New users have flocked to the Zoom video conferencing platform as businesses, schools, and other organizations look for ways to meet safely during the Coronavirus pandemic. Unfortunately many of those brand new accounts appear to have been secured with old passwords.
The cyber risk assessment experts at Cyble recently discovered a hacker selling stolen Zoom credentials at dirt-cheap prices — and in some cases giving them away for free.
Cyble purchased more than 530,000 on an underground hacking forum for next to nothing. Several of the company’s clients were among the stolen credentials, which also included personal meeting URLs and Zoom host keys. Cyble reached out and confirmed that the credentials were indeed valid.
Password re-use remains a huge security issue for the general public. Fatigued users feel like they can’t remember yet another password so they set up new accounts using an old stand-by.
The problem is that by now all of those old stand-by passwords have been filed away in databases by criminal hackers. They’re actively using them to break into accounts using brute force attacks.
Usernames, email addresses, and passwords have been exposed by the billions over the past several years. Creating a new account on Zoom — or any service, for that matter — is simply not a good idea.
Hackers will come knocking. It’s not a question of if. It’s a question of when. more
Spybuster Tip # 053 - Upgrade all your passwords.
Spybuster Tip # 054 - Don't worry about having to remember all your passwords. Use a password vault.
Tuesday, April 14, 2020
Monday, January 13, 2020
Spybuster Tip #632: Fortify Your Two-factor Authentication
Two-factor authentication is a must, but don't settle for the SMS version. Use a more secure authenticator app instead.
The most popular authenticator apps are Google Authenticator and Authy, but password managers 1Password and LastPass offer the service as well, if that helps you streamline. If you're heavy into Microsoft's ecosystem, you might want Microsoft Authenticator. While they all differ somewhat in features, the core functionality is the same no matter which one you use. more
Thursday, December 26, 2019
The Top 200 Worst Passwords of 2019
Independent researchers, who requested to stay anonymous, compiled and shared with us a list of 200 most popular passwords that were leaked in data breaches just this year. The database is quite impressive — 500 million passwords in total. And if you think that’s a lot of leaked passwords, we have some bad news for you — it’s just the tip of the iceberg. more
Here are the Top 20 to get you started...
Top 2020 New Years Resolution... Fortify your passwords.
Tuesday, July 23, 2019
Google: Wi-Spy Case Cashed Out
Google is poised to pay a modest $13 million to end a 2010 privacy lawsuit that was once called the biggest U.S. wiretap case ever and threatened the internet giant with billions of dollars in damages.
The settlement would close the books on a scandal that was touched off by vehicles used by Google for its Street View mapping project. Cars and trucks scooped up emails, passwords and other personal information from unencrypted household Wi-Fi networks belonging to tens of millions of people all over the world. more
Tuesday, June 18, 2019
Security Message Screen Savers for Business Computers and Laptops (FREE)
Three stock Security Message Screen Savers to choose from. Five rotating screens with the top five information security best practices employees can implement themselves.
FREE to use as-is with "Logo goes here" removed, or can be customized with your business logo.
Need to customize? Contact us for details and cost.
- Reminders work.
- Put your idle computer screens to work as your security helpers.
- Three backgrounds to choose from, or commission custom screens.
Click link to see these information security screensavers in action.
Thursday, June 14, 2018
Three Tips for Protecting a Business's Passwords
One of the common areas we see companies and technology groups struggling to manage securely and effectively is… passwords. We know we need them (passwords), we know they need to be “secure”, and we know they’re a pain in the neck to keep organized. That’s exacerbated exponentially when you factor in shared passwords and accounts for teams.
Tip 1: Quit Using Excel to Manage Your Passwords...
Tip 2: Know All of Your Org’s Accounts...
Tip 3: Know Your Password Security Options...
Read the full details about each tip at criticalinformatics.com
Cell Phone Passcode of 1+2+3+4 = 18 Years in Prison
A man serving 18 years in prison in South Carolina for burglary was rightfully convicted in part because he left his cellphone at the crime scene and a detective guessed his passcode as 1-2-3-4 instead of getting a warrant, the state Supreme Court ruled Wednesday.
Lawyers for Lamar Brown argued detectives in Charleston violated Brown’s right to privacy by searching his phone without a warrant.
After storing the cellphone in an evidence locker for six days in December 2011, the detective guessed right on Brown’s easy passcode, found a contact named “grandma” and was able to work his way back to Brown.
The justices ruled in a 4-1 decision that Brown abandoned his phone at the Charleston home and made no effort to find it. The law allows police to look at abandoned property without a court-issued warrant allowing a search. more
Tuesday, January 16, 2018
Hawaiian Emergency Management - Passwords on Post-it Notes on Computer Screens
The Hawaii Emergency Management false alarm mess was not caused by pressing the wrong button. It was caused by poor design.
Ever select the wrong thing from a drop-down menu? Sure, it happens all the time.
The Washington Post reports...
The menu, which triggers alerts, contains a jumble of options, ranging from Amber alerts to Tsunami warnings to road closures. Some of them, such as “High Surf Warning North Shores,” are in plain English.
Others, including the one for a missile attack, “PACOM (CDW)-STATE ONLY,” use shorthand initials. (PACOM refers to the United States Pacific Command based in Hawaii.)
And the menu contained no ballistic missile defense false alarm option — which has now been added at the top of the image, marked up by officials for explanatory purposes. more
Suggestions:
1. Separate the messages into smaller groups: Routine Tests | Advisories | Life Threatening
2. Drop the jargon. Say what you mean, clearly.
3. Do not use instant-select dropdown menus.
4. Use radio buttons to select the message, plus a CONFIRMATION and CANCEL button to activate the selected alert, or not. Two extra seconds of thought can prevent a lot of mistakes.
If you need help with design, call on the master, John McWade. He can teach you.
And, what's with posting the passwords to an emergency management computer screen?!?!
If the personnel can't memorize a password as lame as this, they shouldn't be allowed anywhere near a keyboard. more
Password: Warningpoint2
Wednesday, January 3, 2018
Counterespionage Tip # 022: The Encryption & Password Mistake
An excerpt from the Forever 21 press release last week...
...After receiving a report from a third party in mid-October 2017 suggesting there may have been unauthorized access to data from payment cards that were used at certain Forever 21 stores, we immediately began an investigation. We hired leading payment technology and security firms to assist. The investigation determined that the encryption technology on some point-of-sale (POS) devices at some stores was not always on... more
The setting to enable encryption may never have been set to on. If it was, the setting may not have been password protected, thus allowing the encryption to be turned on and off. Costly mistakes.
This happens frequently on devices which are introduced after the initial set-up of similar devices. It's similar to the "not changing the default password" syndrome.
Counterespionage Tip # 022: When installing new devices:
- Change the default password.
- Review all the settings. Turn off all the eavesdropper and espionage friendly settings.
- Pay particular attention to security-related settings.
- Enable encryption.
- Change the administrator's password if the device has one.
- Deter physical access to internal memory and components using security tape. Check often for tampering.
Removing an unencrypted printer drive for covert duplication. Murray Associates case history photo.
You may be surprised how many devices offer password protection and encryption these days...
- Point-of-sale (POS) devices.
- Wi-Fi Access Points.
- Audio and video teleconferencing equipment.
- Networked print centers.
- Stand-alone printers with Wi-Fi capabilities.
- VoIP telephone systems.
- Interactive white boards.
- Fax machines with memory vaults.
- Computers, tablets, mobile phones.
- Manufacturing equipment.
- Medical devices.
- CCTV cameras and recording systems.
Security settings on items in your environment should be checked periodically. A knowledgeable Technical Surveillance Countermeasures (TSCM) team can do this for you. It should be part of their inspection for electronic surveillance devices and information security loopholes.
If you don't have a TSCM team already, or are not sure of their capabilities, give me a call. ~Kevin
Tuesday, October 31, 2017
TSCM Alert - Keylogger Used to Hack School Grades
Former University of Iowa student Trevor Graves was arrested last week and charged...with hacking into the school's system to change grades.
...Graves allegedly attached a keylogger to several university computers in order to compromise faculty, staff and student information. In January 2017 the scheme was identified when a keylogger was discovered and reported by a staff member...
The school estimated that about 250 people had their HawkID and password stolen.
The court documents state that Graves allegedly used the information taken to escalate his privileges within the school's computer system enabling him to change grades, an ability given only instructors. more
This school was lucky. They discovered the spying device almost by accident.
Most electronic surveillance and subsequent information loss is never discovered, because... "If you don't look, you don't find."
Technical Surveillance Countermeasures (TSCM) inspections are not just about finding bugs and wiretaps. These exams also discover keyloggers, optical surveillance (spycams) and other methods of information loss.
Periodic TSCM exams are as vital to an organization's health as medical exams are to people. Think about that for a second... both can spot a cancer while it can still be cured.
Need a TSCM exam, or a local referral? Contact me. ~Kevin
Typical keystroke logger attached to keyboard cable.
Saturday, July 8, 2017
Thursday, February 16, 2017
Ticketmaster Allegedly Hacked Start-up to Steal Trade Secrets
A startup ticketing company alleged in a legal filing that Live Nation Entertainment Inc., the country’s biggest concert promoter, hacked into its computer systems and stole trade secrets.
The allegations, included in an amended antitrust lawsuit that was originally filed by Brooklyn-based Songkick in 2015, are based on information that the company said came to light in the discovery process.
Filed in U.S. District Court in Los Angeles Wednesday, the complaint alleges that Live Nation’s Ticketmaster unit obtained unauthorized access to Songkick’s computers with the help of an executive who has worked at both companies. more
Spybuster Tip #512 — Change all passwords whenever an employee is terminated or quits. ~Kevin
Wednesday, September 14, 2016
Business Espionage: At these rates, employees may start selling your passwords.
Hackers are claiming to have accounts at major United States government agencies for sale, including NASA, the Navy, and the Department of Veteran Affairs.
The unverified cache found by Infoarmor chief intelligence officer Andrew Komarov includes 33,000 records tied to the US Government, plus research and educational organizations and universities.
Agencies on the list include the US General Services Administration, National Parks Service, and the Federal Aviation Administration. One government data listing visited by The Register promised alleged access to six unnamed accounts for subdomains of the US Navy including 3.5 bitcoins (US$2132).
They are also selling alleged access to five accounts across subdomains for NASA's Jet Propulsion Lab for three bitcoins (US$1827).
Another three logins to servers of the US Centres of Disease Control and Prevention over FTP and SFTP were being flogged for half a Bitcoin (US$300). more
Tuesday, May 10, 2016
It's time to make peace with passwords. This free guide will help.
By now we're all well aware of what makes a bad password … it's us.
A glance at SplashData's annual reporting on the world's worst passwords shows just how laughably bad at creating passwords us humans really are. But what's worse, as Steve Ragan's analysis of leaked passwords shows, is that many passwords on the naughty list adhere to the carefully crafted password policies in use in companies today.
How can security leaders do better? For one thing, we can stop blaming users, says Michael Santarcangelo. Instead, we can focus on providing them with technology that makes the job easier.
That's where this guide comes in. more
Thursday, February 18, 2016
Security Director Alert - 46,000 Internet-accessible Digital Video Recorders (DVRs) Hackable
Hackers can log into DVRs from RaySharp and six other vendors using a six-digit hard-coded root password
Up to 46,000 Internet-accessible digital video recorders (DVRs) that are used to monitor and record video streams from surveillance cameras in homes and businesses can easily be taken over by hackers.
According to security researchers from vulnerability intelligence firm Risk Based Security (RBS), all the devices share the same basic vulnerability: They accept a hard-coded, unchangeable password for the highest-privileged user in their software -- the root account.
Using hard-coded passwords and hidden support accounts was a common practice a decade ago, when security did not play a large role in product design and development...
RBS researchers found that they contained a routine to check if the user-supplied username was "root" and the password 519070. "If these credentials are supplied, full access is granted to the web interface," the RBS researchers said... (Test it on your DVRs. ~Kevin)
RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but what makes things worse is that it's not only RaySharp branded products that are affected.
The Chinese company also creates digital video recorders and firmware for other companies which then sell those devices around the world under their own brands. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.
And those are only the confirmed ones. more
Thursday, February 11, 2016
Business Espionage Alert - Bribing for Passwords
Ireland has a new problem to throw at Apple: hackers are trying to buy company logins from employees. In some cases, employees are being offered upwards of €20,000 (about US$22,245) in efforts to coax out user names and passwords.
An Apple employee told Business Insider, "You'd be surprised how many people get on to us, just random Apple employees. You get emails offering you thousands [of euros] to get a password to get access to Apple."
Hackers are reportedly also targeting Apple employees for company information.
Exactly what hackers expect to accomplish once they have logins isn't clear. They may be trying to conduct industrial espionage (well, duh), dig up personal information, disrupt company plans, or something else entirely. more
You can bet this isn't just happening at Apple. Warn your employees you are on to this, watching for it, and will prosecute disloyal employees. ~Kevin
Tuesday, January 19, 2016
Did Your Lame Password Make the Top 25 List for 2015?
Here are the most popular passwords found in data leaks during the year, according to SplashData:
- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567
- baseball
- welcome
- 1234567890
- abc123
- 111111
- 1qaz2wsx
- dragon
- master
- monkey
- letmein
- login
- princess
- qwertyuiop
- solo
- passw0rd
- starwars
more
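The practical use of a list like this (and of the 2019 top-200 list and the password-reuse problem behind the Zoom credential sale further up the page) is as a denylist at signup and password-change time. The block below is an added example, not code from any of the quoted articles or from SplashData: it rejects anything on the 2015 top-25 list above, including the "Password1!" style variants people use to satisfy complexity rules, and checks candidates against a breach corpus with the hash-prefix (k-anonymity) query pattern, in which only the first five hex characters of the SHA-1 leave the client. The corpus and its counts are constructed locally from the same list so the example runs offline; a real deployment would point `breach_count` at a breach-corpus range service that answers in the same `SUFFIX:COUNT` format.

```python
# Added example (not from the original posts): reject passwords that appear on
# a published worst-password list, and check candidates against a breach corpus
# using hash-prefix (k-anonymity) queries, so neither the password nor its full
# hash ever leaves the client.
import hashlib
import re
from typing import Callable, Dict, List

# The 2015 top-25 list quoted in the post above.
WORST_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey", "letmein",
    "login", "princess", "qwertyuiop", "solo", "passw0rd", "starwars",
]


def normalise(candidate: str) -> List[str]:
    """Forms to compare: as typed (lower-cased) and with the trailing digits or
    punctuation people bolt on to satisfy complexity rules stripped off."""
    base = candidate.strip().lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    return [base] + ([stripped] if stripped and stripped != base else [])


def is_denylisted(candidate: str, denylist=WORST_PASSWORDS) -> bool:
    deny = {p.lower() for p in denylist}
    return any(form in deny for form in normalise(candidate))


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_local_ranges(corpus) -> Dict[str, List[str]]:
    """Constructed stand-in for a breach corpus, indexed the way a k-anonymity
    range service answers: 5-char prefix -> ["SUFFIX:COUNT", ...]. The counts
    are made up from list rank, not real breach statistics."""
    ranges: Dict[str, List[str]] = {}
    for rank, pw in enumerate(corpus, start=1):
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{(len(corpus) - rank + 1) * 1000}")
    return ranges


LOCAL_RANGES = build_local_ranges(WORST_PASSWORDS)


def local_range_lookup(prefix: str) -> List[str]:
    """Offline replacement for the network call; same request and response shape."""
    return LOCAL_RANGES.get(prefix, [])


def breach_count(candidate: str, lookup: Callable[[str], List[str]] = local_range_lookup) -> int:
    """Send only the first 5 hex chars of the SHA-1 to the lookup service, then
    match the remaining 35 chars locally. Returns the corpus count, 0 if absent."""
    h = sha1_hex(candidate)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(candidate: str, min_length: int = 12) -> Dict[str, object]:
    """Policy result a signup form or password-change handler can act on."""
    result: Dict[str, object] = {
        "denylisted": is_denylisted(candidate),
        "breach_count": breach_count(candidate),
        "too_short": len(candidate) < min_length,
    }
    result["accepted"] = not (result["denylisted"] or result["breach_count"] or result["too_short"])
    return result


if __name__ == "__main__":
    for pw in ("123456", "Password1!", "correct horse battery staple"):
        print(pw, check_password(pw))
```

The reuse angle from the Zoom story is handled by the breach check rather than the static list: a password that looks unique to one user can still be in a corpus from an earlier leak, and the prefix query lets the check run without the service ever learning which password was tested.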
Friday, November 28, 2014
Aged Law Urped Up to Decrypt Phone Data
The Justice Department is turning to a 225-year-old law to tackle a very modern problem: password-protected cellphones.
Prosecutors last month asked a federal magistrate in Manhattan to order an unnamed phone maker to provide “reasonable technical assistance” to unlock a password-protected phone that could contain evidence in a credit-card-fraud case, according to court filings...
...the government on Oct. 10 obtained a search warrant to examine the contents of the phone. In the credit-card case, the phone was locked, so prosecutors asked U.S. Magistrate Judge Gabriel Gorenstein to order the manufacturer to unlock it. They cited the All Writs Act, originally part of a 1789 law that gives courts broad authority to carry out their duties. (more)
Tuesday, June 17, 2014
Die Spy: We hack dead people's computers, so you don't have to!
Has a family member recently died leaving you with more stuff than answers?
Die Spy can help!
Our teams can find out everything you want to know about your deceased loved one. You may find out so much you will wonder why you ever bothered to get to know the person when he or she was alive!
We have a service package to fit any budget...
Open Sesame
Do you want to make sure there aren't any paperless bills to be paid or recurring payments that should be canceled? Perhaps you want to notify the deceased's social media contacts of the death. With our most basic package a low level hacker will get you logged in to your loved one's computer, tablet, and smart phone to help you find that person's most used accounts... (more)
Some forensic examiner better buy up DieSpy.com fast.
Wish I published this on April 1st.
Wednesday, May 28, 2014
iPhone Security Alert: The 1 Security Measure Owners Need To Take
Early Tuesday, a number of Australian iPhone and iPad owners awoke to find their devices locked, with an alert asking for $50 to $100 to give access back. The lesson: It's easier than you think for someone to get into your Apple products -- even if a thief doesn't have the actual iPhone in his or her hands.
One way to make yourself that much safer? Start using two-step verification for your Apple ID.
When you enable two-step verification, Apple will make you prove you're actually you whenever you buy anything on iTunes, the App Store or the iBooks Store. It works like this: Apple will text you a code anytime you try to sign into your Apple account to make a purchase. You will then have to input that number to verify your identity. That way, nobody else can access your account unless they have both your password and your device, making it far more difficult to steal your identity and credit card information.
Here's how you do it... (more)