Unknown
Yes, you could have a Scottish voice, you know, saying, "Och, aye, it's your McGoogle device here requiring a firmware update." Smashing Security, Episode 151: Frankly, Sometimes Paying the Ransom Is a Good Idea, with Carole Theriault and Graham Cluley.
Hello, hello, and welcome to Smashing Security episode 151. My name is Graham Cluley.
CAROLE THERIAULT
And my name's Carole Theriault.
GRAHAM CLULEY
Hello, Carole.
CAROLE THERIAULT
Hello. How are you?
GRAHAM CLULEY
Well, it's just you and me this week, isn't it?
CAROLE THERIAULT
I know. Listen to the echo.
GRAHAM CLULEY
Yeah, no guests this week, although—
CAROLE THERIAULT
Yeah, don't be sad. We've got some cool stuff.
GRAHAM CLULEY
So what cool stuff have we got coming up later?
CAROLE THERIAULT
Well, I had a chat with Rachael Stockton from LogMeIn, LastPass fame, and we're going to tag that on at the end of the show because she goes through the numbers of a recent report that they've pulled together.
It is a whopper of a report, 42 or 50 pages or something, and we go through the highlights of that report. So you don't want to miss that.
GRAHAM CLULEY
Okay, you're not reading out the entire report, 42, 45 pages?
CAROLE THERIAULT
No, it's not the Mueller investigation.
No, we're not gonna— no, we've cherry-picked the cool things that we wanted to talk about, and of course the report is available for anyone who wants to read more.
GRAHAM CLULEY
Well, talking about goodies, a little birdie told me that we have updated our Patreon at patreon.com/smashingsecurity to offer some extra goodies to those people who support us at the $5 per month tier, the super duper bonus content tier where you get extra bickering between your hosts.
So do you want to tell people what they're going to get now in addition to what they were already getting?
CAROLE THERIAULT
Well, we are going to throw in three high quality Smashing Security stickers.
CAROLE THERIAULT
Yeah. Not just one, not just for your laptop, not just for your laptop and your phone.
GRAHAM CLULEY
So you could stick these stickers on other people's laptops. You could basically become a hooligan.
CAROLE THERIAULT
You could become—
GRAHAM CLULEY
Smashing Security around.
CAROLE THERIAULT
Yeah, I don't— Well, actually I do recommend that because, you know, they're pretty nice stickers. We did design a logo and, you know, I'm still proud of it three years on.
GRAHAM CLULEY
All right. So if people sign up for that, they can get that. And thank you to everyone who has supported us so far.
CAROLE THERIAULT
Yeah, seriously, high five. I know we make this look like it's so much fun, but this is edited to within an inch of its life.
We actually have a laugh track that we make use of because often Graham doesn't laugh at me and there's only one laugh, and I just— well, you laugh at me, you don't laugh with me.
GRAHAM CLULEY
Exactly, exactly. That's exactly how it works. What have we got coming up on the show this week?
CAROLE THERIAULT
Well, first, let's just say thank you to this week's sponsors: LastPass, Code42, and Immersive Labs. Their support helps us give you this show for free.
Now, on today's show, Graham is doing a postmortem on the Baltimore City ransomware attack, and I've got a message for you Google Home and Alexa users out there, and it's pretty scary.
Halloween's around the corner, so it's pretty fitting. All this and loads more coming up on this episode of Smashing Security. Buckle up, folks.
GRAHAM CLULEY
Now, chum chum, cute, cute. Now I want to take you back in time. I want to take you back through the ravages of time, way, way back to May 7th, 2019. Yes.
CAROLE THERIAULT
Oh, what, five months ago?
GRAHAM CLULEY
Exactly, about five months ago.
CAROLE THERIAULT
Okay, okay. Let me see if I can get to the right headspace for that one.
GRAHAM CLULEY
Because way back then, the city of Baltimore in the United States of America, the government computer networks there were infected with some ransomware called RobbinHood.
That's Robin with a double B.
CAROLE THERIAULT
Right, I remember that.
GRAHAM CLULEY
I don't know if there's an apostrophe as well, if it's really hip kind of ransomware.
But anyway, yes, it infected them and they demanded that a ransom was paid for the safe recovery of encrypted files on the city's affected computers and servers.
CAROLE THERIAULT
Right, okay. So basically typical ransomware attack, their files are locked up and the ransom guy's saying, "Give me some money and I'll give you your files, maybe."
GRAHAM CLULEY
Exactly. And of course we've seen many cities, particularly in the United States, being hit by ransomware over the course of the year.
And some of the cities have paid up and some of them haven't. Some of them have just claimed on their insurance and recovered.
Well, in this particular case, the bad guys demanded around about $70,000 in cryptocurrency. But the Baltimore mayor, a guy who goes by the name of Bernard C. Young, he goes by Jack.
I don't understand that. But anyway, I don't know what that's about. But anyway, he refused to pay. He said, "No, no, we're not going to pay."
CAROLE THERIAULT
Ransomware blocks users from their files and demands payment to unblock them. But Mayor Young says the city won't be blackmailed.
Unknown
No, I will not pay a ransom to anybody.
CAROLE THERIAULT
All city workers are at work today whether they can do their jobs or not. Mayor Young also has an alternative in mind.
Unknown
If we are in this for longer than we anticipate, I'll be asking city employees who really can't do their work because of the computer systems, would they be willing to go out and help us clean up the city?
GRAHAM CLULEY
Well, two weeks later, their computer systems were still down.
CAROLE THERIAULT
All right, so what's going on during these two weeks?
GRAHAM CLULEY
Oh yeah, well, all kinds of problems. Their phone lines, their IP phone lines, they were down. Their online bill payments were affected.
People couldn't even buy and sell their houses. Even surveillance cameras run by the police around the city were affected.
CAROLE THERIAULT
Okay, so basically they were just offline effectively. They were knocked offline. Would that be fair?
GRAHAM CLULEY
They were basically knocked offline. And I'm sure they actually took down some of their own systems while they were trying to recover.
So they kept in place the absolute emergency systems. They seem to manage to keep those up and running.
CAROLE THERIAULT
Well, 911.
GRAHAM CLULEY
Yeah, exactly.
GRAHAM CLULEY
But more or less everything else was disrupted by this.
And the thousands of workers who work for the city there, they started using their own laptops, their own personal email addresses.
"Oh, I'll just email from Yahoo." Others were using old-fashioned pen and paper.
