The war in Ukraine has put the entire world on high alert as the aggressor, Russia, extends its hostility not just to Ukraine but to sympathetic nations that try to come to the invaded nation’s aid. Unsurprisingly, as both a traditional rival and prominent sympathizer, the USA is at the top of the list. The hostility, however, comes not in the form of direct attack but cyber warfare.

Even before the sustained automated digital intrusions various US agencies and companies are experiencing now, Russia had already been using state-sponsored agents to test the waters. And on at least one occasion, human negligence provided an alternate route to bypass multifactor authentication safeguards.

Exploiting Vulnerabilities

In May of 2021, a Non-Government Organization experienced a rapid and successful intrusion of their systems despite having multifactor authentication protocols in place. State-sponsored Russian hackers exploited a documented vulnerability known as “PrintNightmare,” a security hole in print spooler software, which coordinates printing jobs among computers on a network. 

The PrintNightmare vulnerability, once exploited, allowed the hackers to spread their control and gain system privileges within the network. Once inside, they could disable multifactor authentication safeguards, edit registries, and browse directories at their leisure.

How It Happened

In this case, true MFA implementation would have prevented the state-sponsored hackers from gaining access to the system. Unfortunately, the hackers took advantage of older systems still in place. The intrusion occurred when the hackers discovered a registered but inactive account that still used password systems set to default.

By using traditional “brute force” methods to figure out the default password through the process of elimination, the hackers eventually gained access to the system without ever having to encounter the much stronger multifactor authentication systems. By using this “back door” of an inactive but still valid user account, they were able to register themselves within the MFA system and then use that as the foundation to move into the rest of the system, find the PrintNightmare vulnerability, and then exploit that to seize control of the network’s functions.

Take Precautions

The exploitation of an in-system vulnerability would never have occurred with more diligence. Allowing inactive accounts to remain valid with default passwords still in place provides a critical loophole to bypass much stronger multifactor authentication systems.

For a more secure system, always be vigilant. When switching to MFA safeguards, disable the older, more vulnerable password accounts and systems. A chain is only as strong as its weakest link.

If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

As the integration of digital technology with everyday life continues, identity theft has quickly become one of the more popular and commonplace crimes of the 21^st century. Rather than the physical risk of robbing someone, or the legal risk of charges of mugging, identity theft is physically safe while at the same time capable of stealing far more funds than would typically be stored as cash in the average wallet.

Many tactics are used to achieve this, but one of the more effective and efficient ones is a technique known as the “Man In The Middle” attack.

How It Works

The Man In The Middle attack is the digital equivalent of a postal worker opening up mail, reading it for salient details such as credit card number or social insurance number, and then closing up the letter and delivering it to the mailbox. In other words, important data is taken, but the user is never aware that a theft has occurred.

One of the most common ways a Man In The Middle Attack is executed is by a criminal offering a free Wi-Fi spot. People who log in thinking they are taking advantage of free Wi-Fi fail to realize that all of their input, from their names to their passwords, is being monitored and copied by the Wi-Fi provider and decrypted. The criminal then takes that data to log into those accounts and seize control.

More active forms of Man In The Middle attacks include:

• IP Spoofing
• DNS Spoofing
• ARP Spoofing

While decryption techniques can run the gamut from HTTPS spoofing to SSL stripping.

Better Security Is Needed Like Passwordless Authentication

Man in the middle attacks is one of the reasons why improved security, such as passwordless authentication, is an important component of protecting data—a man in the middle attack intercepts and decrypts inputs. However, a passwordless authentication mechanism cannot be replicated by using a physical key with a digital code or biometric authentication. 

Even if a password has been stolen, it still cannot gain a thief access without the other passwordless authentication components, such as the key, or a fingerprint, face, eye, or another biometric requirement. Multi-authentication security methods add extra layers of protection to defeat these more sophisticated forms of crime.

Man in the middle attacks and other forms of cybercriminal intrusions rely on vulnerabilities such as single password authentication systems. However, improved security measures, like FIDO protocols, can help to repel these kinds of cyber security breaches. Read here to learn more. 

Microsoft is one of the largest, oldest technology companies globally, having been an integral part of the computer revolution that started in the 1980s. Okta is a large, successful software company specializing in identity control and user authentication for other companies (known as IAM security software). Despite those impressive pedigrees, both companies have been successfully hacked by an up-and-coming criminal group known as “Lapsus$.” But how did it happen and was multifactor authentication used?

