
World Password Day: Experts Warn of Weak Passwords, Offer Security Tips

By: Alan J
3 May 2024 at 03:43


Passwords remain the most common instrument for securing our digital lives, yet they also remain the basis of targeted attacks by cybercriminals. World Password Day on May 2nd serves as an obligatory reminder of the importance of robust password practices. In light of this day, experts have offered key insights and secure password recommendations to strengthen password security and safeguard personal data from malicious attacks.

Secure Password Recommendations for World Password Day

Weak passwords are enticing to attackers because they can grant access to many kinds of sensitive data: personal data, financial information, identity documents or other compromising details. According to Kaspersky telemetry, at least 32 million password-based attacks were attempted in 2023. While that number has dropped from about 40 million incursions in 2022, it remains a cause for concern. Here are some expert-backed secure password recommendations to mitigate the risks of password-based cyber threats and maintain personal security online:

  • Creating Strong and Memorable Passwords: Experts recommend the "association method" as an effective way to craft strong yet memorable passwords. It involves building passwords from word sequences or concepts that are personally significant. For example, a quote or event you are fond of can be used to form a sequence that is easy to recall because of its personal significance but remains a challenge for outsiders to guess.
  • Embracing Non-Standard Options: Unique or uncommon password characters such as emojis are an alternative to commonly known words. Because emojis are part of the Unicode standard, they offer a range of characters that would be difficult to crack through automation. Incorporating emojis into passwords can enhance security while adding a creative touch to login credentials.
  • Avoiding Common Pitfalls: It remains important to steer clear of common and easily guessable passwords like "1234" or "password." Cybercriminals exploit such predictable choices through automated brute-forcing techniques. Users may find it hard to keep track of passwords, since most platforms require a minimum mix of symbols, letters and numbers; password managers can generate strong, unique passwords and keep them safe.
  • One Account, One Password Strategy: Managing multiple accounts can be challenging, but adopting a one-account-one-password strategy enhances personal security by limiting the potential impact of a compromised password. Password managers can assist with the creation and maintenance of different passwords.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Dropbox Sign customer data accessed in breach

2 May 2024 at 16:44

Dropbox is reporting a recent “security incident” in which an attacker gained unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. During this access, the attacker had access to Dropbox Sign customer information.

Dropbox Sign is a platform that allows customers to digitally sign, edit, and track documents. The accessed customer information includes email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The access is limited to Dropbox Sign customers and does not affect users of other Dropbox services because the environments are largely separate.

“We believe that this incident was isolated to Dropbox Sign infrastructure and did not impact any other Dropbox products.”

Even if you never created a Dropbox Sign account but received or signed a document through Dropbox Sign, your email address and name were exposed. In a government (8-K) filing about the incident, Dropbox says it found no evidence of unauthorized access to the contents of customers’ accounts (i.e. their documents or agreements), or to their payment information.

The attacker compromised a back-end service account that acted as an automated system configuration tool for the Dropbox Sign environment. The attacker used the privileges of the service account for the production environment to gain access to the customer database.

To limit the aftermath of the incident, Dropbox’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens.

For customers with API access to Dropbox Sign, the company said new API keys will need to be generated and warned that certain functionality will be restricted while they deal with the breach.

Dropbox says it has reported this event to data protection regulators and law enforcement.

Recommendations

Dropbox expired affected passwords and logged users out of any devices they had connected to Dropbox Sign for further protection. The next time these users log in to their Sign account, they’ll be sent an email to reset the password. Dropbox recommends users do this as soon as possible.

If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. Here is how you can easily create a new key.

API customers should be aware that names and email addresses for those who received or signed a document through Dropbox Sign, even if they never created an account, were exposed. So, this may impact their customers.

Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.

If you reused your Dropbox Sign password on any other services, we strongly recommend that you change your password on those accounts and use multi-factor authentication when available.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.


The UK Bans Default Passwords

2 May 2024 at 07:05

The UK is the first country to ban default passwords on IoT devices.

On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted.

The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with consumers about how long their products will receive security updates for.

The UK may be the first country, but as far as I know, California is the first jurisdiction. It banned default passwords in 2018, the law taking effect in 2020.

This sort of thing benefits all of us everywhere. IoT manufacturers aren’t making two devices, one for California and one for the rest of the US. And they’re not going to make one for the UK and another for the rest of Europe, either. They’ll remove the default passwords and sell those devices everywhere.

Another news article.

UK Government Law Will Soon Prohibit Passwords Such As “admin” or “12345”

By: Alan J
30 April 2024 at 00:36


The UK government has taken steps to safeguard consumers from cyberattacks by prohibiting common and easily-guessable passwords such as "admin" or "12345". The UK government law comes into effect on 29 April 2024 and will mandate manufacturers, importers, and distributors of consumer connectable products in the UK to follow the obligations and standards set in the 'UK Product Security and Telecoms Infrastructure (PSTI) Act 2022' as well as the 2023 Regulations under the same act. The law aims at setting minimum security standards that must be followed before consumer devices can be sold in the UK, to protect UK homes.

UK Government Law Was Passed in 2022; Will Come into Effect This Year

These measures are part of the Product Security and Telecommunications Infrastructure (PSTI) Act passed in 2022, together with additional regulations passed in 2023. They are designed to bolster the UK's resilience against cyber attacks and disruptive interference, following growing concern over a series of incidents and the counter-legislation proposed in response. A NordPass study in 2023 found that "123456, password, qwerty, Liverpool..." were among the most used passwords in the UK, highlighting that default and weak passwords remain a relevant concern today.

Beyond passwords, the new legislation also tackles shortcomings in existing incident reporting procedures and update periods. On reporting, the law requires manufacturers to provide consumers with details on how to report security issues in their products, and timely updates until resolution; this information must be made available without request and free of charge, and must be "accessible, clear, and transparent." On updates, the law requires the minimum update period, together with an end date, to be published and made clearly accessible to the consumer in a transparent manner. That information must be understandable to a reader without prior technical knowledge.
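The two articles above (the World Password Day advice against "1234"/"password" and emoji passwords, and the PSTI ban on defaults such as "admin" or "12345") describe what a password policy should reject but not how a service or device enforces it. The following is an added example, not code from either article or from any vendor named on this page: a server-side policy check that blocklists the common and default passwords the articles name (a constructed, deliberately short list; production systems use a full breach-derived list), rejects a password equal to the username (the classic admin/admin default), and measures UTF-8 byte length, because emoji take four bytes each and bcrypt hashes only the first 72 bytes of its input, so an emoji-heavy password can be silently truncated. The 12-code-point minimum and the function names are assumptions.

```python
import unicodedata

# Constructed sample blocklist: the defaults and common choices named in the articles
# (a real deployment uses a full breach-derived list; this set is for illustration only).
COMMON_PASSWORDS = {"admin", "1234", "12345", "123456", "password", "qwerty", "liverpool"}

MIN_CODEPOINTS = 12        # assumed policy minimum, measured in Unicode code points
BCRYPT_INPUT_LIMIT = 72    # bcrypt hashes only the first 72 bytes of its input


def normalize(password: str) -> str:
    """NFC-normalise so composed and decomposed forms of the same text (accented
    letters, emoji with or without variation selectors) map to one canonical
    string. The same normalisation must be applied at enrolment and at login,
    otherwise a password typed on a different keyboard may fail to verify."""
    return unicodedata.normalize("NFC", password)


def _blocklist_base(password: str) -> str:
    """Lower-case and strip trailing digits/punctuation so trivial variants such
    as 'Password1!' or 'Liverpool2024' still match the blocklisted word."""
    return password.lower().rstrip("0123456789!@#$%^&*.,-_")


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy violations found; an empty list means the password is acceptable.
    Violation codes: too_short, common, matches_username, bcrypt_truncation."""
    pw = normalize(password)
    problems: list[str] = []
    if len(pw) < MIN_CODEPOINTS:
        problems.append("too_short")
    if pw.lower() in COMMON_PASSWORDS or _blocklist_base(pw) in COMMON_PASSWORDS:
        problems.append("common")
    if username and pw.lower() == normalize(username).lower():
        problems.append("matches_username")      # e.g. the default admin/admin pair
    # Emoji and other non-ASCII characters occupy 2-4 UTF-8 bytes each, so a password
    # that looks short in characters can still overrun bcrypt's 72-byte limit.
    if len(pw.encode("utf-8")) > BCRYPT_INPUT_LIMIT:
        problems.append("bcrypt_truncation")
    return problems


def utf8_length(password: str) -> tuple[int, int]:
    """(code points, UTF-8 bytes): shows why emoji passwords need byte-aware limits."""
    pw = normalize(password)
    return len(pw), len(pw.encode("utf-8"))


if __name__ == "__main__":
    # Constructed candidates: a factory default, a dictionary variant,
    # a long passphrase, and an emoji-only password that overruns bcrypt.
    samples = [("admin", "admin"), ("Password1!", "alice"),
               ("correct horse battery staple", "alice"), ("\U0001F510" * 20, "alice")]
    for candidate, user in samples:
        print(repr(candidate), utf8_length(candidate), check_password(candidate, user) or "ok")
```

The byte-length check matters in practice: if the hashing layer truncates at 72 bytes, two passwords that differ only after the 18th emoji hash identically, so the policy should either reject such inputs or pre-hash them before bcrypt, and either way it should measure bytes, not characters.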

UK Government Law Could Fine Violators £10 Million or Up to £20,000 a Day

According to the law, the Office for Product Safety and Standards (OPSS) is responsible for enforcing the act from 29 April 2024. Manufacturers, vendors, or firms that fail to comply with the regulations could face fines of up to £10 million or four percent of their global turnover, plus up to £20,000 a day for an ongoing violation.

This new UK law arrives as the EU Cyber Resilience Act draft, including recent amendments, makes the rounds for legislative discussion. That Act obliges manufacturers and retailers to follow minimum security requirements throughout the product lifecycle. Once the Cyber Resilience Act passes, which is expected in early 2024, internet-connected products and software would be required to undergo independent assessments to check that they comply with the new standards.

AT&T Passcodes for Millions Are Reset After Leak of Customer Records

30 March 2024 at 18:03
Nearly eight million customers and 65.4 million former account holders were affected by the data breach, the company said.


AT&T reset the passwords of millions of its customers in the wake of a data breach.