Month: December 2018
It’s the time of year when the poor password practices of users are highlighted. This month has seen the list of the worst passwords of 2018 published and a list of 2018’s worst password offenders.
The Worst Passwords of 2018
So, what were the worst passwords of 2018? SplashData has recently published a list of the worst passwords of 2018 which shows little has changed since last year. End users are still making very poor password choices.
To compile the list, SplashData analyzed passwords that had been revealed through data dumps of passwords obtained in data breaches. More than 5 million exposed passwords were sorted to find out not only the weakest passwords used, but just how common they were. The list of the top 100 worst passwords of 2018 was published, although we have only listed the top 25 worst passwords of 2018:
Top 25 Worst Passwords of 2018
Unsurprisingly, there has been no change in the top two passwords this year. 123456 and password have held number 1 and 2 spots for the past five years. Donald is a new addition but would not keep a user’s account secure for long, even if their name isn’t Donald. 654321 is also new this year but offers little more protection than 123456.
Other new entries include qwerty123 and password1 – Clear attempts to get around the requirement of including numbers and letters in a password.
How common are the worst passwords of 2018? According to SplashData, 3% of users have used 123456 and 10% of people have used at least one password in the list of the top 25 worst passwords of 2018!
Poor Password Practices and the Worst Password Offenders of 2018
DashLane has published its list of the worst password offenders of the year. In addition to the list containing users who have made very poor password choices by selecting some of the worst passwords of 2018, the report highlights some of the terrible password practices that many individuals are guilty of. Poor password practices that render their passwords absolutely useless.
This year has seen many major password failures, several of which came from the White House, where security is critical. Topping the list was a password faux pas by a visitor to the oval office – Kanye West. Not only was ‘Ye’ guilty of using one of the worst possible passwords on his phone ‘000000’, he also unlocked his phone in full view of an office full of reporters who were filming his meeting with President Trump. Ye’s poor password was broadcast to the nation (and around the world). This incident highlights the issue of ‘shoulder surfing.’ Looking over someone’s shoulder at their screen to see passwords being entered. Something that can easily happen in public places.
Another White House password failure concerned a staffer who committed the cardinal password sin of writing down a username and password to make it easier to remember. It is something that many employees do, but most do not write it on White House stationary and then leave the document at a bus stop.
Password security should be exemplary at the White House, but even more so at the Pentagon. Even staff at the Pentagon are guilty of poor password hygiene, as was discovered by Government Accountability Office (GAO) auditors. GAO auditors discovered default passwords were used for software associated with weapons systems. Default passwords are publicly available online which renders them totally useless. GAO auditors were also able to guess admin passwords with full privileges in only 9 seconds.
These are just three examples of terrible password practices. While they are shocking given the individuals concerned, they are sadly all too common.
Password Best Practices to Keep Accounts Secure
A password prevents other individuals from gaining access to an account and the sensitive information contained therein. Choose a strong password or passphrase and it will help to make sure that personal (or business) information remains confidential. Choose a weak password and an account can easily get hacked. Choose an exceptionally weak password and you may as well have no password at all.
To ensure passwords are effective, make sure you adopt the password best practices detailed below:
- Make sure you set a password – Never leave any account open
- Always change default passwords – They are just placeholders and are next to useless
- Never reuse old passwords
- Use a unique password for all accounts – Never use the same password for multiple accounts
- Do not use names, dictionary words, or strings of consecutive numbers or letters
- Ensure passwords are longer than 8 characters and contain at least one number, lowercase letter, uppercase letter, and a symbol – Long passphrases that are known only to you are ideal
- Use a random mix of characters for passwords and use a password manager so you don’t have to remember them. Just make sure you set a very strong password for your password manager master password.
