The Biggest “Small” Personal Digital Security Mistakes

Let’s briefly discuss five commonly-forgotten security best practices, and explore the potential real-life impact on our personal security if we neglect to perform them.

  • Home Router Security
  • Multi-Factor Authentication on Email
  • Multi-Factor Authentication on Apple ID and Microsoft Accounts
  • Facebook Authentication and Privacy
  • Always Lie On Security Questions

Swedish online casino singled out in giant leak

A group of online casinos, belonging to several different owners, has leaked sensitive personal data about players, deposits and withdrawals. One of the sites is based in Sweden.

A group of online casinos has leaked information on over 108 million bets, including players’ personal data, deposits and withdrawals. The information leaked from an Elasticsearch server that was exposed to the internet without a password. The leak was discovered by security researcher Justin Paine, ZDNet reports.

Updated password guidelines say everything we thought about passwords is wrong

No more periodic password changes

– It’s been clear for a long time that periodic changes do not improve password security but only make it worse, and now NIST research has finally provided the proof.

No more imposed password complexity

– Users can now be less “creative” and avoid passwords like “Password1$”, which only provide a false sense of security.

Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.
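The three points above, as an added example that is not from the original page or from NIST: a Python password check that drops composition rules, enforces a minimum length (8 characters, an assumed value) and compares several normalised forms of the candidate against a blocklist, so that the trailing digit-and-symbol decoration and letter substitutions that satisfied the old rules (“Password1$”, “P@ssw0rd1!”) no longer help. The blocklist is a constructed handful of entries; a real deployment loads a breach-derived list.

```python
import re
import unicodedata

# Constructed sample blocklist; a real deployment loads a large breach-derived list.
BLOCKLIST = {"password", "123456", "12345678", "qwerty", "letmein", "welcome",
             "summer", "admin"}
MIN_LENGTH = 8  # assumed minimum; use the value your own policy requires

# Substitutions people use to satisfy composition rules (@ -> a, $ -> s, 0 -> o, ...).
_SUBSTITUTIONS = str.maketrans("@$0134", "asoiea")


def legacy_complexity_ok(pw: str) -> bool:
    """The old 'complexity' rule: length plus upper, lower, digit and symbol.
    It is satisfied by 'Password1$', which is exactly the problem."""
    return (len(pw) >= MIN_LENGTH
            and bool(re.search(r"[A-Z]", pw))
            and bool(re.search(r"[a-z]", pw))
            and bool(re.search(r"\d", pw))
            and bool(re.search(r"[^A-Za-z0-9]", pw)))


def candidate_forms(pw: str) -> set:
    """Forms of the password compared against the blocklist: Unicode compatibility
    form in lower case, the same with trailing digits/symbols removed, and that
    with common substitutions undone ('P@ssw0rd1!' -> 'p@ssw0rd' -> 'password')."""
    core = unicodedata.normalize("NFKC", pw).lower()
    # An all-digit/symbol password would strip to nothing; keep the core then.
    stripped = re.sub(r"[\d\W_]+$", "", core) or core
    return {core, stripped, stripped.translate(_SUBSTITUTIONS)}


def evaluate(pw: str) -> tuple:
    """Updated-guidance check: no composition rules, only length and a blocklist.
    Returns (accepted, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if candidate_forms(pw) & BLOCKLIST:
        return False, "matches a commonly used or compromised password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1$", "P@ssw0rd1!", "Summer2019!", "12345678",
                      "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{candidate!r:32} legacy={legacy_complexity_ok(candidate)!s:5} "
              f"updated={evaluate(candidate)}")
```

Running the block shows the contrast the guidance is about: every decorated dictionary word passes the legacy rule and fails the blocklist, while a long passphrase fails the legacy rule and passes.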

SJ system hacked – all passwords to be changed

SJ has been the target of a fraud and login credentials have leaked. Customers have also had their so-called priority points stolen. Now all 1.3 million users must change their passwords. -/-

“From what we have been able to see so far, it is most likely members who have used the same password on other sites who have been affected. The passwords have leaked, and these fraudsters have then been able to use them to get into our site,” says Jan Sjölund.

The passwords did not leak from SJ, according to the security chief.

http://www.gp.se/nyheter/sverige/sj-system-hackat-samtliga-l%C3%B6senord-byts-1.11772999

We need a broader education in “Practical Paranoia”

A few organisations already send out fake phishing emails, offering the employees caught up in these pseudo-scams additional training (and, presumably, unbeknownst to them, additional monitoring). While a good beginning, we need a broader education in “Practical Paranoia”: how to tell the difference

between commercial interest and national interest;
between marketing hype and political propaganda;
between authentic relationship and clever manipulation.

Without that training – and the techniques flowing from it – technology will remain the plaything of those who have mastered the arts of control.

https://www.theregister.co.uk/2018/11/13/security/

Common password attack methods

81 percent of hacking-related breaches occurred due to either stolen or weak passwords. -/-

The easiest way to gain access to information is by guessing an end user’s password. Many hackers extensively analyze both the keywords used in an organization as well as the keywords used in competitor organizations. Hackers typically string together a set of potential keywords that may be commonly used by employees to get into a company’s network.

Instead of trying multiple passwords for one user, hackers try the same set of passwords for many users until they eventually get one password right. To their luck, if they happen to land an administrator-level password, the organization is doomed.

https://www.inuit.se/ebook-active-directory-password-policy-enforcer

Most enterprise vulnerabilities remain unpatched a month after discovery

More bugs are being squashed by the enterprise, but the time it takes to do so leaves organizations at risk.

According to CA Veracode’s latest State of Software Security (SOSS) report, up to 70 percent of bugs remain unpatched four weeks after disclosure, and close to 55 percent are not resolved three months after discovery.

Vulnerabilities impacting organization networks, apps, and infrastructure are not all equal, and part of responsible security practice requires that IT staff triage issues so as to resolve and patch the bugs considered the most dangerous to that company.

However, according to the cybersecurity firm, 25 percent of vulnerabilities assigned high-severity ratings are not addressed within 290 days, and a quarter of disclosed bugs which may not be so critical remain unpatched well after a year.

https://www.zdnet.com/article/the-majority-of-vulnerabilities-remain-unpatched-a-month-after-discovery