US Government: Don’t Require Special Characters in Passwords*:
- The standards organization of the United States, NIST, has concluded that many common requirements for passwords, like forcing you to use special characters, are misguided.
- NIST recommends the use of lengthy passwords, and instructs administrators to allow passwords to run at least 64 characters long.
- It also says people should only be forced to change their passwords if there is evidence of tampering, rather than at an arbitrary interval.
- A password with special characters may be hard to remember but easy for a computer to guess, while a long and simple password is easy for a human to remember and actually very difficult for a computer to guess.
- The guidelines say that administrators should take actions that make accounts more secure than special characters ever could – like preventing the use of common passwords and creating a waiting period between incorrect login attempts.
*Source: Quartz, June 24, 2017
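The NIST points summarised above (no composition rules, accept passwords of at least 64 characters, block common passwords, impose a waiting period after incorrect attempts) as a small policy checker. This is an added example written for this page, not NIST's or the article's code; the blocklist, the minimum length and the lockout parameters are constructed placeholders.

```python
from collections import defaultdict

MIN_LENGTH = 8       # assumption: a minimum the summary does not state
MAX_LENGTH = 64      # the article: servers must allow at least 64 characters
MAX_FAILURES = 5     # constructed: failed attempts before the wait applies
WAIT_SECONDS = 30.0  # constructed: waiting period between further attempts

# Constructed sample blocklist; a real deployment loads a large list of
# common and breached passwords. Note the entry with special characters.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd!"}


def check_password(candidate: str) -> list:
    """Return the list of policy violations; an empty list means accepted.
    Deliberately imposes no composition rule (no required digits or symbols),
    so a long, plain passphrase passes while a short "complex" one may not."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


class LoginThrottle:
    """Per-account waiting period after repeated incorrect login attempts.
    Timestamps are passed in explicitly so the logic is easy to test."""

    def __init__(self):
        self._failures = defaultdict(int)
        self._blocked_until = {}

    def allowed(self, account: str, now: float) -> bool:
        return now >= self._blocked_until.get(account, 0.0)

    def record_failure(self, account: str, now: float) -> None:
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES:
            self._blocked_until[account] = now + WAIT_SECONDS

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._blocked_until.pop(account, None)
```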
China Has Agreed to Stop Cyber-Attacks on the Canadian Private Sector*:
- China has signed an agreement to stop conducting state sponsored cyber-attacks against the Canadian private sector.
- The new agreement only covers economic espionage, which includes hacking corporate secrets and proprietary technology, but does not preclude China from conducting state-sponsored cyber-attacks against the Canadian government or military.
- The two sides agreed that neither country's government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
*Source: Time, June 25, 2017
Ransomware Spreads across Europe with Firms in Ukraine, Britain, and Spain Shut Down*:
- In Ukraine, major firms, airports, and government departments have been struck by a massive cyber-attack which began to spread across Europe last week.
- In the Netherlands a major shipping firm confirmed its computer terminals were malfunctioning.
- The virus is believed to be ransomware – a piece of malicious software that shuts down a computer system and then demands a sum of money to fix the problem.
- This comes just a few weeks after the WannaCry hack, which affected more than 150 countries and crippled parts of the NHS.
- It remains unclear who is responsible for the latest attack.
- A Danish transport and logistics company with branches worldwide announced that "multiple sites and business units" had been shut down after the cyber-attack.
- Some experts have linked the ransomware to a virus called Petya, which targets the hard drive on a computer rather than individual files.
*Source: The Telegraph, June 27, 2017
The CIA Can Remotely Hack Into Computers that Aren’t Even Connected to the Internet*:
- There’s always been one surefire way to protect computers that control sensitive operations like power grids and water pumps: cut them off from the internet entirely.
- New documents published by WikiLeaks in June suggest that even when extreme measures are taken, no computer is safe from motivated, well-resourced hackers.
- The 11 documents describe a piece of software called “Brutal Kangaroo,” a set of tools built for infiltrating isolated “air-gapped” computers by targeting internet-connected networks within the same organization.
- The process begins when a hacker remotely infects an internet-connected computer in the organization or facility being targeted; then Brutal Kangaroo waits until someone plugs a USB thumb drive into the infected computer.
- From that point, the virus will spread further malware to any system that thumb drive is plugged into, with the idea that eventually one of those drives will be plugged into the air-gapped computer.
- The major flaw in the concept of isolating sensitive computers is that the air gap around them can only be maintained if no one ever needs to copy files onto or off of them.
- The Brutal Kangaroo documents are the latest revelation about what the CIA’s hackers are allegedly capable of, though the CIA has not confirmed its ownership of the documents or tools.
*Source: Quartz, June 24, 2017
Health Insurance Giant Agrees to Record $115 Million Payout Over Data Breach*:
- Health insurance giant Anthem Inc. will pay $115 million to end a court battle over a 2015 data breach that exposed the sensitive information of nearly 80 million Americans.
- That’s a new record – Target, for example, settled for only $18.5 million after a breach exposed payment cards of 41 million customers.
- This figure should serve as a warning to other companies that think security isn’t worth the investment.
- Anthem has also agreed to guarantee “a certain level of funding for information security and to implement or maintain numerous specific changes to its data security systems, including encryption of certain information and archiving sensitive data with strict access controls.”
- Had they taken those steps prior to 2015, the company would have saved itself and its customers a whole lot of grief.
- Most of the money will pay for credit monitoring, although roughly $38 million will go toward attorneys’ fees.
- While the Anthem incident was allegedly a hack that didn’t involve any medical records or credit card details, about 79 million people had their personal information compromised – including names, addresses, birthdates, and social security numbers.
*Source: Gizmodo, June 23, 2017
Cyber-Attack on Parliament Leaves MPs Unable to Access Emails*:
- Parliament has been hit by a “sustained and determined” cyber-attack by hackers attempting to gain access to the email accounts of Members of Parliament (MPs) and their staffers.
- The attack sought to gain access to accounts protected by weak passwords; fewer than 90 email accounts were compromised during the cyber-attack.
- MPs said they were unable to access their emails after the attack began and cited blackmail as a possible motive.
- The estate’s digital services team made changes to accounts to block out the hackers, and said that the changes could mean staff were unable to access their emails.
*Source: The Guardian, June 24, 2017
The U.S. is Slowly Submitting to the EU’s 2018 Privacy Law*:
- 100% of U.S.-based privacy professionals believe the importance and complexity of managing privacy in their organizations is increasing.
- Similar numbers acknowledge they will increase their investment in managing privacy, yet 61 percent of these same professionals acknowledge they have done little to prepare for the coming of the world’s biggest privacy regulation, the EU’s General Data Protection Regulation, or GDPR.
- The general attitude concerning American GDPR readiness seems to be, “Yeah, we know it’s a big deal, we know it’s going to cost a lot of money, and we know we’re a little behind in getting ready, but we’ll get it done.”
- The American regulatory framework doesn’t provide much structure, so we’ll happily adopt one from abroad.
- Many privacy professionals welcome the GDPR, and see its coming as a great opportunity for companies to regularize around a common set of standards and requirements.
- Big global companies that loom large in the American business scene will in turn pass along their alignment with GDPR to all their suppliers, who will be asked to meet the new requirements if they want to keep their contracts.
- For the most part, American business has self-regulated when it felt it was in its best interests to do so, and that’s what we’re seeing happen with GDPR compliance.
- American businesses will adopt the protections for individual data within the GDPR because it’s good business to do so.
*Source: Venture Beat, June 24, 2017