Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: 2024 Q2 Security Insights
Quick Take
On this episode of Compliance Unfiltered, it’s that time again – time for Quarterly Security Insights! This quarter we are focused on all the goings-on in the cybersecurity world and will specifically cover:
– Password Best Practices
– TCT Portal for PCI v4.0
– Facebook Exploits User Devices to Spy on Competitors
– Hackers Find a Way to Open any of Over 3 Million Hotel Keycard Locks in Seconds
– Tycoon Malware kit Bypasses Microsoft and Google’s MFA
All these topics and more, on this episode of Compliance Unfiltered.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin. Well, welcome in to another edition of Compliance Unfiltered.
I’m Todd Coshow alongside the Paul Revere to your compliance revolution, Mr. Adam Goslin. How the heck are you, sir? Yeah, let’s get that going on. I’m doing good, how about you? Man, I cannot complain. I cannot complain on quarterly security reminders day. Let’s go. That’s right. Q2 security reminders for 2024. Let’s get into it, man. Password best practices you should ignore. Talk me through it. You should, should not ignore. Nope, you shouldn’t ignore. It’s not like you said that you should completely ignore. And that’s why we have you here. That’s the wrong idea. Yeah, good times. So yeah, definitely don’t ignore your password practices. So for the listener, the stuff we’re going to go over, none of this stuff is new or whatever.
So that’s why we call it a reminder. But keep in mind that some of the things we’re going to talk about today are good practices for your work setting and, more importantly, they are good practices for the home setting. I can’t tell you how many people will apply all these good practices at work and then at home, it all goes out the window. The reality is a lot of organizations get breached because passwords were exposed, and there’s also a lot of personal identity theft that’s attributed to weak personal password approaches. There is certainly a need for people to get serious about their passwords. Following these best practices really goes a long way to protecting the company, and it goes a long way to protecting you as an individual.
I had one organization at a client that I was working on; they were following, of course, horrible password practices when I first started interacting, and I basically held his feet to the fire. And I’ll tell you what, as we were rolling out all the password stuff, he was griping, moaning, pissing, complaining about all the stuff I was making him do and how much more difficult it was and how inconvenient everything was and blah, blah, blah, but it didn’t end. I had the joy, we were at weekly meetings, and this guy would just, to make it a point, bitch for a period of time about all the crap I was making him do. And it was funny because about six months later, he comes back to me and he says, you know what, he’s like, I just want to say, and I mean this in all sincerity, I know I gave you a rash of shit about all the password stuff, but honestly, now that I’m kind of in this mode, now that I’m doing the things that you showed me, etc., I just wanted to thank you for making me do that. He went so far as to say it was the best decision that he’d ever made.
His wife had their personal information hacked three times in the same period, and he hadn’t seen any issues since he’d started following the advice. So if you’ve got people that are similar to that guy, then your company’s security is kind of like staring at a colander, if you will, and trying to hold water with it. It makes an interesting self. Some of the reminder tips. Don’t ever use the same password in more than one place. You know, every single account that you’ve got, it should have its own distinct password. You know, if bad actors are able to discover your password on one account, you want to be able to mitigate or limit the number of other sites that could potentially get swept up in the bad guys trying that password elsewhere. I mean, you keep hearing about these data breaches where people had information stolen from their systems, etc. If you’re using the same password on multiple systems, this stuff is literally getting posted to the bad guys. So they’ll pick that up and they’ll go try others of your accounts with the same password. So yeah, don’t do it.
Next, not using passwords with patterns. So, you know, one crafty way that people think, well, you know, I want a way to be able to remember my passwords. So what I’ll do is I’m going to use this password pattern, whatever. I’m going to make my password pattern, you know, pound sign, puppy123, underscore, the name of the business that I am trying to make the password for, followed by an exclamation point type of thing. And then they go and use that on all of their passwords. Well, guess what? And the same, we were just talking about how the bad guys will go in, they’ll hack a system, they’ll grab the unencrypted passwords and post them to the dark web, etc. Well, the minute that one of the bad guys goes and walks in and sees the pound sign, puppy123, underscore, the name of the company that the password came from, with an exclamation point, well, guess what they’re going to do when they go to use that password again on secondary systems, right? They’re going to try all these other systems, they’re just going to swap out the company name. You’ve given them the vast majority of the keys to the kingdom. All they’ve got to do is figure out, what did you call the company that this password’s for? Hey, you’re right back into the same boat. You only made it mildly more challenging for them. So definitely not using password patterns, etc. You want to set your passwords to stuff that you can’t remember. I mean, that’s kind of the point: make them long, make them complicated, use as long as you can, randomize passwords, letters, numbers, special characters, all that fun stuff. Honestly, my take on passwords is typically, how large of a password can I make it? That is the question that I’ll often be asking myself or whoever I’m trying to set this password for. So if I can set a 200 character password, great. If I can set a 60 character password, okay.
