
PASSWORDS ARE AND HAVE ALWAYS BEEN AN ACHILLES HEEL IN CYBERSECURITY

by MaryS

“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

Introduction

At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe. 

However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online. 

Today, Logmeonce had the opportunity to chat with Dave Whitelegg, a cybersecurity expert, about his involvement in the cybersecurity space.

We have an exciting interview planned for you today, so without further ado, let’s jump in!  

The Interview

Hello and thank you for taking the time to chat with our blog readers today, Dave. You have over 25 years of commercial experience in just about everything related to Cyber and Information Security, whether it’s firewalls, biometrics, encryption, operating system security, cybercrime, hacking techniques, data protection, information security management, cyber threat and risk assessing, threat intelligence, payment card security, and even pioneering Satellite VPN connectivity. But let’s start this interview by rewinding back to your early days in the cybersecurity space. What motivated you to get involved in this space? What drew you in in the first place?

I have always been fascinated by how technology works. As a young boy in the 1980s I recall taking apart one of the early home budget computers released in the UK, a ZX Spectrum, just to satisfy my curiosity about how this space-age new technology worked. My inquisitiveness led me to break into and recode one of the early football team management ZX Spectrum devices, allowing my football team to have the most money, the best players and to always win matches. I didn’t know it at the time, but not only was I teaching myself how to write code, the process I was undertaking was hacking: persistently making repeated trial and error attempts until I achieved the outcomes I wanted.

When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of ‘hacker’s eye for business’; this, in addition to understanding the motives of the threat actors, makes a good fit for an enjoyable and rewarding career in cyber and information security.

Cybersecurity was a very different space 25 years ago. How do you feel the balance of power has shifted within the cybersecurity space within the last 25 years? Do you feel that cybersecurity is becoming better and harder for hackers to penetrate? Or do you believe that advances in technology are only temporary patches that hackers eventually find ways to work around? Over the last 25 years who has been winning in the game of cat and mouse? How have you seen the balance of power shift during the last 25 years?

We are all more reliant on technology than at any point in our history. In the last 25 years we have seen an information technology revolution, with IT steadily becoming more complicated, widespread and connected. Today we all carry powerful, persistently and globally connected computers in our pockets, a technology which empowers and enriches our everyday lives. However, this tech revolution also means the attack surface and opportunity is greater than ever for a growing army of globally connected malicious actors. Today it doesn’t take a great deal of skill or even technology to become a proficient cybercriminal; indeed, technology like cryptocurrencies, the dark web and even YouTube tutorials are aiding bad actors on a global scale to commit nefarious acts. So the unwinnable security game of cat and mouse has got a whole lot bigger over the past 25 years, and when security stands still, the bad guys always win.

Let’s talk a little bit more about password security for a moment. You mention on your blog a case where a Ring camera was compromised and a hacker gained access to a young girl’s room through her camera and then proceeded to have a conversation with her. This hack seemed to be caused by “password stuffing”. Have you noticed an uptick in the amount of IoT device hacks, not due to the device itself being compromised, but due to weak passwords? In many of these cases where the hackers target an IoT device, what are they often looking to gain from the hack?

Passwords are and have always been an Achilles Heel in cybersecurity, especially with IT systems connected to the internet, such as IoT devices like the Ring camera.

The first issue with password security is people choosing a weak password to help them remember it easily. Cybercriminals know this too well, so will try all the most popular and commonly used passwords obtained from past data breaches to attempt to break into the online accounts.

The second problem is people using the same exact username and password credentials on multiple online accounts, so if one account password is compromised, which may not even be the account holder’s fault, perhaps due to a compromise of a third-party website, cybercriminals are able to use the same stolen credentials to log in to other online accounts the user might have. Typically the bad actors will attempt to access popular online email accounts, social networking and popular eCommerce websites. These types of attacks using stolen credentials can be performed en masse in so-called ‘credential stuffing’ attacks, which automate the process and reveal accounts where the same credentials are used.

One effective method to safeguard against the inherent insecurity of passwords is to enable Multi-Factor Authentication (MFA) where it is available, or else use a third-party password management app to create high-strength and unique passwords for each website, app and device used.

The final problem is specific to IoT devices, which are often shipped with a default manufacturer username and password used to gain initial access. It is essential this default account password is changed immediately and prior to any use. You’d be surprised how many people do not change the default credentials on IoT devices like internet-connected security cameras. The bad guys can easily scan, detect and even identify the models of some IoT devices; you don’t have to be Sherlock Holmes to correctly deduce the first username and password combination they will try.
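A defender-side illustration of the credential-stuffing pattern Dave describes above, added here as an example that is not part of the original interview: it parses a few constructed authentication log lines (the log format, IP addresses and usernames are all made up) and flags a source that cycles through many distinct usernames with a high failure ratio, listing the accounts where reused credentials actually worked. The thresholds are illustrative assumptions, not tuned values.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (format, addresses and
# usernames are all made up for this example, not taken from any real system).
SAMPLE_LOG = """\
2024-01-10T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-01-10T09:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-01-10T09:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-01-10T09:00:03Z src=203.0.113.5 user=dave result=OK
2024-01-10T09:00:04Z src=203.0.113.5 user=erin result=FAIL
2024-01-10T09:00:05Z src=203.0.113.5 user=frank result=FAIL
2024-01-10T09:01:00Z src=198.51.100.7 user=alice result=FAIL
2024-01-10T09:01:30Z src=198.51.100.7 user=alice result=OK
2024-01-10T09:02:00Z src=192.0.2.9 user=bob result=OK
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse(log_text):
    """Turn the log text into a list of login events; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "src": m.group(2),
                           "user": m.group(3), "ok": m.group(4) == "OK"})
    return events


def find_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct usernames and mostly fail.

    One user mistyping a password (one username, a few failures) is not
    flagged; a source replaying breached username/password pairs (many
    usernames, mostly failures, the odd success) is. Thresholds are assumptions.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0,
                                   "fails": 0, "successes": set()})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["successes"].add(e["user"])   # accounts where password reuse paid off
        else:
            s["fails"] += 1
    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "compromised": sorted(s["successes"])}
    return flagged
```

Accounts listed under `compromised` are the ones to force a password reset and MFA enrolment on, rather than the many failed ones.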

On your blog you say “Let’s hope that organisations, as well as security vendors, focus on better understanding the security needs of the industry, and invest in solutions and policies that would give them a better chance at defending against the ever-evolving cyber threat landscape.” However let’s talk about the security needs of individuals for a moment. What basic security needs of an individual do you believe are not being adequately met by the security industry?

We all must practise some basic security hygiene to keep ourselves safe. Firstly, ensure our PCs, laptops, smartphones, smartwatches, applications and Internet of Things (IoT) devices in the home, such as smart thermostats and networked security cameras, are kept up to date with the latest security updates. Today most operating systems and devices by default will automatically download and install security updates, but it is important to be aware that older technology and many IoT devices may still require manual intervention to ensure they have the latest security updates applied. Not applying security updates quickly means known vulnerabilities discoverable by hackers and automated malware could be exploited.

Passwords are one of the greatest weaknesses in home cybersecurity, and the bad guys know this. Good password hygiene means using a complex, unique password on each website, device and app we use. But remembering countless complicated and unique passwords for hundreds of different websites, devices and apps is not only a real chore but is practically impossible for most of us to do, especially if you want to use strong, difficult-to-hack passwords. Password management apps and password vaults offer the solution to this modern-age problem: all you have to do is remember a master password to access a trusted vault of all your usernames and passwords. And of course, it becomes incredibly important to protect that master vault password with a strong, unique password and ideally multi-factor authentication, if it is available.

Anti-virus software can help prevent most known malicious software from installing onto a laptop or desktop PC. There are many vendors which will sell anti-virus software, typically through an annual subscription, and anti-virus is often supplied with your PC or laptop upon purchase. However, there are also plenty of free anti-virus products on the market which will do the job. Microsoft Windows includes a highly robust anti-virus and threat prevention tool called Windows Defender Advanced Threat Protection, which is extremely effective in preventing malware infection if enabled.

Finally, the best defence is to adopt secure habits and behaviours when using your personal devices: always avoid clicking on links and opening attachments in emails which are unexpected or appear to be suspicious. Only install apps, games, and software you actually want, and only then from renowned, trusted providers and app stores. Be careful who you share your personal information, debit or credit card details and bank details with. Remember, those doorstep confidence tricksters and fraudsters of yesteryear deploy the same social engineering tactics and techniques through email and social media.

We’ve seen time and time again that passwords remain a common weak spot for companies and individuals alike. Weak passwords and password reuse can open up a backdoor for hackers giving them untold access to private information. Do you believe organizations are or are not doing enough to educate people on the dangers of weak passwords and password reuse?

Generally, I believe organisations could do more to help their customers and users avoid account compromise due to weak password usage. Security education and awareness is one thing, but the technology itself can be further improved upon to better protect user accounts. For example, offering or enforcing Multi-Factor Authentication (MFA) both for customer accounts and internal staff accounts is a proven effective measure against weak passwords, yet even banks and credit card companies aren’t providing true MFA with their online banking and mobile apps, often opting for a password and passcode, which are repeated single-factor passwords of ‘something you know’. There is no silver bullet with password security, but MFA comes close; it significantly reduces the risk of account compromise. In August 2019 Microsoft stated in a blog post that MFA would block 99.9% of automated attacks on user accounts.

Up to this point users themselves have been largely responsible for a big part of their own security. We’re responsible for using secure passwords, not clicking on malicious links in emails or on websites and so on. Do you envision a future where more security responsibility is taken out of the users’ hands and instead the responsibility for protection is placed within the technology itself? How much progress are we making with respect to protecting users from themselves and the common mistakes they make?

I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit: the least effort for the most reward. Social engineering a human is often much easier than hacking an IT system, albeit communications technology is used to facilitate the social engineering attack. For instance, phishing emails are the most common initial attack vector behind the vast majority of hacks and online fraud. World-renowned cryptographer Bruce Schneier summed it up best when he said, “Amateurs hack systems, Professionals hack people”.

As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more. Over the last two years, I have observed phishing attacks becoming more targeted and convincing in nature. Cybercriminals are taking more time to select and research their intended victims, using social media platforms like Facebook and LinkedIn to build intelligence about specific targets, and even using text messaging, phone calls and letters by post to help successfully con their victims out of money. The financial reward justifies the level of effort criminals put into these types of cyberattacks. So it’s important we don’t ever get complacent, and keep on our toes to the latest digital-age threats.

On your blog you also talk about an increased focus on AI as a tool to combat hacking attempts. What are some interesting advances you’re seeing around the intersection where passwords and AI meet?

Machine Learning, which is a subset of Artificial Intelligence, is already proving to be a powerful tool in detecting cyber threats by analysing big data, using algorithms which flag issues like unnecessary access privileges, compromised passwords and general malicious activity. The constant self-adaptation in how Machine Learning analyses data means computers can predict malicious actions from threats before they happen, and even take it a step further by invoking action to prevent those malicious actions from being successful in near real-time, all far more accurately than any human is able. For instance, an account with a suspected compromised password could be automatically disabled by AI as soon as the password compromise was detected.

Deep Learning, a subset of Machine Learning, could remove all human intervention altogether, as the AI is effectively able to fully correct itself. So perhaps a future Security Operations Centre at a large enterprise could well just be a single screen, with AI reporting stats and the actions it has taken. But today, while not a panacea, Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts break down the steady stream of data into actionable intelligence, reducing workload and false-positive errors, as evidenced by the numerous big-name vendors using Machine Learning within cloud-based SOCs and Threat Intelligence management services. On the flip side, Machine Learning could also be used nefariously to devastating effect on security.

In your opinion, what are the most exciting advances in Biometric technologies as they relate to keeping users safe?

The built-in biometric authentication capabilities of smartphones are a significant advancement for security. Whether it’s through facial recognition or fingerprint reading, they are hard to defeat while being quick and convenient for people to use. Given nearly all of us have a smartphone, smartphones could be an effective tool to quickly authenticate a person with MFA on any IT system, in that you need possession of the smartphone and to pass the smartphone’s biometric check, so it could well be the answer to solving the password weakness problem. Apple Pay and Google Pay have already been successfully rolled out and have helped to reduce payment card fraud, given smartphones are more secure to pay with than plastic credit cards; even the payment card number isn’t stored anywhere on the smartphone.

What cybersecurity threats scare you the most? What things keep you up at night?

The growing nation-state and cyber-terrorist threat is an increasing concern. As a society, we have become heavily reliant on IT infrastructure, and it is becoming more probable that future cyber-attacks could result in physical world damage and loss of lives. The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such a cyberattack which threatens lives. Even though threatening lives was not the WannaCry attack’s objective, it is a demonstration of a physical world impact and potential harm which could be caused by a cyberattack on technology relied upon. I worry about the growth of and our dependence on IoT devices, the security of driverless cars and trucks, and recent increases in nation-state cyber armies and their capabilities to inflict physical world havoc through large-scale, highly sophisticated and persistent cyber-attacks.

Lastly, what cybersecurity advances excite and inspire hope in you the most?

As a cybersecurity professional focused on protecting complicated business systems and IT infrastructure, the latest advances in Machine Learning are particularly interesting. The potential real-time analysis of high volumes of system monitoring data, to identify and then intervene to prevent malicious activity, could be a real security game-changer at medium to large enterprises.

The long-overdue regulation of IoT inspires hope; consumers purchasing and using IoT devices must be protected with the necessary IT security and privacy standards by default. There have been some truly frightening examples of insecure IoT devices released for home use, such as the internet-connected ‘My Friend Cayla’ smart doll, which was a child’s toy IoT device deemed so dangerous it was banned in Germany. We are becoming ever more reliant on IoT devices; most homes already have several IoT devices in plain sight, such as smart speakers, smart lights and smart thermostats. IoT is also increasingly being adopted within the manufacturing, agriculture, transportation, energy and medical sectors, so regulation is essential to help ensure IoT security is not neglected and to keep us all secure.

Thank you greatly for taking the time to chat with Logmeonce’s cybersecurity blog readers today, Dave. We truly appreciate it. To our blog readers, if you’d like to learn more about Dave and the work he does, you can follow him on Twitter or head over to his website here.
