Tag Archive for 2FA

GoDaddy WordPress Sites Hacked?

GoDaddy (GDDY), the world’s largest domain name registrar, disclosed that it had been hacked. According to reports on Monday (11/22/2021), an unknown attacker gained unauthorized access to the system used to provision the company’s Managed WordPress sites. The breach affects up to 1.2 million GoDaddy Managed WordPress customers, and that figure does not include the visitors and customers of the affected websites.

The company posted, “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down.”

GoDaddy resellers also compromised

On Tuesday (11/23/2021), GoDaddy confirmed that some of its resellers were also compromised in the attack. If you purchased your WordPress domains from

Assume your WordPress site has been compromised.

According to the SEC filing by the Scottsdale, AZ-based firm, the attacker gained access with a compromised password on September 6, 2021, and was discovered on November 17, 2021, when its access was revoked. That left the attacker more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm otherwise.

What happened at GoDaddy?

Several sites are reporting that GoDaddy stored sFTP (SSH File Transfer Protocol) credentials in a form from which the plaintext passwords could be retrieved, rather than storing salted hashes of those passwords or offering public-key authentication, which is industry best practice. That decision handed the attacker the passwords directly, with no cracking required. A salted hash only helps where a system merely needs to verify a password at login; a secret the provisioning system must hand back out later (the database password written into a site’s wp-config.php, for example) needs an encrypted secret store with tight access controls instead. According to the SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”
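The difference between the two storage designs is easy to show in code. The following is an added example, not anything from GoDaddy’s systems or from the original post: it uses Python’s hashlib.scrypt with a fresh random salt per password and a constant-time comparison, and a constructed one-account credential store for each design. It assumes the sFTP service only ever needs to verify the password, never to retrieve it.

```python
import base64
import hashlib
import hmac
import os

# scrypt work factor; raise N where the login host can afford the memory and CPU.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record (algorithm, parameters, random salt, derived key).
    Nothing in the record yields the password without guessing it."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than raise
    if algo != "scrypt":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# Constructed one-account sample of each storage design for an sFTP login.
SFTP_PASSWORD = "Tr0ub4dor&3"
PLAINTEXT_STORE = {"sftp-user1": SFTP_PASSWORD}              # retrievable design
HASHED_STORE = {"sftp-user1": hash_password(SFTP_PASSWORD)}  # salted-hash design


def login(user: str, password: str) -> bool:
    """The sFTP service's check, which only ever needs to verify, never to retrieve."""
    record = HASHED_STORE.get(user)
    return record is not None and verify_password(password, record)


def dump_logs_in_directly(store: dict) -> dict:
    """Attacker's view after exfiltrating a credential table: try each stored value
    as the password. True means the dump alone is enough to log in."""
    return {user: login(user, value) for user, value in store.items()}
```

With the plaintext store, the dumped value is the password and logs in as-is; with the hashed store, the dumped record is a guessing problem whose cost is set by the scrypt parameters, and two hashes of the same password never match because each carries its own salt.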

What did the attacker have access to?

The SEC filing indicates that the attacker had access to:

  • User email addresses,
  • Customer numbers,
  • Original WordPress Admin password that was set at the time of provisioning,
  • SSL private key and
  • sFTP and database usernames and passwords.

What could an attacker do with this info?

The attackers had unrestricted access to these systems for over two months. During that time, they could have:

  • Taken over these sites by uploading malware or adding a malicious administrative user, which lets them keep control of the sites even after the passwords are changed.
  • Read sensitive information, including website customer PII (personally identifiable information) stored in the impacted sites’ databases.
  • Used the exposed SSL private key to mount a man-in-the-middle (MITM) attack that decrypts traffic between a site visitor and an affected site.
  • Used the exposed email addresses and customer numbers for convincing, targeted phishing.

How to resecure your GoDaddy-hosted WordPress site

GoDaddy should be notifying impacted customers. In the meantime, experts recommend that all Managed WordPress users assume that they have been breached and take the following actions:

  1. If you run an e-commerce site or store PII (personally identifiable information) and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach.
  2. Change all of your WordPress passwords, including the WordPress admin, sFTP and database passwords listed as exposed above. Because the SSL private key was also exposed, have your certificate reissued with a new key.
  3. Force a password reset for your WordPress users or customers.
  4. Change any reused passwords and advise your users or customers to do so.
  5. Enable 2-factor authentication wherever possible.
  6. Check your site for unauthorized administrator accounts, paying particular attention to any created on or after September 6, 2021.
  7. Scan your site for malware using a security scanner.
  8. Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins or plugins that do not appear in the Plugins menu. Must-use plugins in mu-plugins load automatically and never show up in that menu, which makes the directory a favourite place to hide a backdoor.
  9. Be on the lookout for suspicious emails.
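The checks in steps 6 and 8 can be scripted. The following is an added example, not tooling from GoDaddy or from the original post: it builds a small constructed wp-content tree and an in-memory SQLite stand-in for the wp_users and wp_usermeta tables (the default wp_ table prefix and an allow-list of plugins the owner knows they installed are assumptions), then lists every administrator, flags those registered on or after the September 6, 2021 intrusion date, and reports mu-plugins, unknown plugin directories and PHP files under uploads.

```python
import sqlite3
import tempfile
from pathlib import Path

# Plugins this site's owner knows they installed (assumption for the example).
KNOWN_PLUGINS = {"akismet", "woocommerce"}
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

# The same query you would run in the site's MySQL client. WordPress stores roles as a
# serialised PHP array in the wp_capabilities meta row (key follows the table prefix).
ADMIN_QUERY = """
SELECT u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered
"""


def audit_wp_content(wp_content: Path) -> dict:
    """Step 8: every PHP file in mu-plugins loads automatically and is invisible in the
    Plugins menu; any plugin directory the owner did not install, and any PHP file under
    uploads (a classic webshell drop), needs a justification too."""
    def rel(p: Path) -> str:
        return p.relative_to(wp_content).as_posix()

    findings = {"mu_plugins": [], "unknown_plugins": [], "php_in_uploads": []}
    mu, plugins, uploads = (wp_content / d for d in ("mu-plugins", "plugins", "uploads"))
    if mu.is_dir():
        findings["mu_plugins"] = sorted(rel(p) for p in mu.rglob("*") if p.suffix in PHP_SUFFIXES)
    if plugins.is_dir():
        findings["unknown_plugins"] = sorted(d.name for d in plugins.iterdir()
                                             if d.is_dir() and d.name not in KNOWN_PLUGINS)
    if uploads.is_dir():
        findings["php_in_uploads"] = sorted(rel(p) for p in uploads.rglob("*") if p.suffix in PHP_SUFFIXES)
    return findings


def audit_admins(conn: sqlite3.Connection, breach_start: str = "2021-09-06") -> dict:
    """Step 6: list every administrator and flag those registered on or after the date
    the attacker first had access (from the SEC filing)."""
    rows = conn.execute(ADMIN_QUERY).fetchall()
    return {"admins": [r[0] for r in rows],
            "created_during_breach": [r[0] for r in rows if r[2] >= breach_start]}


def build_fixture():
    """Constructed sample site: a legitimate tree plus three things an attacker left
    behind, and an in-memory stand-in for the wp_users / wp_usermeta tables."""
    root = Path(tempfile.mkdtemp()) / "wp-content"
    files = ["plugins/akismet/akismet.php", "plugins/woocommerce/woocommerce.php",
             "plugins/wp-cache-helper/helper.php",     # plugin nobody installed
             "mu-plugins/wp-init.php",                 # hidden from the Plugins menu
             "uploads/2021/11/banner.jpg",
             "uploads/2021/11/wp-cache.php"]           # PHP where only media belongs
    for name in files:
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // constructed placeholder\n" if p.suffix == ".php" else "")
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
          (1, 'ralph',      'ralph@example.com',   '2019-03-12 10:00:00'),
          (2, 'editor1',    'editor@example.com',  '2020-06-01 09:30:00'),
          (3, 'wp_support', 'noreply@example.net', '2021-10-02 03:17:44');
        INSERT INTO wp_usermeta VALUES
          (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
          (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
          (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return root, conn


if __name__ == "__main__":
    root, conn = build_fixture()
    print(audit_wp_content(root))
    print(audit_admins(conn))
```

Against a real site, point audit_wp_content at the live wp-content directory and run ADMIN_QUERY in the MySQL client with the site’s actual table prefix. An administrator registered after September 6, 2021 that nobody recognises is the malicious administrative user from the first bullet above, and a password reset alone does not remove it.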

rb-

This GoDaddy data breach is likely to have far-reaching consequences. GoDaddy’s Managed WordPress offering makes up a significant portion of the WordPress ecosystem, so the breach affects both site owners and their customers. The SEC filing says that “up to 1.2 million active and inactive Managed WordPress customers” were affected; the customers of those sites are most likely affected too, which makes the number of affected people much larger.


Stay safe out there!

Related article

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Data Privacy Day 2021

Data Privacy Day in the U.S. is January 28, 2021. It is an extension of the Data Protection Day celebration in Europe, which commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.

Why is Data Privacy Day important?

In this era of rapid technological advancement, having relevant data is key to the success of any organization. Almost every organization collects and combines data in order to put the right content in front of the right person, at the right time, on the right platform.

The data is collected from users or customers who submit their personal information trusting that the firm will keep it private. Users hand over their personal information expecting a better service and trusting that their data is private, safe, and secure. But when that data falls into the wrong hands and data privacy fails, bad things can happen: data breaches end with cyber-criminals misusing user information for scams and identity theft. That is why everyone needs to “Own Your Data Privacy.” Here are resources to help you do that.

Update your Privacy Settings

Your purchase history, IP address, location, etc., have value – just like money. (How else does Mark Zuckerberg make his $100 billions?) Make informed decisions about sharing your data with companies: consider the amount of personal information you are giving up and weigh it against the benefits you may receive. Use these resources from the National Cyber Security Alliance (NCSA) to update your privacy settings on popular devices and online services.

Keep tabs on your apps

Many apps ask for access to personal information, like your geographic location, contacts list, or photo album, before you can use their services. Be wary of apps that require access to information that is not needed for the service they offer. Use these tips from the Data Detox Kit to protect your data privacy. Keep your apps up to date, and delete unused apps from your devices.

Manage your passwords!

You don’t need to be overwhelmed by all your log-ins and passwords. Use a password manager to keep your data private and keep track of strong, unique passwords. Add an extra layer of protection by activating two-factor authentication (2FA) wherever it is available: with 2FA, a cybercriminal who steals your password still needs the second factor to get into your account.

Take action!

  • Make sure your computer is free from known viruses and spyware, and find out whether it is vulnerable to cyber-attacks. Use these free Security Check-Up resources from NCSA to protect your data privacy.
  • Check your online safety know-how with a privacy and security quiz, such as the National Privacy Test or the Google Phishing Quiz, to measure how good you are at protecting your privacy.
  • Join the National Cyber Security Alliance and LinkedIn on January 28 at 9 a.m. for the signature video conference event, Data Privacy in an Era of Change. It gathers data privacy experts from industry, government, academia, and non-profits for keynotes, panels, and discussions on current topics in data privacy – Register here.
  • Show your support for Data Privacy Day by using one of the International Association of Privacy Professionals’ official Data Privacy Day virtual backgrounds for video calls.

rb-

Data Privacy Day reminds us of the value of our data and of our right to transparency about how it is used. It is the day that tells us to re-evaluate and identify the flaws in how we have been collecting, sharing, and using data, and it persuades us to close those gaps so that our valuable data are not tampered with by malware, misused, or lost.

 

Stay safe out there!


No Love for 2FA

Everyone has gone to the ATM to grab some cash. Swipe your card, enter your PIN, and out comes your cash. We have been doing this for years, and the ATM is one of the most established uses of the IT security best practice of two-factor authentication (2FA). Let’s break that down.

  1. You present your ATM card to the machine (something you have),
  2. Next, you enter a secret PIN (something you know).
  3. Without both of these things (authentication factors), you don’t get your cash.

Two-factor authentication (2FA) provides an extra layer of protection for system access by asking the user for a second, independent proof of identity. 2FA is the two-factor case of multi-factor authentication (MFA); both require at least two different kinds of factor from this list:

  • A knowledge factor (something only the user knows, such as an ATM PIN);
  • A possession factor (something only the user has, such as an ATM card);
  • An inherence factor (something the user is, such as a fingerprint or retina pattern).

The most common forms of 2FA are answers to secret questions, a code sent to your phone by SMS, or a one-time password generated by a hardware token or a phone app. Strictly speaking, a secret question is a second knowledge factor rather than a second kind of factor, which is one reason it is the weakest of the three.

2FA is a way to mitigate the risks of unauthorized access, especially in the current COVID-19 era of increased work from home (WFH). And yet, despite these benefits, firms are not taking advantage of it. Computer Economics has published a report, Two-Factor Authentication Adoption and Best Practices, which studied the adoption and practice of 2FA and found that firms are not using it to the extent they should to ensure organizational security:

  • 18% do not use 2FA;
  • 25% are implementing 2FA for the first time;
  • 34% practice 2FA formally and consistently.

Why is 2FA needed? Because, as followers of the Bach Seat know, username-and-password pairs as authentication factors suck. CE writes that passwords can be “phished,” stolen, discovered, and cracked in many ways. Humans are as bad at making good passwords and changing them regularly as they are at eating their daily requirement of vegetables.

In the press release, Tom Dunlap, director of research for Computer Economics, said,

“The big picture is that 2FA is inconvenient, and users just want access … Users often rebel against it because the extra layer is seen as onerous or unnecessary. However … companies face a wide array of security and privacy threats and 2FA can go a long way to protecting a company.”

Inconvenience isn’t the only issue. As I have chronicled on the Bach Seat, each form of two-factor authentication has its own weaknesses. For instance, security questions can often be guessed, tokens can be lost, and SMS codes can be intercepted or redirected to an attacker’s phone.

rb-

Another issue with 2FA is that it is unevenly implemented, and there is no central place to check whether a firm has enabled it on its public-facing site. A website, Two Factor Auth (2FA), is trying to fill that void: it lists websites and whether or not they support 2FA.

Most of the well-known and commonly used sites and services are listed, and the site explains which types of 2FA each firm supports. There is even a Twitter or Facebook link so you can poke the firms that don’t support 2FA on social media and ask them to start.

Only about a third of firms love two-factor authentication enough to use it well, despite the security benefits it provides to them and their customers.

Stay safe out there!


Stop Using These Passwords Now

The annual list of the worst passwords is out, and people are lazy and still use the same old compromised passwords. Not much has changed since 2018, 2017, or 2016. SplashData’s 9th annual list of worst passwords looked at 5 million passwords leaked in data breaches in 2019 and found that 123456 is still the most frequently used password.

Some other interesting password factoids from the survey include:

  • password has been knocked out of the top two spots for the first time in the list’s history.
  • Simple patterns using contiguous keys on the keyboard, like 1q2w3e4r, qwertyuiop, and !@#$%^&*, are new for 2019. They may look complex, but keyboard walks are in every cracking wordlist and will not fool attackers.
  • QWERTY is a big mover in 2019: qwerty moved up 6 places to #3, and qwerty123 moved up 13 spots to #12.
  • After making its debut on the 2018 list, “donald” fell to #34 among the most dangerous passwords to use.

Rank  Password    Change from 2018
   1  123456      Unchanged
   2  123456789   Up 1
   3  qwerty      Up 6
   4  password    Down 2
   5  1234567     Up 2
   6  12345678    Down 2
   7  12345       Down 2
   8  iloveyou    Up 2
   9  111111      Down 3
  10  123123      Up 7
  11  abc123      Up 4
  12  qwerty123   Up 13
  13  1q2w3e4r    New
  14  admin       Down 2
  15  qwertyuiop  New
  16  654321      Up 3
  17  555555      New
  18  lovely      New
  19  7777777     New
  20  welcome     Down 7
  21  888888      New
  22  princess    Down 11
  23  dragon      New
  24  password1   Unchanged
  25  123qwe      New

Morgan Slain, CEO of SplashData, told Gizmodo,

“Our hope … is to convince people to take steps to protect themselves online, and we think these and other efforts are finally starting to pay off. We can tell that over the years people have begun moving toward more complex passwords, though they are still not going far enough as hackers can figure out simple alphanumeric patterns.”

rb-

So how can you keep your online personal information safe?

  1. Make sure none of your passwords are on SplashData’s worst passwords of the year list. If they are, log on and change them immediately. See the full 100 worst passwords on SplashData’s site.
  2. Use two-factor authentication whenever possible. Even if a hacker has your password, they won’t have the one-time code and so won’t be able to get into your account. Not sure whether your favorite website supports two-factor authentication? Search the Two Factor Auth List to find out.
  3. Consider a password manager. Your brain is no longer an adequate password manager. SplashData makes several password managers, SplashID, TeamsID, and Gpass, depending on your needs.


The 10 Worst Passwords of 2018

It is the end of 2018, and we have learned nothing from the massive Facebook and Marriott data leaks and numerous other hacks. California-based password-management company SplashData has released its 2018 list of the 100 worst passwords, based on 5 million passwords leaked on the internet.

Few people have switched things up; people continue to use the same hacked passwords time and time again. Topping the list of terrible passwords were “123456789” at No. 3, “password” at No. 2, and “123456” at No. 1. 2018 marked the fifth straight year that “123456” and “password” kept the top two spots on the SplashData list.

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou

There are only two new entries in the 10 worst passwords: the highly insecure “111111” at number 6 and “sunshine” at number 8.

SplashData estimates that 10% of people have used at least one of the 25 worst passwords on this year’s list, and that roughly 3% of internet users rely on the worst password of all, “123456.”

Don’t congratulate yourself yet if your passwords didn’t make SplashData’s top 10 most used and least secure passwords of 2018. Check out the rest of SplashData’s list of 100 worst passwords, and if one of yours is on it, change it.

rb-

Password advice has changed about as quickly as people’s passwords – NOT MUCH – but it is worth repeating:

  • Use passphrases of twelve characters or more with mixed types of characters.
  • Use a different passphrase for each account. If a hacker gets one of your passwords, they cannot use it on other sites, and you only have to change that one password instead of 50 of them.
  • Use a password manager to generate and store your passwords and log into websites automatically.
  • Set up two-factor authentication; a code generated by a phone app like Google Authenticator or by a small hardware device like a YubiKey adds an extra layer of security.

Imperva points out that 5% of all successful attacks use brute force to guess a user or administrator password. A brute-force attack makes repeated login attempts, trying every possible combination of letters, numbers, and characters until the password is guessed.

Because most people have many accounts and many passwords, they tend to reuse a few simple ones, which leaves them exposed to brute-force attacks. Email accounts protected by weak passwords are particularly valuable to hackers: they are often linked to other accounts and can be used to reset those accounts’ passwords.

Attackers use specialized hardware to guess passwords efficiently. Cryptocurrency mining rigs with graphics processing units (GPUs) and application-specific integrated circuits (ASICs) are very effective at quick, repetitive tasks like password guessing. That hardware pays off mainly in offline cracking of stolen password hashes; against a live login form the attacker is limited to the rate at which the server answers, which is exactly the limit the countermeasures below tighten.

Imperva recommends a number of steps that an administrator can take to protect users from brute-force password cracking:

  • Lockout policy—you can lock accounts after several failed login attempts and then unlock them as the administrator.
  • Progressive delays—you can lock accounts for a limited time after failed login attempts, with each further failure making the delay longer.
  • Captcha—tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can complete these tasks easily while brute-force tools cannot.
  • Requiring strong passwords—you can force users to define long and complex passwords.
  • Two-factor authentication—you can require a second factor to authenticate identity before granting access to an account.
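Imperva’s first two recommendations, lockout and progressive delay, combine naturally in one per-account throttle. The following is an added example, not Imperva’s code or anything from the original post: an exponential back-off after each failure and a hard lock after ten consecutive failures, driven by a fake clock so a password spray using the worst-passwords list above can be simulated instantly. The credential store, the ten-failure limit and the attacker’s half-second retry interval are constructed assumptions.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed logins
    not_before: float = 0.0   # clock value before which attempts are refused
    locked: bool = False      # hard lock; only admin_unlock() clears it


class LoginThrottle:
    """Progressive delay (base_delay * factor ** (failures - 1), capped at max_delay)
    plus a hard lockout after `lockout_after` consecutive failures, tracked per account."""

    def __init__(self, base_delay=1.0, factor=2.0, max_delay=300.0,
                 lockout_after=10, clock=time.monotonic):
        self.base_delay, self.factor, self.max_delay = base_delay, factor, max_delay
        self.lockout_after, self.clock = lockout_after, clock
        self._state = {}

    def attempt(self, account: str, password: str, check_password) -> str:
        """Returns 'ok', 'bad_password', 'too_early' or 'locked'. The password is not
        even checked while a delay or a lock is in force."""
        st = self._state.setdefault(account, AccountState())
        now = self.clock()
        if st.locked:
            return "locked"
        if now < st.not_before:
            return "too_early"
        if check_password(account, password):
            self._state[account] = AccountState()  # success resets the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.lockout_after:
            st.locked = True
            return "locked"
        delay = min(self.base_delay * self.factor ** (st.failures - 1), self.max_delay)
        st.not_before = now + delay
        return "bad_password"

    def admin_unlock(self, account: str) -> None:
        self._state.pop(account, None)


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the simulation runs instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


# Constructed credential store; a real one holds salted hashes, not the password.
USERS = {"admin": "correct horse battery staple"}


def check_password(account: str, password: str) -> bool:
    expected = USERS.get(account, "")
    return account in USERS and hmac.compare_digest(expected.encode(), password.encode())


# The top of the worst-passwords list above: exactly what a spray tries first.
WORST_PASSWORDS = ["123456", "123456789", "qwerty", "password", "1234567", "12345678",
                   "12345", "iloveyou", "111111", "123123", "abc123", "qwerty123"]


def simulate_spray(throttle: LoginThrottle, clock: FakeClock, account: str,
                   guesses, budget_seconds: float = 60.0, retry_every: float = 0.5) -> list:
    """Attacker retries every `retry_every` seconds until the time budget is spent or
    the account locks; returns the guesses the server actually evaluated."""
    evaluated, queue = [], list(guesses)
    while queue and clock() < budget_seconds:
        result = throttle.attempt(account, queue[0], check_password)
        if result in ("ok", "bad_password"):
            evaluated.append(queue.pop(0))
        elif result == "locked":
            break
        clock.advance(retry_every)
    return evaluated


if __name__ == "__main__":
    clock = FakeClock()
    no_defense = LoginThrottle(base_delay=0.0, lockout_after=10 ** 9, clock=clock)
    print(len(simulate_spray(no_defense, clock, "admin", WORST_PASSWORDS)), "guesses evaluated without throttling")
    clock = FakeClock()
    print(len(simulate_spray(LoginThrottle(clock=clock), clock, "admin", WORST_PASSWORDS)), "guesses evaluated with throttling")
```

Run stand-alone, it reports all 12 guesses evaluated in the first six seconds without throttling against 6 in the whole 60-second budget with it. The hard lockout cuts both ways: an attacker who knows usernames can lock legitimate users out with ten junk guesses, so a progressive delay is the part to keep everywhere, and a hard lock is better paired with a notification to the account owner than left as something only an administrator can clear.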