Who Is Lapsus$?

Lapsus$ is a cybercrime group that originally started in Brazil. As with other hacker groups, the online nature of cybercrime means that membership is not strictly limited to the country of origin. They are a recent arrival on the digital crime scene, having begun operations only in December of 2021.

However, they have already been confirmed to have successfully infiltrated the likes of Korean electronics giant Samsun, graphics card manufacturer Nvidia, and even the game developer and publisher Ubisoft. They specialize in going after corporate targets, stealing confidential data, and releasing it unless a ransom is paid.

What Happened To Okta?

Okta immediately informed the affected clients while publicly stating only 2.5% of their total clientele was impacted by the intrusion. After conducting an investigation, they concluded that a support engineer had left a laptop vulnerable for five days, and the laptop was likely hacked during this period.

In this case, it wasn’t a situation where Okta’s internal security failed, so much as negligent security measures by an individual engineer resulted in an account-takeover and access to the compromised system.

What Happened To Microsoft

Microsoft had over 40 GB of data stolen and publicly disclosed online, including source code for software like Cortana and Bing. When Microsoft conducted their investigation, they discovered that a single account was responsible for the data theft, but the account had not been hacked, as proper authentication had granted access.

In this case, the account was compromised by “social engineering,” where hackers deceive a user into voluntarily giving up account details, usually by either posing as an official or installing malware on a USB key that a user thinks contains other types of data so that when it is installed on a system, it seizes control. 

Key-based Multifactor Authentication Makes A Difference

This is why the discipline to implement and use key-based multifactor authentication is so crucial. Stealing a password for a specific device or online account is easy. With this type of multifactor authentication involving key-pairs, additional gates and checks are added so that a password is not enough to grant account access. However, multifactor authentication only works when people have the discipline to follow it and the resilience to take on the extra work of using a second authentication factor – such as SMS-OTP or emailed codes.

If you’re interested in using the FIDO protocol and moving to a key-based passwordless authentication system, that provides the maximum security to prevent phishing and other ways of executing account takeovers read here to learn more.

Large technology companies amass huge amounts of personal data from their users. Because of this, they work hard to assure both customers and shareholders that the data is safe and can’t be easily stolen through the more conventional methods of hacking and intrusion. For two of the largest tech companies globally, Apple and Meta—the parent company of Facebook—this is certainly the case. However, even the largest corporations can sometimes fall for well-implemented deceptions, and that’s exactly what happened in a case of bold social engineering.

The Human Factor

Social engineering refers to attacking the weakest link in most security chains, human error. Social engineering tricks a victim into voluntarily performing an action that would compromise an otherwise secure system by gaining trust, exploiting greed, provoking fear, or other psychological manipulation tactics.

In the case of both Apple and Meta, the social engineering tactic here was for hackers to impersonate law enforcement officers and send emergency data requests. This legitimate legal request overrides the requirements of presenting a subpoena, warrant, or other court-approved documents before needing to comply. The Apple and Meta employees faced with these bogus emergency data requests complied and handed over IP addresses, mailing addresses, and phone numbers.

The Ongoing Challenge

While embarrassing, especially for companies that typically use up-to-date security measures such as biometrics and other forms of cyber security, neither Apple nor Meta have disclosed the full amount of data given to the hackers. But it is a testament to the ambition of criminals that regardless of the cyber security measures taken, some criminals refuse to give up and resort to the most extreme measures to get the data they want.

Biometrics, USB encryption, decryption keys, and other passwordless authentication methods are all incredibly efficient forms of cyber security. However, they are forms of personal protection, giving individuals the security they need to restrict access to their data. There is no accounting for what happens when a social engineering scheme works at the very “top” of the pyramid, with the data technology companies themselves, who can override any security and provide data on request if they are presented with legitimate, verifiable legal requests, or fall prey to believing a request is legitimate without securing more verification from the parties making the request.

Apple’s Change

Apple joined the FIDO Alliance in the Fall of 2020 a new global standard in the world of passwordless authentication. Apple has now authored a multi-device FIDO standard known as “Passkey” which allows a user to use a FIDO private key to access their Apple accounts. If a device is lost or replaced, the FIDO private key can be recovered from another Apple device owned by the user. With Apple joining the other 340 FIDO Alliance members, the global establishment of the FIDO alliance is considered complete.