- Set up multi-factor authentication on all of your accounts
- Never write down a password
- Never share passwords with others, no matter how much you trust them
Password Best Practices for Businesses
Verizon’s 2018 Data Breach Investigations Report revealed 81% of hacking-related data breaches were due to weak passwords or stolen credentials. It is therefore critical that businesses adopt password best practices and ensure users practice good password hygiene. Businesses need to:
- Train end users on good password hygiene and password best practices
- Enforce the use of strong passwords: Blacklist dictionary words, previously exposed passwords, previously used passwords, and commonly used weak passwords
- Set the minimum password length to 8 characters (or more) and avoid setting a maximum length to encourage the use of passphrases.
- Follow the password advice published by the National Institute of Standards and Technology (NIST)
- Don’t enforce password changes too often. End users will just reuse old passwords or make very minor changes to past passwords.
- Implement multi-factor authentication
- Encrypt all stored passwords
- Consider the use of other authentication methods – Fingerprint scanners, facial recognition software, voice prints, or iris scans
Educational institutions are being targeted by cybercriminals for all manner of nefarious purposes: To obtain the personal information of staff and students for identity theft and tax fraud, to steal university funds, and to steal university research.
University research theft is an easy income stream for hackers. Research papers can command high prices on the black market and are highly sought after by nation state governments and businesses.
This fall, the UK’s Daily Telegraph revealed Iranian hackers were selling research papers that had been stolen from top British Universities including Oxford and Cambridge. Several Farsi websites were identified advertising free access to university research papers, including an offer of university research theft to order. Provide the details and, for a price, the research be found and sent through an encrypted channel.
There were papers for sale on highly sensitive subjects such as nuclear research and cybersecurity defenses. Even less sensitive subjects are valuable to foreign businesses. The research could help them gain a competitive advantage at the expense of universities. In the case of Iran, universities are being used to gain access to Western research that would otherwise be off limits due to current sanctions.
It is not just British universities that are being targeted. The hackers are infiltrating university research databases the world over, and it is not just Iranian hackers that have tapped into this income stream. University research theft is a growing problem.
How Are University Databases Breached?
One of the main ways access to research databases is gained is through phishing – A simple method of attack that requires no programming know-how and no malicious software. All that is required is a little time and the ability to create a website.
Phishing emails are sent to staff and students that request a visit a webpage where they are required to enter their credentials to academic databases. If the credentials are disclosed, the phishers have the same access rights as the user. The phishers then download papers or advertise and wait for requests to roll in. They then just search the database, download the papers, and provide them to their customers.
Various social engineering techniques are used to entice users to click the links. Requests are sent instructing the user that they need to reset their password, for instance. The web pages they are directed to are exact copies of the sites used by the universities. Apart from the URL, the websites appear perfectly genuine.
Unfortunately, once credentials have been obtained it can be difficult for universities to discover there has been a breach since genuine login credentials are used to access the research databases.
How to Prevent University Research Theft
No single cybersecurity solution will protect universities from all phishing attacks. The key to mounting an effective defense against phishing is layered phishing defenses.
- The primary cybersecurity solution to implement is an advanced spam filter to ensure as many phishing emails as possible are blocked and messages containing malicious attachments do not reach inboxes. SpamTitan for instance, blocks more than 99.9% of spam and phishing messages and 100% of known malware. Even advanced spam filtering solutions will not block all phishing emails, so additional controls are required to deal with the <0.1% of phishing emails that are delivered.
- While a web filter can be used to block access to categories of web content such as pornography, it will also block access to known malicious websites: Websites used for phishing and those that host malware.
- End user security awareness training is also essential. End users are the last line of defense and will remain a weak link unless training is provided to teach them how to identify malicious emails. Staff and students should be conditioned to report threats to their security teams to ensure action can be taken and to alert first responders when the university is under attack.
- Multi-factor authentication should also be implemented. If credentials are stolen and used to access a database, email account, computer, or server, from an unfamiliar device or location, a further form of authentication is required before access is granted.
- Universities should have security monitoring capabilities. Logs of access attempts and should generated and network and user activity should be monitored for potential compromises.
For further information on anti-phishing defenses and cybersecurity solutions that can help prevent university research theft, contact the TitanHQ team today.
