Updated password guidelines say everything we thought about passwords is wrong

No more periodic password changes

– It has been clear for a long time that forced periodic changes do not improve password security but make it worse (users respond with predictable increments), and the updated NIST guidance (SP 800-63B) now says so explicitly

No more imposed password complexity

– Users no longer have to be “creative” in the way complexity rules force them to be, producing passwords like “Password1$” that satisfy every rule and provide only a false sense of security

Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.
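What a verifier built on these three points looks like, as an added example for this roundup (it is not code from NIST or from the original page): a length floor, no composition rules, no expiry, and a mandatory blocklist check. The compromised-password list is a constructed five-entry sample standing in for a real breach corpus such as Pwned Passwords, kept as SHA-1 digests the way such corpora are usually distributed; SERVICE_NAME is an assumed value for the "expected word" check.

```python
"""Password acceptance check along the lines of the updated NIST SP 800-63B
guidance: no composition rules and no expiry, but a length floor and a
mandatory blocklist check for commonly-used, expected and compromised
passwords.

Added example for this roundup, not code from NIST or from the original page.
The compromised-password list is a constructed sample; a deployment would load
millions of digests from a breach corpus instead. SERVICE_NAME is assumed.
"""
import hashlib
import re
from typing import Tuple

MIN_LENGTH = 8       # 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64      # verifiers must accept at least this much
SERVICE_NAME = "examplebank"  # assumed: name of the service being protected

# Constructed sample of "known compromised" values, stored only as digests.
_SAMPLE_COMPROMISED = ["password", "Password1$", "123456", "qwerty", "letmein"]
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_COMPROMISED
}


def is_compromised(password: str) -> bool:
    """Look the candidate up by digest; the plaintext never goes into the set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in COMPROMISED_SHA1


def is_repetitive_or_sequential(password: str) -> bool:
    """Catch 'aaaaaaaa' and 'abcdefgh'-style strings, the other 800-63B blocklist class.

    Repetitive: one character four or more times in a row.
    Sequential: four or more characters whose code points step by the same +1/-1.
    """
    if re.search(r"(.)\1{3,}", password):
        return True
    steps = [ord(b) - ord(a) for a, b in zip(password, password[1:])]
    run = 1
    for prev, cur in zip(steps, steps[1:]):
        if cur == prev and cur in (1, -1):
            run += 1
            if run >= 3:  # three equal unit steps = four characters in sequence
                return True
        else:
            run = 1
    return False


def validate_password(password: str, username: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Cheapest checks first, the blocklist last."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    lowered = password.lower()
    # "Expected" passwords: ones built from the username or the service name
    for word in (username.lower(), SERVICE_NAME.lower()):
        if word and word in lowered:
            return False, f"contains expected value '{word}'"
    if is_repetitive_or_sequential(password):
        return False, "repetitive or sequential characters"
    if is_compromised(password):
        return False, "found in compromised-password list"
    # Deliberately no "must contain a digit and a symbol" rule and no expiry:
    # length plus the blocklist is the whole gate.
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Password1$", "examplebank2018", "correct horse battery staple"]:
        print(repr(candidate), validate_password(candidate, "alice"))
```

Note the ordering: "Password1$" passes length and has no forbidden pattern, and is rejected only by the blocklist, which is exactly the case complexity rules miss. A real deployment would also rate-limit the check and keep the corpus lookup offline or behind a k-anonymity range query so that candidate passwords never leave the verifier.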

SJ system hacked: all passwords to be changed

SJ has been the target of fraud and login credentials have leaked. Customers have also had their so-called priority points stolen. All 1.3 million users must now change their passwords. -/-

From what we have been able to see so far, it is most likely members who used the same password on other sites who have been affected. The passwords leaked out, and the fraudsters were then able to use them to get into our site, says Jan Sjölund.

According to the head of security, the passwords did not leak from SJ.

http://www.gp.se/nyheter/sverige/sj-system-hackat-samtliga-l%C3%B6senord-byts-1.11772999

We need a broader education in "Practical Paranoia"

A few organisations already send out fake phishing emails, offering the employees caught up in these pseudo-scams additional training (and, presumably, unbeknownst to them, additional monitoring). While a good beginning, we need a broader education in "Practical Paranoia": how to tell the difference

between commercial interest and national interest;
between marketing hype and political propaganda;
between authentic relationship and clever manipulation.

Without that training – and the techniques flowing from it – technology will remain the plaything of those who have mastered the arts of control.

https://www.theregister.co.uk/2018/11/13/security/

Common password attack methods

81 percent of hacking-related breaches occurred due to either stolen or weak passwords. -/-

The easiest way to gain access to information is by guessing an end user’s password. Many hackers extensively analyze both the keywords used in an organization as well as the keywords used in competitor organizations.
Hackers typically string together a set of potential keywords that may be commonly used by employees to get into a company’s network.

Instead of trying multiple passwords for one user, hackers try the same set of passwords for many users until they eventually get one password right. If they are lucky enough to land an administrator-level password, the organization is doomed.
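The two patterns contrasted above, many passwords against one account and one password against many accounts, leave opposite shapes in an authentication log, and the second one (password spraying) is designed to stay under per-account lockout thresholds, which is why counting failures per user alone misses it. The detection below is an added example for this roundup, not code from the original page or from the linked ebook; the log lines are constructed for the example (RFC 5737 documentation addresses), laid out the way OpenSSH writes them to syslog, and the thresholds are assumptions to tune per environment.

```python
"""Tell password spraying apart from plain brute force in sshd logs.

Added example; not code from the original page or from the linked ebook.
The log lines are constructed for the example, the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample. 203.0.113.7 tries one guess against six accounts and
# then logs in as frank; 198.51.100.9 hammers a single account; 192.0.2.5 is
# a user who mistyped once.
SAMPLE_LOG = """\
Nov 13 10:00:01 bastion sshd[2021]: Failed password for alice from 203.0.113.7 port 51122 ssh2
Nov 13 10:00:03 bastion sshd[2022]: Failed password for bob from 203.0.113.7 port 51123 ssh2
Nov 13 10:00:05 bastion sshd[2023]: Failed password for invalid user carol from 203.0.113.7 port 51124 ssh2
Nov 13 10:00:07 bastion sshd[2024]: Failed password for dave from 203.0.113.7 port 51125 ssh2
Nov 13 10:00:09 bastion sshd[2025]: Failed password for erin from 203.0.113.7 port 51126 ssh2
Nov 13 10:00:11 bastion sshd[2026]: Failed password for frank from 203.0.113.7 port 51127 ssh2
Nov 13 10:02:40 bastion sshd[2040]: Accepted password for frank from 203.0.113.7 port 51200 ssh2
Nov 13 10:05:00 bastion sshd[2101]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Nov 13 10:05:02 bastion sshd[2102]: Failed password for admin from 198.51.100.9 port 40002 ssh2
Nov 13 10:05:04 bastion sshd[2103]: Failed password for admin from 198.51.100.9 port 40003 ssh2
Nov 13 10:05:06 bastion sshd[2104]: Failed password for admin from 198.51.100.9 port 40004 ssh2
Nov 13 10:05:08 bastion sshd[2105]: Failed password for admin from 198.51.100.9 port 40005 ssh2
Nov 13 10:05:10 bastion sshd[2106]: Failed password for admin from 198.51.100.9 port 40006 ssh2
Nov 13 10:06:00 bastion sshd[2150]: Failed password for alice from 192.0.2.5 port 33000 ssh2
Nov 13 10:06:05 bastion sshd[2151]: Accepted password for alice from 192.0.2.5 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

MIN_DISTINCT_USERS = 5      # assumption: a spray touches many accounts
MAX_ATTEMPTS_PER_USER = 3   # assumption: sprayers stay under lockout thresholds
BRUTE_FORCE_ATTEMPTS = 5    # assumption: this many failures on one account
WINDOW_SECONDS = 600        # assumption: activity inside ten minutes
LOG_YEAR = 2018             # syslog timestamps carry no year; assumed here


def parse(log: str) -> List[dict]:
    """Turn matching sshd lines into events; unrelated lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def classify_sources(events: List[dict]) -> Dict[str, dict]:
    """Per source IP, label the failure pattern 'spray' or 'brute_force'.

    Spray: many distinct users, few failures each, inside the window.
    Brute force: one account, many failures. Sources matching neither are omitted.
    For either kind, a later success from the same source names the account
    to reset first.
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        if not fails:
            continue
        per_user: Dict[str, int] = defaultdict(int)
        for e in fails:
            per_user[e["user"]] += 1
        first = min(e["ts"] for e in fails)
        span = (max(e["ts"] for e in fails) - first).total_seconds()

        if (len(per_user) >= MIN_DISTINCT_USERS
                and max(per_user.values()) <= MAX_ATTEMPTS_PER_USER
                and span <= WINDOW_SECONDS):
            kind = "spray"
        elif max(per_user.values()) >= BRUTE_FORCE_ATTEMPTS:
            kind = "brute_force"
        else:
            continue
        compromised = sorted({e["user"] for e in evs
                              if e["result"] == "Accepted" and e["ts"] >= first})
        report[ip] = {"kind": kind, "users_tried": len(per_user),
                      "failures": len(fails), "span_seconds": span,
                      "compromised": compromised}
    return report


if __name__ == "__main__":
    for ip, r in classify_sources(parse(SAMPLE_LOG)).items():
        print(ip, r)
```

The spraying source never trips a per-account threshold (one failure per user), so a lockout policy alone would not have noticed it; it is the fan-out across accounts from one source, followed by a success, that gives it away. In an environment where the attacker rotates source addresses, group by the password-attempt timing or by the set of targeted users instead of by IP.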

https://www.inuit.se/ebook-active-directory-password-policy-enforcer

Most enterprise vulnerabilities remain unpatched a month after discovery

More bugs are being squashed by the enterprise, but the time it takes to do so leaves organizations at risk.

According to CA Veracode’s latest State of Software Security (SOSS) report, up to 70 percent of bugs remain unpatched four weeks after disclosure, and close to 55 percent are not resolved three months after discovery.

Vulnerabilities impacting organization networks, apps, and infrastructure are not all equal, and part of responsible security practice is that IT staff triage issues so that the bugs considered most dangerous to that company are resolved and patched first.

However, according to the cybersecurity firm, 25 percent of vulnerabilities which are attributed high-severity ratings are not addressed within 290 days, and a quarter of disclosed bugs which may not be so critical remain unpatched well after a year.

https://www.zdnet.com/article/the-majority-of-vulnerabilities-remain-unpatched-a-month-after-discovery

How to protect your phone or computer when crossing borders

Border agents have broad powers to search people crossing borders, including their phones and laptops. But there are ways to protect your data when crossing international borders if you understand the technology and the law.

-/-

US Customs and Border Protection (CBP) agents are responsible for enforcing immigration laws and preventing the entry of criminals. Courts have so far ruled that they are allowed to search your devices for any reason or no reason at all. You might get flagged for a device search because there is something wrong with your travel documents, your name is in a law enforcement database, or you were simply chosen for random search.

There are two levels of search, according to the CBP policy on device searches. A basic search is a simple inspection of your data, including your apps, photos, chats, and other files. An advanced search involves using external equipment to access files (including deleted data), copy data, and analyze it. For an advanced search, CBP agents need reasonable suspicion of a crime or violation, or a national security concern, together with supervisor approval.

Agents can also “detain” your device for a “reasonable period of time” while they extract your data, copy it, or attempt to break your passwords or encryption.

https://protonmail.com/blog/border-crossing-protect-electronics/

Column: A dirty end for the internet's biggest ghost town

Despite billions invested, the forced enrolment of every Gmail user and seven years of trying, Google never got its social network Google+ off the ground. Now that the network is being shut down, it is after users' privacy was put at risk by a security hole.

-/-

But the reason Google is finally pulling the plug on Google+ is a serious one. In March this year a security hole was discovered that made the private data of half a million users available to friends and third-party apps. Disclosing a serious security hole six months after its discovery, and only after the Wall Street Journal had exposed it, would have been a serious breach of the GDPR, which came into force two months after the leak. They will probably be sued in the US as well.

https://www.jajja.com/jajja-magazine/ett-smutsigt-slut-for-internets-storsta-spokstad/

Protect your computer against phishing attempts and other forms of online fraud

https://support.office.com/sv-se/article/skydda-datorn-mot-n%C3%A4tfiskef%C3%B6rs%C3%B6k-och-andra-former-av-onlinebedr%C3%A4gerier-be0de46a-29cd-4c59-aaaf-136cf177d593