Security Awareness – One Password To Rule ‘em All

This is part 2 of our look into the life of Frik and his daughter Marietjie. (Catch part 1 here)

During August 2018, Frik’s plumbing business went through a bit of a slump. Business was slow, the clients he had were increasingly difficult and drains didn’t clog as they used to.

In order to unclog Frik’s business (pardon the pun), Marietjie had an idea: “Why not up your social media presence?”

At this stage, Marietjie was the family social media expert: dishing out advice on creating WhatsApp stories, doing live video streaming via Facebook and even helping Gran with applying Snapchat stickers. Frik decided to give it a shot; after all, nothing to lose, right? Facebook, Instagram, Snapchat, WhatsApp, YouTube, you name it and Plumber Frik had a profile. Marietjie also convinced him to change his online profiles from ‘Plumber Frik’ to ‘Plombier Frik’.

“It will appeal to a more sophisticated clientele,” she said.

Pretty soon Plombier Frik was the most followed plumber on social media in all of the East Rand: doing live Facebook broadcasts while unclogging shower traps, creating how-to videos on setting your geyser thermostat and Instagramming before-and-after photos when replacing burst galvanized pipes. However, keeping track of all his social media profiles was a bit of a mission. Luckily, he had developed a nifty approach…

One password to rule them all, One password to find them, One password to bring them all, and in the darkness bind them.

Ok, to be honest, Frik has only watched the first half of the first LOTR movie (never mind having read the books). So this quote is a bit out of place for Frik, but please, humor me:

One fateful evening, Frik went through his list of social media accounts. One by one he changed each password to GeeVirFriknDruk007. (The equivalent of “Give Frik a Hug 007” for our English-speaking listeners.) Each account Frik changed was like a step closer to Mordor. The password started to burn him; he just had to use it again. And again. And again. By 1:30am that evening, Frik had changed everything, including his Gmail account password, to GeeVirFriknDruk007.

“Lekker man, lekker” Frik said to himself.

As Frik’s social media following increased, so did the fan mail. Ladies from Prieska to Pretoria were sending him email, asking about his thick Afrikaans accent, where he grew up, what size wrench was his favorite and every now and again the odd question about re-enamelling old baths.

The fan mail started to take up a lot of Frik’s free time, but he wasn’t going to disappoint his newly acquired fan base. He still remembers the rejection he felt as a young man in 1996 when Neil Tovey didn’t respond to the letter he wrote him after Bafana Bafana’s African Cup of Nations victory. No, he would respond to each and every email. After a while, Frik established a nice rhythm. Monday to Thursday nights after dinner, he would settle into his favourite lazy chair in the living room, put on some sweet tunes from Albert Frost and respond.

Late one evening, just as Frik was wrapping up his last few fan mail responses, he received an email:

“Dear Frik,

We are importers of only the highest quality copper pipe bends.

For your perusal, we’ve attached our latest price list to this email.

Looking forward to doing business with you.

Kind regards,

Mr G Ollum.”

“Ah, this should be interesting,” Frik thought to himself. “I wonder if they’ll beat the prices of Frodo’s Plumbing Supplies around the corner?”

The email had a single attachment: ‘Price List.html’.

Clicking on the attachment opened Internet Explorer. Next, a Google Docs page loaded.

“Marietjie!” Frik yelled.

“Ja dad, what’s wrong?” she replied.

“What’s Google Docs?”

“It’s a thing from Google where you can create and edit documents in the cloud. Why?”

“A supplier sent me a price list on Google Docs. Is it safe?”

“Yes, don’t worry.”

“Ok, it’s asking me to log in or register.”

“Just use your Gmail account to log in.”

After Frik enters his Gmail username and password, the page seems to load, but only comes back to a Gmail login page.

Frik tries again, this time the page loads and redirects back to Google.

“Marietjie, it’s not working!”

“Ok dad, can I check tomorrow?”

“Ja, ok.” Frik closes his laptop and stands up from his lazy chair. As the closing theme of tonight’s NCIS: Los Angeles episode plays in the background, he meanders off to bed.

The next morning, just before the crack of dawn, a strange thing started to happen. While Frik was happily snoring away, his social media accounts underwent an evolution of sorts.

Instead of being all about plumbing, they were now showing pictures advertising Ray-Ban sunglasses at 90% discount!

“Amazing!” Frik thought to himself later in the day as he stared at a pair of Ray-Ban Aviators for only R199 shown on his Instagram page. There was one issue, however: Frik could not log in to any of his accounts anymore. Nothing wanted to work: Facebook, Instagram, Pinterest and Twitter. That’s odd, he thought. Oh well, let’s reset the passwords for the lot.

As he went through the “Forgot my Password” option on each website, he waited with great anticipation for the familiar “ding” his phone makes when a new email arrives. However, this time Frik was only met with deafening silence. As he opened his Gmail app on his phone, he was greeted with a login screen. “Odd,” he thought. Entering his username and password, however, changed “Odd” to “Oh no”. Now he could not log into his email either.

What happened?

Frik got phished. Properly phished. The email that he thought he received from a supplier was in fact a phishing email: an email from an attacker pretending to be a supplier. This message was specially crafted to convince Frik to open the attached Price List.html file. Once opened, it loaded a fake Google Docs page instead of an actual price list. This was just a ruse to trick him into entering his Google username and password. Once entered, his username and password were sent to the attacker without him realising it. The repeated login prompts that “weren’t working” were the tell: the fake page had no way to actually sign him in, so it simply bounced him back to a real Google login once it had captured what it wanted.

After a careful study of his email communications, the attacker was able to get access to his social media accounts. “How?” you might ask. Well, in this case they only had to use his email address and password, of course! Frik had the same username and password for each account: basically the same key for every lock he had. As such, stealing one key provided access to all the locks. Worse, since the attacker also controlled his mailbox, the password reset emails for every other account landed in their hands rather than his.

Enter Two Factor Authentication (2FA)

Phishing is a problem, yes. However, two factor authentication (2FA) may have prevented this. 2FA is the tech that uses two ways of authenticating you when you sign on: something you know (your password) and something you have (your phone). Typically, this translates to you using a username and password combination to log in, as well as entering an additional passcode sent to, or generated on, your mobile phone.

Had this been enabled, the attacker wouldn’t have had the ability to log in to any of Frik’s accounts, even though they had his user name and password. This is because the 2FA passcodes would have been sent to his mobile phone, leaving the attacker high and dry.
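The two points above, that one reused password is one key for every lock and that a second factor on the phone makes the stolen password alone useless, are easier to see in working code. The block below is an added illustration and is not code from the original post. It assumes a toy account store for three separate services, uses TOTP (RFC 6238, the time-based codes an authenticator app generates) as the second factor since that is the same idea as an SMS code with a different delivery channel, and the password value is constructed from the story. The `frik_scenario` and `hardened_scenario` functions, the site names and the account layout are all my own.

```python
import hashlib
import hmac
import secrets
import struct

# ---- TOTP (RFC 6238) built on HOTP (RFC 4226): HMAC-SHA1, 30-second step ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a given counter value (dynamic truncation per RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Code the phone shows at Unix time `now`."""
    return hotp(secret, now // step, digits)

def verify_totp(secret: bytes, code, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift.
    Comparison is constant-time so the check does not leak which digits matched."""
    if not isinstance(code, str) or not code.isdigit() or len(code) != digits:
        return False
    for drift in range(-window, window + 1):
        expected = hotp(secret, now // step + drift, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False

# ---- a toy account store: salted PBKDF2 password hash plus optional TOTP secret ----
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str, two_factor: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": secrets.token_bytes(20) if two_factor else None}

def login(account: dict, password: str, code, now: int) -> str:
    """Returns 'ok', 'bad password' or 'second factor required'."""
    if not hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"]):
        return "bad password"
    if account["totp_secret"] is not None:
        if code is None or not verify_totp(account["totp_secret"], code, now):
            return "second factor required"
    return "ok"

SITES = ("gmail", "facebook", "instagram")  # constructed service names

def frik_scenario(now: int = 1_700_000_000) -> dict:
    """Frik's setup: one password everywhere, no 2FA.
    The password phished from the fake Google Docs page opens every account."""
    pw = "GeeVirFriknDruk007"  # constructed from the story
    accounts = {s: make_account(pw, two_factor=False) for s in SITES}
    phished_password = pw
    return {s: login(acct, phished_password, None, now) for s, acct in accounts.items()}

def hardened_scenario(now: int = 1_700_000_000) -> dict:
    """Password manager plus 2FA: a unique generated password per site and a TOTP secret.
    The phished Gmail password alone opens nothing; the owner, phone in hand, still gets in."""
    passwords = {s: secrets.token_urlsafe(16) for s in SITES}   # what a manager generates
    accounts = {s: make_account(passwords[s], two_factor=True) for s in SITES}
    phished_password = passwords["gmail"]
    results = {s: login(acct, phished_password, None, now) for s, acct in accounts.items()}
    owner_code = totp(accounts["gmail"]["totp_secret"], now)
    results["gmail (owner with phone)"] = login(accounts["gmail"], passwords["gmail"], owner_code, now)
    return results

if __name__ == "__main__":
    print("Frik's setup:   ", frik_scenario())
    print("Hardened setup: ", hardened_scenario())
```

Two things the toy store leaves out that a real service needs: it should refuse to accept the same TOTP code twice (remember the last counter that succeeded), and it should rate-limit code attempts, since a six-digit code has only a million possibilities. Note also that a phishing page which relays the victim's code to the real site within the 30-second window can still get through, which is why phishing-resistant second factors such as hardware security keys are preferred where a platform offers them; even so, a plain code would have stopped the attack described in this post, where the attacker only logged in later with the captured password.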

“But how do I enable this magic?” I hear you ask. Below is a list of common platforms with their how-to guides on enabling 2FA:

And lastly, password reuse is bad. Don’t do it, just don’t. Use a password manager that allows you to securely store passwords for your accounts. This will enable you to generate secure, unique passwords for each place you log on, so that a password stolen from one site opens nothing else. A good free one you can have a look at is LastPass.