CAROLE THERIAULT
Yeah, but there's a lot of things going on in a city, right? There's all kinds of counseling going on and there's police work and there's traffic problems.
CAROLE THERIAULT
And so I can understand why users—
GRAHAM CLULEY
Passports. You need to go out and buy things for meetings. Yeah, all kinds of nonsense.
CAROLE THERIAULT
But I can understand why government employees would feel responsible for trying to stay online and fix these problems.
And I can see why they would go and use their own personal email addresses and all that, which is, you know, a huge security risk in itself. You know, we can go into that as well.
GRAHAM CLULEY
And I'm not going to be actually talking about that potential issue in this case, because I think in dire situations, sometimes you have to try and work out what the best thing is to do to get the best outcome.
But anyway, in a news conference, the company's chief security boss, right?
GRAHAM CLULEY
Chief cybersecurity, information security guy. A guy called— you'll love this— his name is Frank Johnson.
GRAHAM CLULEY
I know you're very keen on the name Frank.
GRAHAM CLULEY
Yeah, it's a great name, isn't it? Anyway, he explained just how hard it is to keep ahead of the cybercriminals.
CAROLE THERIAULT
In a news conference this morning, the city's chief information officer said it was unclear when the computer network would get back in use.
Federal investigators asked the city to stay tight-lipped about details of the hack.
GRAHAM CLULEY
Unfortunately, there's a race between bad actors in the cybersecurity industry.
Just once they know how to mitigate and keep bad things out, the bad guys go one step ahead of them and we're in this vicious race.
Now, what made things worse and more difficult in this particular case is, the mayor said he's not going to pay up, right?
But Baltimore didn't have any insurance against cyberattacks.
CAROLE THERIAULT
I wonder how, that's a really good point. I wonder how many government entities or state-run or city-run municipalities actually have insurance.
GRAHAM CLULEY
Well, I don't know.
CAROLE THERIAULT
I'm sure it's on the up. I'm sure it's a big moneymaker now for the insurance industry, certainly, though they do have big heavy payouts, I suppose.
GRAHAM CLULEY
I think more and more organizations do have some form of cyber insurance these days, simply because ransomware and other attacks are becoming more common.
In this particular case, they didn't have it.
And so it seemed that it was quite likely it's gonna cost the city much more than $70,000 that the hackers were demanding to restore their data from backups and get systems safely back up and running again.
But at least they had backups, at least they were able to recover eventually.
CAROLE THERIAULT
That's not really the point of backups though. That shouldn't cost 70 grand to get it back up and running again. I can imagine most organizations that would be probably true, but—
GRAHAM CLULEY
There's different costs, aren't there?
So, I mean, there's both the actual expense of restoring the backup, but there's also the expense of the downtime and the work which didn't happen.
GRAHAM CLULEY
And giving people overtime to come in, rebuild servers and things like that.
CAROLE THERIAULT
So, yeah, yeah, that's fair.
GRAHAM CLULEY
That's fair.
GRAHAM CLULEY
And it wasn't as though they hadn't thought about insurance.
In fact, Frank, our hero Frank, the info security chief, he had warned back in 2018 for the need for Baltimore to get cyber insurance on the budget, but the city had decided not to go for it.
And they also didn't include other things which were recommended, expanding staff security training to maybe protect them against threats from ransomware, prevent users from clicking on things or dodgy links, and other improvements to the IT infrastructure that are being called for.
So they hadn't done that, and Frank had been pushing for that.
CAROLE THERIAULT
That's interesting because wasn't it in Trump's budget? That was one of the only areas that had got an increase in funding was the cybersecurity arm.
GRAHAM CLULEY
Oh, really?
CAROLE THERIAULT
Yeah. So that's interesting that cities, municipalities didn't get a big chunk of change to help them fix their systems.
GRAHAM CLULEY
Yeah. Russia, if you're listening, we've increased our cybersecurity spending, I guess was the message he was giving out there.
Now, the good news is that not all of the city systems were actually run on its own computers. And so some escaped the attack.
For instance, Baltimore's main website was actually hosted on Amazon Web Services.
GRAHAM CLULEY
So it's in the cloud, basically.
CAROLE THERIAULT
Like lots of companies do.
GRAHAM CLULEY
Yeah. And it was run by a contractor, although about a week after the ransomware attack, the website nearly disappeared, but not because of hackers.
It nearly disappeared because the contractors who were running Baltimore's main website hadn't been paid and the contract had expired. Oh, so Baltimore had failed to be paying them.
So the website was very nearly lost.
CAROLE THERIAULT
So Baltimore are in a bit of a pickle. They're not operating at full capacity here. If they make a mistake, they're making.
GRAHAM CLULEY
They're having a few problems. Yeah, a little bit of a headache, but I'm sure Frank's got it all covered. Right, I'm sure Frank's all right.
So now all these unexpected costs, like recovering from a ransomware attack, they've gotta be paid somehow, haven't they? You don't just find money down the back of the sofa.
CAROLE THERIAULT
Yeah. Well, you know, my husband lies there a lot, so yeah, I do. Money falls out of his pockets. It's my daily coffee. Yeah.
GRAHAM CLULEY
Well, in Baltimore's case, they transferred $6 million — whoa — from a fund which they had to improve parks and public facilities to cover the recovery from the ransomware attack and hardening the security.
That's obviously a lot more than the $70,000 that the extortionists wanted.
CAROLE THERIAULT
Okay, but I don't know if that's very fair because even had they paid the 70 grand and got all their files back, they would probably still have transferred money from the park and public facilities to cover hardening costs.
GRAHAM CLULEY
Yes, to better secure.
CAROLE THERIAULT
So I don't think it's fair.
GRAHAM CLULEY
I think probably they probably did need to do that. That's true.
CAROLE THERIAULT
So it might've been 5 million instead of 6.
GRAHAM CLULEY
But let me dig a little bit deeper into this story because this is what I caught in the Baltimore Sun. And this is what has brought me back to this story from earlier this year.
It's a story about the city's IT department. You see, the city set up a council committee wanting to know how well the IT department was performing.
If it was reaching its goals in modernizing the infrastructure, you know, following concerns raised by the ransomware attack.
CAROLE THERIAULT
Uh-huh. Okay.
GRAHAM CLULEY
And so they asked for all kinds of data and performance metrics.
GRAHAM CLULEY
And the IT department said, uh, computer says no. Can't deliver that.
CAROLE THERIAULT
Why? Because they weren't collecting any information? They didn't have logs?