There has been much debate over the use of web filters for libraries. On one side are those that believe that as places of learning, there should be no restrictions placed on the types of information that can be accessed through libraries. Libraries house books that are sexually explicit, racist, or contain material some may find distasteful or offensive, but banning those books would be inappropriate.
That same thinking has been applied to the Internet, access to which is often provided in libraries. The application of a web filter to block certain types of content is viewed as unacceptable by some people, even if as a result of a lack of technical controls library computers are used to access hardcore pornography. The American Library Association does not advocate the use of web filters for libraries, instead suggesting acceptable usage policies and educational programs are more appropriate.
The other camp considers the use of web filters in libraries to be a necessity to ensure libraries can be used by children and adults without others subjecting them to obscene and potentially harmful web content. Acceptable usage policies only discourage users from accessing pornography. Policies do not prevent such activities.
New Hampshire Library Considers Using Web Filtering Technology to Block Porn
The use of public library computers for viewing offensive sexual content is common. There have been many cases of library patrons discovering other users accessing adult content on computers in full sight of other users, as was recently the case at the Lebanon Public Library in New Hampshire.
A complaint was made to Lebanon Public Library about two children (of middle school age) who are alleged to have used the library computers to access pornography. Jim Vanier, youth center coordinator for the Carter Community Building Association, overheard the children discussing pornography at the computers, although they denied accessing adult content.
Vanier’s complaint prompted the Library Board of Trustees to form a task force to investigate current internet usage policies and the task force will consider whether a web filter is appropriate for the library.
While web filters for libraries are available to prevent obscene videos and images from being accessed, relatively few libraries have started implementing even the most basic content controls. The Children’s Internet Protection Act requires the use of web filters in libraries and schools, but only as a condition to obtain e-rate discounts and federal grants. In order to qualify for funds, obscene images, child pornography, and other information deemed harmful to minors must be blocked.
The municipal libraries in Lebanon have taken steps to curb Internet misuse and have introduced policies that prohibit computers from being used for any disruptive or inappropriate behavior, including the viewing of images of a pornographic nature. However, policies alone are insufficient to prevent all cases of inappropriate Internet use.
The reason why many libraries choose not to apply filters is often because web filters for libraries are not perfect, and as a result, they could filter out unintended content.
Accuracy of Content Blocking by Web Filters for Libraries
While there have been issues with web filters for libraries overblocking content in the past, there have been major advances in web filtering technology over the past 10 years. Web filters can now more accurately assess and categorize content.
WebTitan Cloud, for instance, has highly granular controls and allows libraries to carefully control the content that can be accessed without overblocking.
While there is potential for user error when setting policies, WebTitan Cloud solves this issue by having an easy to use user interface that requires no technical skill to use. This helps to eliminate user error that often leads to overblocking of web content.
With WebTitan Cloud, libraries can easily filter out pornography, child pornography, and other obscene and harmful content to comply with CIPA and meet parents’ expectations without restricting access to valuable, educational websites.
WebTitan Cloud also blocks access to websites that host malware to prevent malicious software from being downloaded onto library computers, as well as blocking a wide range of Internet threats such as phishing.
WebTitan Cloud – An Accurate and Easy to Use Web Filter for Libraries
WebTitan Cloud is an ideal web filter for libraries. It is 100% cloud-based so not costly hardware purchases are required. It is easy to implement, simple to use, and allows Internet content to be carefully controlled without blocking access to valuable educational material.
Some of the key features in TitanHQ’s web filters for libraries have been detailed below:
WebTitan Cloud Features
- Highly granular controls to allow precise filtering of Internet content
- Unmatched combination of coverage, accuracy, and flexibility
- Real-time classification of more than 500 million websites and 6 billion web pages in 200 languages
- 100% coverage of the Alexa 1 million most visited websites
- Easy to use interface requiring no technical skill
- 100% cloud-based filtering – No hardware purchases or software downloads required
- Supports Safe Search and YouTube for Schools
- Supports whitelists and blacklists for creating exceptions to allow/block content outside general policy controls
- Category-based filtering allows blocking through 53 pre-defined website categories and 10 customizable categories
- HTTP/HTTPS filtering
- Customizable block pages
- Supports time-controlled cloud keys to allow certain users to bypass filtering controls – for research purposes for instance
- Provides full visibility into network usage
- Full reporting suite including real-time Internet activity
For further information on TitanHQ’s web filter for libraries, to arrange a product demonstration, and to register for a free trial to evaluate WebTitan Cloud in your own environment, contact the TitanHQ team today.
