By Andrew Paulette
1.) New password guidelines say everything we thought about passwords is wrong (April 18, 2017)
Summary: When I recently discovered a draft of new guidelines for password management from NIST (the National Institute of Standards and Technology), I was amazed by the number of very progressive changes they proposed.
Although NIST’s rules are not mandatory for nongovernmental organizations, they usually have a huge influence as many corporate security professionals use them as base standards and best practices when forming policies for their companies. Thus, another fact I was surprised about was a lack of attention to this document, finalized March 31, from both official media and the blogosphere. After all, those changes are supposed to affect literally everyone who browses the Internet.
Why it matters: The changes to the NIST password guidelines (the memorized-secret rules in SP 800-63B) at first appear to fly in the face of the conventional password wisdom usually taught in end-user training: composition requirements have been dropped, and NIST no longer recommends periodic password changes. These changes make sense, however. Forcing users to include specific character classes such as digits and symbols does not produce a stronger password (most users fall back on standbys like Password1$), and forced rotation usually results in a number being tacked onto the end of the old password, which only delays a capable attacker momentarily. The replacement is a much better approach: a “blacklist” of common passwords, checked at the time a password is chosen, lets an organization weed out the worst and most commonly compromised choices (password, 123456 and the like) and establishes better password hygiene. NIST’s list is meant to cover more than the top-N leaked passwords: passwords from previous breaches, dictionary words, repetitive or sequential strings, and context-specific words such as the username or the service name. If organizations build such lists from compromised-password databases gathered from various sources, they raise their security while actually removing some of the password-management burden placed on users.
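To make the approach concrete, here is an added example of a verifier-side password check in the spirit of SP 800-63B; it is illustration written for this page, not code from NIST, from the Kaspersky post, or from this blog. It enforces no composition rules and no rotation, only a length range and the blocklist categories described above. The common-password set, the breached-password hash store, the run length of 4 for repeated or sequential characters, and the names `check_password` and `has_repeat_or_sequence` are all assumptions constructed for the example.

```python
"""Added example: a password acceptance check in the spirit of NIST SP 800-63B.

No composition rules ("must contain a digit/symbol") and no forced rotation.
Instead: a minimum length, a generous maximum, and a blocklist check covering
common passwords (including the trailing-digit variants users reach for),
repeated or sequential runs, context-specific words, and a store of breached
password hashes.  Every list and threshold here is constructed for illustration.
"""
import hashlib
import re

MIN_LEN = 8   # SP 800-63B: user-chosen secrets must be at least 8 characters
MAX_LEN = 64  # SP 800-63B: verifiers should permit at least 64 characters

# Constructed sample of the most commonly compromised passwords (lower-cased).
COMMON = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def _sha1(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# Constructed store of breached passwords, kept as SHA-1 digests so the
# plaintexts never sit on the verifier.  A real deployment would load a
# breach corpus the same way (millions of digests instead of three).
BREACHED_SHA1 = {_sha1(p) for p in ("Summer2017!", "Tr0ub4dor&3", "monkey123")}

SEQ_RUN = 4  # assumption: 4+ identical or consecutive characters is a pattern


def has_repeat_or_sequence(pw: str, run: int = SEQ_RUN) -> bool:
    """True for runs like 'aaaa', '1234', 'abcd' or 'dcba' anywhere in pw."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context_word(pw: str, context: tuple) -> bool:
    """True if a username/service name of 3+ characters appears in pw."""
    s = pw.lower()
    return any(len(w) >= 3 and w.lower() in s for w in context)


def check_password(password: str, username: str = "", service: str = "") -> tuple:
    """Return (accepted, reason); reason is a short machine-readable tag."""
    if len(password) < MIN_LEN:
        return False, "too_short"
    if len(password) > MAX_LEN:
        return False, "too_long"
    norm = password.lower()
    # "Password1$" and "password2017" reduce to "password" once trailing
    # digits and symbols are dropped: the tacked-on-number trick.
    core = re.sub(r"[\d\W_]+$", "", norm)
    if norm in COMMON or core in COMMON:
        return False, "common_password"
    if has_repeat_or_sequence(password):
        return False, "repeated_or_sequential"
    if contains_context_word(password, (username, service)):
        return False, "context_word"
    if _sha1(password) in BREACHED_SHA1:
        return False, "known_breached"
    return True, "ok"


if __name__ == "__main__":
    for pw, user in (("Password1$", ""), ("correct horse battery staple", ""),
                     ("rain-alice-2019", "alice"), ("Tr0ub4dor&3", "")):
        print(repr(pw), "->", check_password(pw, username=user))
```

Note that the check runs against the whole candidate password, case-insensitively, rather than rejecting on the absence of a character class; Password1$ fails because its core is on the common list, not because it lacks a second symbol, and a long passphrase with no digits at all is accepted.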
2.) The US Takes On the World in NATO’s Cyber War Games (April 29, 2017)
Summary: Last year, Capt. Sean Ruddy and his team of operator-soldiers from the US Cyber Brigade entered Locked Shields, a NATO-organized cyber-defense war game that pits teams from dozens of countries against “live-fire” attacks. It was their first time. And of the 19 countries represented, the US finished dead last. This week, they got their shot at redemption.
Why it matters: Possibly the most interesting part of this article is not the detail on how the Cyber Brigade handled the opposing red team during the simulation (the US came in 12th out of 25 teams this year), but the fact that the gameplay also included decision making from a legal and diplomatic perspective. Attributing an attack to a specific threat actor, and then choosing the correct course of action under international law that was not written with cyberspace in mind, is a real challenge, and recent simulations and exercises put a greater focus on bringing policy-makers and leaders up to speed on what calls to make during a cyber incident and on making sure the call is the right one. This will matter most when a serious cyber incident occurs, and any such training gives these individuals context on when diplomacy can solve an issue and when it is time to drop a “cyber-bomb” on the adversary.
3.) Intel patches remote hijacking vulnerability that lurked in chips for 7 years (May 1, 2017)
Summary: Remote management features that have shipped with Intel processors since 2010 contain a critical flaw that gives attackers full control over the computers that run on vulnerable networks, according to advisories published by Intel and the researcher credited with discovering the critical flaw.
Why it matters: Potentially a serious problem, this vulnerability’s saving grace is that its exposed footprint was fairly small (roughly 7,000 hosts based on the Shodan scans cited in the article), because the remote management service has to be provisioned and reachable over the network for the attack to work. The problem would have been far more severe had it reached a larger share of Intel’s installed base, affecting not only servers but the workstations we use day to day. The downside is that the flaw lives in firmware: the fix has to arrive as a firmware update from each system vendor, which makes remediation slow and uneven, and a firmware update performed incorrectly risks bricking the device.
This vulnerability is also a good example of how bugs in operating-system and firmware code can sit undetected for years before they are found, disclosed and fixed.
Summary: When it comes to websites with bad password policies, there’s no shortage of bad actors. Sites—some operated by banks or other financial services—that allow eight- or even six-character passwords, sometimes even allowing letters to be entered in either upper- or lower-case? Yup. Sites that e-mail forgotten passwords in plaintext? Sadly, all the time. Ars largely stopped reporting on them because they’re better covered by Twitter accounts like this one.
But recently, I saw a site policy so bad I couldn’t stay quiet.