GRAHAM CLULEY
Oh no, they were collecting data. It's just that they weren't backing it up. What had been happening was they'd been storing the data on their local hard drives.
They never backed up their data to a server or to the cloud.
GRAHAM CLULEY
So it turned out that this wasn't the only data which was regularly being just saved to their local hard drives rather than to the cloud or rather than to an external hard drive.
They basically didn't appear to have very much in the way of any kind of backup infrastructure.
CAROLE THERIAULT
And this is since the attack.
GRAHAM CLULEY
So this has been going on since the ransomware attack and was occurring at the time of the ransomware attack as well.
So when the mayor said, "We're certainly not going to pay the guys who've extorted us," and when Frank Johnson was appearing in front of the media as the security chief, talking about how the bad guys keep on getting better and it's a constant battle.
Well, maybe one of the things which they should have considered was, do we actually have any backups?
CAROLE THERIAULT
The IT guys must have known this was the case.
GRAHAM CLULEY
Well, they must have known. And why wasn't it fixed?
Or why was he unable to convince the people who held the purse strings that it would be quite a good idea to do offsite backups of some fashion.
GRAHAM CLULEY
So they said to Frank, your buddy Frank, they said, you know, you were on the front line during the ransomware attack. You lobbied for cybersecurity insurance.
You know, you did all these things, but why wasn't this data being backed up?
Now, all he was able to do was send a statement in saying, you know, he promised that this would be improved, but he was currently on extended leave and was unlikely to return.
So basically they kicked out Frank.
CAROLE THERIAULT
Well, we don't know that. Maybe Frank is sick.
GRAHAM CLULEY
Well, he apparently lost the confidence of the city.
CAROLE THERIAULT
So basically you're saying to me, Jack—
GRAHAM CLULEY
Mayor Jack—
CAROLE THERIAULT
Mayor Jack threw cyber Frank under the proverbial bus.
GRAHAM CLULEY
If the buses had been running at the time, yes.
CAROLE THERIAULT
Had the buses been running?
GRAHAM CLULEY
Maybe they weren't. Maybe the schedule was bad.
CAROLE THERIAULT
Maybe the schedule was all bad, which is why he got run over.
GRAHAM CLULEY
And some in the media have been pointing out that before becoming Baltimore's Cyber Frank. Poor old Frank. What was his previous job?
Well, he was a VP of sales at Intel and had no IT operations experience.
CAROLE THERIAULT
Oh, so it feels a bit like a scratch your back. Yeah, you can have this job, buddy. Come on in, Frank.
GRAHAM CLULEY
No worries. Hey, you're good with computers. You sell them. Maybe you can look after them for us.
GRAHAM CLULEY
It's a pretty sorry story.
And I think it's all very well saying to the ransomware guys, look, we're not going to pay up, but if you don't have any backups, if you haven't got a backup infrastructure in place, maybe that's not the right decision to make.
Now, Ars Technica, they asked Baltimore for information about how patching was going, whether there were any disaster recovery plans which existed, right?
CAROLE THERIAULT
All the basic Security 101 questions, right?
GRAHAM CLULEY
But they haven't been able to get a response because apparently the documents don't exist. Because they were lost in the ransomware attack and weren't backed up.
CAROLE THERIAULT
This is not just one screw-up from one individual. This seems like a kind of consolidated mass of screw-ups.
GRAHAM CLULEY
In all, it's believed the attack will have cost at least $18.2 million.
Well, and much as I hate the idea of paying the ransomware baddies, maybe it might have made sense to have spent some of that money getting the data back and then securing the systems.
CAROLE THERIAULT
I mean, the way politics are going now, it wouldn't be a surprise that there's actually a money trail that follows through here on who actually capitalized on this huge payment.
GRAHAM CLULEY
Oh, you mean where the $18.2 million ends up?
CAROLE THERIAULT
Where did that go?
GRAHAM CLULEY
You're so cynical, Carole.
CAROLE THERIAULT
Oh, you should just do more homework.
GRAHAM CLULEY
Just everything's a conspiracy.
CAROLE THERIAULT
I can't help it. I'm asking the question no one wants to ask.
GRAHAM CLULEY
You're probably thinking, think it's Nessie, don't you? Or the Sasquatch.
CAROLE THERIAULT
I just— yeah, no, it's just a shocking story, actually. It's a— I think listeners will be shocked as well. You kind of expect a city to operate at a higher level of security.
GRAHAM CLULEY
Just have a bloody backup. That's all we're asking for, Baltimore.
CAROLE THERIAULT
No, please, all we're asking for—
GRAHAM CLULEY
Back it up, back it up, back it up, and encrypt your data. So Carole, what have you got for us this week?
CAROLE THERIAULT
Okay, I know I bang on all the time about home assistants, right? Just a few episodes ago, I talked about the latest whacktastic always-on listening gadgets.
GRAHAM CLULEY
Whacktastic?
CAROLE THERIAULT
You remember that Ring that both had a microphone, a speaker in it? I mean, please.
CAROLE THERIAULT
Anyway, many people poo-poo my views on these home assistants. You know, who cares what they hear? You know, these assistants are so convenient.
GRAHAM CLULEY
You mean these smart speaker things? Yeah. That's what you're talking about.
CAROLE THERIAULT
That's what they're called, home assistants. I'm sure you know that.
GRAHAM CLULEY
I just call them dinguses.
GRAHAM CLULEY
I think that's the best name for them, dingus.
CAROLE THERIAULT
Do you? Okay. Well, you just do that mental translation every time I say the word. So people telling me all the time how cool they are, blah, blah, blah.
And I, you know, or they say, yeah, I know, I know they do collect information or they're not great, but they keep using them, right? They leave them plugged in all the time.
CAROLE THERIAULT
So this story is for the guys out there that have these devices in their houses. And are choosing not to secure them. The deniers, I'm going to call them.
GRAHAM CLULEY
And I bet lots of our listeners, even though they are obviously the finest, most smartest listeners and probably considering becoming patrons of us, I bet a large percentage of them do have these smart speakers in their homes.
CAROLE THERIAULT
Oh, sure. There are loads of people that I would say are security aware with these in their houses that I know.
GRAHAM CLULEY
Yeah. Yeah.
CAROLE THERIAULT
People that have been on this show as guests.
GRAHAM CLULEY
Right. So folks should listen up to this. What are you gonna reveal about them?
CAROLE THERIAULT
So this is reported by Ars Technica. So some German researchers are raising the alarm of third-party malicious eavesdropping and phishing apps. How's that for a mouthful?
