Why Passwords Are Dangerous
Today about half of computer breaches stem from unauthorized access to cloud-based email and collaboration accounts.[1]
Still, people are careless with passwords. Passwords get stolen in breaches. Sometimes we don’t change them (even after a known breach). Sometimes we reuse them. Sometimes they are ridiculously simple (“password” is still a very popular password [the second most popular in 2024]). Sometimes we think data theft happens to someone else. Our reaction to voice-faking, though, may give a clue to the real reason for our password carelessness.
The Many Ways
Before you can talk about password dangers, you first have to understand the ways passwords are lost or stolen:
Physical Theft
Someone walks by a desk that has jotted-down passwords in a notebook or a folder or just lying around. The criminal surreptitiously snaps a photo.
A Data Breach at a Vendor
Think here mostly of Software-as-a-Service (SaaS) accounts, the online work tools. The value of a large breach such as the Mother of All Breaches (MOAB) is that organized criminals and small-time criminals alike will buy these lists and try the username/password combinations until they get into a desired account. Their main purpose in getting into an account is financial gain, per Verizon research. You might be tempted to think ‘what’s the real harm in getting into an employee’s Canva account (there was a 2020 breach)?’ The answer …
People Reuse Passwords
This remains common. And if not identical reuse, then minor tweaks like adding a number or replacing a 4 with an h, for example. Software programs are written to quickly try hundreds of these kinds of transformations. But password reuse itself is a huge problem because, as a recent Forbes-commissioned study shows, 32% of people reuse passwords, and 14% use the same password on personal and work accounts. So access to Canva also means access to Bank of America or Amazon, or even to the computer that holds a file with all the passwords (which 24% of people keep [same Forbes study]).
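The paragraph above says that cracking tools try hundreds of small transformations (a trailing number, a letter swapped for a symbol) and that a “new” password built this way is really a reused one. The defender’s counterpart is a password-change check that normalizes away exactly those tweaks before comparing a proposed password against the user’s previous passwords and a breach list. The following is an added example, not code from the original post or from Bryley; the leet-substitution table, the edit-distance threshold and the small breached-password list are assumptions made for illustration.

```python
import re
from typing import Iterable, Optional

# Common letter-for-symbol swaps seen in password variants.
# This table is an illustrative assumption, not an exhaustive list.
LEET = str.maketrans({
    "4": "a", "@": "a", "0": "o", "1": "l", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Reduce a password to its core so trivial variants compare equal.

    Lower-case it, strip the leading/trailing digits and punctuation people
    bolt on ("Summer2024!" -> "summer"), then undo leet substitutions
    ("p@ssw0rd" -> "password").  A password made only of digits and
    punctuation has no core, so it is returned lower-cased and unchanged.
    """
    lowered = password.strip().lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered)
    if not core:
        return lowered
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_reused_base(candidate: str, known_passwords: Iterable[str],
                     max_distance: int = 1) -> Optional[str]:
    """Return the known password that `candidate` is a trivial variant of, or None.

    `known_passwords` would normally be the user's password history plus a
    breach list.  A match is an identical normalized core, or one within
    `max_distance` character edits of it (the threshold is an assumption).
    """
    cand = normalize(candidate)
    for known in known_passwords:
        base = normalize(known)
        if cand == base or edit_distance(cand, base) <= max_distance:
            return known
    return None


if __name__ == "__main__":
    # Constructed sample of previously used / breached passwords (not real data).
    BREACHED = ["password", "Summer2023", "letmein"]
    for attempt in ["P@ssw0rd2025!", "summer2024", "L3tM3In!", "correct horse battery"]:
        hit = find_reused_base(attempt, BREACHED)
        verdict = f"rejected, variant of {hit!r}" if hit else "accepted"
        print(f"{attempt!r}: {verdict}")
```

The normalizer is deliberately crude: it only has to catch the cheap transformations a wordlist tool applies first, which is what a password-history rule is for. It is a complement to, not a replacement for, checking the candidate against a full breach corpus.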
What Do Criminals Do with Passwords?
According to Bryley partner Barracuda, “threat actors [use] credentials to gain access to systems or take over accounts … once the threat actor has gained access to a system, he usually begins network reconnaissance, privilege escalation, data exfiltration … depending on the threat actor and the victim, the next step could be the start of a ransomware attack or the establishment of an advanced persistent threat (APT).”[3] Barracuda has said a mouthful, so let’s unpack these:
Network Reconnaissance
In this stage the threat actor gathers information about a target before launching the attack. They are trying to identify weak points in an organization’s defenses so they can tailor their attack strategy and increase the likelihood of success.
They will try to:
- identify other systems and resources accessible from the compromised account
- look for financial information, intellectual property, personal data, etc.
- gain access to accounts with higher privileges to expand their control
Privilege Escalation
The threat actor tries to gain administrative rights on a system. By modifying identity permissions to grant themselves increased rights and admin capabilities, attackers can conduct malicious activities, potentially resulting in significant damage.
They can try to escape the limits of a lower-privileged account by:
- social engineering – for example, they may have access to an employee’s email account; using that trusted address they can ask for other access or credentials
- exploiting known vulnerabilities in the software they encounter, a similar approach to that of a supply-chain attack, discussed above
- installing malicious software that in some cases can grant elevated privileges or bypass privilege checks
- looking for misconfigurations in settings or software installations that can be exploited to elevate privileges
Data Exfiltration
AKA stealing your info. Depending on the amount of data an employee account can access, there are several different ways of capturing the data, including:
- copying and pasting, for example, credit card numbers or social security numbers; this works perfectly well for relatively small amounts of data
- emailing it to a criminal-controlled account from the employee’s compromised account, which can evade detection because the mail comes from a legitimate user
- malware configured to identify and download the information the criminal is after
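The second bullet above, sending data out through the compromised employee’s own mailbox, evades controls that look for unknown senders, so the detection has to look at the mailbox’s behaviour instead: a new auto-forward rule pointing outside the company, or an unusual volume of outbound mail to one external domain in a short window. The following is an added example of that logic, not code from the original post or from Barracuda; the CSV audit-log layout, the company domain, the 10-minute window, the 50 MB threshold and the log lines themselves are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
from typing import Dict, List, Tuple

# Assumption: the organisation's own mail domains.
CORP_DOMAINS = {"example.com"}

# Constructed sample of a mailbox audit log (not real data).
# Columns: timestamp, user, event, recipient, bytes
SAMPLE_LOG = """\
timestamp,user,event,recipient,bytes
2024-05-16T09:02:11,alice@example.com,send,bob@example.com,12000
2024-05-16T09:05:40,alice@example.com,send,vendor@partner.example,450000
2024-05-16T23:11:02,dave@example.com,forward_rule_created,dave.backup@mail.example.net,0
2024-05-16T23:12:15,dave@example.com,send,dave.backup@mail.example.net,18000000
2024-05-16T23:13:01,dave@example.com,send,dave.backup@mail.example.net,21000000
2024-05-16T23:14:30,dave@example.com,send,dave.backup@mail.example.net,19500000
2024-05-17T10:00:00,carol@example.com,send,carol@example.com,300
"""


def parse_log(text: str) -> List[dict]:
    """Parse the CSV audit log into dicts with typed timestamp and byte count."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "timestamp": datetime.fromisoformat(row["timestamp"]),
            "user": row["user"].lower(),
            "event": row["event"],
            "recipient": row["recipient"].lower(),
            "bytes": int(row["bytes"]),
        })
    return rows


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_external(address: str) -> bool:
    return domain_of(address) not in CORP_DOMAINS


def find_external_forward_rules(events: List[dict]) -> List[Tuple[str, str]]:
    """Any auto-forward rule whose target is outside the company is an alert."""
    return sorted((e["user"], e["recipient"]) for e in events
                  if e["event"] == "forward_rule_created" and is_external(e["recipient"]))


def find_bulk_external_sends(events: List[dict],
                             window: timedelta = timedelta(minutes=10),
                             min_bytes: int = 50_000_000) -> List[Tuple[str, str, int]]:
    """Flag (user, external domain) pairs whose sent bytes within any sliding
    `window` reach `min_bytes`.  Returns the peak window total for each alert."""
    per_key = defaultdict(list)
    for e in events:
        if e["event"] == "send" and is_external(e["recipient"]):
            per_key[(e["user"], domain_of(e["recipient"]))].append((e["timestamp"], e["bytes"]))
    alerts = []
    for (user, domain), sends in per_key.items():
        sends.sort()
        start, running, peak = 0, 0, 0
        for ts, size in sends:
            running += size
            # Slide the window start forward until every send inside it is recent enough.
            while ts - sends[start][0] > window:
                running -= sends[start][1]
                start += 1
            peak = max(peak, running)
        if peak >= min_bytes:
            alerts.append((user, domain, peak))
    return sorted(alerts)


def detect(log_text: str) -> Dict[str, list]:
    events = parse_log(log_text)
    return {
        "forward_rules": find_external_forward_rules(events),
        "bulk_sends": find_bulk_external_sends(events),
    }


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for hit in hits:
            print(f"ALERT {kind}: {hit}")
```

In the constructed log, Alice’s single 450 KB message to a partner stays below the threshold, while Dave’s account is flagged twice: once for the forwarding rule to an outside mailbox, and once for 58.5 MB sent to that domain inside four minutes. Real mailbox audit logs carry more fields, but the two signals shown here are the ones worth alerting on first.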
Ransomware
Ransomware is a malware program that encrypts your data and holds it until money is paid, and then – if the crooks are honorable – you get a decryption key and your data back. Ransomware is most effective once a criminal has escalated privileges and can take down more of your systems.
Ransomware is now frequently extortionware, where unless the money is paid, the data is publicly released. This is at least embarrassing, but may be extremely costly, with lawsuits from the exposure of data you were supposed to protect.
Advanced Persistent Threat (APT)
As the name suggests, these attacks rely on software installed on a victim’s network that automates many of the actions above over an extended period, spreading the activity out to reduce suspicion that anything abnormal is going on.
Why We Tend to Underplay the Risks of Poor Passwords
John Siracusa gave a helpful analogy about our strong reaction to being taken in by a deepfaked voice compared to our poor appreciation of the risks to password-protected data: we tend to worry about devices talking to us and listening to us, because that’s how we naturally behave – with our ears and mouths. But we tend to shrug at password breaches and end up being reckless about passwords, because handling credential pairs isn’t something human beings naturally do.
But given the vulnerability of passwords and how much we protect with them, it’s good to keep this line of defense shored up – as we’ll look at next in How to Protect Your Passwords.
[1] verizon.com/dbir
[2] The Boston Globe Magazine ran a story about a reporter who had a debit card number stolen (in her case, probably from the physical card) – and in trying to get justice, uncovered a web of pawns operating in the service of organized crime.
[3] blog.barracuda.com/2024/05/16/5-Ways-cybercriminals-access-credential-theft