Gap Week and the IT Privacy and Security Weekly Update for September 27th 2022


Daml’ers,

This week we are practicing a security technique introduced to us years ago while working with Scotland Yard. “Air Gapping”. You can’t get hacked if you are air gapped.

So while we are off gapping we update you on a great way not to suffer from MFA fatigue.

Then we discover after lots of arm flapping by the US authorities about the Russians and Chinese doing this…while they’re doing it too

We fly across to a popular new pastime that is causing more things to disappear than Harry Houdini did in his prime!

There are fingerprints all over a fresh Chrome story and a handful of facts that could have a major impact on your selection at the app store!
Gap

Let’s make it happen, and go air gapping!


Global: MFA fatigue

First what is MFA?

Multi Factor Authentication.

Multi-factor authentication is used to prevent users from logging into a network without first entering an additional form of verification.

This additional information can be a one-time passcode sent to your phone, a prompt asking you to verify the login attempt, or the use of hardware security keys.

OK so what is MFA Fatigue?

When an organization’s multi-factor authentication is configured to use ‘push’ notifications, a prompt will be displayed on an employee’s mobile device when someone tries to log in with their credentials.

An MFA Fatigue attack is when a threat actor runs a script that attempts to log in with stolen credentials over and over, causing what feels like an endless stream of MFA push requests to be sent to the account’s owner’s mobile device.

The goal is to keep this up, day and night, to break down the target’s cybersecurity posture and inflict a sense of “fatigue” regarding these MFA prompts.

In many cases, the threat actors will push out repeated MFA notifications and then contact the target through email, messaging platforms, or over the phone, pretending to be IT support to convince the user to accept the MFA prompt.

Ultimately, the targets get so overwhelmed that they accidentally click on the ‘Approve’ button or simply accept the MFA request to end the endless stream of notifications they were receiving on their phone.

So what’s the upshot for you? If you are an employee who is the target of an MFA Fatigue/Spam attack, and you receive an endless wave of MFA push notifications, do not panic, do not approve the MFA request, and do not talk to unknown people claiming to be from your organization.

Instead, contact the known IT admins for your company, your IT department, or your supervisors and explain that you believe your account has been compromised and is under attack.

You should also change the password for your account if possible to prevent the hacker from continuing to log in and generate further MFA push notifications.

Once your password has been changed, the threat actor will no longer be able to issue MFA spam, giving you and your admins room to breathe while the compromise is investigated.


Global: Bumping up security for registrations where only an email and a password can be used.


Bumping up security for registrations where only an email and a password are required.

You’ve heard a lot about passwords over the years and the truth is probably that we will have to suffer them for a while yet, so let’s talk about ways to raise our security to a point where even if a website gets hacked it will have minimal impact.

The first creative idea comes from Google.

Did you know that you can sign up with a gmail or your Digital Asset email that is completely unique for each site?

By taking your email FirstName.LastName and adding a +CompanyYou are signing up at@digital asset.com or gmail.com you will have an email that is unique to the site, but still reaches you.

As an example if I am Boba.Fett@gmail.com and I am signing up for a new account at https://www.starwars.com I can use the email Boba.Fett+Starwars@gmail.com and I have something that will still get to me but if that website is ever compromised, that account will only ever work for that website.

Cool huh? Try it!

Another thing about doing that is if I later get spammed with email from that site and cannot find an unsubscribe link, I can create a filter and send everything from them to the dustbin.

Super cool.

OK now let’s talk about passwords.

A good password is a long one but how do you remember it?

One suggestion is to pick a phrase that you really like.

Here’s one for the guitarists: Smoke on the water, a fire in the sky. <— yes you can use spaces now too.

If you wanted a unique password for every site you visited you’d just do something like “Smoke on the water, Starwars, a fire in the sky”.

You could make it just the first 2 letters of the website, one in Cap and one lower case, to make it even easier. “Smoke on the water, St, a fire in the sky. = 42.

If I then wanted to register at https://shop.startrek.com I would use: Boba.Fett+shopStartrek@gmail.com with a password of: Smoke on the water, St, A fire in the sky.

Obviously this is not terribly creative, but you get the drift.

As long as you maintain your pattern consistently it’s easy to remember and you will have a huge password to crack, unique to that website.

(Just don’t hum the song near a good hacker.)

Now combine the two and even if the website is hacked, it won’t compromise any of your other logins!

You have unique account registration and long unique passwords and you didn’t even need a password manager.

OK before we end this section, there will be websites that don’t accept long passwords or special characters.

They typically are the ones that get hacked first.

That’s where a password manager comes in.

If you want something open source, free and works on all platforms and phones you could do worse than BitWarden.

The advantage of a password manager is that they also check the website to prevent you from putting your new email and password in a miscreant site like https://shop.startr3k.com

So what’s the upshot for you? If you remember the LastPass hack of last week, you might be looking for a good password manager and although there are paid versions of BitWarden, there are also free versions for all phones, Linux, Windows and MacOS PCs.


US: Pentagon Opens Sweeping Review of Clandestine Psychological Operations

The Pentagon has ordered a sweeping audit of how it conducts clandestine information warfare after major social media companies identified and took offline fake accounts suspected of being run by the U.S. military in violation of the platforms’ rules.

Colin Kahl, the undersecretary of defense for policy, last week instructed the military commands that engage in psychological operations online to provide a full accounting of their activities by next month after the White House and some federal agencies expressed mounting concerns over the Defense Department’s attempted manipulation of audiences overseas, according to several defense and administration officials familiar with the matter.

The takedowns in recent years by Twitter and Facebook of more than 150 bogus personas and media sites created in the United States was disclosed last month by internet researchers Graphika and the Stanford Internet Observatory.