On Amazon and Google Home Assistant. So the down low is this.
CAROLE THERIAULT
It turns out that people with shady aims or, you know, digital internet hackers or attackers could have been recording the things you say near your Google or Amazon device, all without your knowledge, and even dupe you into giving away your username and password.
GRAHAM CLULEY
I am shocked. Are you suggesting that if we bring an internet-connected device into our homes which has an always-on microphone, that somehow that might actually snoop upon us?
And it may be bad for security. This is going to make headlines.
CAROLE THERIAULT
Yep. Not bored of that joke yet. Not bored at all.
CAROLE THERIAULT
But this is what's interesting about this. This is not people employed by Amazon or Google that are hearing snippets of your conversation.
GRAHAM CLULEY
Right. Because that has happened before.
CAROLE THERIAULT
Exactly. We've read about that in the press, right? We've talked about it in our show. This is about third-party apps.
These are apps that are called, on the Amazon device, they're called the skills apps. And on Google Home, it's called actions, right?
So these are the apps that work with those home devices and assistants. And not all those apps, it turns out, do what they say on the tin.
So researchers at Germany's Security Research Labs developed a handful of apps for Amazon and Google Home Assistant.
CAROLE THERIAULT
All of these apps passed the initial vetting services from Google and Amazon. These are services that are always telling you how trustworthy and how great they are.
GRAHAM CLULEY
Yeah. Rigorous checks. Yes.
CAROLE THERIAULT
Rigorous.
GRAHAM CLULEY
Yeah, that's right.
CAROLE THERIAULT
Rigorous, rigorous checks. Rigorous checks. So one of these apps posed as a random number generator because that's what you want on your Alexa and Google device.
GRAHAM CLULEY
I can't think of a random number. Alexa, can you help me?
CAROLE THERIAULT
Yes. And 7 of these apps were basically horoscope-based.
CAROLE THERIAULT
So this is how the researchers were able to show that attackers could be using this method to steal information. Okay. So you decide you want to use this My Lucky Horoscope.
That's the name of the app. And you sign up and say, fantastic. And you have this app, right? So you wake up in the morning and you might go over to your device.
GRAHAM CLULEY
Should I even get out of bed? I'm thinking.
CAROLE THERIAULT
No, of course you don't have to get out of bed.
GRAHAM CLULEY
No, but I'm wondering if my horoscope even says it's worth it. It may just say don't even weather today, Graham?
CAROLE THERIAULT
Exactly. So you wake up, right? You open your eyes and you go, yo, yo, Alexa, you know, or Google, ask my lucky horoscope to give me today's horoscope.
GRAHAM CLULEY
All right, yes.
CAROLE THERIAULT
And it will say, what's your sign? Probably. And you'd say, what are you? I don't even know what you are.
GRAHAM CLULEY
I'm actually— no, I'm Aries. I'm Aries, the ram.
CAROLE THERIAULT
That explains so much. Now, the home assistant starts reading out the horoscope and the user is satisfied with the task and goes off to do other things, right?
You might go call the kids or fight or love the spouse or burst into songs or start talking to yourself in your case, whatever.
And the researchers saw that the app only appears to have completed its task. In actual fact, it stuck around for a while listening.
Not only could it listen to the things you were saying, but it could also send the transcript of that information directly to the attacker.
Now the phishing apps, when the user requested a horoscope reading, for example, it would respond with an error message like, "This service is not available in your country," or something like that.
And then the app creators added on, tacked on at the end of that message, a 1 minute of silence. That's something that should not be possible according to the researchers.
And they go to show how it could be exploited, that extra time. So for example, an attacker could include a message like, "Your device needs an update.
Please confirm this action with your Amazon or Google password." Ah, so that isn't a legitimate notification of an update.
GRAHAM CLULEY
That is the bad one provided by the malicious app.
CAROLE THERIAULT
That's right. So you're sitting there and I don't know, I think, you know, 1 in 4 people apparently in the UK and the US have one of these devices in their houses, right?
So how many people, if you suddenly heard in the proper voice, please confirm your Amazon password because to update your device, I think a lot of people would go, yeah, sure, here's my password.
GRAHAM CLULEY
Well, absolutely.
And the fact that it is using the Amazon or the Google Home voice means that people, I mean, it's a little bit like your computer putting up a fake message saying, you know, there's an update to Adobe Flash or something.
But it's going to be so much more convincing because you're not used to having fake updates. And so the idea is that you would then, what, you say your password?
CAROLE THERIAULT
You'd go, "Ah, Jesus Christ, oh, where'd I put my password? Okay, hold on. Password 123." And go read it out.
CAROLE THERIAULT
Yeah, I was gonna say C-A-T.
And then of course, if you don't have any multifactor authentication on your Amazon or Google account and they ask you just to verify your full email address, your guess, you might be entering Scroogeville, right?
GRAHAM CLULEY
This isn't good.
CAROLE THERIAULT
Let's just tie this all together here. The researchers were able to show that the apps with malicious intent got past the initial vetting process, right?
Ran on legitimate devices and sent private audio to the researcher who was purporting to be an attacker.
Now, Fabian Bräunlein, he's a senior security consultant at SRLabs, told Ars Technica, "We now show that not only the manufacturers, but also hackers can abuse those voice assistants to intrude on someone's privacy."
GRAHAM CLULEY
Yeah, because I think we were all focused on what Google and Amazon might do with this. But this has really opened it up to every Tom, Dick, and Hildegard, hasn't it?
CAROLE THERIAULT
Well, it did, but the doors have also closed shut slightly because the researchers at Germany's Smashing Security research lab privately reported these results of the research to Amazon and Google before they told us and the rest of the world about their findings.
These malicious phishing and eavesdropping apps are no longer available, right, for the Google and Amazon Home Assistants.
And both companies say they are changing their approval process to prevent skills and actions from having similar capabilities in the future.
But that's just the tip of the iceberg, right?
GRAHAM CLULEY
Well, yeah, 'cause they've zapped the ones produced by these researchers, but there may be other ones which might be able to sneak past Amazon and Google's vetting.
CAROLE THERIAULT
Exactly, 'cause the way they kind of did it was quite clever. The app would get initial approval from Google or Amazon vetting services.
Then the researchers would change the function calls, intents. So in other words, stop and start could do other things than just stopping or starting.
They could be programmed with new functions that could cause the apps to listen or log. And I'm no developer.