But the bottom line is that when you’ve got passwords that are that complicated, each digit that you make it longer makes it less and less and less crackable. It makes it a longer process for somebody to try to break that password. So if you are able to commit your passwords to memory, that’s probably too simple of a password, and it’s gonna be a lot easier to discover.
Now, one of the correlated questions that I’ll get is, well, how in the heck am I gonna make long, jumble, mumble passwords that are blah, blah, blah, blah, blah, how in the hell am I gonna manage this? Well, do me a giant favor and do not, underscore not, put these things into a password-protected Excel sheet, a text file that’s sitting on your desktop that you call passwords, you know, blah, blah, blah. Instead, use a password management system. So for the uninitiated, a password management system is an encrypted repository that you need to have a password to get into. And once you’re in your password management system, then you can store, organize, etc. all of your passwords for your various systems, sites, etc. So, you know, sometimes that password management system will be something that you store locally, in which case you need to be cognizant of making sure you back that thing up. And sometimes- Did you just tell me to back that thing up? You bet your bottom dollar I did. Just so you know. All right, just so you know. All right. All right. Excellent. So with the password management systems, though, sometimes they’re online systems that you choose to use. There’s advantages and disadvantages to different choices in this arena, but what you do with your password management system is this. You do not use the same password that you used anywhere else. You do make it long and complicated, etc. But you commit that password to memory. Basically, it’s a password that only you know, which is the only instance of that particular password. It’s long and complicated, and that’s what you use for your password management system. And so basically, you go in, you have this one password that you’ve got to remember to get into your password management system. But once you’re in there, you can then go in and set long, complicated passwords.
So going back to some of the things I was saying a minute ago, where I was saying, set a 60 character password, set a 200 character password. For me, because I use a password management system, it doesn’t matter. It doesn’t matter if my password’s 200 characters, I don’t care, because I’m basically gonna go get into my password management system, copy it from there and paste it into the system I’m trying to go get into. And it really is irrelevant whether it’s eight characters or 200 characters. The other cool part about password management systems is that when you go and configure each entry in there, you can do all sorts of neat stuff. You can store your username, your password, you can store notes within there. You can store the URL for the target system so that you can basically go from your password management system, double-click on the URL, and it’ll pop up a browser window and bring you right to the login page, type of deal.
So all of that is kind of cool stuff that you can go do. And one other one is, you know how those sites you get in there and they’re like, hey, who was your best friend in grade school, is kind of like a common question, or what was the name of the street you lived on when you were in eighth grade, type of thing. A lot of people will actually answer those properly. For me, I don’t ever do that, because if I have two sites that are asking me, what’s the name of my best friend in grade school, then if I answered it honestly on both sites, then, you know, whatever, Bob, right? So I would put Bob and Bob. Well, guess what? Now you’ve got some crossover. Somebody, if they get exposed to that security question, now they’ve got the answer to this other site’s security question. So instead, what do I do? I’ll use the notes section of my password management system and I’ll write down just a brief synopsis of which question they ask. So, you know, best friend in grade school, colon. And then I’ll just enter something. I’ll just make it up, you know, yellow potato, blue seagull, whatever, it doesn’t matter. Just set random stuff for the answers to those questions. Because if you ever need to go in and get your password reset, etc., now you’ve got it stored in the encrypted vault of your notes related to your passwords, and you can go ahead and use that to go get in. And now all your security questions across all your sites are all different. So that’s another good suggestion for people. And finally, we talked about storing your passwords. Don’t store them in a text file or in a password-protected Excel sheet that takes, oh, I don’t know, about five seconds to blast past. You know, don’t write them down anywhere. Anywhere. Don’t write them down on a piece of paper that you stick in your desk drawer. Don’t write them down.