While the researchers did not attribute the sham accounts to the U.S. military, two officials familiar with the matter said that U.S. Central Command is among those whose activities are facing scrutiny.

Like others interviewed for this report, they spoke on the condition of anonymity to discuss sensitive military operations.

The researchers did not specify when the takedowns occurred, but those familiar with the matter said they were within the past two or three years.

Some were recent, they said, and involved posts from the summer that advanced anti-Russia narratives citing the Kremlin’s “imperialist” war in Ukraine and warning of the conflict’s direct impact on Central Asian countries.

So what’s the upshot for you? Significantly, they found that the pretend personas – employing tactics used by countries such as Russia and China – did not gain much traction, and that overt accounts actually attracted more followers.


Global: GPS Jammers Are Being Used to Hijack Trucks and Down Drones

The world’s freight-carrying trucks and ships use GPS-based satellite tracking and navigation systems, but “Criminals are turning to cheap GPS jamming devices to ransack the cargo on roads and at sea, a problem that’s getting worse…”

Jammers work by overpowering GPS signals by emitting a signal at the same frequency, just a bit more powerful than the original.

The typical jammers used for cargo hijackings are able to jam frequencies from up to 5 miles away rendering GPS tracking and security apparatuses, such as those used by trucking syndicates, totally useless.

In Mexico, jammers are used in some 85% of cargo truck thefts.

Statistics are harder to come by in the United States, but there can be little doubt the devices are prevalent and widely used.

Russia is currently availing itself of the technology to jam commercial planes in Ukraine.

As we’ve covered, the proliferating commercial drone sector is also prey to attack…

During a light show in Hong Kong in 2018, a jamming device caused 46 drones to fall out of the sky, raising public awareness of the issue.

While the problem is getting worse, the article also notes that companies are developing anti-jamming solutions for drone receivers, "providing protection and increasing the resiliency of GPS devices against jamming attacks.

So what’s the upshot for you? “By identifying and preventing instances of jamming, fleet operators are able to prevent cargo theft.”


Global: Will Low-Code and No-Code Development Replace Traditional Coding?

While there is a lot of noise about the hottest programming languages and the evolution of Web3, blockchain and the metaverse, none of this will matter if the industry doesn’t have highly skilled software developers to build them," argues ZDNet.

Prediction? Automatic code generators like Github CoPilot, AWS CodeWhisperer and Tab9 will eventually replace “traditional” coding.

“Although ACG is not as good as developers may think, over the next few years, every developer will have their code generated, leaving them more time to focus on their core business.”

As businesses turn to automation as a means of quickly building and deploying new apps and digital services, low code and no code tools will play a fundamental role in shaping the future of the internet.

According to a 2021 Gartner forecast, by 2025, 70% of new applications developed by enterprises will be based on low-code or no-code tools, compared to less than 25% in 2020.

A lot of this work will be done by ‘citizen developers’ — employees who build business apps for themselves and other users using low code tools, but who don’t have formal training in computer programming.

In order to build a proficient citizen developer workforce, companies will need an equally innovative approach to training.

“Low code and no code tools are democratizing software development and providing opportunities for more people to build technology, prompting more innovation across industries,” says the CEO of Stack Overflow…

So what’s the upshot for you? The rise of low-code and no-code could help to further democratize tech jobs, creating more opportunities for talented individuals from non-tech or non-academic backgrounds.

A 2022 survey by developer recruitment platforms CoderPad and CodinGame found that 81% of tech recruiters now readily hire from ‘no-degree’ candidate profiles.

The CodinGame COO Aude Barral believes this trend will only grow as the demand for software professionals intensifies.


Global: Chrome for Android Gets Fingerprint-Protected Incognito Tabs

Here’s a fun new feature for Chrome for Android: fingerprint-protected Incognito tabs.

9to5Google discovered the feature in the Chrome 105 stable channel, though you’ll have to dig deep into the settings to enable it at the moment.

If you want to add a little more protection to your private browsing sessions, type “chrome://flags/#incognito-reauthentication-for-android” into the address bar and hit enter.

After enabling the flag and restarting Chrome, you should see an option to “Lock Incognito tabs when you leave Chrome.”

If you leave your Incognito session and come back, an “unlock Incognito” screen will appear instead of your tabs, and you’ll be asked for a fingerprint scan.

So what’s the upshot for you? Chrome on iOS has had a biometrics-backed Incognito feature, called “Privacy Screen,” for a few years.

This is a first for Android, though. Chrome’s “flags” menu is technically for experiments and in-development features, so this isn’t guaranteed to become a readily accessible user feature, but making it to the stable channel—plus the feature already existing on iOS—is a good sign.


Global: 5 Amazing Facts About Mobile App Development.

  1. Almost 100% of screen time is spent in apps.

  2. The average user has more than 80 apps on their phone.

  3. Mobile gaming has seen a huge rise in users

  4. Android has almost 1.5x more apps than the App Store.

  5. Half of the applications available on the App Store have never been downloaded.

So what’s the upshot for you? Those numbers should dissuade just about any novice app developers… but don’t let them dissuade you!



And the quote of the week: “You know something is wrong when the government declares opening someone else’s mail is a felony but your internet activity is fair game for data collecting.” - E.A. Bucchianeri

mind-the-gap-roundel-home-4031789262


We’d like to thank the “Gap Band” for our Intro and Outro. (Podcast) And honestly some pretty fly outfits in this video The Gap Band - Early In The Morning (Official Music Video) - YouTube


That’s it for this week. Stay safe, stay secure, don’t touch the mail, hands off the outfits, and see you in se7en.