Sophos Cloud Optix
Hackers from a left-wing group known as RedHack recently claimed to have got into three different email accounts belonging to Turkey’s Energy Minister, Berat Albayrak.
According to reports, that hack led to a huge data dump consisting of 17GB of email going all the way back to April 2000.
Apparently, the hack was greatly simplified by the fact that Albayrak used the same password for multiple accounts, making him a sitting duck for the keylogger that the attackers are said to have used.
A keylogger can, in theory, retrieve all of your passwords even if you carefully use a different one for each account.
But the job is much easier, and much more likely to succeed, if the attackers only need to compromise one account, which then turns into a sort of “skeleton key” for all the others.
What, no 2FA?
We’re assuming that as well as having just one password for everything important, Albayrak didn’t bother with two-factor authentication (2FA), also known as two-step verification, either.
Two-step verification is where you need to provide a one-time login code, usually sent via SMS or generated by a dedicated mobile app, as well as typing in your regular password.
Although 2FA doesn’t guarantee your online security, it does make password-stealing attacks much harder, and that’s why we regularly recommend turning the feature on whenever you can.
Ironically, Turkey seems to have responded by temporarily blocking access to various cloud-based storage services last weekend, including Dropbox, Microsoft OneDrive and Google Drive.
What to do?
This ongoing incident is a good reminder of how much is at stake when you’re careless about access control, especially when you keep large amounts of data online.
Our advice is:
- Consider using a password manager. That way you’ll get a fresh password for each account, and you won’t be tempted to make them the same (or even similar) for fear of forgetting them.
- Pick proper passwords. You’ll need a really good password for your password manager, even if you use it to store all your online passwords, so you still need to know how to choose wisely.
- Turn on 2FA wherever you can. It’s not a silver bullet, but it does make a cybercrook’s job harder, because he can’t just use a keylogger today to steal your account password and then keep logging in whenever he feels like it,
- Make regular backups and keep them off-line. This protects you against all sorts of unavailability problems, including ransomware, loss or theft of your laptop, and outages in your usual cloud services.
2FA?
Laptop computers are _portable_. You can take them into a steel-framed building with no cellular reception. You can take them on a cruise with no cellular reception. You could even take them into a coal mine with no cellular reception.
And once you are there, there’s no way to log in and reset your profile and turn 2FA off. Once you’ve done this (fortunately I haven’t) by forgetting to disable 2FA before you go to that no-cellular destination, you’ll be tempted to leave it off so you’re not isolated again.
These kludges are not a consumer-friendly solution to server security, just an excuse for it.
Seriously, you’d go on a cruise (or down a coal mine) without realising in advance that was going to happen?
Larry M does have a point though. It only takes one incident. Maybe you left your phone at home. Maybe the battery ran out and you can’t charge via USB. These are much simpler scenarios where you’re stuck. You end up locked out of your stuff. Many people would probably then turn 2FA off, believing it to not be worth the hassle.
Security vs. convenience. E.g. Lisa’s article from Oct 7th. As soon as security gets in the way, most people are going to turn it off and ignore it. That’s why password reuse and sharing still comes into play. Quite simply, it’s easier.
Actually, most 2FA services let you generate a small stash of emergency codes that you can encrypt separately and store for just those cases.
Unfortunately for security, your argument is merely an excuse. We’re urging you to *adopt* 2FA as part of your digital lifestyle, which means accepting the unlikely risk that you might go down a coalmine without warning, suddenly want to browse the internet (so use app-based 2FA and not SMS-based, then!), and be unable to do so. You can always find reasons not to take security more seriously, in the same way that you can always come up with reasons not to wear a seat belt (what if the car catches fire and I am panicking to get out?), or not to wear a bicycle helmet (it might get sweaty) or not to install smoke alarms in your home (I might forget to change the battery and that will give a false sense of security).
I would probably known about the cruse or mine visit in advance, (Though depending on my job, I might not get much warning – An industrial safety inspector perhaps), but all of us have taken road trips, and discovered that our destination has zero mobile phone reception, the hotel has no WiFi or suchlike.
If there’s no mobile phone reception and no Wi-Fi then methinks you aren’t going to be doing any network logins…
…and even if you were, you don’t need a network or GSM connection to use TOTP-style (app-based) 2FA. And even if you did, most 2FA services provide emergency login codes, though, like backup, you need to organise them before you need them.
Speaking personally, I’ve had more failures of the “A” key on my keyboard than I’ve had unexpected ocean cruises (or trips down coal mines during which I have wanted to login to a cloud service). On those grounds, it sounds as though I ought to avoid all passwords with “A” in them, just in case I can’t type them in when needed.
And I’ve forgotten regular passwords more frequently than I’ve had a mobile phone service outage, or not had any power for my mobile phone, at least in the last five years. I suppose I have been fortunate to live in countries where mobile phones are such a huge and lucrative business that the operators take scrupulous commercial care to avoid periods during which you can’t send messages or make calls…and I seem to have a knack for finding handy power outlets in unxepected locations. (Hint: make friends with the cleaning staff.)
if people were honest, there would be no need for secrets/passwords/2fa. never mind,,,,
Wha.. they just logged in using a keylogger? rookie mistake. :p what’s worse was that all the credentials were pretty much the same. No 2fa was just the cherry on top really. I was about to say 2fa, strong password, even stronger recovery methods, a decent vpn like ivacy for an aded layer of protection and most importantly, data backup in case all hope starts to feel lost… but oh well.