You know, on a sticky note you put in your wallet. You know, don’t hide them under your chair. You know, it’s sadder.
I’ll tell you a fun story, a fun, finger air quotes, story. So I was working at this one place, and this was before I really went headfirst into the security compliance arena, and it was the guy that was responsible for basically the infrastructure. Okay, so what did we end up discovering about this dude? There were some issues going on, I’m gonna put it to you this way, there were some issues going on, and he was kind of in the process of leaving the organization. And so we said, hey, we’re gonna need to get in under your account, because, you know, we have to be able to get into the system to go in and reset things and blah, blah, blah. So what does he do? He pulls out his damn phone, pops the back off of the case of his phone, and he’s got a piece of paper sitting in there with literally the domain admin credentials, blah, blah, blah, all written right down there. You know, it’s not like you’d ever lose your phone, and gee, I don’t know, you know exactly who it was that had the phone, whose phone it is, and then figure out, oh, I don’t know, where they worked. So yeah, it was really bad. That was the icing on the cake for that particular individual, but just do not ever write your passwords down. Don’t write them down. You know, get them into your secure encrypted password vault, and that’s really kind of the way to go. So, quick tip: use the TCT portal for an easy move to PCI 4.0. So I know PCI 4.0 is a major point of emphasis for a lot of folks right now, especially with the deadline of March 31st clearly in our rearview mirror.
Tell the people more about it. Sure, well, you know, the reality is that the last time you could fill out a 3.2.1 AOC was the end of March, and so, for a lot of organizations, they either are coming up on a 4.0, needing to go toward 4.0, or they just jammed their AOC in, you know, under the wire and bought themselves some time. But either way, you know, if PCI v4 is in your future, kind of the quick tip for the crew is this: make sure that you’re leveraging the TCT portal so that you can move and migrate easily. The TCT portal already has in it the ability to do migrations of your organization to PCI v4. So if you just wrapped up a PCI 3.2.1, and you know you’re headed toward 4.0, for a lot of folks, what I recommend to them is, go ahead and get your licensing for the portal. And basically backfill a 3.2.1 track, get all your evidence and blah in there, organize all that fun stuff. And that way you can go ahead and do a couple of different things. You can take all of your assignments, map them over to PCI v4. You know, you’ve got the ability to use TCT portal’s capability for live linking back to your prior engagement. So even though you’re talking about a 3.2.1 and a 4.0, in the background we’ve got mappings between these two. So I can take a 3.2.1 and migrate it to 4.0, that is one; two, I can just go to the 4.0 engagement, turn on live linking and refer back to the like evidence under that 3.2.1 track. That way, it’s very, very streamlined for organizations to kind of go through and look at how everything is mapping in, to figure out what they need to go do some work on, and whatnot; it gives them a huge leg up. It’s so much work for organizations to go and try to get their arms around the new standard and what’s changed and what’s different and where does this map from and to, etc.
I see a ton of organizations basically wasting a ton of time. And here at TCT, we’re not a gigantic fan of wasting time. We want to make your compliance management suck less. So certainly if you are not already drinking the Kool-Aid and on the TCT portal, or you know somebody that’s having to deal with this, tell them to give us a shout. We’ll be happy to give them a hand and show them the light, if you will. There you go. Now, what’s new in the news? Just a reminder, listeners can always access links to various news stories by going to the TCT website at gettct.com, click on Resources, click on Security Reminders. Adam, talk us through the news this week.
All right. Well, we’ll start with an interesting one. So it turns out, and it’s kind of coming out in the news as we speak, that Facebook, otherwise known as Meta now, were caught doing a man-in-the-middle attack against their competitors. It was a pretty big revelation. Apparently this was going on back in the 2016 to 2019 arena, where basically what they were doing is they were using client mobile devices to attempt to detect, decrypt and intercept other applications’ analytics on the customer’s phone, and they were targeting things like Snapchat, YouTube, Amazon, etc. The allegation as it stands right now is that Zuckerberg was paying teenagers to install kits on their phone which would allow these kinds of attacks to happen and would also obfuscate Meta from being directly linked to this.