You'd think someone might come up with something during the hardening process and go, hey, could someone just change that function?
On any app and it could screw up our entire device?
CAROLE THERIAULT
What do you think?
GRAHAM CLULEY
I think this is quite a problem because a lot of these apps are going to be driven by the third-party servers.
And it's not like you can just provide a piece of code and say to Amazon and Google, check that out and see what it's capable of doing.
Because I imagine some of this could be driven by external data being chucked into it. It's not very good.
I wonder if so if the Amazon or Google device have a system message, maybe they should say it in a different accent to the messages which are played by apps. So you can't—
CAROLE THERIAULT
It doesn't have to be a different accent, it could be a different voice entirely.
GRAHAM CLULEY
Yes, you could have a Scottish voice, you know, saying, "Och, aye, it's your McGoogle device here requiring a firmware update." And then you would know.
Because normally it's, I don't know, I can do a Canadian accent. I could do any accent, to be honest. The world is my lobster.
But, you know, I'm wondering, it feels like there needs to be a clearer differentiation between is this a message from the third party written by who knows what and what they're up to.
CAROLE THERIAULT
I think you're actually, I think that's a really good idea. I didn't think of that.
GRAHAM CLULEY
Thank you very much.
CAROLE THERIAULT
The accent thing's all yours.
But I do think having a differentiation of voices between the, this is Amazon and Google speaking versus this is an app speaking would be, you know, you could have two different voices that make it very clear.
You can choose those voices. And at the moment there's only one, I think, that come out of the systems. 'Cause they're not, you know, these are cheap devices, right?
They are basically flogging these for as cheap as they possibly can to get them in as many households as they can. And they've succeeded.
GRAHAM CLULEY
Can you buy different voices for these smart devices?
CAROLE THERIAULT
No, I don't think so.
GRAHAM CLULEY
You can't get like, you know, Peter Falk as Columbo or something?
CAROLE THERIAULT
I don't know. I don't know. Should have done more research.
GRAHAM CLULEY
I know. I know.
CAROLE THERIAULT
Okay. So advice for you deniers out there, right? For all you people that say, yeah, yeah, great, Carole. Okay. These are things you can do, right?
So you can limit links to external devices and personal accounts, right? You don't want to have everything tied into your little Google or Amazon device. Right?
You wanna use two-factor authentication, especially on the account that is tied to your device.
So if you have a Google Home Assistant, you wanna make darn sure, extra, extra darn sure that your Google accounts have two-factor authentication, which they should already have anyway.
You want to manage your recordings. So remember how you were talking about how you went looking on your Google account and you found these actual audio recordings from your family?
I wonder how long it's gonna be before, you know, a researcher can show that they can be scooped up, all those old recordings that are lying around in the account.
So you, like, you wanna make sure you delete old recordings from your Alexa or from your Google Home device.
GRAHAM CLULEY
And another thing is Amazon and Google are never going to genuinely ask you for your password via your smart speaker, right?
They're not gonna ask you to shout out your credit card number, I would imagine. So no, not your password.
CAROLE THERIAULT
Please don't. Even if they do, do not do that. Now, this is a really cool idea.
Would love to hear from people that actually use these devices to see if this is actually a convenient idea or not. But both of these devices have a mute button.
And when it is muted, it is not— it won't respond to you. It won't respond to voice commands, but it also will not be listening.
What you do is you can enable your mic when you need to use it and then turn off the mic when you're not using it.
And I know it's a bit of a pain, but it's a small price to pay for the additional privacy, I think, until these things get stabilized and legislated properly.
GRAHAM CLULEY
I think a lot of people would find that a pain though, don't they? A lot of people have these in the kitchen.
CAROLE THERIAULT
Yeah, they're elbow deep in washing up and they just really need to hear Billy Idol or something.
GRAHAM CLULEY
And also, do you trust the mute button?
CAROLE THERIAULT
Well, no. Are you asking me?
GRAHAM CLULEY
I wonder whether there would be a market for, you know how you have cozies for teapots to keep them warm, whether you could have a cozy for your smart assistant.
CAROLE THERIAULT
A Faraday bag.
GRAHAM CLULEY
Right. And then it can't see you, can't hear you. Be wonderful, wouldn't it? Put in the cupboard box.
CAROLE THERIAULT
Yeah, no, yeah. Listen, you know what I would do? I would just unplug it and give the little bugger a bath, right?
But definitely unplug it first though, otherwise, you know, you're gonna get electrocuted and I'm gonna get in trouble for that.
But seriously, to my mind, these things are like gremlins, but in reverse. You remember gremlins before they got wet? They were all cute and fuzzy wuzzy.
And then you give them a bath and whammo, they turn into this evil, slimy, gross monster thing that ruins your life.
GRAHAM CLULEY
Don't feed them after midnight.
CAROLE THERIAULT
And the water, right?
GRAHAM CLULEY
Oh, and the water thing. Yeah, no, yeah, that's yes.
CAROLE THERIAULT
Right, so this is the opposite, right? This is Home Assistants are gremlins in reverse. They go all passive and lovely once their electronics are unplugged and given a big old soak.
GRAHAM CLULEY
Watch out for those gizmos.
CAROLE THERIAULT
But unplug. Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on. What is single sign-on?
Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps. All without needing the user to log in at every single hurdle.
Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing.
You don't need to say the forward slash. Ah.
GRAHAM CLULEY
So you've got an IT security team, but you want to turn them into security superstars? How can you best provide each employee with the opportunity to upskill themselves?
Immersive Labs provides a cloud-based system. It's available 24 hours a day, whenever is convenient for them to learn.
It provides hands-on experience with tools, technology, and even sandboxed malware. The platform provides story-based threat simulations.
It lets teams enhance their skills while stopping an online banking breach or the hack of industrial control systems. Lots of fun to be had there.
Check out Immersive Labs' skills development platform to drive down your organization's cyber risk while reducing training costs. Check them out at immersivelabs.com/lite.
immersivelabs.com/lite.
CAROLE THERIAULT
Okay, so it turns out that we are all bad people. Well, not all of us. Most of us though, because 60% of employees who quit their jobs admit to taking data.
Yeah, that's why Code42 provides data loss protection for when employees quit. It can help you detect insider threats, investigate file activity, and respond before damage is done.
A really cool aspect is that at any time Code42 can tell you what data lives where, when it leaves, where it goes, and who has access to it.
To learn more about how you can protect your company from insider threats, visit Code42.com. Www.patreon.com/smashingsecurity.
