This is your Shared Security Weekly Blaze for May 6th 2019 with your host, Tom Eston. In this week’s episode: Is this the end of password expiration policies, are there cameras recording you on an airplane, and the unknown data breach exposing 80 million records.
Protect your digital privacy with Silent Pocket’s product line of patented Faraday bags, phone cases, and wallets which will make your devices untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order during checkout. Visit silentpocket.com today to take advantage of this exclusive offer.
Hi everyone, welcome to the Shared Security Weekly Blaze where we update you on the top 3 cybersecurity and privacy topics from the week. These podcasts are published every Monday and are 15 minutes or less, quickly giving you “news that you can use”.
Last week Microsoft came out and admitted that password expiration policies are essentially useless, calling these requirements “an ancient and obsolete mitigation of very low value”. In a blog post about updated security baseline settings for Windows 10 and Windows Server, Microsoft says that password expiration policies really don’t provide additional security. Microsoft says that “If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem”. Now this doesn’t mean that password expirations are going away anytime soon, but in regard to the Microsoft security baseline, it means that if an organization uses this baseline, password expiration will be optional and not enforced. The current recommendation in the industry is to use blacklists of banned passwords, implement multi-factor authentication, and detect password guessing attempts.
I can say that for once I actually agree with Microsoft here. Password expiration is really an outdated practice, so it’s good to see Microsoft getting with the times. Be sure to check out our upcoming monthly show where Scott and I delve deeper into this topic. In the meantime, let’s see how many organizations follow this sound advice from Microsoft.
In related news, the UK’s National Cyber Security Centre released an analysis of the 100,000 most common passwords from recent data breaches and hacking campaigns. The most common passwords consist of ‘123456’ at 23.2 million, ‘123456789’ at 7.7 million, followed by ‘qwerty’, ‘password’, and ‘111111’. My non-scientific analysis tells me that people are just lazy, picking weak passwords like this! Let’s hope that more sites use password blacklists that help prevent users from selecting these really poor passwords.
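To make the two recommendations above concrete (a blacklist of banned passwords, and detection of password guessing attempts instead of forced expiration), here is an added example in Python. It is not code from the podcast, Microsoft or the NCSC: the denylist is seeded only with the five passwords named above, the authentication log lines are constructed, and their syslog-like format is an assumption for the sake of the example.

```python
"""Added example (not from the podcast): a defender-side password policy check
that follows the guidance discussed above. It rejects passwords found on a
denylist of commonly breached passwords and flags password-guessing from an
authentication log, rather than relying on periodic expiration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed denylist seeded with the entries named in the NCSC analysis.
# A real deployment would load a much larger breached-password list.
BANNED_PASSWORDS = {"123456", "123456789", "qwerty", "password", "111111"}

# Fold the usual character substitutions so 'P@ssw0rd' compares as 'password'.
LEET_MAP = str.maketrans("@$013!", "asolei")


def normalize(password: str) -> str:
    return password.lower().translate(LEET_MAP)


def is_banned(password: str, denylist=BANNED_PASSWORDS) -> bool:
    """True if the password, or a trivial variant of it, is on the denylist."""
    candidates = {password.lower(), normalize(password)}
    # Also strip trailing digits so 'qwerty2019' is caught by the 'qwerty' entry.
    candidates |= {c.rstrip("0123456789") for c in candidates}
    return any(c in denylist for c in candidates)


# Constructed auth log (hypothetical format): timestamp, facility, result, user, source IP.
AUTH_LOG = """\
2019-05-06T08:00:01 auth FAIL user=alice src=203.0.113.10
2019-05-06T08:00:03 auth FAIL user=bob src=203.0.113.10
2019-05-06T08:00:04 auth FAIL user=carol src=203.0.113.10
2019-05-06T08:00:06 auth FAIL user=dave src=203.0.113.10
2019-05-06T08:00:07 auth FAIL user=erin src=203.0.113.10
2019-05-06T08:00:09 auth FAIL user=frank src=203.0.113.10
2019-05-06T08:01:00 auth OK   user=alice src=198.51.100.7
2019-05-06T08:05:00 auth FAIL user=bob src=198.51.100.7
2019-05-06T09:30:00 auth FAIL user=bob src=198.51.100.7
"""


def parse_auth_log(text: str):
    """Parse the constructed log into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash on them
        ts, _facility, result, user, src = parts
        events.append((datetime.fromisoformat(ts), result,
                       user.split("=", 1)[1], src.split("=", 1)[1]))
    return events


def detect_guessing(events, window=timedelta(minutes=5), threshold=5):
    """Return {source IP: max failures seen inside any sliding window} for
    sources that reach the threshold. Keying on the source rather than the
    user also catches spraying of one password across many accounts."""
    failures = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "FAIL":
            failures[src].append(ts)
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Qwerty2019", "correct horse battery staple"):
        print(f"{pw!r}: {'REJECT' if is_banned(pw) else 'ok'}")
    print("guessing sources:", detect_guessing(parse_auth_log(AUTH_LOG)))
```

The normalization step matters more than the list itself: without it, users route around a blacklist by appending a digit or swapping an `@` for an `a`, which is exactly the behaviour forced expiration encourages. The sliding-window detector is deliberately keyed on source address so that a single source trying one password against many accounts is flagged even though no individual account sees more than one failure.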
If you fly United, Delta, or American Airlines, have you recently noticed that there is now a sticker over what looks to be a camera on the entertainment system found on the back of seats? If so, this is because of recent privacy complaints from passengers who thought that these cameras were recording them on the airplane. United told BuzzFeed News that the cameras were never activated and were installed by the manufacturer for possible future applications such as video conferencing. As an additional measure, all three airlines decided to put stickers on these cameras to alleviate any customer privacy concerns.
You may remember that back in February a photo of a camera on a Singapore Airlines entertainment system went viral on Twitter and caused quite the privacy controversy. On top of that, there has been a more recent concern over facial recognition technology being used by Delta, JetBlue and other airlines to replace boarding passes. These new systems are being tested out by US Customs and Border Protection right now at certain airports to further screen passengers by matching the picture taken of you to your passport photo. In most cases you can opt out of these scans, but non-US citizens traveling to or from the US may not be able to opt out.
And now a word from our sponsor, Edgewise Networks.
Organizations’ internal networks are overly permissive and can’t distinguish trusted from untrusted applications. Attackers abuse this condition to move laterally through networks, bypassing address-based controls to spread malware. Edgewise abstracts security policies away from traditional network controls that rely on IP addresses, ports, and protocols and instead ties controls directly to applications and their data paths.
Edgewise allows organizations to analyze the network attack surface and segment workloads based on the software and how it’s communicating. Edgewise monitors applications and protects data paths using zero trust segmentation.
Visit edgewise.net to get your free month of visibility.
Security researchers from vpnMentor discovered an unprotected database that included identifying information on more than 80 million US households. Apparently, a 24 gigabyte database was found on a Microsoft cloud server that contained household records including full names, marital status, income bracket, age, address, date of birth and, most concerning, the latitude and longitude of their exact location. In a blog post last week vpnMentor asked for the public’s help to identify the company that this database belonged to. To me this was a little confusing, since the IP address belonged to Microsoft’s cloud service and obviously Microsoft would know the person or company hosting this database. Microsoft did release a statement saying that “We have notified the owner of the database and are taking appropriate steps to help the customer remove the data until it can be properly secured”. Still, no owner of the data itself has been identified or released. What’s also interesting about the data is that it only lists adults ages 40 or older. This means that if this data was already accessed by scammers, more older adults in the US may be targeted with ransomware and other phishing attacks. As I’ve mentioned on the show before, the elderly are frequent targets for these types of attacks. Oh, and I’m in my 40s but would not consider myself or others my age elderly! But I think you get my point.
That’s all for this week’s show. Be sure to follow the Shared Security Podcast on Facebook, Twitter and Instagram for the latest news and commentary. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts, or watch and subscribe on our YouTube channel. Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.