It’s actually a pretty interesting read, you know, for the user; if you want to go in and read the full details, Todd was telling you a little bit earlier, we’ve got a link to the news story here. But yeah, it’s a pretty interesting read, and they also were showing an email that ostensibly is straight from Zuckerberg telling people that they need to start getting their arms around this and telling them to basically find a way. So yeah, I think there’s gonna be a little bit of hot water in that one.
So let’s see, the next interesting story: hackers found a way to open up any of about three million hotel key card locks in seconds. Yeah, Unsaflok is a key card hacking technique that could open up a lot of hotel room doors in seconds.
It needs to be performed in certain steps leading to exploitation, but Dormakaba is the name of the brand that’s kind of under fire. They use weak encryption as well as RFID exploits. The hacker used a hotel key card, a $300 RFID read/write device, and then basically wrote two blank key cards of their own. The first blank card rewrites a part of the lock’s data, and the second key card then exploits it. So yeah, it’s pretty rough. The more challenging piece here is these are all hardware devices. In some way, shape, or form, they’re going to need to make adjustments to them. That’s going to be a lot of work. So yeah, should be interesting stuff. So, you know, CISA’s warning that hackers are actively attacking a Microsoft SharePoint vulnerability. So, you know, it wouldn’t be a quarterly security reminder without something coming out of Microsoft. So SharePoint has a new vulnerability. It can be remotely executed. If the attacker gains authentication with site owner permissions, they can initiate this network-based attack remotely.
So, again, the listeners can go to the site, click on the news link, the CVE is in there. You know, but the vulnerability was found in the middle of ’23, but some of the companies are still being victimized by this attack as a result of bad patch management. So again, you look at the overall security and compliance program. It’s one of the real benefits, right, of leveraging a strong compliance management system: you can turn that thing on, like TCT portal in operational mode, and it will give the reminders for, hey, go patch your stuff, go patch your stuff, et cetera, prove you patched your stuff, right? If those companies were taking this seriously, then they wouldn’t be in this position, but yeah, apparently not. But, you know, there’s no new information on what weapons the attackers are using to exploit the weakness, only that the weakness can still be present if it’s not patched appropriately.
Moving on, there is a Tycoon malware kit that bypasses Microsoft and Google’s multi-factor authentication. So, yeah, love it. I actually, it was funny, I had an organization that hit me up about TCT portal and leveraging the main players for their MFA, and I mean, honestly, part of the reason why I avoided it is that I didn’t want, you know, because those platforms are huge F-ing targets for people trying to get through them, because so many people use them. So I think I’d rather stay out of the limelight if possible. But yeah, the Tycoon malware is being sold via the Telegram app. It’s a low-cost phishing-as-a-service platform. So the phishing kit can perform blitzkrieg on 365 and Gmail email-based accounts and has a capability that allows it to bypass the multi-factor authentication. So Bitcoin is used as the payment method, and the malware allows the phishing attackers to set up a Tycoon 2FA. So it allows the attackers to use a reverse proxy server, host the phishing target web page, accept victim inputs and prompts, and redirect them over to the actual MFA request. So pretty interesting stuff there.
Next up, the SEC is ramping up a hacking probe with a focus on tech and telecom companies. So the US SEC is continuing its probe into the government breach in 2020 of their SolarWinds Orion system. That breach left thousands of companies with potential exposure to also being targeted. The SEC regulator that’s in charge is now asking for internal communications from affected companies regarding the impact to their systems due to the breach. So it’s in relation to a court filing that the SEC made against SolarWinds, where they’re claiming that the investors were defrauded by SolarWinds attempting to cover up known weaknesses. So I’m actually really glad to see that they’re putting the screws to some of these companies that are kind of flippant about their security and compliance approach, and I think it’s great.
Lastly, Cloudflare put out some stats saying they had blocked 3.4 billion unwanted emails last year. So, you know, Cloudflare is a big player in the cyberspace, and they announced that they rounded it out to 3.4 billion spam emails that they blocked last year. So to put this in perspective, that equates to blocking over a hundred spam emails a second. The blocked emails were a combination of spam, malicious, and bulk mailing messages. About 3% of those emails were phishing, with a growing pattern for that heading into the 2024 arena. I think we were talking previously about how the bad guys using AI are finding ways to greatly streamline their patterns for their phishing emails and really automate the hell out of those things. So I’m expecting that, as many emails as are spam out there, it’s gonna just get a lot worse before it gets better.
Oh, and that right there, folks, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered.
I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.