Unknown
Now on with the show.
GRAHAM CLULEY
And welcome back. And you join us on our favourite part of the show, the part of the show that we like to call Pick of the Week.
CAROLE THERIAULT
Pick of the Week.
GRAHAM CLULEY
Anybody? Anybody? Pick of the Week is the part of the show where everyone chooses something they like.
Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app. Whatever they wish.
It doesn't have to be security related necessarily.
CAROLE THERIAULT
Better not be.
GRAHAM CLULEY
Well, my pick of the week this week, Carole, is not security related. You'll be pleased to hear.
CAROLE THERIAULT
Thrilled.
GRAHAM CLULEY
Well, I found a few different websites which were quite curious. And you recently have become something of the artist, haven't you?
You've been texting me images of some of the amazing painting that you have been doing.
CAROLE THERIAULT
I would only call it amazing from the, you know, for someone who's never put up a paintbrush before. It's early days, dude. It's early days.
GRAHAM CLULEY
I am genuinely impressed by what you've been doing. So I have gone to a website, and our listeners can as well, called zoomquilt2.com.
CAROLE THERIAULT
Okay, I'm going there right now.
GRAHAM CLULEY
Okay, now it's a little bit odd.
CAROLE THERIAULT
Two, like number two?
GRAHAM CLULEY
Yeah, the number two. Zoomquilt2.com, all one word. HTTPS, of course, we only point you to those kind of sites.
And this is a webpage where you are zooming in on an image, a rather creepy, freaky, sort of spooky, peculiar image.
CAROLE THERIAULT
But you never stop zooming in.
GRAHAM CLULEY
But you never stop because the more you go in, the more the picture changes and the more you begin to see.
And then you begin to see it and it's all different kinds of art forms and, oh, I'm in a cinema. Oh no, I'm entering the mouth of some kind of monster.
Oh, it's actually really— it's so fast. Well, you can slow it down, Carole. With your mouse, you can even go into reverse as well. You've got a speed control.
CAROLE THERIAULT
Oh, I see that.
CAROLE THERIAULT
I thought that was getting to the end to see if there was an end, but there isn't. You're right.
GRAHAM CLULEY
Right. And now it does ultimately loop around as well.
CAROLE THERIAULT
You've watched it that long?
GRAHAM CLULEY
Oh yes. Yes. And there's some others as well. There's the original ZoomQuilt, not with a 2, ZoomQuilt as well, which does something like this.
CAROLE THERIAULT
Okay, going to look at that one. Yeah, I don't love this. This kind of makes me— oh, it says, oh, don't go to zoomquilt. Oh, hang on.
GRAHAM CLULEY
Have I got the name right?
CAROLE THERIAULT
Whoa, back out, back out.
GRAHAM CLULEY
Oh no, no, no. The original one is zoomquilt.org. Don't go to zoomquilt.com, whatever you do. Zoomquilt.org is the original one.
CAROLE THERIAULT
You're right.
GRAHAM CLULEY
There's a nice one called Arkadia with a K dot XYZ. That's quite a nice one. You might like that one more actually. Go to Arkadia.
CAROLE THERIAULT
This is basically looking into my husband's belly button. Exactly.
GRAHAM CLULEY
Yeah. But you're never—
CAROLE THERIAULT
This is what I imagine what would happen if I suddenly got sucked in there. This is where— this is what would happen. Yeah.
GRAHAM CLULEY
Anyway, so—
CAROLE THERIAULT
He doesn't listen. Doesn't matter.
GRAHAM CLULEY
I don't know quite— I don't quite know how they did this. So I'm quite intrigued as to how on earth they did this. I said, they do ultimately loop round.
But I think, you know, I was just thinking about your artist's brief. It's jolly clever. It's jolly clever.
And I thought, oh yes, well, you know, if you were to have a screensaver or something like that, or something up on your TV rather than just watching people playing snooker, then maybe you'd want to put up something like this.
Arkadia.xyz. Arkadia with a K as the third person.
CAROLE THERIAULT
You know what? Go to the show notes and get the link.
GRAHAM CLULEY
Go to the show notes. You'll find them all up there. That's a little less trippy.
But I imagine this is a little bit what it's— if you were to take LSD, I imagine it's something a bit like this.
CAROLE THERIAULT
Oh, really?
GRAHAM CLULEY
I don't know. I've only just started drinking normal tea.
GRAHAM CLULEY
I probably will never discover, but I imagine this is the kind of— any opinions, Carole?
CAROLE THERIAULT
Nope. No, pass. I'm passing on that one.
GRAHAM CLULEY
Yeah, yeah. Okay. All right. So, yes. So there you are. ZoomQuilt and Arkadia.xyz is my pick of the week. Carole, what's your pick of the week?
CAROLE THERIAULT
Well, I am going to talk about a YouTube channel called Historia Civilis.
CAROLE THERIAULT
Civilis.
GRAHAM CLULEY
There was a lot of it around in the past.
CAROLE THERIAULT
Links in the show notes. This is for people like me who know sweet FA about Roman and pre-Roman history. Caesar, do you know anything about Roman elections?
Do you know anything about Seneca?
GRAHAM CLULEY
Most of what I know probably comes from either Asterix books or watching I, Claudius on TV back in the 1970s, which was—
CAROLE THERIAULT
Right. So I read all of the Asterix books. I was a diehard fan. I would still say that I knew nothing about the constitution of the Spartans.
CAROLE THERIAULT
All right. This is very educational, but it's done in a super cute way. So the video is almost like a board game.
And talking about different people are represented with little blocks, and they kind of dance around the screen as the person gives the lecture on whatever— Caesar in Gaul, the revolt, right?
Or Cicero, his year, 63 BCE. So there's all these kind of really interesting little history windows that, you know, they run about 20 minutes a pop.
CAROLE THERIAULT
And you can learn a lot, and they've done it in a very cute, refreshing way.
And he speaks very precisely and slowly and says every single word clearly, which I think is great because it must make it useful on a much wider, more broader audience, right?
People that might have more difficulty with English could totally follow this as well.
GRAHAM CLULEY
I have watched one of, or some of one of these, and he does have a rather unusual vocal delivery, doesn't he?
CAROLE THERIAULT
Okay, but let me tell you what I learned.
So in Sparta, unlike other places where if a man died, his son would get all his wealth and fortune, but here the women, the wives, got the money.
GRAHAM CLULEY
Okay, sounds reasonable.