It’s crucial, however, for every company to take its own cyber security seriously. Your data on your systems and networks need to be protected. If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

One of the more recent trends in computing for work has been the arrival of “the could,” or, more accurately, the storage of data and applications online. Rather than have data or software stored and accessed directly on the local storage of a physical device, such as a computer or smartphone, the data or software is instead stored online. A device merely goes to the appropriate platform on the Internet to access the data or functionality. This became crucial in the last two years as the pandemic made working from home and other forms of hybrid work essential for health and safety reasons. However, it also meant that digital crime is now turning its attention to this new frontier which means the need for more cyber security.

The Workload Cyber Security Risk

One of the biggest challenges in cyber security is that identity theft can result in a single individual’s resources being compromised. In other words, if someone’s credit card is stolen, that person’s credit purchases are now controlled by external actors.

However, cyber security for cloud-based computing is even more problematic. A cloud-based work solution allows a person—or criminal—access to their work from anywhere in the world, rather than on a single local machine and hard disk. Now, depending on the workload of that individual and the extent of their administrative privileges, the amount of authority and access of a cyber attack can be devastating. If a single executive has a workload that comprises all the subordinates’ data below, that is access to huge amounts of data. If this is spread across different cloud services such as Microsoft’s Azure, or Amazon Web Services, the risk becomes greater.

Taking Steps

Companies must now consider workload management and protection as well as identity protection. Without protecting a single user’s workload, broader access to other systems and data creates significant cyber security risks.

Companies need to consider better safeguards, such as integrating multifactor authentication systems or biometrics to decrease vulnerability from a single-password security system. For example, the use of digital keys eliminates the danger of secure information needing to be transmitted online at all. However, companies must also carefully assess how their workloads occur, who manages them, and how vulnerable those workloads are to intrusion for a truly secure system.

Cloud-based storage and computing are incredibly efficient and convenient, but they must also be properly protected. To ensure better security for your cloud-based work practices, learn more about Nok Nok’s multifactor authentication technology and passwordless security measures.

The US government has recently announced that it will be implementing an expansive and comprehensive initiative to integrate a “zero trust” strategy into all agencies. But what exactly does this mean? It’s a goal to introduce better, more secure multifactor and cryptography-based authentication into existing government agencies, which means more security identity checks but fewer obstacles.

Nothing Is Taken For Granted

As the name implies, the “zero trust” strategy works under the assumption that no one should be taken at face value without verification. In this case, however, verification may occur multiple times through different mechanisms and security features, which is a foundation concept of multifactor authentication combined with cryptographic key pairs.

In a traditional “trusted” security system, one verification is enough. The conventional single-password system is a good example of this. A manager, for example, may have complete access to employee records, employee data like bank account numbers and social security numbers, and even credit numbers and mailing addresses of customers via purchasing database. Complete access and control to all this data are granted through inputting the correct password, which could be as complex as a random string of alphanumeric characters or as simple as the manager using the word “password.” Should that single password ever be stolen or guessed by a criminal, all that access and control, the manager has is now transferred to someone else. In some cases, a password isn’t even required. As long as a person logs into a manager’s desktop computer in the office, complete system, network and data access is granted.

The zero trust strategy makes none of these assumptions, and cryptographic multifactor authentication is a cornerstone of this philosophy. Depending on how extensive the zero trust implementation is, it’s not enough to verify a person’s identity logging in. Even the type of connection and device used for the log-in may also need to be confirmed. The person’s identity is then continually checked for high-value events like accessing sensitive data or conducting a payment transaction.

This is especially important in an age where cloud storage and cloud computing-based applications make it possible for a legitimate user to access software and data anywhere. Multi-factor authentication allows someone accessing confidential data from within their own office at corporate headquarters to quickly do the same thing in Japan from their company-issued smartphone. The key difference is that now, even if someone’s password or smartphone is stolen, the cryptographic-based multifactor authentication philosophy of zero trust now has safeguards to prevent one, two, or even three pieces of stolen verification from being enough.

Multiple verification systems can be fast and easy without being cumbersome through biometrics, digital keys, and other design innovations. Learn more here about how Nok Nok’s modern identity and passwordless authentication technology protects today’s multifactor security measures.

