STE WILLIAMS

It’s May 2. Know what that means? Yep, it’s the PR orgy that is World Password Day… again

If there’s anything worse than having to constantly come up with and enter passwords, it’s the idiotic way in which we all do it.

Yep, it’s World Password Day again and that means one thing: companies of every hue and shade politely but firmly telling us we’re a disgrace.

Avast, for example, let us know that “unfortunately, many people around the world – including 83 per cent of Americans – use weak passwords that are easy to crack.” That’s right: more than 8 out of 10 people haven’t got the loudly shouted message. An unfortunate side-effect of this: there will never be an end to World Password Day.

Having established we’re all idiots, Avast – which, surprise surprise, sells security software – points out that 25 per cent of people have never – yes, never – changed their passwords. So the two main messages about passwords, namely:

  • Choose complex ones, and
  • Change them every so often

…are flushed right down the toilet.

In addition to Avast, there is no shortage of companies pointing out that having bad passwords is not the equivalent of getting takeout when you should really cook but can’t be bothered – it’s actually a big problem.

There have been an unprecedented number of massive data breaches in recent years where tens of millions of people’s usernames and passwords have been stolen – and are readily traded online. If you are still using that same password on another site, you are a sitting duck – and pretty much everyone is scrambling to deal with stolen ID crimes as a result.

Here’s another company – SecureAuth – pointing out that 81 percent of confirmed data breaches still involve weak, default or stolen passwords.

Blame spreading

Of course, people are smart and have checked whether their email address has been involved in a big data breach – using sites like Haveibeenpwned.com. No, of course they haven’t: 58 per cent of Americans have never checked according to Avast – and bear in mind that Avast surveyed its own users, people who have gone to the trouble of paying for security software.

But before you sysadmins start getting smug about how you use a password manager like 1Password and would never be caught up with your password pants down, we have some sobering news for you too.

OneLogin has yet more worrying stats: two-thirds (65 per cent) of sysadmins don’t check employee passwords against common password lists and more than three-quarters (75 per cent) of you don’t check employee passwords against password complexity algorithms.

Yes, that’s right – you are part of the problem. And while you can expect everyone to bitch and moan about having to come up with complex passwords, that’s also your job: an employee is likely using the same password for your internal systems as they are for Instagram.

According to OneLogin, 63 per cent of network administrators don’t require special characters or minimum length passwords. Numbers? 71 per cent don’t require them. Upper and lowercase? 72 per cent. And an amazing 63 per cent have not put password rotation policies in place. What are you doing, people?

Ok, we know what you’re doing. The same data dump points out that sysadmins waste two-and-a-half months every year resetting internal passwords. Janice may not realize how ridiculously easy it is to crack her clever “qwerty” password but at least you don’t have to deal with her every single Monday when she’s forgotten the complex one you “made” her come up with.

But you don’t get away with it that easily: 96 per cent of financial institutions still rely on legacy setups that tie usernames and passwords to authentication, according to OneSpan. And that is despite the fact that 44 per cent of account takeovers come from username/password combinations exposed in data breaches.

The answer!

There is hope of some sort: according to OneSpan, 60 per cent of those that it surveyed (“300 IT decision makers across the US,” apparently) “plan to invest in new multifactor authentication technologies in 2019, including biometrics and AI/machine learning.”

We wonder though whether that “plan to invest” is contingent on you getting the expanded budget you put in for this year. Which, let’s be honest, we all know you are not getting and that if you did you’ll spunk the money you could have spent on 2FA on that new server that you really don’t need.


But let’s get on to the inevitable closing part of World Password Day: what’s the solution? And guess what? Yes, it’s a password manager. For, like, the 50th year running.

But we have some other notable suggestions. Unisys reckons “maybe it should be called National PassPHRASE day! It’s the WORD in PassWORD that is one thing holding people back.”

It’s a fair point. But it’s like trying to get people to say “vacuum cleaner” instead of “Hoover” or “sticking plaster” instead of “Band-Aid.” Spackle. Google. Password. It ain’t gonna happen.

Here’s Rod Simmons, VP of Stealthbits, trying his hand: “After three decades of IT tormenting users about creating complex passwords then forcing them to come up with a new one every 60-90 days for some random sadistic reason…”

A strong start, we’re sure you’ll agree. What is Rod’s solution? NIST advice – specifically NIST 800-63b. He loves it. “What is great about the new guidance? Three benefits: 1) Only change passwords if there is sign of compromise or it is in a compromise dictionary; 2) Stop time-based password expiration; and 3) Relax complexity rules.”

Hang on. Those last two are what everyone else has just been ragging on everyone else for NOT doing.
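As an added illustration (not from the article or from any of the vendors quoted in it), here is a password check built along the 800-63B lines Rod Simmons describes, and covering the two checks OneLogin says most sysadmins skip: a minimum length and a lookup against a compromise dictionary, with no composition rules and no calendar-driven expiry. The breach corpus is constructed, and the SHA-1 prefix split is a local imitation of the k-anonymity range lookup that services such as Have I Been Pwned offer, so the candidate password never leaves the client.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed "compromise dictionary"; in practice this is a breached-password corpus.
BREACHED_PASSWORDS = {"password", "qwerty", "123456", "letmein", "Password1!"}

MIN_LENGTH = 8  # 800-63B minimum for a user-chosen memorized secret


def _sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first five hex digits of its SHA-1, the same split a
# k-anonymity range API uses: the client reveals only the prefix and compares
# the returned suffixes locally.
_RANGE_INDEX = {}
for _pw in BREACHED_PASSWORDS:
    _digest = _sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix: str) -> set:
    """Local stand-in for the remote range query: every known suffix for a prefix."""
    return _RANGE_INDEX.get(prefix.upper(), set())


def is_compromised(secret: str) -> bool:
    digest = _sha1_hex(secret)
    return digest[5:] in range_lookup(digest[:5])


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def evaluate_password(secret: str, username: str = "") -> Verdict:
    """Length and compromise checks only: no character-class rules, spaces allowed."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in secret.lower():
        reasons.append("contains the username")
    if is_compromised(secret):
        reasons.append("appears in a compromise dictionary")
    return Verdict(accepted=not reasons, reasons=reasons)


def rotation_required(days_since_change: int, compromised: bool) -> bool:
    """A change is forced only on evidence of compromise; the age is accepted and ignored on purpose."""
    return compromised


if __name__ == "__main__":
    for candidate in ("password", "short", "tea leaves over the harbour wall"):
        verdict = evaluate_password(candidate, username="janice")
        print(f"{candidate!r}: {'accepted' if verdict.accepted else verdict.reasons}")
```

The passphrase with spaces passes because length and absence from the corpus are the only criteria; the 400-day-old but uncompromised password in the test is left alone, which is the point of dropping time-based expiry.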

The real answer to passwords? Get rid of them altogether, says co-founder of Cequence Security, Ameya Talwalkar: “We hope to live in a password-less world, one day. Until then, protect yourself with a few good habits:

  • Do not use the same password across multiple sites.
  • Use biometric authentication on mobile phone apps.
  • Use at least two online password managers to securely save and sync your credentials.
  • Change passwords on finance and healthcare related applications on a regular basis.”

So there you go – the answer this year isn’t just a password manager. It’s TWO password managers!

And with that, we’ll give up giving contradictory and impossible advice for another year and going for a pint or six. ®

PS: We recommend multi-factor authentication, use unique per-website long pass phrases and a password manager if necessary, and change passwords if they are stolen.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/02/world_password_day/

Security Depends on Careful Design

Deploying focused edge protection on-site extends security beyond the network level to shield millions of previously exposed devices, apps, and control systems.

The need for security is not new. We’ve seen devastating cyberattacks across every industry and type of organization, from the breach of millions of consumer logins to state-sponsored cyberwarfare against the military. But these events don’t occur because of a blatant lack of security; actually, most organizations do have some form of cybersecurity.

While one in four organizations have designated cybersecurity teams, 40% of all US businesses still encountered at least one ransomware attack last year. The numbers continue to worsen as businesses begin to interconnect their systems — often a mix of legacy and modern Internet of Things (IoT) — and create webs of smart machines that can spread information, and malware, at lightning speeds.

The outlook is grimmer for industrial operations, which are controlling some of our most critical infrastructure and assets, and undergoing rapid modernization. Deloitte found that in 2016, companies in the energy sector reported 20% of all cyber incidents, coming in third behind manufacturing plants and communications networks. As these industries become increasingly “smart” and connected, the security risks multiply.

Historically, industrial operators “air-gapped” their networks, restricting access to their control devices and systems by isolating them on separate networks. While this minimized the risk of unauthorized access to physical and logical systems, the approach is becoming unsustainable. Industrial operators are connecting previously isolated assets and their data, linking them to applications running elsewhere in their domains and with the cloud, creating complex interactions that cannot be reconciled with closed architectures or system isolation. With vital systems connected, we need to take steps to create secure environments and mitigate growing vulnerabilities.

Security Gone Wrong
Beyond understanding the value that cybersecurity brings in protecting critical systems and information, the IT departments and decision-makers who deploy these solutions must understand how each design consideration affects their systems’ security and operation.

To demonstrate the importance of security design, let’s walk through a common setup in major industrial operations: a Windows computer with a programming application that accesses an industrial programmable logic controller (PLC). The following two examples are specific security features that are frequently deployed with good intentions. Yet these solutions fall short in the face of today’s multifaceted landscape of risks.

Scenario 1: Locking a PLC
One of the most popular PLC models enables the user to “lock” the PLC, as you would lock your personal cellphone. Only users who know about the PLC and its passcode can unlock it. This seems like a logical solution to ensure that the device is inaccessible to unauthorized parties.

However, the moment that particular PLC is unlocked, anyone who is on the broader system’s network has access to the PLC. For instance, anyone could use the PLC vendor’s programming software to connect to the PLC in question.

Figure: Unencrypted, easily stolen, unlocked password passing over the network. Source: Susanto Irwan

Scenario 2: Locking the Software
A step up from locking a PLC is locking software itself. One of the most popular programming software suites offers the ability to lock access to that software, preventing unauthorized users from making changes in code that affect the system or other devices.

However, this is only locally enforced, functioning within that particular software and machine where it is running. This means that a malicious user could run another instance of the same programming software on a different machine, make changes, and gain access to that PLC without authorization to do so.

Layered Security Design, Threat Modeling, and Continuous Iterations
Attackers will exploit the easiest and quickest way into a system. And in the scenarios described above, the critical missing component was secure identity-based access covering the entire system, regardless of device or software.

Just as anyone on a network has access to an online PLC, they also can lock the PLC — without having to authenticate the person applying the lock. As a result, a malicious user or malware can lock a PLC, then hide or discard the password. Having blocked every legitimate user from that device, they then have free rein to use it to distribute ransomware. When access depends on possessing a device or remembering a specific passcode, that passcode is easy to obtain, or to leave in plain sight for external parties to exploit.

These security measures might have been designed with the best intentions but can easily backfire, shutting down industrial operations and costing millions of dollars in lost production (and worse, havoc wrought on the system). In both scenarios, the neglected steps to thwarting malicious actors were 1) continuously iterating the security design, 2) implementing threat models, and 3) applying layered security. And to cover all the necessary ground, security solutions must be built from the ground up around universal, role-based access.
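The missing component the article names, identity-based access enforced for the whole system rather than per device or per software copy, can be sketched as a small policy enforcement point between engineering workstations and PLCs. This is an added example, not Xage’s product or code from the article; the roles, usernames, HMAC-signed tokens and lock bookkeeping are constructed stand-ins for a real identity provider. It shows the difference from Scenario 1: a lock is accepted only from an authenticated engineer, it records who applied it, every decision is written to an audit trail, and a site admin can clear it, so a discarded passcode cannot hold the device hostage.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed role policy: which PLC operations each role may perform.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "controls_engineer": {"read", "write", "lock", "unlock"},
    "site_admin": {"read", "unlock"},  # can clear a stale lock but cannot program
}


@dataclass
class Plc:
    name: str
    locked_by: Optional[str] = None  # the identity holding the lock, never a bare passcode


@dataclass
class Gateway:
    """Hypothetical policy enforcement point between engineering workstations and PLCs."""
    signing_key: bytes
    users: dict  # username -> role
    plcs: dict   # plc name -> Plc
    audit: list = field(default_factory=list)

    def issue_token(self, username: str) -> str:
        # Stand-in for a real identity provider: a bearer token bound to the user by HMAC.
        tag = hmac.new(self.signing_key, username.encode(), hashlib.sha256).hexdigest()
        return f"{username}:{tag}"

    def _identify(self, token: Optional[str]) -> Optional[str]:
        """Return the authenticated username, or None for a missing or forged token."""
        if not token or ":" not in token:
            return None
        username, tag = token.rsplit(":", 1)
        expected = hmac.new(self.signing_key, username.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, expected) and username in self.users:
            return username
        return None

    def request(self, token: Optional[str], plc_name: str, op: str) -> Tuple[bool, str]:
        """Authenticate, authorise by role, honour an existing lock, and record the decision."""
        plc = self.plcs[plc_name]
        user = self._identify(token)
        if user is None:
            return self._decide(False, "anonymous", plc, op, "not authenticated")
        if op not in ROLE_PERMISSIONS.get(self.users[user], set()):
            return self._decide(False, user, plc, op, "role lacks permission")
        if op in ("write", "lock") and plc.locked_by not in (None, user):
            return self._decide(False, user, plc, op, f"locked by {plc.locked_by}")
        if op == "lock":
            plc.locked_by = user  # attributable, so the lock can always be reviewed and cleared
        elif op == "unlock":
            plc.locked_by = None
        return self._decide(True, user, plc, op, "ok")

    def _decide(self, allowed: bool, user: str, plc: Plc, op: str, why: str) -> Tuple[bool, str]:
        self.audit.append((user, plc.name, op, allowed, why))
        return allowed, why


if __name__ == "__main__":
    gw = Gateway(b"constructed-demo-key",
                 {"alice": "controls_engineer", "bob": "viewer", "carol": "site_admin"},
                 {"plc-7": Plc("plc-7")})
    print(gw.request(None, "plc-7", "lock"))                       # anonymous lock refused
    print(gw.request(gw.issue_token("alice"), "plc-7", "lock"))    # engineer may lock
    print(gw.request(gw.issue_token("carol"), "plc-7", "unlock"))  # admin clears it
    for entry in gw.audit:
        print(entry)
```

The audit list is what turns the “who locked this PLC?” question from guesswork into a lookup; a real deployment would ship it to a SIEM rather than keep it in memory.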

A New Architecture
Organizations must define their security policies in accordance with the risks at hand for their systems and operational scope — e.g., what are my requirements for credentials and access if there are hundreds or thousands of devices and employees logging in to the network every day? — before designing and developing their security functions. From there, it is imperative to rigorously test these functions across both static and dynamic threats, zero-day attacks, and various means of penetration from unauthorized third parties. These diagnostics can thus feed into an ongoing model of the threats at hand, and inform the organization’s security measures as they evolve over time.

Figure: Recommended cycle for evaluating threats and security needs, designing security functions, and deploying solutions that comprehensively protect systems. Source: Susanto Irwan

Access control for industrial devices and systems is now a fundamental component of security compliance to protect their integrity, reliability, and safe operation — and to enable IoT at industrial scale. But in industrial operations, which are physically disparate and varied in connectivity, we must move beyond one centralized security center to a decentralized model. By deploying smaller, focused devices, we can extend beyond network-level security to protect millions of previously exposed devices and control systems at the operational edge. This increases the universal enforcement of access control, and if one device or group of devices becomes compromised, can prevent the shutdown — or devastating attack — of an entire network.


Susanto Irwan is the Co-Founder and Vice President of Engineering at Xage. Prior to Xage, Susanto held senior engineering and product development roles at Shape Security and Arxan Technologies (acquired by TA Associates). Susanto has over 16 years of experience in security, …

Article source: https://www.darkreading.com/vulnerabilities---threats/security-depends-on-careful-design-/a/d-id/1334543?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security Doesn’t Trust IT

How a rocky relationship between IT operations and cybersecurity teams can compound security risks.

IT operations and security teams share the bulk of responsibility for protecting organizations from digital threats. Unfortunately, lack of trust between the two can compromise security.

As part of its “Getting Your House in Order” report, commissioned by 1E, Vanson Bourne analysts polled 600 senior IT decision makers: 300 from IT operations and 300 from IT security across the US and UK. Their idea was to evaluate cybersecurity challenges from both teams. What they found is a “crisis of trust” causing existing security problems to grow more serious.

Sixty percent of respondents say they had suffered a “serious” security breach in the past two years; 30% have experienced more than one. The leading causes of breaches are lack of clear security protocols (52%) and unpatched software (51%), followed by a lack of collaboration between IT operations and security (42%), and a lack of patch automation (40%).

Most (93%) practitioners polled say they face challenges. Securing new technologies is at the top of the list, with 48% of respondents saying it was an issue, followed by restrictive budgets (39%) and a lack of understanding between IT operations and security (35%), which tied with legacy systems. Eighty percent of those surveyed say digital transformation drives cybersecurity risk, with 73% reporting they are now more dependent on software than they were 12 months ago.

Less than one-quarter of respondents think IT operations and security teams work well together to secure the organization. Experts point to poor cohesion and disparity in objectives: IT ops will typically push forward with projects, which are then slowed by security’s precautions.

In most organizations, the change management process is owned by IT ops, which considers the business use case, effects on business processes, and how to make necessary changes. It’s security’s job to point out problems and IT’s job to fix them. But data shows lack of trust here is causing friction: Nearly half (49%) of security pros say they can rely on IT to cover security alerts; even fewer feel IT can cover data breaches (48%) or keep software up to date (47%).

Software updates are a primary concern: Two-thirds of organizations’ software is current, while 34% of endpoints remain vulnerable to threats; on average, respondents say they only have visibility of 64% of their total software estate. Further, 68% have migrated devices to Windows 10, which is now 4 years old. Windows 7 is reportedly losing support on Jan. 14, 2020, and 58% of respondents think failure to meet the cutoff will mean “significant security risk.”

“If you don’t have visibility into one-third of your endpoints, then how is security meant to trust you in patching all those machines and making sure they’re safe?” says 1E CEO Samir Karayi. He’s especially concerned about how teams struggle with visibility and software updates. “Those are a pretty fundamental sort of thing that operations need to be doing,” he adds.

The rocky IT-security relationship affects the perception each team has of the other. Three-quarters of respondents think IT has a “keep the lights on” attitude that prioritizes availability over security. Nearly two-thirds say the security team knows how to keep the business secure, but IT operations teams make securing the organization more complicated. Nearly all (97%) said their businesses as a whole would benefit from better collaboration between IT and security.

“The steps in working together are pretty simple,” Karayi says. “I think it’s a mindset thing.” Because they distrust one another, IT and security often end up buying and using different tools, which contributes to conflict. He suggests starting with transparency: getting the two groups together to discuss their goals and objectives, so everyone is on the same page.

It’s also important to get the board involved. When it’s time to talk budget, 90% of respondents say their organizations prioritize other issues over cybersecurity. Better reporting practices and performance measurements could help drive both funding and awareness for security.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/security-doesnt-trust-it---and-it-doesnt-trust-security/d/d-id/1334599?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Misconfigured Ladders Database Exposed 13M User Records

Job-hunting site Ladders leaves job seeker data exposed on the Internet.

Another company has misconfigured another AWS-hosted database, and this time the results are 13 million user profiles exposed. Employment-recruitment site Ladders exposed the records of job seekers who had signed up for the possibility of landing a high-end position.

Security researcher Sanyam Jain found the database as part of his ongoing research on exposed data. The information left open included contact details and detailed employment histories — information that could be used by attackers to form compelling spear phishing messages.

According to a TechCrunch report, Ladders removed the database from public view within an hour of being contacted by the publication.


Article source: https://www.darkreading.com/attacks-breaches/misconfigured-ladders-database-exposed-13m-user-records/d/d-id/1334600?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Exploits For Old Configuration Issues Heighten Risk for SAP Customers

Exploits give attackers a way to create havoc in business-critical SAP ERP, CRM, SCM, and other environments, Onapsis says.

Exploits targeting a couple of long-known misconfiguration issues in SAP environments have become publicly available, putting close to 1 million systems running the company’s software at risk of major compromise.

Risks include attackers being able to view, modify, or permanently delete business-critical data or taking SAP systems offline, according to application security vendor Onapsis.

The exploits, which Onapsis has collectively labeled 10KBLAZE, were publicly released April 23. They affect a wide range of SAP products, including SAP Business Suite, SAP S/4 HANA, SAP ERP, SAP CRM, and SAP Process Integration/Exchange Infrastructure.

The exploits are not targeting any inherent security vulnerabilities in SAP’s code, Onapsis says. Rather, they target improperly configured access control lists (ACLs) in SAP Gateway and SAP Message Server. SAP Gateway handles communications between SAP and non-SAP systems, and Message Server does communication and load balancing between SAP app servers. The two components are present in many SAP environments.

SAP Gateway ACL files are currently delivered in secure mode by default. But on older versions, the default configuration was insecure and allowed attackers a way to bypass security mechanisms and take full remote control of a SAP system to steal or manipulate data. Improperly configured ACLs on SAP Message Server, meanwhile, allow any host with network access to the server to register a fake app server in the SAP system, Onapsis said. This could enable man-in-the-middle attacks and allow attackers to gain full control of the SAP environment.

SAP long ago highlighted these issues to customers and has provided instructions on how to properly configure the ACL files. Even so, these ACL files remain open to exploitation at a very high percentage of SAP environments. According to Onapsis, publicly available data and its own research over the past 10 years suggest that as many as 900,000 systems across 50,000 companies worldwide may have the misconfigurations for which exploits are now newly available.
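To make the ACL point concrete, here is a small audit script, added here and not Onapsis’s or SAP’s tooling, that flags permit rules whose host fields are wildcards and warns when a file contains no rules at all. The sample files are constructed; their line syntax follows the P/D key=value layout of SAP Gateway reginfo/secinfo files and the HOST= lines of the Message Server ACL as I understand them, and the file names, hardened values and the claim that an empty file permits every host are assumptions to confirm against SAP’s own documentation before relying on them.

```python
# Constructed sample ACL files. Assumed rule syntax: an action letter P (permit)
# or D (deny) followed by KEY=VALUE tokens for Gateway files; bare HOST=... lines
# for the Message Server ACL, where every entry is a permit.
INSECURE_REGINFO = """#VERSION=2
P TP=* HOST=* ACCESS=* CANCEL=*
"""

HARDENED_REGINFO = """#VERSION=2
P TP=* HOST=local ACCESS=local CANCEL=local
P TP=* HOST=internal ACCESS=internal CANCEL=internal
D TP=*
"""

INSECURE_MS_ACL = "HOST=*\n"

HARDENED_MS_ACL = """HOST=sapapp01.corp.example
HOST=sapapp02.corp.example
"""

# Fields that name a host or host list; "*" in any of them on a permit rule
# means any network peer may register or start programs.
HOST_FIELDS = {"HOST", "ACCESS", "CANCEL", "USER-HOST"}


def parse_rules(text: str) -> list:
    """Return (action, {KEY: VALUE}) per rule line, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] in ("P", "D"):
            action, pairs = tokens[0], tokens[1:]
        else:
            action, pairs = "P", tokens  # Message Server style: no action letter, always a permit
        fields = {}
        for token in pairs:
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key.upper()] = value
        rules.append((action, fields))
    return rules


def audit_acl(text: str, name: str) -> list:
    """Findings for one ACL file; an empty list means no wildcard permits were found."""
    rules = parse_rules(text)
    if not rules:
        return [f"{name}: no rules present; an absent or empty ACL permits every host"]
    findings = []
    for number, (action, fields) in enumerate(rules, start=1):
        if action != "P":
            continue
        wild = sorted(k for k, v in fields.items() if k in HOST_FIELDS and v == "*")
        if wild:
            findings.append(f"{name} rule {number}: permit rule matches any host in {', '.join(wild)}")
    return findings


if __name__ == "__main__":
    samples = [("reginfo", "insecure", INSECURE_REGINFO), ("reginfo", "hardened", HARDENED_REGINFO),
               ("ms_acl_info", "insecure", INSECURE_MS_ACL), ("ms_acl_info", "hardened", HARDENED_MS_ACL)]
    for name, state, text in samples:
        print(name, state, audit_acl(text, name) or ["clean"])
```

Run against the real files pulled from each application server, the same function gives a per-instance list that can be tracked to zero; the `TP=*` on the hardened lines is deliberate, since restricting the program name does nothing if the host fields are wide open.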

SAP Environments a Black Box for IT
Juan Perez-Etchegoyen, CTO at Onapsis, says the root cause for the high prevalence of misconfigured systems — despite all the warnings about the risks — is the tendency by SAP teams to operate on their own without proper oversight from the IT security team.

“SAP implementations have their own IT, their own security teams, and their own admins,” Perez-Etchegoyen says. “Everyone is focusing on operational availability. We always find they are not properly addressing cybersecurity risk.”

Historically, the SAP environment has been something of a black box for enterprise IT teams. They haven’t had much of an opportunity to implement controls and have defined policies for SAP environments. So it is not unusual at all to see these misconfigurations present in a high proportion of SAP customer sites, Perez-Etchegoyen notes.

SAP environments that are potentially exposed should address the issue promptly because exploits are now available. Properly maintaining and updating an ACL involves some administrative overhead, but the benefits of doing so far outweigh the costs considering the risks involved, he says.

Onapsis has provided signatures for the exploits to major security vendors and incident responders to enable detection and monitoring for the exploits. The company is also working with government organizations and SAP service providers to coordinate a response. Additionally, Onapsis has made its intrusion detection available free to all SAP customers, the company said.

This is another example of the need for organizations to address the security of ERP platforms and to ensure proper security and governance for the environment, Perez-Etchegoyen says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/new-exploits-for-old-configuration-issues-heighten-risk-for-sap-customers/d/d-id/1334602?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Extortionists leak data of huge firms after IT provider refuses to pay

Financial data from some of the world’s biggest companies – including Porsche, Oracle, Toshiba and more – has been stolen and published in a ransomware attack on the large, Germany-based IT provider Citycomp.

Citycomp, which says that it maintains over 70,000 servers and storage systems “of every type and size” in 75 countries, issued a statement saying that it had “successfully fended off a hacker attack” in early April and that it has no intention of complying with the blackmail attempt.

Given its refusal to capitulate, Citycomp said, the data couldn’t be saved from being doxxed. “Full transparency” was in place and it informed its customers “right from the start,” it said.

[Citycomp] does not yield to blackmail. The repercussion is the publication of the stolen customer data.

While Citycomp said that the attack had been stopped, a security firm it’s working with and which was authorized to speak to Motherboard told the publication that as of Tuesday, it was ongoing. Michael Bartsch, executive director of Deutor Cyber Security Solutions:

Citycomp has been hacked and blackmailed and the attack is ongoing. We have to be careful as the whole case is under police investigation and the attacker is trying all tricks.

The hackers created a .onion Dark Web site where the stolen data can be browsed and downloaded. The list of victims includes names such as Porsche, Oracle, Toshiba, the New Yorker, Ericsson, Leica, UniCredit, British Telecom, Hugo Boss, NH Hotel Group, and Airbus, among many others. On the site, the hackers claim that they have “312,570 files in 51,025 folders, over 516GBb data financial and private information on all clients.”

Figure: A screenshot of the dark web site housing the Citycomp data

Bartsch told Motherboard that after informing and warning all clients, being fully transparent from the get-go, their support has been “unanimous.”

The hacker(s) told Motherboard in an email that the point of the attack was financial: using the handle Boris Bullet-Dodger, they told Motherboard’s Joseph Cox that they had demanded $5,000 from Citycomp.

“Boris” claimed to have prowled Citycomp’s systems for just over a month, and that they targeted Citycomp specifically because “they have an [sic] totally awful security system.”

The hacker(s) said they had no intention of extorting the client companies themselves:

No, these companies are not guilty of awful work of citycomp.

What to do?

As we’ve mentioned before when reporting about ransomware, defending against a determined, targeted attack demands defense in depth, and, as in many things, prevention is better than cure. That starts with ensuring that your systems are patched and your Remote Desktop Protocol (RDP) is secure, and finishes with regular, comprehensive, off-site backups, with much else in between.

To read more about those things and the preventive steps you can take to protect yourself against targeted ransomware of all stripes, read our article on how to defend against SamSam ransomware.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3P0Cjr96TnU/

Is a sticky label the answer to the IoT’s security problems?

If the security of Internet of Things (IoT) devices is one of tech’s big worries, how might this be turned around?

In the UK, the Government just published new details of its surprising and unfashionable answer – a sticky label.

Called ‘Secure by Design’ since first being mooted in 2018, this won’t simply be a nice-to-have sticker. In time it could become a legal requirement to display it on anything sold with IoT features, such as internet TVs, home security cameras, IoT toys, and home appliances.

Right now, the legal bit remains an aspiration subject to further consultation, but legislation appears to be on the cards at some point, perhaps by next year.

Rather than get mired in complicated security concepts, Secure by Design cleverly zeroes in on three fundamental problems that bedevil IoT devices and device security in general.

“IoT device passwords must be unique and not resettable to any universal factory setting.”

The industry has been getting better at avoiding this pitfall in recent years (witness the way broadband routers now ship with unique admin and Wi-Fi passwords) but a lot of mass-market IoT gadgets still ignore this simple principle.

“Manufacturers of IoT products provide a public point of contact as part of a vulnerability disclosure policy.”

A simple and radical suggestion – if you make something there should be a way for researchers to tell you that something’s broken in it that needs fixing. There’s plenty of anecdotal evidence that some mass-market manufacturers, at least, are completely oblivious to this concept.

“Manufacturers explicitly state the minimum length of time for which the device will receive security updates through an end of life policy.”

This is where things become uncomfortable for device makers. The first two above require a change of culture but wouldn’t cost much to implement. This one, however, could be a sticking point.

Big brands such as Google, Apple and Microsoft already offer a clear indication on the life expectancy of their products, but they are the exception rather than the rule. For most product makers, the idea of a defined life expectancy with a legally binding update schedule to maintain is anathema, because it adds ongoing costs that play havoc with their investment model.

Notice that Secure by Design doesn’t, as it stands, tell makers how long this should be, simply that they should be upfront about their intentions.

Good luck to anyone who can figure out a sure-fire way of putting that into practice. The danger is that device makers come up with clever ways to downplay its importance or hide the information in small print.

A waste of time then?

The idea of government imposing national security standards on equipment is still alien to an industry built on easy investment, time-to-market, and barely any regulation beyond that required for electrical safety.

And yet security standards that get their timing right have a habit of becoming de facto, a good example being the way stringent cybersecurity regulations in tiny Singapore have influenced compliance standards far beyond its borders.

Once a higher standard has been set, larger manufacturers with economies of scale often buckle down and treat it as a useful guide. The fact that the UK Government says it has taken input on Secure by Design from Amazon, Philips, Panasonic, Samsung, Miele, Yale and Legrand is encouraging.

Let’s see whether Secure by Design’s code of practice gets watered down or ends up being optional. But cynics shouldn’t assume it will.

Some will argue that had governments laid out stringent security regulations in advance of IoT being invented, investors would have shied away from investing.

Then again, had that happened there would also be no IoT security problem to worry about. To borrow an old adage: if you think security is expensive try living in a world that doesn’t have any.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ASUfzhKg2_M/

DHS policies allow unlimited, warrantless device search

A lawsuit against warrantless searches at US border points has revealed that the Department of Homeland Security (DHS) has given its border patrol agents free rein to conduct warrantless, suspicion-less device searches for pretty much any reason at all.

The lawsuit was filed against DHS in 2017 by the Electronic Frontier Foundation (EFF) and the ACLU on behalf of 11 people. Those people include a military veteran, journalists, students, an artist, a NASA engineer, and a business owner, all of whom experienced forced, warrantless searches of their cellphones and laptops at the border.

On Tuesday, the ACLU and the EFF filed evidence in court showing policies and practices of Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP) that authorize officers to conduct warrantless, suspicion-less device searches for purposes that have nothing to do with immigration or customs laws, including:

…enforcing bankruptcy, environmental, and consumer protection laws, and for intelligence gathering or to advance pre-existing investigations.

The documents show that border agents are also allowed to consider requests from other government agencies to search devices, the EFF said.

Agents are empowered to search electronic devices even when the actual target isn’t the traveler standing in front of them – such as when the traveler is a journalist or scholar with foreign sources who are of interest to the US government, or when the traveler is the business partner of someone under investigation.

Both agencies also allow agents to retain the data they copy off devices and share it with other government entities, including state, local, and foreign law enforcement agencies. They’re none too careful with that data, either, as we learned in December when the Office of Inspector General (OIG) filed a report with DHS about border agents copying travelers’ data and leaving it kicking around on USB drives that they don’t always erase and sometimes misplace.

The searched

The EFF named the 11 people listed in the lawsuit, some of whom we’ve written about.

They include natural-born US citizen Sidd Bikkannavar. He’s a NASA engineer who was detained by US Customs and Border Protection (CBP) in 2017 and pressured to hand over his NASA-issued phone and the PIN to get into it.

This, in spite of the fact that the work-issued phone could have contained sensitive information relating to his employment at the space agency, and in spite of the fact that NASA employees are obligated to protect all work-related information. A CBP officer returned his phone after a half hour, saying that it had been searched using “algorithms”.

Also among the plaintiffs is artist Aaron Gach, another natural-born US citizen who was forced to unlock his phone after returning from putting on a gallery installation in Brussels. That installation focused on “mass incarceration, government control, and political dissent”.

Another plaintiff is Diane Maye, a college professor and retired US Air Force officer who was detained for two hours at Miami International Airport when coming home from a vacation in Europe in June.

Akram Shibly is also a plaintiff. The independent filmmaker, who lives in upstate New York, was crossing the US-Canada border when a CBP officer ordered him to hand over his phone.

Just three days earlier, CBP had searched his phone, when he was returning from a work trip in Toronto, so Shibly declined. He’s alleging that officers then physically restrained him, with one choking him and another holding his legs, and took his phone from his pocket. He alleges that he suffered “great pain and fear of death”. The officers kept the phone, which was already unlocked from the search of three days prior, for over an hour before giving it back.

How is this legal?

Border crossings are commonly referred to as “constitution-free” zones where protections against unreasonable search are somehow suspended. That’s not strictly true, as the ACLU has noted, but the search rules certainly are different. The rights group has been trying to legally compel border agents to comport with the Fourth Amendment, which prohibits unreasonable searches and seizures.

The ACLU says that the Fourth Amendment’s protection of the privacy of a cellphone was made clear in Riley v. California, a landmark 2014 case in which the Supreme Court unanimously held that the warrantless search and seizure of the digital contents of a cellphone during an arrest is unconstitutional.

The Supreme Court has also ruled against warrantless phone search in cases such as US vs. Jones.

The EFF and ACLU have moved for a summary judgment – i.e., a request for the court to rule that the other party has no case, because there are no facts at issue, and therefore the case shouldn’t go before a jury at all – to block warrantless searches of electronic devices at US ports of entry.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8AB-gSQ4ywc/

World Password Day – what (NOT!) to do

Today is World Password Day, and that means it’s a day that’s all about caring and sharing…

…but WITHOUT THE SHARING!

We made a short video to catch your attention:


None of the passwords in the video seem truly terrible – there’s no 123456 and no password, after all.

But all the passwords you see in the video are easily guessable, even though most of them aren’t dictionary words, and all of them come from a recently released list of the top 100,000 passwords.

So don’t take password shortcuts to save a few seconds a day in your digital life – if you’re serious about keeping the crooks out, don’t make it easy for them to get in!

Our recommendations are:

Happy World Password Day – and stay safe out there!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KUw_T57dd-8/

World Password Day or Groundhog Day?

Despite decades trying to fortify our passwords with bolt-on solutions, attackers have always found ways to defeat them. Here are four reasons why.

Happy World Password Day! This year’s “Hallmark-Holiday-for-Password-Maintenance,” May 2, coincides with the commemoration of another event: the 40-year anniversary of then 16-year-old Kevin Mitnick’s infamous hack on Digital Equipment Corporation (DEC). Posing as a system developer, Mitnick stole login credentials for the Ark computer system. He achieved this by successfully phishing for credentials, allowing him and his associates unfettered access to the system to exfiltrate source code and other software.

If Mitnick’s associates hadn’t reported the crime to the police, the credential theft may never have been solved. Labeled as “cyberspace’s most wanted” by The New York Times, Mitnick and his escapades offer an important reminder that — despite overwhelming evidence and decades-long efforts to improve front-line security — passwords are ineffective against cyberattacks. It’s long past the time that we adopt smarter, better security solutions.

The purpose of World Password Day, as the official site says, is “to raise awareness about the critical need for good passwords.” If the daily deluge of data breach stories in the media isn’t evidence enough, consider this statistic, from “Shape Security’s 2019 Credential Spill Report”: In 2017, more than 2.3 billion credentials from 51 different organizations were reported compromised.

Fighting a Losing Battle
Fast forward to March 2019, and despite repeated urgent warnings to deploy stronger controls whenever a data breach occurs, the Identity Theft Research Center (ITRC) recorded 79 data breaches exposing 3.3 million sensitive records. Leading causes include unauthorized access, hacking, and employee error or negligence. Indeed, World Password Day feels more like the 1993 time-loop movie Groundhog Day; despite countless warnings to strengthen our passwords, we repeatedly experience credential-related breaches nearly every day.

When looking for reasons, four issues stand out.

Reason 1: Too Many Reused, Easy Passwords
“123456,” “123456789,” “qwerty,” and “password” remain the most popular password choices — and people use them over and over again. According to the UK’s National Cyber Security Centre (NCSC), password reuse is the norm: More than 50% of all users rely on the same password to log in to multiple accounts, with many toggling between consumer sites and corporate systems.

It’s easy to blame lazy users for the problem. But the truth is, the industry expects a lot from individuals, who are continually asked to create longer, more complex passwords with a mix of symbols, cases, and numbers — making them even harder to remember. Password managers are useful, but only 12% of Americans use one.

Reason 2: Phishing Doesn’t Need a License
Phishing lures from fake invoices, bogus email delivery failure notices, file-sharing services, ersatz legal notices, and financial services notices remain the leading method of attack according to “Symantec’s 2018 Internet Security Threat Report.” People are still clicking on them despite widespread educational efforts across enterprises, industries, and social networks.

Reason 3: Corporate Negligence
Just this year alone, Facebook revealed that hundreds of millions of passwords in plain text were accessible to over 20,000 employees — and a few weeks later admitted that millions of Instagram passwords were also exposed.

Even more insidious is that individuals and groups openly sell stolen passwords and email addresses. In January, cybersecurity researcher Troy Hunt disclosed that nearly three-quarters of a billion email addresses and 21 million passwords were available on a hacker forum. A study by Google puts the number of credentials available on the black market at almost 2 billion. Concerned Internet users can see if their password has been exposed on Pwned Passwords, which provides a database of more than a half-billion real-world passwords previously exposed in data breaches.

Reason 4: The Growing Epidemic of Credential Stuffing
Then there’s the matter of credential stuffing, the process of acquiring a cache of previously stolen credentials and using them, often in an automated fashion, to gain unauthorized access to a resource. It is a popular technique for attackers to break into both consumer and enterprise accounts because people often reuse passwords across multiple accounts.
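Credential stuffing has a recognisable shape in authentication logs, which is what defenders key on: one source address failing against many different accounts in a short time, rather than one account failing repeatedly. The following is an added example (not from the article): a small Python detector over constructed log lines that flags such source addresses with a sliding window and lists the accounts that nonetheless logged in from them, since those are the ones to reset. Log format, addresses and thresholds are all assumptions.

```python
"""Added example (not from the article): a minimal credential-stuffing detector.
Stuffing replays stolen pairs, so one source fails against MANY DIFFERENT accounts
in a short time, while a user mistyping a password fails against ONE account.
Log format "<ISO time> <FAIL|OK> user=<name> ip=<addr>" and values are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime
SAMPLE_LOG = """\
2019-05-02T10:00:01 FAIL user=alice ip=203.0.113.7
2019-05-02T10:00:02 FAIL user=bob ip=203.0.113.7
2019-05-02T10:00:03 FAIL user=carol ip=203.0.113.7
2019-05-02T10:00:04 OK user=dave ip=203.0.113.7
2019-05-02T10:00:05 FAIL user=erin ip=203.0.113.7
2019-05-02T10:00:06 FAIL user=frank ip=203.0.113.7
2019-05-02T10:00:10 FAIL user=alice ip=198.51.100.23
2019-05-02T10:00:20 OK user=alice ip=198.51.100.23
2019-05-02T10:00:30 FAIL user=bob ip=198.51.100.9
2019-05-02T10:05:00 FAIL user=carol ip=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")
def parse_events(log_text):
    """(timestamp, result, user, ip) per well-formed line; malformed lines skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, result, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events
def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Map each suspicious source IP to the accounts it failed against in a window."""
    failures = defaultdict(list)
    for ts, result, user, ip in parse_events(log_text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = defaultdict(set)
    for ip, attempts in sorted(failures.items()):
        attempts.sort()
        in_window, start = Counter(), 0
        for ts, user in attempts:
            in_window[user] += 1
            while (ts - attempts[start][0]).total_seconds() > window_seconds:
                in_window[attempts[start][1]] -= 1  # expire the oldest attempt
                start += 1
            in_window = +in_window  # drop users no longer in the window
            if len(in_window) >= min_distinct_users:
                flagged[ip] |= set(in_window)
    return dict(flagged)
def compromised_accounts(log_text, flagged_ips):
    """Accounts that logged in OK from a flagged IP: reset them and tell the user."""
    return {user for _, result, user, ip in parse_events(log_text)
            if result == "OK" and ip in flagged_ips}
```

On the constructed sample, only 203.0.113.7 is flagged, and the single success from it (dave) is the account that needs a forced reset; the slow two-account source and the user retrying their own password are left alone.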

Bottom line: The continued reliance on passwords is not sustainable and has utterly failed us. Passwords are an outdated authentication method and have consistently proven ineffective in today’s threat landscape.

Once upon a time, passwords were cool and had a purpose. Prohibition-era speakeasies come to mind. In 1932, Professor Quincy Adams Wagstaff (Groucho Marx) may have been the very first analog-style phisher when he duped Baravelli the Ice Man (Chico Marx) into giving him permission to enter a party in a delightful scene from the 1932 comedy Horse Feathers. At the end of the film, once inside the party, Prof. Wagstaff wisely changes the password, aware that Baravelli already knew it. Then, he forgets it.

In our digital lives, we follow the same ridiculous paradigm, only with far graver consequences. While we’ve spent decades trying to fortify our passwords with bolt-on solutions, attackers have always found ways to defeat them. World Password Day, while likely well-intentioned, shows just how urgently we must move on and kick our addiction to passwords. Let’s use the day to take an enlightened approach to truly protect our identities.


Stephen Cox is a technology veteran with nearly 20 years in the IT industry, including 10 years of experience leading software development teams in the security industry. A key player in some of the most influential IT security firms in the world, he is recognized as an …

Article source: https://www.darkreading.com/endpoint/authentication/-world-password-day-or-groundhog-day/a/d-id/1334579?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple