Take a moment to consider how many passwords you have online. Sure, there are the primary three or four that you use every day, but how many sites have you created accounts on? Online shopping, accounts associated with work, apps required for package delivery, and more are all things that
PASSWORDS ARE AND HAVE ALWAYS BEEN AN ACHILLES HEEL IN CYBERSECURITY
“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

Introduction

At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe. However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online.

Today, Logmeonce had the opportunity to chat with Dave Witelegg, a cybersecurity expert, about his involvement in the cybersecurity space. We have an exciting interview planned for you today, so without further ado, let’s jump in!

The Interview

Hello and thank you for taking the time to chat with our blog readers today, Dave. You have over 25 years of commercial experience in just about everything related to Cyber and Information Security, whether it’s firewalls, biometrics, encryption, operating system security, cybercrime, hacking techniques, data protection, information security management, cyber threat and risk assessing, threat intelligence, payment card security, and even pioneering Satellite VPN connectivity. But let’s start this interview by rewinding back to your early days in the cybersecurity space. What motivated you to get involved in this space? What drew you in in the first place?

I have always been fascinated by how technology works. As a young boy in the 1980s I recall taking apart one of the early home budget computers released in the UK, a ZX Spectrum, just to satisfy my curiosity on how this space-age new technology worked.
My inquisitiveness led me to break into and recode one of the early football team management ZX Spectrum devices, allowing my football team to have the most money, best players and always win matches. I didn’t know it at the time, but not only was I teaching myself how to write code, the process I was undertaking was hacking: persistently making repeated trial and error attempts until I achieved the outcomes I wanted. When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of ‘hacker’s eye for business’; this, in addition to understanding the motives of the threat actors, makes a good fit for an enjoyable and rewarding career in cyber and information security.

Cybersecurity was a very different space 25 years ago. How do you feel the balance of power has shifted within the cybersecurity space within the last 25 years? Do you feel that cybersecurity is becoming better and harder for hackers to penetrate? Or do you believe that advances in technology are only temporary patches that hackers eventually find ways to work around? Over the last 25 years who has been winning in the game of cat and mouse? How have you seen the balance of power shift during the last 25 years?

We are all more reliant on technology than at any point in our history. In the last 25 years we have seen an information technology revolution, with IT steadily becoming more complicated, widespread and connected. Today we all carry powerful, persistently globally connected computers in our pockets, a technology which empowers and enriches our everyday lives. However, this tech revolution also means the attack surface and opportunity are also greater than ever for a growing army of globally connected malicious actors.
Today it doesn’t take a great deal of skill or even technology to become a proficient cybercriminal; indeed, technology like cryptocurrencies, the dark web and even YouTube tutorials are aiding bad actors on a global scale to commit nefarious acts. So the unwinnable security game of cat and mouse has got a whole lot bigger over the past 25 years, and when security stands still, the bad guys always win.

Let’s talk a little bit more about password security for a moment. You mention on your blog a case where a Ring camera was compromised and a hacker gained access to a young girl’s room through her camera and then proceeded to have a conversation with her. This hack seemed to be caused by “password stuffing”. Have you noticed an uptick in the amount of IoT device hacks, not due to the device itself being compromised, but due to weak passwords? In many of these cases where the hackers target an IoT device, what are they often looking to gain from the hack?

Passwords are and have always been an Achilles Heel in cybersecurity, especially with IT systems connected to the internet, such as IoT devices like the Ring camera. The first issue with password security is people choosing a weak strength password, to help them easily remember it. Cybercriminals know this too well, so will try all the most popular and commonly used passwords obtained from past data breaches, to attempt to break into the online accounts. The second problem is people use the same exact username and password credentials on multiple online accounts, so if one account password is compromised, which may not even be the account holder’s fault, perhaps due to a compromise of a third party website, cybercriminals are able to use the same stolen credentials to log in to other online accounts the user might have. Typically the bad actors will attempt to access popular online email accounts, social networking and popular eCommerce websites.
These types of attacks using stolen credentials can be performed en masse in so-called ‘credential stuffing’ attacks, which automates the process and reveals accounts where the same credentials are used. One effective method to safeguard the inherent insecurity of passwords is to enable