January 17, 2023

2023 Resolutions for Script Kiddies

Written by TrustedSec

Introduction

2022 was a tough year. It seemed like no one was safe. Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, Okta, Uber—and those were just some of Lapsus$’s breaches. What’s a Script Kiddie to do to be better protected in 2023?

Another year is in the books, and it was another big year for cybersecurity. While 2022 did not have large-scale attacks like SolarWinds or Log4j of the previous years, cyberattacks were definitely not slowing down. Even as defenses and awareness continued to grow, incidents and breaches continued to plague businesses and individuals alike. No one was safe, not even our cryptocurrency or password managers (looking at you, Crypto.com and LastPass). So, what can you do to protect yourself besides just unplugging and moving off-grid? Well, here are a few resolutions to make for 2023 to improve your security online.

Turn on MFA

So, the LastPass hack was a thing? What do I do now? Just go back to using 12345 for all my passwords, because why not?

Passwords have been a weak point for years. First, it was easy-to-guess passwords, and then it was password reuse. If only we could have long, random passwords that were different for every website and service. The solution to all our problems: password managers. Now, we can create unique passwords for all our websites, and all we need to remember is one master password to unlock our password vault.

Well, it was the solution until it wasn’t. What happens when a hacker gets access to your vault and only needs to crack one password to get access to all the keys to your kingdom? Or, what happens when the attacker gets access to your browser’s memory and can then scrape all the stored passwords? As one of our TrustedSec researchers demonstrated, what happens is that your long, unique passwords are useless.

So passwords, even if you’re using a password manager, are practically dead—use multifactor authentication. You probably already use it for your financial accounts, but you should really start enabling multifactor authentication for all your important accounts. Most websites and services support multifactor authentication whether you are using SMS messages, an app, or a hardware token. MFA is not bulletproof, as some recent attacks have demonstrated, but it definitely raises the bar and makes you a much harder target.

Don’t Rely on Being Alt.

I don’t need to worry about hacks because I run macOS. Prove me wrong.

There was a time when only the cool kids were running macOS or Linux or name-your-alternative to the big name on the block: Microsoft. Since the majority of people were using Microsoft, it became the target du jour for almost all hackers. Now, Microsoft vulnerabilities haven’t gone away, but Microsoft is becoming a much harder target, so hackers have been turning to lower-hanging fruit like macOS, ChromeOS, and other open-source software that hasn’t faced the same scrutiny over the years. Microsoft is not the only target anymore, which means the cool alternatives are no longer safe.

The shift to open-source vulnerabilities was evident with the log4j attack and has only grown. One of the drawbacks to open-source software is that it may require multiple vendors to patch the vulnerabilities, and many IoT devices run open-source software, making them an attractive attack surface. And macOS is also no longer safe. The increase in macOS vulnerabilities and inclusion of macOS payloads in cross-platform attack frameworks demonstrate that there is no more hiding. Cross-platform frameworks that make use of languages like Go and Rust open up more systems to malware authors.

The moral of the story is, “Don’t just rely on security through obscurity.” Your niche, alternative environment is no longer being ignored by hackers. You need to stay current with software updates and patch, patch, patch.

Be Afraid of AI

Won’t technology save us? I keep hearing that security is getting better. Machine learning is the way of the future. And, our benevolent AI overlords are almost here.

It may seem like technology is the solution and artificial intelligence will save us. After all, machine learning can identify and stop some novel attacks, and it’s only getting better (or more annoying, depending on where you sit). However, AI is not a panacea for all our problems. AI is a tool, and as such, it can be used for good or evil.

Players are gonna play; scammers are gonna scam; and phishers are gonna phish. Black hats are always looking to take advantage of new technology, just like the white hats, and AI is no exception. The world has now been exposed to the joys of ChatGPT and the endless, humorous bedtime stories it can generate for your little ones (trust me, and try it). But the awesomeness of ChatGPT can be used for nefarious purposes. Professors are already worried about plagiarism, if you can call it that. Maybe writers and journalists should be worried about job security. Heck, maybe even Google should be worried about its search dominance. But, even if it doesn’t know everything and can’t write an A+ paper yet, everyone should be worried about how good and convincing ChatGPT can sound. Now spammers and phishers can use ChatGPT to make everything sound more convincing and less like a Nigerian Prince trying to move his money out of the country.

The resolution here is to be even more discerning. Deepfakes and AI are making it harder and harder to tell truth from fiction, so don’t believe everything you read or see. Verify, verify, verify. Use trusted sources. Go to websites directly. Please don’t send money to any smooth-talking princes.

Trust No One

So, what you’re saying is that 2023 is going to be scary. Who can I trust?

With the rise of attacks and deceptive practices, it may seem like you can’t trust anyone. Those credentials could be compromised. That reliable software could be the source of the next vulnerability. And that seemingly legitimate email could be a fake. So, it might seem like you can’t trust anyone, and that is correct. You should not trust anyone.

Zero Trust is not just a buzzword anymore. It’s time to drop the concept of a secure network with perimeters and focus on users, resources, and privileges. This means less dependency on VPNs and firewalls and more reliance on the principle of least privilege. You should no longer implicitly trust someone or something based on where it is in the physical world or cyberspace. This is a result of moving to remote work, the cloud, and other managed enterprise environments.

Zero Trust is hard to implement on a personal level, but you can try to learn from the concept. Limit access to resources, even if it seems like it’s from a trusted source, like your home network. Verify the identity of phone calls, texts, and emails. Run as a limited user during your day-to-day surfing of the web. In general, do not put your eggs in one basket and leave the basket on your front porch because you think no one else can get to it. (I might be mixing or creating metaphors, but you get the point.)

Conclusion

Thanks for the tips. Hopefully, I can make and actually stick to some resolutions this year. And maybe 2023 will be a little safer and more secure for all.

The world can be a scary place and the future uncertain, but with these resolutions, hopefully you can help protect yourself and provide a little sense of security. Cyberattacks will not stop. The eternal war between white hats and black hats will continue to be waged in 2023, but hopefully, you can avoid being collateral damage. Just keep these thoughts in mind, and remember, only you can prevent forest fires… and identity theft, and ransomware, and scams, and… A Script Kiddie’s data is a horrible thing to lose, so try to protect yourself and, if you can, someone else, too—and remember to always check your return values.