One of the biggest liabilities of relying on a single-password system is granting unprecedented control and access to anyone who knows that password. Unfortunately, the only way to reduce the chance of a password being stolen is to make passwords easier to remember, thus making them easier to guess or figure out through criminals’ increasingly more sophisticated and automated methods.

Conversely, making passwords harder to guess through a string of random alphanumeric characters makes them slow, difficult, and inconvenient to use, eliminating their efficiency while at the same time still retaining the risk of relying upon a single password alone to grant access.

FIDO Improves Security With Passwordless Authentication

An alliance of global companies has now joined to form an organization known as The FIDO Alliance, which stands for “fast online identity.” The FIDO protocol creates a compatible cryptographic standard across devices and software platforms to ensure these cryptographic measures are interoperable across browsers, platforms and devices. The goal of FIDO is to enable phishing-resistant passwordless authentication systems while also making user experiences frictionless and seamless.  These modern security technologies make user access faster, easier, more efficient, and more secure than legacy systems based on the collection, storing an input of personal secrets and information like user’s name and password.

FIDO is doing this through a dual-key based authentication system known as key pairs that use asymmetric encryption methods and offers 2-factor authentication in one encrypted user step.

More Than One Mechanism

Symmetric encryption is something most people are familiar with. Something is encrypted or “locked” using a single device, such as a USB key with data on it. Data is encrypted, inaccessible, and unreadable if the key is present. When that same key is present, the data can be accessed and is decrypted so it can be read.

Asymmetric encryption relies on two keys. One is a “public key” that allows users to choose the form of encryption for the data to be protected. The second is the “private key” that must be present for the decryption to take place. 

In other words, even if the public key is duplicated or stolen, it only grants access to the data. The data still can’t be read because it requires the presence of both the right public key and its pair, the private key, to access the data or access software services. The combination of a FIDO key pair system creates an easy passwordless authentication system that eliminates the inconvenience of creating a strong, hard to remember string of random alphanumeric characters and also does away with the knowledge-based authentication system, such as asking people what their mother’s maiden name was for a hint, which could often be gleaned through searching public social media profiles and posts.

If you’re interested in using the FIDO protocol and moving to a passwordless identity and authentication system, read here to learn more.

As the 21^st century processes its first major military engagement with the Ukrainian defense against Russian invasion, it has also revealed that digital warfare plays an important role. Unfortunately, cyber security warfare does not restrict itself to only military targets. This is something that both Ukraine and allies worldwide—including the United States—are now discovering for themselves.

As a result, the Whitehouse has now declared that it will be moving forward aggressively to implement a “zero trust strategy” in the computer networks of all relevant agencies and organizations.

Never Trust and Always Verify For Cyber Security

Ironically, the zero-trust strategy has its roots in the Russian proverb, “trust, but verify.” The implication is that even if you have a person or thing that you trust, you should always take the time to verify that who you are dealing with is who you are expecting.

In terms of cyber security, a zero-trust strategy means that even if a person, account, or piece of hardware previously accepted by a network’s infrastructure is legitimate, there should still be verification of the  authenticity of the user. This is a security protocol that is even more important in today’s wireless world, where a legitimate user can potentially log in from any device anywhere in the world. It’s one thing to have a recognized user come into a secure building with staff that identifies them, and go into their own office and use their computer inside a secure network. It’s a different matter when that same person claims to be logging into a secure database using a smartphone in an entirely different country without any user identity checks along the way.

A Comprehensive But Worthwhile Effort

The initiative to bring multiple government agencies into a modern, zero-trust compliant security framework will not be fast, cheap, or easy. Each agency already has its own established conventions and protocols, so there will have to be a lot of adaptation and evolution to respect the needs of the different organizations.

However, the American government’s willingness to commit to Zero-Trust architectures speaks volumes of the nature of cyber security in the 21^st century. With the continued reliance on easy access anywhere in the world, cloud-based storage and applications, multi-factor authentication, and other elements of the zero-trust strategy have become essential. A single password, once stolen, can surrender vast amounts of data and system control. Multi-factor authentication, cryptographic keypairs and the zero trust strategy ensure that there are extra safeguards.

Modern identity and cryptographic multi-factor authentication is one way to improve your cyber security. Learn more here about Nok Nok’s modern identity and passwordless authentication technology and how it protects multifactor security measures for more peace of mind.

