Thursday, April 27, 2023

Cyber Cafe Chats: Passwords, who needs 'em, right?

Y'know, I know the saying is 'April showers bring May flowers,' and I don't know about you, but I'm tired of getting caught out in the rain when I try to sneak out for lunch. So, let's hurry up and get a cup of coffee ready, because it's time for another

Plumes' Cyber Cafe Chat

And today's brew is going to be something that I'm sure you've all heard plenty about over the recent years:

Why do I need to make a different password for every site?

Cybersecurity - it's a broad term. For some people, that's just talking about password management and making sure you're using a VPN while on public Wi-Fi. For others, that's talking about firewalls, User Access Controls, and Intrusion Detection and Response systems. Then you have people like me who get woken up at 3AM from an alert saying that someone is trying to brute force their way into your domain. Takes all kinds of folks, really.

That's where today's chat comes in, actually. Not because it happened recently, no - I'm counting my lucky glow in the dark ceiling stars that I've been blessed enough to get some good sleep recently. Y'see, despite whatever definition you give the term Cybersecurity, there's one element that stays the same throughout all systems, no matter how robust: The Human Element.

Now, that's not just a fancy sci-fi term for the resistance against our ChatGPT overlords. No, the Human element refers to us, the users who access our companies' information on the daily. From the outside in, us IT nerds probably seem like a bunch of jerkwads that don't care about your need to go to Facebook, but there's actually a lot of thought that goes into a successful security network. For example, I could build the world's most secure network - lock everything down behind multiple layers of Multi-Factor Authentication, have attention checks to make sure you're still actively using the information you're reading else I'll terminate your access and make you log in again, and I'll monitor how much data you're pulling so if you pull an unusual amount, I drop the connection immediately. Yes, I could do all of that to help protect against passwords being stolen, accounts being left open while users walk away from their machines, and stop data thievery in its tracks - all three things being real concerns that we face as System Admins alike. But you have to admit, that'd be a real pain in the ass to get into every day, right?

No, a good System Administrator knows how to balance security needs with their user group. They need to be able to understand that not everyone can handle multiple MFA prompts all at once, and that if you disconnect things on people too early, they waste more time getting back into the system than actually using it. And as such, they build their network alongside those limitations. I tell you all of this to give you some understanding as to why it's so important to keep your passwords secure. We do a lot of things to make sure getting access to our system, for those who are intended to have access, can be easy - so with that consideration in mind, we can talk about the other half of the Human Element.

Tell me, did you know that nearly 90% of all data breaches are caused by employee mistakes? It's true! Now, when we say mistakes, we can mean a lot of different things: clicking on a spam link and downloading malware, granting access to malicious actors because they say they're a new IT person, and yes, even sharing your password. Whether that be by a phishing attack where you get an email saying to change your password and for some reason, it mysteriously doesn't work after doing so, or you leave your passwords on a 'safe' sticky note under your keyboard, password theft contributes to countless successful breaches every year.

I can hear you now, "Well, alright Seth, I get that I need to make a secure password..." but that's not what I want to tell you. I mean, yes, please do, but what I mean is keep different passwords for all your services!

It doesn't matter if you have a super secure password if you use it everywhere after all!

So that's why I implore you, PLEASE figure out a password system that works for you. I understand that it's hard to remember passwords, but it doesn't have to be. In fact, you can use a system like this:

Date   | Super Cool Password | Website or Purpose
2023Q2 | P@$$W0rd$Rul3!      | @Work

Allow me to explain: In the example above, we've made the password 2023Q2P@$$W0rd$Rul3!@Work.

Trust me, I don't expect anyone to have a password that complex, but this should give you an idea of what I mean. In my example, I use:

  1. A Date - which is great for passwords that expire every set amount of days. You can keep the same password throughout the year just by changing the quarter!
  2. A Root Password - Which is a password only I would know. Something that's secure but has value to me. You could even make this a passphrase like "PasswordsAreForChumps!"
  3. The Website or Purpose of the Site - This helps add an extra layer of security where it's not just the Website name. You could do YT or Videos for YouTube for example!

If you follow the same pattern, creating passwords becomes easier and less complex to remember as time goes on. Think about it: You could easily come up with your own system instead of trying to think about which cat you liked more the day your password resets, couldn't you?
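The pattern above next to the "one password everywhere" habit, as an added example that is not part of the original post: it builds passwords in the date + root + site order and checks which accounts an exact leaked password would open. The site names and the @YT and @Bank tags are assumptions made up for the sample data.

```python
import hashlib
from collections import defaultdict

def compose(date_tag, root, site_tag):
    """Build a password in the post's order: date + root + site tag."""
    return f"{date_tag}{root}{site_tag}"

def fingerprint(password):
    # SHA-256 is used only to compare entries during the audit,
    # not as a way to store passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def reuse_groups(vault):
    """Return sorted lists of sites that share one exact password."""
    by_fp = defaultdict(list)
    for site, password in vault.items():
        by_fp[fingerprint(password)].append(site)
    return sorted(sorted(sites) for sites in by_fp.values() if len(sites) > 1)

def exposed_by_breach(vault, breached_site):
    """Sites that accept the exact password leaked from breached_site."""
    leaked = fingerprint(vault[breached_site])
    return sorted(s for s, pw in vault.items() if fingerprint(pw) == leaked)

# Constructed sample data. Root and date come from the post's example;
# the site names and the @YT / @Bank tags are assumptions.
DATE, ROOT = "2023Q2", "P@$$W0rd$Rul3!"
REUSED = {site: ROOT for site in ("work", "video", "bank")}
PER_SITE = {
    "work": compose(DATE, ROOT, "@Work"),
    "video": compose(DATE, ROOT, "@YT"),
    "bank": compose(DATE, ROOT, "@Bank"),
}

if __name__ == "__main__":
    for name, vault in (("reused", REUSED), ("per-site", PER_SITE)):
        print(name, "reuse groups:", reuse_groups(vault))
        print(name, "exposed if 'video' leaks:", exposed_by_breach(vault, "video"))
```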

But, I do want to wrap this up because we're getting in deep at about 1,000 words already. Crazy how time flies, huh? Anyway... Passwords don't have to be some complicated thing that you dread creating. You can easily establish a system that works best for you, and that way you don't have to write down everything - or, if you do, write down the model for your passwords. No one will understand it at a glance like they would "GOOGLE PASSWORD TEEHEE". But, by doing this, you not only keep yourself more secure if someone were to crack your password across all of the websites you may access, but you also help keep your company a bit more secure too. And doesn't it sound nice to make your IT people not work as hard? :)

Thank you again for joining me on yet another Plumes' Cyber Cafe Chat. Of course, you're more than welcome to send any password related questions my way by leaving a comment below, and if this helped, maybe send this over to someone who'd appreciate a quick lesson on cybersecurity. And as always, I'll talk to you again very soon; until next time!

Monday, April 17, 2023

Welcome to Cyber Cafe Chats with Plumes! Today's Brew: USB Condoms and Zero Day Vulnerabilities aplenty!

Hello everyone!

It's your new favorite System Admin here with a few digestible updates on security vulnerabilities on things you care about; that's right, it's time for a new section:

Plumes' Cyber Cafe Chats

Now, you're probably wondering what my Cyber Cafe Chats are all about. Good question! Honestly, I'm still defining it, but it's essentially breaking down the complicated news of the world of Cybersecurity and more in an easy, digestible format that's best enjoyed with your favorite blends and a stellar vibe. So relax, get something warm to power through your Monday with, and let's chat.

Why do I keep hearing about "USB Condoms?"

If you've been watching the news lately, you've probably heard about "Juice Jacking" issues on the rise, but who would be stealing your precious Apple Juice? Well, it's not that different from your Grade School bully taking advantage of you, to be entirely honest. Just instead of something cool and delicious, it's your precious data or resources, which may or may not be more important to you. Personally, I prefer the white grape flavored profile data.

"Juice Jacking" refers to the practice in which malicious actors compromise a USB terminal, in this case the power terminals within coffee shops, airports, and other such public charging stations, to load malware onto your charging device. You see, your USB cable has two pairs of wires: one that handles power, and another that handles data; hackers use that data pair in order to install things like cryptominers, keyloggers, and sniffers alike to find what all you have on your device, and in some cases, extract it onto a store where they can access it later. There's no such thing as a free lunch, after all.

So, in order to protect yourself, you could get a USB Data Blocker such as the one linked, AKA a USB Condom. These specialized USB adapters have the data lines severed within them, and akin to their latex counterpart, block the flow of data from a potentially infected USB cord and hub from getting to your system.

That said, you can also employ the tried and true method of carrying your own charging equipment. If you use your own charging brick and USB to plug into one of these public charging stations, NOTHING can get across the AC/DC powerline to infect your machine. Or, if you're so on the go that sitting at a public charging station won't work for your busy lifestyle, a portable power bank such as the one listed here may suit all your needs. With some power banks even being able to charge multiple devices at once multiple times, you may find yourself even forgetting the brick and USB at home and not missing it whatsoever.

iOS Webkit Compromises, Android Vulnerabilities, and Chrome Memory Exploitations, OH MY

Now, before I wrap up our first Cyber Cafe Chat, I would like to bring your attention to a series of Zero Day Vulnerabilities that have been announced as of this past week, as well as asking the question: When is the last time you updated your device?

Zero Day Vulnerabilities, for those not in the know, are issues that were previously unknown to the provider and don't have a working fix yet; they've only been disclosed. Most of them receive patches that mitigate the damage, but until a fix is created and provided to the public, hackers can exploit users who don't keep their devices up to date, and just such a thing has happened in our mobile world. You see, recently a pair of zero-day vulnerabilities were discovered on the iOS devices listed below:

  • iPhone 8 and later,
  • iPad Pro (all models),
  • iPad Air 3rd generation and later,
  • iPad 5th generation and later,
  • iPad mini 5th generation and later,
  • and Macs running macOS Ventura.

These vulnerabilities are initiated by sending would-be victims text messages or emails with links that lead to a compromised website, in which either Chrome or WebKit vulnerabilities would be loaded based on the Operating System of the device. This vulnerability has already been patched out on Chrome as of October 2022, but has recently seen new life in the iOS sphere. That said, please take this opportunity to make sure your devices are up to date.

For iOS, that would be 16.4.1 – released on April 7th, 2023, while for macOS, that would be 13.3.1 also released on the 7th.

For Android, that would either be the March or April Update for Android 13, depending on your model. Google Pixel phones have yet to receive the April update, for example.
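A quick way to check a list of devices against the iOS and macOS releases named above, as an added example that is not part of the original post. The device names and installed versions are constructed sample data; "16.10" is not a real release and is there only to show why versions have to be compared as numbers and not as text.

```python
# Patched releases named in the post (both released April 7th, 2023).
MIN_PATCHED = {"iOS": "16.4.1", "macOS": "13.3.1"}

def parse_version(text):
    """'16.4.1' -> (16, 4, 1). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))

def needs_update(platform, installed):
    """True if installed is older than the patched release for platform."""
    want = parse_version(MIN_PATCHED[platform])  # KeyError if unknown platform
    have = parse_version(installed)
    # Pad so that '16.4' is compared as 16.4.0.
    width = max(len(have), len(want))
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want

def audit(inventory):
    """Return device names that are behind or could not be checked."""
    flagged = []
    for device, platform, version in inventory:
        try:
            if needs_update(platform, version):
                flagged.append(device)
        except (KeyError, ValueError):
            flagged.append(device)  # unknown platform or version: check by hand
    return flagged

# Constructed inventory: (device name, platform, installed version).
INVENTORY = [
    ("phone-a", "iOS", "16.4.1"),
    ("phone-b", "iOS", "16.4"),
    ("phone-c", "iOS", "16.10"),   # made-up version; as text it sorts below 16.4.1
    ("laptop-d", "macOS", "13.2.1"),
    ("laptop-e", "macOS", "13.3.1"),
    ("phone-f", "iOS", "unknown"),
]

if __name__ == "__main__":
    print("Update or check these:", audit(INVENTORY))
```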

Additionally, a new zero day vulnerability was discovered within Chrome’s JavaScript engine, in which a threat actor could trigger browser crashes by memory exploitation as well as arbitrarily running code on infected devices. While the main targets identified in the attack thus far are high-risk individuals like politicians, journalists and more, we can’t be too cautious considering the clientele we work with, and the risk spyware would have on our machines.

Google has recently released a patch to fix this issue however, so I’d like to ask that you take a few minutes to update Chrome. Shouldn't take you more than a few minutes, so feel free to use that time to get some caffeine in you; you know your boy is about to do the same after writing all this out.

Of course, if you have any questions or concerns, please feel free to let me know!

It's honestly been an absolute pleasure writing this up for everyone, and I hope that you'll be able to use some of the information provided to protect yourself and others. And, if you liked this and want more easily digestible cyber information, I'd appreciate the follow! Still new to this whole blogging thing, so feel free to let me know how I can make this better for you as well! Until next time everyone...

I'll see you in the stars soon~!
