Welcome to The Dashlane Tech Check for August 11, 2017! I’ll help you catch up on Dashlane news and the biggest headlines in the tech and information security industry. And, just for fun, I’ll include a useful life hack that will keep your personal and work-related data secure all year long.
What in the (security) world?
Here’s what made headlines this week in the world of digital identity, security, and privacy:
Former National Institute of Standards and Technology manager regrets his 2003 password advice. Here’s why.
Bill Burr, the former National Institute of Standards and Technology manager, admitted that he regrets much of the password advice he authored in an eight-page document back in 2003. In an interview with The Wall Street Journal, Burr acknowledged that the password advice he offered only encouraged negligent and predictable password practices, like using guessable password transformations and changing passwords at least every 90 days. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” said Burr.
So what should your passwords look like? As The Verge notes, you should make your passwords obscure, random phrases that are easy for you to memorize, but wouldn’t make any sense to an automated system.
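As an added illustration of Burr’s point (this is example code written for this post, not anything from NIST or The Verge): a small Python checker that rates a dressed-up dictionary word the way a guessing tool would, next to the character-class estimate the old complexity rules implied and the entropy of a randomly chosen passphrase. The word list, the leet map and the “1000 variants per word” figure are constructed assumptions.

```python
import math
import re

# Constructed stand-in for a real dictionary (assumption: a real checker uses a large list).
COMMON_WORDS = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}
# Common "complexity" substitutions, undone before the dictionary lookup.
LEET = str.maketrans("@$0134!7", "asoleait")
# Assumption: a guessing tool tries on the order of 1000 suffix/leet variants per word.
VARIANTS_PER_WORD = 1000

def normalize(password):
    """Undo the dressing-up the 2003 rules encouraged: strip a trailing
    digit/symbol suffix (e.g. '2017', '1!'), lowercase, reverse leet substitutions."""
    stem = re.sub(r"[0-9\W_]+$", "", password)
    return stem.lower().translate(LEET)

def looks_like_transformation(password):
    """True if the password is a common word with predictable decorations."""
    return normalize(password) in COMMON_WORDS

def charset_entropy_bits(password):
    """Optimistic estimate that only looks at length and character classes,
    which is all a 'must contain upper, digit, symbol' rule measures."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33
    return len(password) * math.log2(size) if size else 0.0

def guess_entropy_bits(password):
    """Effort for a guesser who knows the transformation tricks: a decorated
    dictionary word costs about log2(words * variants) guesses, not the charset figure."""
    if looks_like_transformation(password):
        return math.log2(len(COMMON_WORDS) * VARIANTS_PER_WORD)
    return charset_entropy_bits(password)

def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of word_count words each drawn uniformly at random from a list of
    wordlist_size words, i.e. the random-phrase approach the 2017 advice favours."""
    return word_count * math.log2(wordlist_size)

if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Summer2017", "L3tm3!n"):
        print(f"{pw:12s} charset={charset_entropy_bits(pw):5.1f} bits  "
              f"realistic={guess_entropy_bits(pw):5.1f} bits")
    print(f"6 random words from a 7776-word list: {passphrase_entropy_bits(6, 7776):.1f} bits")
```

The contrast is the whole point: the complexity rules score “P@ssw0rd1!” at roughly 66 bits, while a transformation-aware guesser needs around 13 bits of effort, and six random words beat both.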
HBO Hackers: Pay $7.5 Million or more secrets will be leaked
The HBO hacking saga continues. As we covered in last week’s Tech Check, unidentified hackers stole 1.5 terabytes of data from HBO and released unaired full episodes of current and upcoming shows, portions of the Game of Thrones script, and thousands of internal documents. This Monday, according to Slate, the hackers leaked more data, including the script summaries for the next five episodes of Game of Thrones, scripts and full episodes of other shows, a month’s worth of emails from an HBO executive, and an executive’s contact list with the personal phone numbers of some Game of Thrones. In a video, the hackers also demanded $7.5 million in bitcoin to be paid by the end of the week, or else face the consequences of having more private information leaked to the public.
FCC proposes counting mobile data as broadband internet
According to Engadget, a “Notice of Inquiry” from the US Federal Communications Commission (FCC) proposed “to incorporate both fixed and mobile advanced telecommunications services into our Section 706 inquiry.” Section 706 of the 1996 Telecommunications Act requires the FCC to report annually on “whether advanced telecommunications capability is being deployed to all Americans in a reasonable and timely fashion.” Moreover, as Engadget notes, if mobile connections were to be considered “broadband”, then the FCC would significantly decrease the download and upload speeds currently required to fit the definition of home broadband. This could significantly impact Americans in poor and rural areas.
UK government announces Data Protection Bill
The UK’s Digital Minister, Matt Hancock, announced a new Data Protection Bill that will overhaul the government’s current data protection laws and align the UK with the EU’s upcoming General Data Protection Regulation (GDPR). According to diginomica, the Data Protection Bill would give citizens more control over their digital identities by giving them the right to ask for their personal data to be erased. It’ll also give the Information Commissioner’s Office (ICO) more power to impose sanctions on firms that do not comply with the law.
WannaCry hero pleads not guilty of creating and distributing banking malware
Marcus Hutchins (also known as @MalwareTechBlog), the same malware researcher who helped stop the WannaCry ransomware outbreak, was arrested after attending the Def Con conference in Las Vegas and charged with six hacking-related counts. According to The Hacker News, Hutchins’ bail was set last Friday at $30,000.
Hutchins is accused of creating and distributing the Kronos banking malware between 2014 and 2015. Kronos was designed to steal a victim’s banking credentials and personal data from their infected computer. It was sold on Russian online forums for $7,000. The Hacker News reports that Hutchins admitted he wrote the code for the malware, but pleaded not guilty during his initial court hearing.
Kenya’s opposition leader claims the presidential election was rigged by hackers to favor opponent
During a press conference, opposition leader Raila Odinga refused to accept the results of the presidential election, claiming that hackers broke into the server where the results were transmitted. CNN reports that Odinga trailed the incumbent President Uhuru Kenyatta, 45 percent to 54 percent respectively, with more than 98 percent of the polling stations reporting yesterday. Odinga provided no evidence of election rigging, except for citing an unnamed source at Kenya’s Independent Electoral and Boundaries Commission.
Moreover, in an interview with CNN, former US Secretary of State John Kerry reassured Kenyan voters that the election process maintained its integrity. “The process is still underway. But we believe that the election’s commission in Kenya has put together a process that will allow each and every vote’s integrity to be proven,” Kerry said, noting that there were “little aberrations here and there.” “If anything was electronically fiddled with, there is a way to go back and absolutely ascertain what happened in the polling station. So by paper ballots, there is a protection of each and every Kenyan’s vote,” he said.
More than 30,000 current and former UCLA students notified of potential data breach
According to a report from UCLA’s school newspaper, the Daily Bruin, about 32,000 current and former University of California, Los Angeles (UCLA) students were notified about a potential security breach. UCLA spokesperson Tod Tamberg told the Daily Bruin that the cyber attack affected students who provided their personal information, like names, street addresses, social security numbers, birth dates, and medical information, to the school before April 2016. To date, there is no evidence that the hacker accessed or stole any of the data.
The State of Enterprise Security
Critical vulnerabilities in 47 percent of corporate information systems
According to a new analysis of security audit findings from Positive Technologies, 47 percent of investigated corporate systems had critical vulnerabilities last year. InfoSecurity Magazine says the analysis found that testers could take full control over corporate infrastructure on 55 percent of the systems audited; acting as an internal intruder, they compromised 100 percent of the systems audited. Moreover, 75 percent of cases had extremely poor wireless network security and exactly a quarter had very low staff awareness of internal systems.
1 in 5 small-to-medium-sized businesses shut down after a ransomware attack
CNET shares the results of an assessment from Malwarebytes’ Second Annual State of Ransomware Report, which found that 32 percent of companies were hit by at least one malware attack last year; of those companies, a fifth had to completely shut down. The assessment also found that a quarter of businesses experienced more than 20 ransomware attacks last year.
But security software isn’t fully to blame. Brett Callaghan, Senior Systems Engineer at Malwarebytes, says that the people behind malware attacks are exploiting “the human factor.” “A lot more attackers are becoming aware of the fact that they can make small amounts of money at a grand scale very quickly if they completely automate this. The attackers we’re seeing are extremely sophisticated — they’re not fussed about creating a file and making something look real,” he said.
“They’ll just go after the user and they’ll spray and pray. If you hit 100,000 email accounts and 10,000 hit the button and you’re charging $200 a piece? That’s a significant amount of income right there from doing very little,” he concluded.
A new survey finds organizations have not made necessary security improvements following global ransomware attacks
A Tripwire survey found that more than two-thirds of security professionals believe their organization has not made significant security improvements after the WannaCry and Petya ransomware attacks. According to InfoSecurity Magazine, almost a third of security professionals believed their organizations struggled to manage what devices are on their networks, but many are also concerned about vulnerability management (14 percent), administrative privilege issues (6 percent) and audit log attention (6 percent). Notably, 40 percent believed that no single issue is to blame and that their organization fails to solve all of these issues.
The Week’s Lifehack to Improve Your Security
With several recent surveys and assessments blaming “the human factor” for faulty security practices, business owners and IT managers should consider focusing their attention on reinforcing their organization’s human firewall: employees! First, start with the basics. We’ll tell you the five things every incoming employee should know about online security best practices during their first week on the job.
Have any thoughts on any of the news I shared? Leave me a comment below and make sure to visit our blog next week for another edition of The Dashlane Tech Check.