log into the preparer's account and steal client information.

Cybersecurity Shorts

Business tax identity theft rises as consumer tax-related identity theft cases decline. The IRS has seen consumer tax fraud cases drop nearly 47% in the beginning half of 2017. Fraudulent business tax returns have been growing in popularity, however. The IRS reports 10,000 possible fraudulent business tax returns so far this year—6,000 more than the same time frame in 2016. This may be a result of hackers stealing data from professional tax preparers.

Say goodbye to Adobe Flash—the video player will stop being supported come 2020. Adobe announced the phase-out of its notoriously buggy software this month. In recent years, hackers have targeted the program heavily, leading to critical vulnerabilities nearly every month. Very few websites require Flash these days, which also led to Adobe's decision to kill the product.

Your Roomba may soon sell a map of your home to marketers after vacuuming. Roomba's parent company, iRobot, already maps users' homes if they opt in to the Clean Map reports. This feature shows users where the Roomba went and what areas of their home had the most dirt. CEO Colin Angle hinted at the possibility of selling this information to companies such as Google, Amazon, and Apple in the future. If these maps land in the wrong hands, users' security and privacy could be at risk.

Hackers crack voting machines in minutes at DEF CON cybersecurity conference. Given recent fears regarding voting machine security, the conference organizers decided to create a "Voting Machine Village" made up of 30 machines for hackers to break into and find vulnerabilities. All of the machines were hacked, and most in mere minutes. The attendees shared possible fixes to make our voting machines more secure.

Multiple White House officials fall victim to phishing emails sent by "email prankster." The prankster, who is based in the UK, spoofed Jared Kushner's email address and sent a message to Homeland Security Adviser Tom Bossert. Bossert, who works in cybersecurity, responded to the email and included his personal email address. The prankster also disguised himself as Reince Priebus and sent a message to Anthony Scaramucci the day after Priebus resigned. Scaramucci was fooled by this message as well.

Pharmaceutical company Merck hit with ransomware attack that impacted manufacturing, research and sales, and order fulfillment for certain products. The attack was first discovered back in June, but the company has had difficulty in fully recovering. Some operations are still not up and running.

Nearly 20,000 Medicare members had their information exposed in a July Anthem BlueCross BlueShield data breach. An employee working for Anthem's Medicare insurance coordinator services vendor, LaunchPoint Ventures, downloaded data on members and emailed it to himself. The data includes Social Security numbers, ID numbers, last names, and dates of birth. As of now, the data has not been misused. LaunchPoint fired the employee and has contacted affected individuals.

Senate advances cybersecurity bill to help educate small business owners on cybersecurity threats. Working with the Small Business Administration, the Senate Small Business and Entrepreneurship Committee approved legislation requiring small business owners who receive grants from the Small Business Administration to train employees on cybersecurity defense.

Game of Thrones episodes leaked, Twitter accounts hacked in a bad week for HBO. Earlier this month HBO had 1.5 terabytes of information stolen. This included episodes of Game of Thrones, Ballers, and Room 104. The hackers demanded nearly $6 million in exchange for not leaking more episodes, which HBO did not pay. Later, HBO Twitter accounts were hacked by OurMine hacking group.

Financial advisors must improve cybersecurity practices, according to the SEC. While preparedness has increased among firms since the SEC's 2014 Cybersecurity Initiative, there are still areas advisors could improve. For example, less than two-thirds of advisors have implemented plans on how to respond to a data breach. In addition, firms need to do a better job on updating software. Read more here.

Gmail introduces a new feature to combat phishing messages. Using the iPhone Gmail app, you will be alerted when you click on a suspicious link with a message telling you that this link leads to an untrusted site. The app gives you the option to cancel or proceed. If you proceed, you will see another message that explains the link has been designed to steal your information. A similar feature has already been implemented in Android's Gmail app.

Software Updates

Adobe: Adobe released updates for Adobe Acrobat, Adobe Reader, and Adobe Flash Player this month. The majority of issues affect Acrobat and Reader, so be sure to update those programs as soon as possible. As we mentioned earlier, Adobe Flash Player is being phased out and you may want to investigate whether you need the program or not. You can learn more about the update here.

Microsoft: Nearly 50 security holes were patched by Microsoft this month—many of them critical. Vulnerabilities are found in Windows, Microsoft Office, Microsoft Search, and other programs. Your computer should prompt you to update automatically but you can learn about the patches here.