Strong Passwords Aren’t As Easy As Adding 123. Here’s What Experts Say Really Helps


source:  cnet.com

Creating a good password isn’t as simple as putting an exclamation mark at the end.

You’ve seen all the familiar rules for strong passwords almost every time you create an online account. Use capital letters, numbers and special characters, and make it at least 8 characters long (or 10, or 12). These requirements are designed to make it harder for hackers to get into your accounts. However, they don’t really make your password stronger, say researchers at Carnegie Mellon University.

Lorrie Cranor, director of the CyLab Usable Security and Privacy Laboratory at CMU, says her team has a better way, a meter that websites can use to prompt you to create more-secure passwords. After you’ve created a password of at least 10 characters, the meter will start giving suggestions, such as breaking up common words with slashes or random letters, to make your password stronger. 

These tips set the password strength meter apart from other meters that provide an estimated password strength, often using colors. The suggestions don’t come from a checklist, but instead respond to common pitfalls Cranor’s team has seen people make when they set up passwords during experiments run by the lab over several years.

One of the problems with many passwords is that they tick all the security checks but are still easy to guess because most of us follow the same patterns, the lab found. Are numbers required? You’ll likely add a “1” at the end. Is it capital letters? You’ll probably make it the first one in the password. And special characters? Frequently exclamation marks.

CMU’s password meter will offer advice for strengthening a password like “ILoveYou2!” — which meets the standard requirements. The meter also offers other advice based on what you type in, such as reminding you not to use a name or suggesting you put special characters in the middle of your password. 

“It’s relevant to what you’re doing, rather than some random tip,” Cranor said. 
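The pitfalls the lab describes translate directly into a handful of targeted checks. The following Python is an added example, not the CMU meter or the lab's code: the word and name lists are constructed stand-ins for the large dictionaries a real meter would use, the ten-character threshold follows the article, and each rule returns the concrete tip for the habit it detects rather than a colour score.

```python
import re

# Constructed toy wordlists standing in for the large dictionaries a real meter
# would use; they are not the CMU lab's data.
COMMON_WORDS = {"love", "you", "password", "welcome", "summer", "dragon", "monkey"}
COMMON_NAMES = {"john", "sarah", "michael", "jennifer"}
MIN_LENGTH = 10


def pattern_feedback(password: str) -> list:
    """Return concrete suggestions for the predictable habits described above.

    Each rule maps one observed pitfall (digits bolted onto the end, a single
    capital at the front, a trailing '!', an intact dictionary word or name)
    to one actionable tip, instead of a generic strength colour.
    """
    tips = []
    if len(password) < MIN_LENGTH:
        # Like the article's meter, give no detailed tips until the length is there.
        return [f"Use at least {MIN_LENGTH} characters before worrying about anything else."]

    # Pitfall: the only capital letter is the first character.
    if password[0].isupper() and not any(c.isupper() for c in password[1:]):
        tips.append("Your only capital letter is the first one; capitalise a letter in the middle instead.")

    # Pitfall: every digit sits in a run at the end (ignoring trailing symbols such as '!').
    core = re.sub(r"[^A-Za-z0-9]+$", "", password)
    if re.search(r"\d", core) and re.fullmatch(r"\D*\d+", core):
        tips.append("All your numbers are at the end; move some of them between letters.")

    # Pitfall: every special character sits in a run at the end.
    if re.fullmatch(r"[A-Za-z0-9]+[^A-Za-z0-9]+", password):
        tips.append("All your special characters are at the end; put one in the middle of the password.")

    # Pitfall: an intact common word or name inside a run of letters.
    for run in re.findall(r"[A-Za-z]+", password):
        lowered = run.lower()
        for word in sorted(COMMON_WORDS):
            if word in lowered:
                tips.append(f"'{word}' is a common word; break it up with a slash or a random "
                            f"letter, e.g. '{word[:2]}/{word[2:]}'.")
        for name in sorted(COMMON_NAMES):
            if name in lowered:
                tips.append(f"'{name}' looks like a name; avoid names entirely.")
    return tips


if __name__ == "__main__":
    for tip in pattern_feedback("ILoveYou2!"):
        print(tip)
```

Running it on the article's own example, "ILoveYou2!", produces four tips (digits at the end, the special character at the end, and the intact words "love" and "you"), while a password such as "tr4ck#sunny!moon" passes every rule even though it contains no capital letter at all, which is the point the researchers make about checklists.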

Continue reading “Strong Passwords Aren’t As Easy As Adding 123. Here’s What Experts Say Really Helps”

Data Leak Exposes Details of Two Million Chinese Communist Party Members

source: infosecurity-magazine.com

Sensitive data on around two million members of the Communist Party of China (CPC) has been leaked, revealing their positions in major organizations, including government agencies, around the world.

According to reports from The Australian newspaper, featured in the Economic Times, the information includes official records such as party position, birthdate, national ID number and ethnicity. It revealed that members of China’s ruling party hold prominent positions in some of the world’s biggest companies, including in pharmaceutical giants involved in the development of COVID-19 vaccines like Pfizer and financial institutions such as HSBC.

The investigation by The Australian centred around the data leak, which was extracted from a Shanghai server in 2016 by Chinese dissidents.

It noted that CPC members are employed as senior political and government affairs specialists in at least 10 consulates, including the US, UK and Australia, in the eastern Chinese metropolis Shanghai. The paper added that many other members hold positions inside universities and government agencies.

The report emphasized there is no evidence that spying for the Chinese government or other forms of cyber-espionage have taken place.


In her report, The Australian journalist and Sky News host Sharri Markson commented: “What’s amazing about this database is not just that it exposes people who are members of the Communist Party, and who are now living and working all over the world, from Australia to the US to the UK, but it’s amazing because it lifts the lid on how the party operates under President and Chairman Xi Jinping.

“It is also going to embarrass some global companies who appear to have no plan in place to protect their intellectual property from theft, from economic espionage.”

In September, the Cybersecurity and Infrastructure Security Agency (CISA) and the US Department of Justice issued a joint advisory warning US government agencies and private sector companies to be on high alert for cyber-attacks by threat actors affiliated with the Chinese Ministry of State Security (MSS).


DevSecOps:  Solving the Add-On Software Security Dilemma

source: technewsworld.com

The lack of standard practices in the DevOps communities is causing growing friction as security teams line up against developers. This internal friction leaves software they develop and organizations that use the apps vulnerable to attacks and breaches.

A report released Sept. 30 by open source security and license management company WhiteSource explores various factors contributing to the siloed software development culture and what steps are needed to achieve agile, mature, DevSecOps practices — which involves integrating IT security as a shared function among all DevOps teams.

The report shows feelings of increased pressure among software development teams to overlook security features to meet short development lifecycles.

That finding is especially significant in light of revelations that more than half of all developers polled in the report said they have either no secure coding training or only an annual event. Add to this lack of security training among software coders the finding that fewer than one-third of organizations have a defined, agreed-upon vulnerability prioritization process.

The DevSecOps Showdown

Perhaps an even more alarming dilemma is that on average just half of the organizations have an AppSec champion on their teams. More evidence of the security divide between teams is that even when security professionals say there is one, developers do not always agree, according to the report entitled “WhiteSource DevSecOps Insights, Security vs. Developers: The DevSecOps Showdown.”

“If developers feel they are neglecting security to stay on schedule, something in the DevSecOps process is broken,” warn the report writers.

WhiteSource surveyed over 560 application security professionals and software developers. The results show that while most security professionals and developers believe their organizations are in the process of adopting DevSecOps, most organizations still have a way to go, according to Rami Sass, CEO and co-founder of WhiteSource. The distance still to be traveled is especially significant when it comes to breaking down the silos separating development and security teams, he noted.

“Full DevSecOps maturity requires organizations to implement DevSecOps across the board. Processes, tools, and culture need to evolve in order to break down the traditional silos and ensure that all teams share ownership of both security and agility,” Sass said.

Continue reading “DevSecOps: Solving the Add-On Software Security Dilemma”

Has Your Data Been Leaked to the Dark Web?

source:  cyberdefensemagazine.com

The part of the internet not indexed by search engines is referred to as the Dark Web, and it is frequently misunderstood. The Dark Web is a network of forums, websites, and communication tools such as email. What differentiates it from the traditional internet is that users are required to run a suite of tools, such as the Tor browser, that help hide web traffic. The Tor browser routes a web page request through a series of proxy servers operated by thousands of volunteers around the globe, which renders the user's IP address untraceable.

The Dark Web is used for both illegal and respected activities. Criminals exploit the Dark Web’s anonymity to sell drugs and guns. Organizations like Facebook and the United Nations use the Dark Web to protect political and religious dissidents in oppressive nations. Legitimate actors like law enforcement organizations, cryptologists, and journalists also use the Dark Web to be anonymous or investigate illegal activities.

A 2019 study, Into the Web of Profit, conducted by Dr. Michael McGuires at the University of Surrey, shows that the number of Dark Web listings that could harm an enterprise has risen by 20% since 2016. Of all listings (excluding those selling drugs), 60% could potentially harm enterprises.

Continue reading “Has Your Data Been Leaked to the Dark Web?”

Upcoming S&T Guidance Will Improve Critical Infrastructure Resilience

source: dhs.gov (contributed by Artemus FAN, Alicia Jones)

It is easy to understand the importance of our “critical infrastructure,” such as telecommunications, energy, transportation, and emergency services, but what’s often overlooked are the underlying technologies that enable them. One such technology is Position, Navigation, and Timing (PNT) services, a national critical function powering many of the critical infrastructure sectors that enable modern society.

PNT is primarily provided through the Global Positioning System (GPS) and other Global Navigation Satellite Systems (GNSS). PNT is not just used for navigation, though. It also provides precision timing information that enables critical functions within telecommunication networks and the power grid. However, these PNT services are susceptible to interference such as GPS jamming and spoofing, which pose a risk to critical infrastructure. What was once an emerging risk is quickly becoming a pressing issue, with industry reporting a growing trend in the past two years of prominent PNT disruption events around the world. As the technological barriers to conducting these activities continue to fall, it becomes even more important to ensure our critical infrastructure is resilient to PNT disruptions.

Continue reading “Upcoming S&T Guidance Will Improve Critical Infrastructure Resilience”

Don’t give your information to marketers who might pelt you with spam or even expose you to a potential hack. Use Abine Blur instead.

source: fastcompany.com

Over the summer, I came across an online store that was promising big discounts on All-Clad cookware, but with a catch: You had to hand over an email address just to see what the deals were.

This would have given me pause if not for a secret weapon: I loaded up a service called Abine Blur and generated a free “masked email” address to use instead of my real one. While the masked email would still forward messages to my actual Gmail inbox, the store would never learn my real address, and I could cut off any future emails with one click.

I started using Abine Blur about five months ago, after hearing about it from one of my newsletter readers, and it’s since become one of my most cherished privacy services. With masked email addresses, I don’t have to worry about getting spammed just because I signed up for an app, made a donation, or subscribed to some retailer’s newsletter in exchange for a coupon. I just tell Abine Blur to stop forwarding their emails, and our link is severed.

Continue reading “This Free Service Is a Genius Way to Foil Spam…”

source: bbc.com

A few days after the coronavirus lockdown began, Ciaran Martin’s phone pinged with a text message – the government was warning him he had left home three times and had to pay a fine.
As the official in charge of defending the UK against cyber-threats, he knew enough to spot a scam.
But it was also a sign he was unlikely to have a quiet end to his time as the first head of the National Cyber Security Centre (NCSC).
Speaking in his last few days in office, he says recent events have been an “unexpected vindication” of the decision to spin out part of the intelligence agency GCHQ so classified intelligence could be better shared to protect the UK.
Pandemic protection
Cyber-criminals were quick to exploit Covid-19, using it to persuade people to click on links or buy fake goods.
And that placed new demand on systems built to automate cyber-defences and spot spoof messages.
At the same time, the NCSC had to help government and public-sector organisations deal with the sudden increased dependence on technology, whether in the cabinet meeting over video link or the government sending out genuine text messages to the entire public.
But it was not just cyber-crime groups who were on the move.
Foreign spies also began to go after new targets.
And protecting universities and researchers seeking a coronavirus vaccine became an urgent new priority.
“Many of the people involved never thought they’d be in a case where they’d be talking to part of an intelligence service about resisting major nation state threats against their work,” Mr Martin says.
In July, the UK, along with the US and Canada, accused Russian intelligence of trying to steal research.
The accusation – known as an “attribution” – came because the NCSC could draw on GCHQ’s long history monitoring Russian hackers.
“We have built up significant knowledge of some of the major attack groups from the major nation states, including Russia, over more than two decades,” Mr Martin says.
“For a lot of the things that we were seeing in the high end of vaccine protection, it was detected by us because it was the more sophisticated end, where the attacker is trying harder not to get caught.”

source: wired.com

You are, we hope, already protecting your phone with a PIN, a fingerprint, or a face (or all three), but sometimes you’ll want to add an extra barrier to particular apps—if you’re lending your phone to a friend, say, or if your kids or partner are always borrowing your phone for whatever reason.

How you want to apply this additional protection is up to you. Some apps come with it built in; in other cases you’ll need to enlist the help of a third-party app. The process is also different depending on whether you’re using Android or iOS, and so we’ve split our guide up into two sections.

Locking Apps on iOS

Apple doesn’t give third-party apps quite as much leeway on iOS as Google does on Android, so you won’t find any general-purpose locking tools in the App Store. Instead, you’re relying on the individual apps themselves—many apps that can hold sensitive information will give you additional options.

Apple’s own Notes app for the iPhone is one example. You can lock individual notes by tapping the Share button (inside a note) or long-pressing on a note (on the notes list) and then choosing Lock Note. Notes are locked using Face ID, Touch ID, or a PIN code, and you can set this via Notes in the iOS Settings app.

Screenshot: You can lock Apple Notes individually on an iPhone. (David Nield via Apple)

WhatsApp has protections in place as well to keep prying eyes out of your messages. From the main screen, you need to tap Settings, Account, Privacy, and Screen Lock—you’ll then be able to set up Touch ID or Face ID to guard access to your conversations. If either of those methods fail, you’ll get pushed back to your phone’s lock screen passcode.

Another third-party app with this same security measure is Dropbox, which is handy if you don’t want your toddler accidentally wiping all your files with an ill-judged finger push. Tap Account, then the cog icon (top left), then Turn Passcode On. When you’ve set a passcode, you’ll also be given the option to use Touch ID or Face ID as well.

We can’t guide you through every app on iOS, but have a look inside your favorite ones to see if an extra security layer has been included. Evernote, Amazon, and PayPal are three other apps that can be locked with Touch ID or Face ID, and many banking apps now have the same feature too, so even if someone gets access to your phone (with or without your permission), they can’t access all of your apps.

Screenshot: Dropbox is one of the apps that supports Face ID and Touch ID on iOS. (David Nield via Apple)

You have a couple of other tools you can turn to in iOS: They weren’t primarily intended for securing apps, but they can do the same job. The first is Screen Time, which you can access from Settings: If you tap Use Screen Time Passcode to set a passcode, then select App Limits and set the daily limit for an app to zero hours zero minutes, you’re effectively locking other people out of the app without the passcode.

Your second option is Guided Access, which you’ll find in the Accessibility menu in Settings. Once you’ve enabled it, open an app and triple-tap the side button or home button—you then won’t be able to switch to any other app without entering the phone’s passcode. It’s ideal if you want to let one of the kids play a game, but don’t want them to venture onto any other apps.

Locking Apps on Android

Android does let third-party apps control access to other apps, so you can install one of these app lockers and block access to any apps you don’t want other people snooping around inside. A passcode is usually required to gain access, though some locking tools can work with fingerprint sensors or face recognition.

Continue reading “HOW TO PASSCODE-LOCK ANY APP ON YOUR PHONE”

source: fastcompany.com

By making encryption free and easy, Let’s Encrypt solved one of the web’s biggest problems. Its secret? A maniacal focus on automation and efficiency.

Let’s Encrypt issued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server that’s effectively impenetrable to snooping. The pandemic hasn’t halted the group’s progress: It says it’s now issued over 1,080,000,000 certificates.

That Let’s Encrypt doesn’t charge for this service is a big deal. A digital certificate for a website—also useful for email servers and other client/server systems—used to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.

While the price had dropped significantly before Let’s Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though I’ve been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Let’s Encrypt.)

Let’s Encrypt didn’t set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing that has doubled the number of secure sites from 40 to 80 percent of all sites since 2016.

As executive director and cofounder of ISRG Josh Aas says, the organization wants everyone to be able to “go out and participate fully in the web without having to pay hundreds of dollars to do something.” Setting the cost at zero benefits each site’s users and the internet as a whole.

Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Let’s Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.

This dramatic increase in web encryption protects people from some unwanted commercial tracking and snooping by malicious parties and government actors alike. It took Let’s Encrypt as a catalyst to put it within the reach of every website.

BLOCKING UNPRECEDENTED SNOOPING

After the revelation of the scope and nature of wide-scale, routine data collection by U.S. national security agencies added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest stored on servers, and browser makers calling users’ attention to unprotected web sessions.

Continue reading “HOW A NONPROFIT YOU’VE NEVER HEARD OF MADE THE WEB SAFER FOR EVERYONE”

source:  cyberdefensemagazinebackup.com

Just because it meets the complexity test does not mean it is secure.

Most insider threats and some very public hacks (yes, I am talking to you, John Podesta) are due to poor password choice. But it is not just a matter of changing the default passwords. You have to change them to something complex, with upper and lower case, numbers and special characters, and, just as importantly, something that is not easily guessed.

We had a new client who lost the password to his SAN. He did not remember it, and as he always used the same form of password – company name with capitalization, a special character, and some numbers – which counts as a complex password, they thought they were secure. In reality it was a false sense of security: the password was easily guessed, and the company data was vulnerable to anyone who wanted to spend the time with a minuscule bit of information about the company.

Because we needed access to the SAN, I wrote a simple 47-line Python script to churn through all the various options. It took us less than a minute to crack the password, and we were in. It helped me tremendously that they did not turn on any brute-force blocking or disabling on failed attempts. It also helped that they had default usernames enabled. I only had to guess a few of the 12 characters in the password, because computing is cheap and time is not relevant when your computer does the work for you. I say helped, but really it made the job of hacking in more straightforward and less time-consuming.

Lessons Learned

The main lesson here for my customer is that password security is not hard; it just has to happen. For better security they now use strong random passwords generated by a program, logins for all default users are disabled, and brute-force blocking with timeouts of at least 15 minutes is in place. Where applicable, and especially for remote access to systems, two-factor logins and biometrics are used.
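The lessons above can be expressed as a small login-guard module. The following Python is an added example, not the author's script or any product's code: the five-failure threshold and the list of disabled default accounts are assumed values, the 15-minute timeout is the one recommended above, the credential check is a stand-in lambda, and the injected clock is constructed so the lockout window can be replayed without waiting.

```python
import secrets
import string
import time

LOCKOUT_SECONDS = 15 * 60          # the 15-minute timeout recommended above
MAX_FAILURES = 5                   # failures allowed before a lockout (assumed value)
DISABLED_DEFAULT_USERS = {"admin", "administrator", "root", "guest"}  # constructed list


class LoginGuard:
    """Wraps a credential check with failed-attempt lockout and default-account refusal."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify          # callable(user, password) -> bool: the real check
        self._clock = clock            # injectable so the timeline can be simulated
        self._failures = {}            # user -> consecutive failed attempts
        self._locked_until = {}        # user -> clock value when the lockout ends

    def attempt(self, user, password):
        now = self._clock()
        # Default accounts are refused outright, before any credential check.
        if user.lower() in DISABLED_DEFAULT_USERS:
            return "disabled"
        # During a lockout even a correct password is refused; this is what stops a
        # guessing script from walking the keyspace at the speed of the network.
        if now < self._locked_until.get(user, 0):
            return "locked"
        if self._verify(user, password):
            self._failures.pop(user, None)
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0
            return "locked"
        return "denied"


def generate_password(length=20):
    """Random password from the OS CSPRNG: no company name, no predictable suffix."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class FakeClock:
    """Constructed clock so the lockout window can be tested without waiting 15 minutes."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Replay a guessing sequence against one account and return each outcome."""
    clock = FakeClock()
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "correct-horse-battery"), clock.now)
    outcomes = [guard.attempt("admin", "anything")]                         # default account: refused
    outcomes += [guard.attempt("alice", f"Company{n}!") for n in range(5)]  # five pattern guesses
    outcomes.append(guard.attempt("alice", "correct-horse-battery"))        # right password, still locked
    clock.advance(LOCKOUT_SECONDS)
    outcomes.append(guard.attempt("alice", "correct-horse-battery"))        # lockout has expired
    return outcomes


if __name__ == "__main__":
    print(simulate())
    print(generate_password())
```

The simulated timeline shows the three controls working together: the default account never reaches the credential check, the fifth wrong guess starts a lockout that refuses even the correct password, and only after the timeout does a valid login succeed. The guard keeps state in memory for clarity; a production version would persist it and apply the same limit per source address, since one lockout per username alone does not slow a script that rotates usernames.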