There is both an enormous amount of convenience and speed in using digital payment systems. For the general public, online payments through credit cards or even cryptocurrency enable customers to buy products worldwide that they might otherwise not have local access to. For businesses, online payments negate any possibility of fraudulent payment through counterfeit cash. Every transaction is a legitimate one that uses real funds.

However, just because the actual transactions are legal and legitimate doesn’t mean the person making the purchase is. This is where payment fraud through online transactions is on the rise due to breaches in cyber security.

Identity Theft and Account Takeovers Lead To Payment Fraud

The way payment fraud occurs today has shifted away from traditional strategies like printing counterfeit money and using that false cash to make purchases. Today’s digital criminals look for vulnerable accounts, seize control of them, and then use the funds or payment system associated with those accounts to make purchases. In other words, the money is real, and the account is legitimate, but the person using the account has stolen that access from the rightful owner or is using the account without the owner knowing it.

This results in the victims eventually receiving receipts and other proofs of payment for purchases they never made. It is the cyber security equivalent of someone having their wallet stolen and then the thief using that cash to make purchases.

Rising Fraud

Payment fraud is on the rise in a few key areas, most notably:

• Digital Wallets
• Payment Service Provider Transactions
• Cryptocurrency Transactions
• Buy Now, Pay Later Transactions
• Loyalty Reward Points

Billions of dollars in payment fraud occur every year, and one of the reasons for this is the inadequacy of legacy security systems. A single password-only security system, even with multi-factor authentication enabled, is incredibly vulnerable, especially if a careless customer uses an easily deciphered password. Even when a strong, single password is used, criminals use of “keylogging” can defeat this.

Multi-factor authentication is one addition way to “harden” a system against this type of identity theft. These cyber security measures use additional cyber security components, such as physical-digital “keys” or biometric authentication to add stronger layers of security. Even if a password is stolen, the password alone won’t grant access or control of an account without the additional authentication factors.

The challenge, however, lies in ensuring that cyber security measures provide protection without obstruction. If a security feature makes it too difficult to make a purchase, it does more harm than good. This is where initiatives like Nok Nok’s use of FIDO protocols play an important role. Read here to learn more. 

Despite the careful language of special military operations being used, the undeniable fact is massive military forces have been directed to invade—and in some cases destroy—vast tracts of Ukrainian land. There is now a war raging between the beleaguered nation of Ukraine and the Russian aggressor, but as a key supporter of the Ukrainian defense, America and its businesses are at risk of attacks on their cyber security.

A Battle With Precedent

Ukrainian digital infrastructure has already shown the effects of cyber-attacks. There have been breaches in everything from their electrical infrastructure to transportation-related networks. Over the years, Russia has tested the boundaries of breaking American cyber security, and the US has in turn responded.

However, with open warfare between one country and another, the world is now seeing how the digital space has become a second battlefield, often with secondary but important consequences. And while the United States is not directly participating in the war, its role as a major supporter of Ukraine has put the American digital space in the target sights of Putin’s “gangster diplomacy.”

What To Expect

Four sectors are traditionally the most likely targets for attacks on cyber security. Finance is a surprise to no one, as Russia is now the victim of history-making sanctions. The energy sector is another, as incursions seek to either seize control or lock legitimate users out of power generation. Transportation and aviation are other sectors, as logistics always plays a crucial role in any successful plan or operation.

However, it is crucial to note that Russian cyber-attacks are not just attacks of a deliberate strategy; they are also attacks of opportunity. Russian attacks are not necessarily conducted by individuals targeting only specific, named targets. They actively hunt for vulnerabilities anywhere and will exploit them if found.

This is where reliance on a single-password-only and knowledge-based cyber security system can expose serious vulnerabilities for any business. Multi-factor authentication systems, or even passwordless authentication systems that use other measures like cryptographic biometrics, increase the trust and safety of systems by orders of magnitude. Passwordless systems have no password to be stolen, and for multi-factor authentication systems, a password being compromised no longer means systems and access and control are given. Without those additional factors, such as a one-time randomly generated code, or the detection of a physical-digital key, a system remains inaccessible.

If you’re interested in transformational change to your cyber security, learn more about Nok Nok’s modern identity and passwordless authentication technology, and cryptographic multi-factor security measures for better protection and greater peace of mind.