Asset Protection

Cybersecurity Monthly Newsletter March 2024

In this issue:

  • How to beat the password paradox

  • Cybersecurity Shorts

  • Software Updates

Welcome to your March Savvy Cybersecurity newsletter. Read on to learn more about:

  • A massive Chinese hacking plot affecting millions of Americans’ online accounts
  • How good cybersecurity is a way to protect healthcare patients
  • And more


How to beat the password paradox

Millions of online accounts have one thing in common—weak passwords. Experts say that about half of computer users choose bad passwords and then use those bad passwords across multiple accounts.

Most users know this is bad behavior but they face a double bind—either create a tough password that is impossible to recall or go back to the weak but memorable password.

How do you create a strong password that is easy to remember but hard to hack?

Mnemonic passwords

One way to beat the password paradox is using a mnemonic device—a pattern of letters, ideas, or associations that assist in remembering something. You may have used mnemonic devices in school to learn the order of the planets or other pieces of information. Remember, ROYGBIV?

To create a mnemonic password, choose a meaningful phrase—a song lyric, a prayer, even a line from a poem. Then, take the first letter of each word of the phrase to make the base of your password.

For example, say you chose the famous Shakespeare quote, “To be, or not to be: that is the question.” Your password base would be Tbontbtitq.

You can increase the strength of that password by bracketing it with a meaningful number—but don’t choose something like your birthdate or Social Security number. If you choose the date November 7, your password will now be 11Tbontbtitq07.

Lastly, add some uppercase letters and symbols to boost your password strength even more: 11Tbon+btitq!07. That’s a pretty tough password for hackers to break but still easy enough for you to remember.

Goal-setting passwords

Another method for creating tough but memorable passwords is goal-setting passwords. These passwords are not only easy to remember but are also motivational. Creative director Mauricio Estrella wrote about this practice in a Medium post after going through a difficult divorce.

Instead of being aggravated when he was required to change his work password every thirty days, Estrella decided to make his password a goal that he wanted to accomplish that month. His first password was directed at his ex-wife—Forgive@h3r.

After that password improved his feelings towards his ex-wife, Estrella decided he wanted to quit smoking. After typing Quitsmoking4ever for thirty days, Estrella did just that.

You, too, can use this motivational approach to better your life while improving your security. Choose something you want to accomplish in the near future and make it your password. Add some numbers and characters to make it even stronger.

Here are some goal-setting password examples:

Save more money ➔ $aveM0reM0n3y!

Run a marathon ➔ Run@M@ra+hon*

Read every day ➔ R3@dEveryD@y

Diceware method

Security experts believe that a random string of words can make the strongest password. That’s why many recommend the Diceware method. Here, you roll a die five times to create a random number. For example, say you roll a 6, 3, 1, 1, 4. Then you do that five more times so you have five five-digit numbers, such as:

63114

24225

13261

56312

33415

Then use the 7,776-word Diceware list to match each 5-digit number to the corresponding word on the list. Using the numbers above, your password would be vet eerie balsa sy hun—leaving spaces increases security.
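The Diceware lookup described above is mechanical enough to script. The following is an added example, not code from the newsletter or from the Diceware project: it maps five die rolls to a position in the 7,776-entry list (each roll is a base-6 digit), parses a list in the usual “rolls, tab, word” layout, and reports how many bits of randomness a passphrase of a given length carries. The five roll/word pairs come from the newsletter; the three-line list excerpt is constructed and its words are stand-ins, not entries from the real list. Dice are simulated with the `secrets` module, which is the right source for anything password-related.

```python
import math
import secrets

DICEWARE_WORDS = 6 ** 5  # the standard list has 7,776 entries, one per five-roll outcome

# The five roll/word pairs quoted in the newsletter, used here as sample data.
SAMPLE_WORDS = {
    "63114": "vet",
    "24225": "eerie",
    "13261": "balsa",
    "56312": "sy",
    "33415": "hun",
}

# Constructed excerpt in the Diceware file layout (rolls, tab, word).
# The words are placeholders, not taken from the real list.
SAMPLE_LIST_TEXT = """11111\tabacus
11112\tabdomen
66666\tzygote
"""


def roll_five_dice():
    """Return one five-roll outcome such as '63114', drawn from a CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def rolls_to_index(rolls):
    """Map a five-roll string to its 0-based list position (digits 1..6 read as base 6)."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError(f"expected five digits in 1-6, got {rolls!r}")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_rolls(index):
    """Inverse of rolls_to_index: 0 -> '11111', 7775 -> '66666'."""
    if not 0 <= index < DICEWARE_WORDS:
        raise ValueError(f"index {index} outside 0..{DICEWARE_WORDS - 1}")
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def parse_wordlist(text):
    """Parse 'rolls<whitespace>word' lines into a dict; blank and '#' lines are skipped."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rolls, word = line.split(None, 1)
        rolls_to_index(rolls)  # raises on a malformed roll string
        words[rolls] = word.strip()
    return words


def passphrase_from_rolls(roll_list, wordlist, sep=" "):
    """Join the words for each roll string; the newsletter keeps the spaces between words."""
    return sep.join(wordlist[r] for r in roll_list)


def generate_passphrase(wordlist, n_words=5):
    """Roll fresh dice for each word. Requires a complete 7,776-entry list."""
    if len(wordlist) != DICEWARE_WORDS:
        raise ValueError("a complete Diceware list is required for generation")
    return passphrase_from_rolls([roll_five_dice() for _ in range(n_words)], wordlist)


def entropy_bits(n_words, list_size=DICEWARE_WORDS):
    """Randomness of an n-word passphrase: each word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    rolls = ["63114", "24225", "13261", "56312", "33415"]
    print(passphrase_from_rolls(rolls, SAMPLE_WORDS))       # vet eerie balsa sy hun
    print([rolls_to_index(r) for r in rolls])                # list positions
    print(f"{entropy_bits(5):.1f} bits for five words")     # about 64.6 bits
    print(roll_five_dice(), "<- a fresh five-roll outcome")
```

Five words give roughly 64.6 bits of randomness regardless of which words come up, because the strength rests on the dice, not on the obscurity of the words; a sixth word adds another 12.9 bits. Picking the words yourself, or generating them with `random` instead of `secrets`, forfeits that guarantee.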

But you may be thinking, “I won’t remember a bunch of random words strung together—especially for multiple passwords!”

Two researchers at the University of Southern California (USC) have a solution: Rhyming password poems. The pair created a program that assigned codes to over 300,000 dictionary words. The program creates two-line rhyming verses you can use as your password. For example:

A letter cautiously Decries/the surgeons angrily denies.

or

Elise discovered oversight /of Valley public candlelight.

According to experts, these password poems would take millions of years to crack but the rhyming helps our brains remember.

Powerful passwords

Passwords lock our accounts from prying eyes, but using weak passwords offers little protection. Trying to remember tons of unique and tough passwords, however, seems nearly impossible. The methods mentioned above will help you beat this password challenge.

Emerging threat

Millions of Americans’ accounts caught up in Chinese hacking plot. The US Department of Justice and FBI have accused seven Chinese nationals of orchestrating a widespread, 14-year-long hacking campaign targeting US officials, businesses, and politicians, as well as foreign critics of China. The alleged hackers sent over 10,000 malicious emails, impacting thousands of victims across multiple continents, in what the justice department called a “prolific global hacking operation” backed by China’s government. The charges come as the UK and New Zealand have also accused China of being responsible for malicious cyber campaigns targeting their respective countries. The alleged hacking resulted in the compromise of work accounts, personal emails, online storage, and telephone call records, with the hackers using sophisticated methods to target individuals and companies, including defense contractors and a leading 5G network equipment provider.

Cybersecurity shorts

CISA is warning state and local governments about Phobos ransomware. Earlier this month, CISA released an advisory describing known attack techniques and indicators of compromise to help public sector organizations protect themselves against ransomware, specifically the Phobos threat. In 2019, Phobos, a ransomware-as-a-service (RaaS) provider, started to target the IT systems of municipalities and county governments, emergency services, education institutions, public health care, and other critical infrastructure sectors. According to the US Department of Health & Human Services, the average Phobos ransomware payment is approximately $38,100. You can read more about the CISA advisory here.

Cyber-physical attacks could be the next route of action with help from AI. Cyber experts have expressed concern that Artificial Intelligence (AI) is getting into the hands of hackers, stating they are afraid we may be entering the era of “cyber-physical attacks.” In February of this year, the FBI warned Congress about Chinese hackers who have burrowed deep into US cyber infrastructure in an attempt to cause damage, explaining that their main targets appear to be water treatment plants, electrical grids, transportation systems, and other US critical infrastructure. An MIT professor, Stuart Madnick, who has studied the cyber-physical nexus, has also voiced his concern that physical attacks will be the next phase of cybercrime.

Cybersecurity is healthcare patient safety. Late last month, Change Healthcare’s systems were taken offline and its parent company, Optum, disclosed that a cybersecurity issue was the cause of the outage. UnitedHealth Group initially tried to blame the attack on a “nation-state” affiliated actor before actually acknowledging that it was caused by the notorious cybercriminal gang BlackCat, also known as ALPHV or Noberus. This was discovered because BlackCat had quickly taken credit for the breach in a since-deleted post on its dark web site. With the healthcare field constantly being targeted by cybercriminals, cybersecurity experts are saying that this incident could spur greater emphasis on enhancing protocols and even create greater oversight from the federal government. You can read more about how proper cybersecurity is patient safety and more about the attack here.

Chief Tech Officers claim human error is the biggest cybersecurity threat. Almost two-thirds of Chief Technology Officers (CTOs) believe that human error is the biggest cybersecurity threat facing organizations today. Human error, which covers a great range in this field – from downloading a malware-infected attachment to failing to use a strong password – is seen as more threatening than both ransomware and phishing attacks. In response, CTOs have started to deploy a range of tactics to protect their teams and companies. One of these is multi-factor authentication, which has taken off in recent years and has been adopted by 94% of companies.

Two CISA systems hacked and forced to go offline. The federal agency in charge of cybersecurity discovered that it was hacked last month and was forced to take two computer systems offline. One of CISA’s affected systems runs a program that allows federal, state, and local officials to share cyber and physical security assessment tools, according to those briefed on the incident. The other holds information on the security assessments of chemical facilities. CISA described the incident as “a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience.”

Software updates

Adobe: Adobe released updates for many of its products this month including Adobe Premiere Pro, Adobe Bridge, Lightroom, and more. While none of these appear to be critical, you should still update your programs as soon as possible.

Apple: Apple released an urgent software update for iOS this month. The update is in response to at least two vulnerabilities that were being exploited. Your Apple devices should prompt you to update automatically. You can learn more here.

Microsoft: Over 50 security issues were closed in this month’s Microsoft updates. These updates impact programs such as Microsoft Authenticator and Microsoft Azure. Your devices will prompt you to update automatically. You can read more about the updates here.

SERVICES WE OFFER RELATED TO THIS TOPIC

The information contained in this post is for general use and educational purposes only. However, we do offer specific services to our clients to help them implement the strategies mentioned above. For specific information and to determine if these services may be a good fit for you, please select any of the services listed below.

The 4x4 Financial Independence Plan ℠

The Smart Asset Protection Planner ℠

Asset Protection

Coaching and Consulting
