2022 December Cybersecurity Newsletter
In this issue:
- LastPass Users: It's Time to Look for Another Password Manager
- Savvy Cybersecurity quick links
- Cybersecurity shorts
- Software updates
Dear Clients and Friends,
Welcome to your December Savvy Cybersecurity newsletter. Read on to learn more about:
- What you need to know about your password manager
- Equifax settlement phishing schemes
- And more
LastPass Users: It's Time to Look for Another Password Manager
One of our Savvy Cybersecurity principles is protecting our online accounts with strong and unique passwords. Given the number of online accounts we have, using a password manager to store our passwords makes sense. A password manager is a secure vault that encrypts and stores your passwords. The password manager is protected with a master password. Once you unlock the vault with your master password, you can access the password for any of your accounts. With this method, you only need to remember one password—your master password.
We've recommended a number of password managers in the past, and while we still recommend using a password manager, we must rescind our recommendation of LastPass. On November 30, the company suffered a data breach that exposed users' password vaults. At this time, LastPass has not released how many users are affected by this breach.
What should LastPass users do?
If you currently use LastPass as a password manager, you should switch to a different provider. Dashlane and 1Password are two alternatives. While we typically recommend using a paid password manager for the added features, a reputable free option is Bitwarden.
In addition to switching password managers, LastPass users must also change all of their passwords that were stored in the vault. Your new password manager should be able to create strong, unique passwords for you to use.
If you haven't already, you must also enable two-factor authentication where possible on accounts that were stored in your LastPass vault. Two-factor authentication adds an extra layer of security—a one-time code—in addition to your password. If your password is exposed, a hacker would still need the code to be able to access your account. Two-factor authentication must be enabled on your email and financial accounts. We recommend it for all accounts that allow the technology.
Don't let this breach deter you from using a password manager. These tools use the highest level of encryption to protect your passwords and are still the best way to ensure you are using strong and unique passwords for all of your accounts.
We will be removing our recommendation of LastPass from all of our Savvy Cybersecurity materials.
Cybersecurity shorts
Equifax breach settlement payouts start being sent out. Those affected by the massive 2017 Equifax data breach have begun receiving their payout funds via email. However, some individuals were concerned that the payout email was a phishing scheme. Security expert Brian Krebs lays out what the legitimate offer looks like here. However, he also warns that phishing schemes impersonating the payout email are likely on the horizon.
ChatGPT demonstrates how AI may write malware in the future. The AI chatbot released by OpenAI has been used by Internet users to write jokes, a play, or solve math equations. One security researcher put ChatGPT to the test and asked it to write malicious code. While the chatbot did not completely succeed, the code was almost perfect, demonstrating how close AI is to creating malware in seconds.
Apple announces new cybersecurity measures. In recent weeks, Apple has announced several new security features that have been designed to better protect its users from an array of emerging threats. They revealed three new features: iMessage Contact Key Verification, Security Keys for Apple ID, and Advanced Data Protection for iCloud. Advanced Data Protection for iCloud will be available to all US-based users by the end of the year, and iMessage Contact Key Verification and Security Keys for Apple ID will be available globally in 2023.
The 2023 National Defense Authorization Act's impact on cybersecurity. The House and Senate have passed an $858 billion annual defense policy bill that contains significant spending increases for US Cyber Command and other efforts to bolster national cybersecurity defenses. This bill also creates an assistant secretary of cyber policy at the Department of Defense and directs the DOD secretary to brief lawmakers annually on how both the Cyber Command and the National Security Agency collaborate. You can read more on this bill here.
Log4j: 1 year later. It has been one year since the disclosure of a critical vulnerability in the Apache Log4j utility, a part of the nation's software supply chain. This vulnerability, known as Log4Shell, allowed unauthenticated and untrained threat actors to gain control over applications using a single line of code. Even a year later, the software remains under considerable threat as authorities and the information security community struggle to transform how they develop, maintain, and consume applications in a secure fashion.
Russian-Ukrainian war remained top of mind for cybersecurity throughout 2022. Russia's war against Ukraine and the worries about possible cyberattacks against the country's allies dominated cybersecurity news throughout the entirety of 2022. While many professionals were worried and attempted to be prepared in case Russia lashed out at Ukraine's allies, like the US, it hasn't happened yet. However, that is not to say that cyberattacks haven't been deployed. A Russian-launched data-wiping malware crippled the Ukrainian military's ability to communicate during the first few days of the invasion.
7 cybersecurity trends to watch for in 2023. While 2022 started with a technology employment boom, it is ending with many tech companies laying employees off and halting the hiring process. However, the cybersecurity industry is showing immunity to these trends. By the end of the year, some reports put the number of open cybersecurity positions at 700,000 in the US alone. As the year comes to an end and the New Year starts, cybersecurity experts and industry watchers are keeping an eye on several trends that have the potential to affect how they approach their jobs and career aspirations over the next year. Here are 7 cybersecurity trends that you should watch out for in 2023.
Software updates
Apple: Apple users should update their devices immediately to protect against a zero-day vulnerability. Updates have been released for iOS, iPadOS, macOS, tvOS, and Safari. Your device should prompt you to update automatically. You can learn more about the update here.
Microsoft: Nearly 50 security issues are closed in this month's Microsoft update, one of which is considered a zero-day vulnerability. The updates impact Microsoft Edge, Office, and other programs. You can learn more about the updates here.