Transcript
Jim Love (0:04)
Well, it's here. This is our final daily news show of the season. We have a weekend show with our cybersecurity panel doing a wrap-up of some of the key stories and issues from this year. And I'll be back with you Monday, January 6th with the Daily News. And over the holidays we'll have some special content for you which we hope you like. Now, as I always say, back to our regularly scheduled programming.

Millions stolen in crypto wallets linked to a 2022 LastPass hack, TP-Link routers face possible US ban over national security concerns, and Microsoft pushes for a passwordless future with passkeys. Welcome to Cybersecurity Today. I'm your host, Jim Love. Let's get into it.

The fallout from the 2022 LastPass breach is far from over, with millions of dollars in cryptocurrency stolen from victims' wallets. This week, blockchain analyst ZachXBT reported an additional $5.36 million stolen from 40 crypto wallets. These thefts, he claims, are the latest in a string of attacks tied to the massive LastPass breach. The original breach allowed attackers to access both encrypted and unencrypted data, including API tokens, multifactor authentication seeds, and encrypted password vaults. While vaults were protected, weak or reused master passwords could be brute-forced, potentially exposing sensitive information like cryptocurrency seed phrases. And this isn't an isolated incident. In October 2023, $4.4 million was stolen, followed by 6.2 million in February 2024. Overall, over $35 million was reportedly taken from 150 victims linked to the breach. ZachXBT warns, "If you believe you've stored your seed phrase or keys in LastPass, migrate your crypto assets immediately." Security experts continue to stress the importance of unique, strong passwords and recommend biometric authentication tools for additional protection. LastPass maintains it has found no conclusive evidence directly connecting these thefts to a breach.
However, these ongoing incidents underscore the risks of weak password management, and the lesson is clear. Even encrypted data is only as secure as the passwords protecting it.

TP-Link, the dominant router brand in the US, could soon face a ban over a national security concern. Federal investigations by the Departments of Commerce, Defense and Justice are scrutinizing the Chinese-made devices, which have a history of vulnerabilities and potential misuse by state-backed hackers. TP-Link holds 65% of the US market for home and small business routers, with 11 of Amazon's top 20 best-selling models, including the popular AX3000 and AX1800. However, the routers' affordability and popularity come with risks. Microsoft recently identified TP-Link devices as part of a botnet dubbed CovertNetwork-1658, used in sophisticated cyber attacks against Microsoft Azure customers, including U.S. Defense Department suppliers. The concerns aren't new. TP-Link routers have been implicated in several cybersecurity incidents, including the Mirai botnet attacks and cases of custom malicious firmware infections attributed to Chinese state hackers. This year, a critical vulnerability in the Archer C5400X router earned a maximum CVSS score of 10.0, highlighting the ease with which attackers could gain full remote control. The Justice Department is also probing TP-Link's pricing strategy, suspecting that selling routers below manufacturing cost could be part of an anticompetitive practice. Meanwhile, a Chinese Embassy spokesperson in Washington accused the US of using security concerns as a pretext to suppress Chinese firms. If the ban proceeds, it would mark another escalation in the US-China tech tensions. For TP-Link users, the uncertainty raises questions about future support and security patches.
It's a reminder that choosing budget-friendly tech can sometimes come at a higher long-term cost.

And Microsoft is doubling down on its vision for a passwordless future, promoting passkeys as safer and easier alternatives to traditional passwords. The company revealed in a recent blog that it blocks 7,000 password attacks per second, nearly double the volume from last year, and faces a 146% increase in phishing attacks annually. Passkeys offer a significant security upgrade by storing private encryption keys on local devices such as phones, rather than on servers vulnerable to breaches. They eliminate the need to type credentials into websites, instead relying on biometric authentication such as fingerprints or facial recognition. This makes them resistant to phishing attacks, as hackers would need both your device and your physical presence to gain access. Microsoft has gradually rolled out passkey support across its ecosystem, including Xbox, Microsoft 365 and Copilot. By integrating passkeys into login prompts like face, fingerprint or PIN, the company has made the transition seamless for users. Recent experiments showed that emphasizing passkeys as faster or more secure increased adoption rates by over 24%. And the company has also been nudging users towards passkeys at key moments, such as during account creation or password resets. While Microsoft still allows users to "skip for now," its long-term goal is to phase out passwords entirely. The path forward includes making passkeys the default, removing passwords altogether, and fully adopting phishing-resistant credentials. This shift highlights a growing consensus in cybersecurity. The password, once a cornerstone of online security, is now a weak link for organizations and individuals. Adopting passwordless technologies may soon become not just an option, but a necessity.

Finally, whatever holiday you celebrate, for us it's a Merry Christmas.
But whatever it is for you, we hope you have a great time with your loved ones. And we hope that the next year brings you great happiness and joy. I have no idea what the next year will bring for me and this program. Only one thing is certain. I'll be back at the news desk on Monday, January 6, with a new episode of Cybersecurity Today. I'm your host, Jim Love. Thanks for listening.
