One of the stories I was reading this morning mentioned that some of those with Nest security cameras have been subjected to hack attacks. One of the attacks involved hackers asking Alexa to play Justin Bieber (as a bit of a nasty shock), on the assumption that someone with a Nest security camera may well also have an Amazon product with Alexa built in.
Allegedly the method of compromise was simply to try known combinations of email address and password – given that there are many web site leaks that have been archived around the place, such data is easily available.
This is a reminder to :-
- Use a password manager (such as KeePass, KeePassX, LastPass, etc.) to assist in remembering passwords.
- Use different passwords on each site … or at least for the important sites.
- Periodically check on Have I Been Pwned to see if any of the sites that you use has been compromised.
- Use two-factor (or multi-factor) authentication where it is available; particularly for “sensitive” sites such as Dropbox, banks, etc.
The question is, how often does this sort of attack occur? And how often does it succeed?
In general I can’t answer that, but we do see a continuous stream of password “guessing” attacks where an attacker tries to use lists of known email addresses and passwords to get into various services. And by “continuous stream” we’re talking about in the region of 100,000 probes a day across all services.
In terms of successful attacks, it is somewhat less than that but we do get a trickle of notifications of either account compromises or of account credential leaks. This “trickle” amounts to between 3 and 118 incidents a month (since 2015), and a mean of 28 per month (since January 2018).
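
As an added illustration (not part of the original post), here is one way a defender could pick this pattern out of authentication logs: a source that tries many different accounts only once or twice each and mostly fails is replaying a leaked list, and any account it did get into needs a password reset. The log format, the thresholds and the sample data are assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample auth events: timestamp, source IP, account, outcome.
# Addresses come from documentation ranges; the accounts are made up.
SAMPLE_LOG = """\
2019-02-01T09:00:01 203.0.113.7 alice@example.org FAIL
2019-02-01T09:00:02 203.0.113.7 bob@example.org FAIL
2019-02-01T09:00:03 203.0.113.7 carol@example.org FAIL
2019-02-01T09:00:04 203.0.113.7 dave@example.org OK
2019-02-01T09:00:05 203.0.113.7 erin@example.org FAIL
2019-02-01T09:05:00 198.51.100.20 frank@example.org FAIL
2019-02-01T09:05:09 198.51.100.20 frank@example.org FAIL
2019-02-01T09:05:20 198.51.100.20 frank@example.org OK
2019-02-01T09:10:00 192.0.2.55 grace@example.org OK
"""

def parse(log_text):
    """Yield (source, account, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip blank or malformed lines
        _ts, source, account, outcome = parts
        yield source, account.lower(), outcome == "OK"

def find_stuffing(log_text, min_accounts=4, max_tries_per_account=2):
    """Map each source that looks like list replay to the accounts it got into.
    Signature (assumed thresholds): many distinct accounts, few tries on each,
    and more accounts failed than succeeded."""
    tries = defaultdict(lambda: defaultdict(int))  # source -> account -> attempts
    fails = defaultdict(set)                       # source -> accounts that failed
    wins = defaultdict(set)                        # source -> accounts logged in to
    for source, account, ok in parse(log_text):
        tries[source][account] += 1
        (wins if ok else fails)[source].add(account)
    report = {}
    for source, per_account in tries.items():
        many_accounts = len(per_account) >= min_accounts
        shallow = max(per_account.values()) <= max_tries_per_account
        mostly_failing = len(fails[source]) > len(wins[source])
        if many_accounts and shallow and mostly_failing:
            report[source] = sorted(wins[source])  # candidates for forced reset
    return report

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_LOG))
```

The user who mistypes a password twice before getting in (the second source in the sample) is not flagged, because only one account is involved.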