CAROLE THERIAULT
And you think that sounds reasonable because today that's what normally would happen, except men died super young because they were all in battle, right?
So they die young, wife gets all the money, then she marries again, guy dies again, she gets all the money, she passes on that money to her children.
Equally to the— say she has a daughter and a son, for example.
CAROLE THERIAULT
And then that daughter starts off with quite a nice little package, and she marries and gets the money, and she marries, gets money.
So apparently women were not allowed to vote, weren't allowed to do anything political or make any decisions.
GRAHAM CLULEY
They were loaded.
Unknown
But they were loaded.
CAROLE THERIAULT
They were more loaded than the two kings. They were like Spartan heiresses or something like that. Anyway, places like Rome were really scared of these women, right?
They were really, really rich, but they weren't very powerful because they weren't able to vote and they weren't able to get in and make decisions and policy.
GRAHAM CLULEY
But sure, but if they had lots of money, couldn't they tell other people how to vote?
CAROLE THERIAULT
So watch the show, watch the show. Anyway, I think it's great. I think he's done his homework.
I think he's done it in a very controlled fashion, and it's a refreshing but educational take. So check out Historia Civilis. Not civilis, not civilis, folks. Starts with a C.
GRAHAM CLULEY
I'll put a link in the show notes for everybody and check it out. Well, that just about wraps it up for this week.
You can follow us on Twitter @SmashInSecurity, no G, Twitter won't allow us to have a G. And you can also continue the discussion with us on Reddit. You can join us up there.
Just search for the subreddit, the Smashing Security subreddit.
CAROLE THERIAULT
Again, to this week's Smashing Security sponsors, Code42, LastPass, and Immersive Labs. Their amazing support helps us give you this show for free.
And thank you, wonderful listeners and supporters.
GRAHAM CLULEY
But don't hit pause just yet.
CAROLE THERIAULT
No, Rachael's coming. Rachael's coming. Exciting time. After the music, we are going to hear from Rachael Stockton, who's talking about a brand new report from LastPass.
You can check out this report at smashingsecurity.com/lastpassreport, and we'll bring you right to it. Okay, take a listen.
Unknown
Something weird is happening.
CAROLE THERIAULT
One sec.
Unknown
Something weird is happening. I hope I'm not being thrown out. Everything's frozen. Hold on. Yeah, you still hear me?
Unknown
Okay, we're good.
CAROLE THERIAULT
Sorry. That's great. That's actually a cute beginning.
Unknown
Great. Oh, great. Everything's frozen. Can you still hear me?
CAROLE THERIAULT
As you can hear, the delightful and insightful Rachael Stockton of LogMeIn, the company behind LastPass, is with us for another special interview.
Thank you so, so much for making the time to chat with us. Between us, it's a bit more fun than one of the meetings, right?
Unknown
Don't even get me started. I'm totally going to send you this meme, and I want you to put this up by this discussion. But yes, it is 100% more fun.
CAROLE THERIAULT
Now, you guys just put out some research, and I was hoping to get your special insight on it because obviously, you have the inside scoop.
Unknown
Yeah, definitely.
By using data from over 47,000 organizations, we've been able to really understand different trends that we're seeing, password management, different trends that we're seeing when it comes to multifactor authentication, and how these really differ from businesses who are smaller, let's say less than 1,000 employees, to $10 million and higher, so bigger businesses.
So yeah, it's very cool to be able to use what people are doing to be able to help others learn.
CAROLE THERIAULT
And use you do. This is a beefcake of a report coming in at a whopping 42 pages. This must have taken some time to compile.
Unknown
I'll tell you, our machine learning team was incredible on this, and it's really helped us gain a lot of insights.
CAROLE THERIAULT
Oh, that's cool.
Now, in the introduction, you guys write, quote, we want to help IT and security professionals understand the greatest obstacles employees face when it comes to passwords.
So I thought this was a good place to start.
Unknown
They're very similar to what we've seen actually year over year, which is the number of passwords that are expected and how hard it is to remember all of those.
That has not really changed too much over time, and I think that is one of the biggest challenges that employees face.
We have seen some very interesting things this year though, in a difference between small businesses and larger businesses in the number of passwords and some of the things and negative things that come from that, password reuse.
CAROLE THERIAULT
I'm guessing that password reuse is one of the biggest problems that you're still facing in password world.
Unknown
Yeah, it definitely is on a personal, you know, for personal users, but in the businesses too. And you can't forget there's a lot of overlap between personal and business passwords.
CAROLE THERIAULT
And now of course people have way more sites to pay attention to than ever before, right?
There's a lot more user logins that they have to dig out, and why not use the same password all the time? Because it's easier to remember.
Unknown
Definitely. So what we found when we looked at businesses today, people in small businesses have on average 85 passwords that they need to remember.
And so think about just all of those little systems.
And we found that small businesses— and this is not that small, organizations 1,000 employees and below, they reuse about 10 to 14 passwords. Really?
And yes, and so, you know, that's what, like 15% of all their passwords are reused.
But here's the interesting thing, larger organizations greater than 1,000, they have decreased the number of passwords that employees need to use down to 25.
And with that, about 4 of them are reused.
CAROLE THERIAULT
I'm going to guess why that is.
Unknown
Okay, okay, ready? Hold on.
CAROLE THERIAULT
Drum roll.
I'm going to guess that's because big companies, enterprises can afford consolidated enterprise solutions where maybe you can have a single sign-on to all the options within that service.
Unknown
You are 100% right.
Unknown
Boom. Totally. Yes, I believe so too. I mean, we found that about 50% of organizations are using SSO, but the vast majority of those are larger organizations.
And what's interesting, and I think we've talked about this before, is this doors and windows concept. Yeah. You know, single sign-on is exactly what that is.
I mean, everybody listening understands that. It's one place for all your employees to be able to access the applications that you care most about.
And while that sounds super easy, there's an incredible amount of integration that has to go on to have that be seamless. And that is an incredible amount of work for IT.
So that ability has to be very easy, but that does take away the number of passwords that somebody needs to remember.
CAROLE THERIAULT
And this kind of explains why small businesses are sitting ducks when it comes to things like ransomware or social engineering attacks, because they have too many accounts to remember.
They're, of course, reusing passwords and they're not all using password managers.
Unknown
It's true. And remember what we talked about last time? Even your listeners came back and agreed. The general IT manager in a small-medium business, their back is up against the wall.
They have so many things to do. So figuring out how to solve these problems in a world that's changing very quickly is hard. And the risk is huge.
