25 Nov 2020
Cybersecurity Newsletter
Keeping an eye on cyber news and threats
Google Services attacks starting to trend
I mentioned in my previous newsletter that attackers are now turning to Google Drive as a delivery method for phishing campaigns, but now it seems it is catching on and we are starting to see a trend with cyber criminals expanding their use of Google’s services such as Google Forms and Google Docs to send out phishing attempts.
Google have stressed they are doing their best to prevent this, but watch out for any unusual Google Services notifications, particularly those relating to document collaboration and forms.
If you do receive anything that isn’t genuine, report it to Google using the ‘report abuse’ function.
Your robot vacuum cleaner can listen to you
Researchers have recently discovered that a vulnerability in robot vacuum cleaners that would allow a hacker to listen in to your conversations.
The attack takes advantage of the LiDAR sensors used by many robot vacuums. LiDAR stands for Light Detection and Ranging and is the remote sensing method that uses light pulses in the form of a laser to measure distances to nearby objects in order to navigate itself around them. It turns out you can repurpose this system into sensing acoustic signals which are uploaded to the cloud and extracted remotely to process the raw signal and extract information.
Before you get all paranoid and take a hammer to it, the attack is complex and requires the attacker to be on your network and have already compromised the vacuum cleaner, but pretty cool right?
Complicated passwords and human behaviour
Human behaviour is a key factor in everything we do, influencing our day to day life in the way we work, communicate and approach certain things, and it is no different when it comes to cybersecurity. The most common causes of data breaches are human error or social engineering because hackers know how we think. They know the patterns we follow and the passwords we are likely to use, that’s why we try to add complexity to password requirements, but in turn this can lead to the same problems.
When adding complexity to passwords most people also follow the same pattern, a capital letter in the first position, a symbol in the last, and a number in the last 2. Sound familiar? Hackers know people follow this pattern so will apply the same method when trying to crack passwords. They will also use common substitutions such as “$” for “s”, “3” for “E”, “@” for “a” and so on. Duplicating words is a common way for people to make their passwords longer such as passwordpassword, or following a numeric pattern when their password expires, such as password1, password2 and so on.
Hackers know we get fed up with password requirements and struggle to remember them. In fact, they count on it because it means people will continue to follow predictable patterns, write passwords down and reuse them.
OK, so avoid common patterns and substitutions, keep it random, maybe a few random words, but how do you remember them without writing them down? Simple - you don’t need to. Where there’s a problem there’s a solution and for passwords it’s a password manager, which brings me nicely on to this week’s top tip.
This week’s top tip – Sign up for a password manager
When it comes to cybersecurity human behaviour is our number one weakness; we are predictable and forgetful. As I’ve already mentioned, creating strong passwords with more characters and symbols can be a great way to strengthen your password if done correctly, but remembering these passwords can be challenging and may force you to follow a pattern or write them down.
Password managers (or vaults) are an excellent tool which will help you create strong passwords without needing to remember them. They are also a good way to make sure you don’t reuse the same passwords or follow predictable patterns.
The principle is simple but effective – keep your passwords in one place and only remember one good strong password. All of your passwords will be encrypted to a high level, zero-knowledge protocols make sure not even the website admins can see your passwords and 2-factor authentication on your account will also prevent unauthorised access.
You can access your passwords from the website, mobile app or the browser extension which can auto-fill your passwords, save new ones and generate random strong passwords for you.
There are many to choose from so it’s up to you which provider you go with, but a few of the highest rated password managers include Dashlane, NordPass and LastPass. Dashlane tops the list on most review sites but LastPass is noted as having the best free version, which allows unlimited passwords.
That’s all for now, see you next week.
Mike