Linked: We’re still making terrible choices with passwords, even though we know better

Most people do the right thing with passwords for financial accounts, but all the websites that make them create an account just to read an article? Who really cares if that account gets hacked? Why not just use the same password for all of them? What’s the hacker going to do, read USA Today as them? Who cares?

That is all just normal human behavior. The thing that should scare the hell out of security professionals is how many people view their work access the same way. They don’t care. It’s not their data; it’s just the place where they happen to work, for now. This shows in the low number of people creating a strong password for their work accounts. (It also shows how making them change it every few months really just backfires.)

Once More For the People In the Back – Do Not Give Out Any Information To Someone Who Calls You

And so, I repeat. Do not give out any information to someone who calls you. Hang up, and call your bank directly.

Go read the whole thing for more of the details on these services and how they work. It’s interesting. But if you remember nothing else, remember this: when anyone calls and says they are calling about your account, a legal issue, etc., hang up, and call the place they say they are calling from directly. That’s not how any legitimate business works anymore, so the second someone calls you and starts asking you to verify who you are, be suspicious and hang up.

Linked: Ransomware shame: More than half of business owners conceal cyber-breach

I’ve been saying it for a little while now, but I think this really cements it for me: your data has already been breached somewhere. Whether you know your personal information was involved in a public breach, or you’ve somehow managed to avoid that thus far, there is still a whole bunch of ransomware and other breaches that we don’t know anything about:

Ransomware Gangs Are Mostly Just Following the Easy Money

I saw a few references to this KELA study of ransomware based on doing some digging around the dark web to see what people were looking for. I wasn’t necessarily surprised by what they found, because it seems relatively obvious, but I was a little surprised to see that it’s pretty well-thought-out. I guess I had been working on an assumption that folks using ransomware were just throwing out a wide net and catching whatever they could, but it seems like maybe they are thinking a bit more about what they are doing. 

Linked: Wanted: Disgruntled Employees to Deploy Ransomware

Look, it makes sense at any time, but right now, with companies’ varying sets of rules around a pandemic, forcing employees back to an office, mandating a vaccine if they do, closing offices, etc., there is bound to be at least one person who just isn’t very happy with whatever stance the company has taken.

Would the vast majority of them stoop to purposefully installing ransomware on the corporate network? Probably not, but the hacker doesn’t need the majority; they need one. Just one person who is that angry, and also unethical, and they are in.

Apple’s Image Scanning Tool is, Well, Complicated

At first blush, the idea of scanning images synced up to iCloud for child sexual abuse material against the hash list of known CSAM images seems like a good idea. As a survivor of childhood sexual abuse myself, I want tech companies to take some initiative to deal with this issue. They also want to scan images on kids’ phones using AI to see if kids are getting into any trouble with sending or receiving sexual material. Again, that sounds like a good thing. But, as the EFF points out, this all requires a backdoor, and backdoors, once created, almost never remain used for just one purpose.