You mentioned ransomware and things like that. The latest Verizon data breach report, 43% of all attacks are on SMBs.
And I believe it was in CISA, and CISA is the month, 60% of those SMBs that get attacked go out of business. So this is serious stuff.
CAROLE THERIAULT
Yeah, you just don't have the resiliency to bounce back if you get hit by something like a piece of ransomware, for example.
You just don't have those reserves if it's a smaller business. Okay, so they have all these passwords, they don't have the same IT resources, and they don't have the same budget.
What advice do you have for small businesses, IT guys, and companies that want to be more resilient against these threats?
Unknown
I think one of the biggest things to really think about are what are behaviors that you can enforce?
And if you're going to invest in something, ensure that you know how you could be able to fully roll it out.
When we look at the windows and doors, the passwords with SSO that you're going to centralize with SSO, and then the passwords that you don't have as much control over, those applications that people either bring in or just really on top of priority for you to integrate.
Looking for a solution that's easy to use, but does both of those because there's no point in really just doing one or the other when you can do both.
But it has to be easy and it has to be able to be rolled out successfully.
CAROLE THERIAULT
If you can have your cake and eat it, why not, right?
Unknown
You definitely can. But here's the other thing. It does not have to be done all at the same time.
Unknown
You know, you can sort of take it piece by piece or bite by bite in your metaphor.
CAROLE THERIAULT
So let me get back to the report for a second. It's not all doom and gloom in this report, is it? Your findings show that multifactor authentication use is on the rise.
I read up 12% points over last year.
Unknown
So about 57% of the organizations who are using LastPass are using multifactor authentication, and that's great.
That increase is important because the fact is, whether it's a password manager or single sign-on, when somebody gets access to either one of those, they have the keys to the kingdom.
And so best practice is always to protect with multifactor authentication.
But even bringing that back to the small-medium business, I mean, that's a place still where, you know, less than a third of organizations are protecting their business with multifactor authentication.
And I think that could be a very, very quick win for some of the listeners out here.
I remember talking to some customers recently at an event that we held, and one of the things that they were challenged by with multifactor authentication was still getting it by the users.
Always comes up. Back to that. And I do think that, you know, if you've looked at solutions a year ago, that a lot of things have changed.
There's a lot of different things out there that'll enable biometrics, simple ease of use, and so it might even be time to reevaluate.
CAROLE THERIAULT
Why do you think there's a steep rise in the use of multifactor authentication now?
Regulations and things like the Privacy Act and GDPR and the constraints that that's putting on some businesses?
Do you think that's kind of forcing the hand of some companies that might otherwise be turning a blind eye to the cybersecurity risk?
Unknown
It's interesting. You have government and regulations pushing down, but you also have multifactor authentication taking more of a natural place in a consumer's life.
So, there's even more of bringing that to work and, you know, now you authenticate to applications like you authenticate into your phone every day.
So I think that it's actually both.
And who knows, who knows what will be, you know, 5 years from now, 10 years from now when it comes to gaining access and proving you are who you are.
CAROLE THERIAULT
That's why I love working in this industry so much, really. Just a pivot, but I just love how fast it moves.
Both the good side and then the bad side tries to keep up and the good side gets ahead and it's just, you know, there's a little bit of excitement there, isn't there?
Unknown
Oh yeah. I mean, this is real.
I mean, what we do, what your listeners do, what my company does and the other tech companies do, I mean, we really are trying to make a difference and protect organizations and protect economics.
And, you know, this is real stuff. This is a real risk.
CAROLE THERIAULT
Now, one thing I found in your report I wanted to ask you about just before we go is that you broke down the use of multifactor authentication by country.
So, the leader of the pack, the top performer, was Denmark, and still Denmark couldn't boast more than 50% of businesses using multifactor authentication.
So, there's still a long road ahead, don't you think?
Unknown
Yeah, I definitely think. And even if you look down the top 5, I think, let me look, they're non-American.
They're Denmark, Netherlands, Switzerland, which I think goes right back to your point about regulations. And I mean, GDPR had a huge impact on these countries and the US as well.
But I think we really see that here. And yes, it not being over 50% is very interesting. And it does say there's still a lot of work to do to understand why not.
And then both ways, how to make it easier to implement, more cost-effective to implement, and make sure people understand why they have to.
CAROLE THERIAULT
Okay, and finally, I know you have to go, but what are the kind of 3 top takeaways you'd have for any IT guy or gal out there who needs to get a better handle on their cybersecurity and, you know, get their guys educated?
Unknown
You know, you need to make a plan. Like I said, you have to take this bit by bit, particularly if you're in a smaller company.
So, you know, you have to look broadly, do some learning, but then make a plan.
And with that, you know, I think first steps there really are thinking about what's that lowest hanging fruit.
And I think one of the first things you can look at is what are the things that you can be protecting more with multifactor authentication of your systems, what are they, and, you know, find that.
And then I think the second piece is how do you close those doors and windows.
With multifactor authentication, you kind of put this huge lid on everything, but there's so much work you need to do behind the scenes. So those are the three that I would look at.
Make a plan, look at multifactor authentication, and then look at how you're going to be sort of consolidating access to simplify for your employees.
CAROLE THERIAULT
Thank you so much for making the time to come on the show once again. We love having you on.
Listeners, if you have any thoughts on what Rachael and I have discussed today, do tweet us and tell us your thoughts or ask your questions.
CAROLE THERIAULT
I was gonna do a CyberWire sign-off. It must be—
Unknown
I feel like total multiple personalities sometimes.
CAROLE THERIAULT
Thank you, Rachael, so much.
Unknown
Thank you so much.
GRAHAM CLULEY
Nice work, Carole. Very interesting hearing that.
CAROLE THERIAULT
Don't sound impressed. What? You always sound so impressed, like, oh, Carole, you did a good job there.
GRAHAM CLULEY
Wow. I don't think I always sound impressed, Carole. I don't think you can say that.
CAROLE THERIAULT
You don't always sound impressive. That's what I'm going to say.
GRAHAM CLULEY
So remind me again where I can download this report from.
CAROLE THERIAULT
You can get it from smashingsecurity.com/lastpassreport. Boom.
GRAHAM CLULEY
Lovely. Until next time, cheerio. Bye-bye.
CAROLE THERIAULT
Don't be a stranger. Find us on Patreon.
GRAHAM CLULEY
Speak next week.
CAROLE THERIAULT
Week. Okay. What?