Are you looking for a Cisco OpenDNS alternative that is both easier to use and much more cost effective? On Wednesday December 5, 2018, you can discover how you can save money on web filtering without cutting any corners on protection.
A web filter is now an essential cybersecurity solution to protect against web-based threats such as phishing, viruses, malware, ransomware, and botnets. A web filter also allows businesses to carefully control the online activities of employees by restricting access to NSFW web content such as pornography and curb productivity-draining Internet use.
In addition to offering threat protection and content control on wired networks, a DNS-based web filter offers protection for BYOD and company owned devices regardless where they connect to the Internet. Multiple locations can be protected through a central web-based console.
A DNS-based web filter is cost effective to implement as no hardware purchases are required and no software needs to be installed. A DNS-based filter is also easy to maintenance and requires no software updates or patches.
With DNS-based filters, content control and online threat protection is simple; but what about cost? Many businesses have looked at Cisco OpenDNS to meet their web filtering requirements but are put off due to the high cost. Fortunately, there is a more cost-effective way of filtering the Internet.
TitanHQ and Celestix are hosting a webinar on a WebTitan-powered Cisco OpenDNS alternative, Celestix WebFilter Cloud.
Celestix will be joined by by TitanHQ EVP of Strategic Alliances, Rocco Donnino, and Senior Sales Engineer, Derek Higgins, who will explain how Celestix WebFilter Cloud works, why it is an ideal Cisco OpenDNS alternative, and how you can have total protection against web-based threats at a fraction of the cost of running OpenDNS.
The webinar will be taking place on Wednesday December 5, 2018 at 10:00 AM US Pacific Time
Advance registration is required. You can register for the webinar on this link.
A massive Marriott data breach has been detected which could affect as many as 500 million individuals who previously made bookings at Starwood Hotels and Resorts. While the data breach is not the largest ever reported – The 2013 Yahoo breach exposed around 3 billion records – it shares second place with the 2014 Yahoo data breach that also impacted around half a billion individuals.
Largest Ever Hotel Data Breach
The Marriott data breach may not have affected as many people as the 2013 Yahoo data breach but due to the types of information stolen it is arguably more serious. Approximately 173 million individuals have had their name, mailing address, email address stolen and around 327 million individuals have had a combination of their name, address, phone number, email address, date of birth, gender, passport number, booking data, arrival and departure dates, and Starwood Guest Program (SPG) account numbers stolen. Further, Marriott also believes credit card details may have been stolen. While the credit card numbers were encrypted, Marriott cannot say for certain whether the two pieces of information required to decrypt the credit card numbers was also obtained by the hacker.
In addition to past guests at Starwood Hotels and Resorts and Starwood-branded timeshare properties, guests at Sheraton Hotels & Resorts, Westin Hotels & Resorts, W Hotels, St. Regis, Aloft Hotels, Element Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, and Four Points by Sheraton have been affected, along with guests at Design Hotels that participate in SPG program.
The data breach was detected by Marriott on September 8, 2018, following an attempt by an unauthorized individual to access the Starwood database. The investigation revealed the hacker behind the attack first gained access to the Starwood database in 2014. It is currently unclear how access to the database was gained.
The Marriott hotels data breach is naturally serious and will prove costly for the hotel group. Marriott has already committed to offering U.S. based victims free enrollment in WebWatcher, has paid for third party experts to investigate and help mitigate the data breach, and the hotel group will be bolstering its security and phasing out Starwood systems.
Even though the Marriott hotels data breach has only just been announced, two class action lawsuits have already been filed. One of the lawsuits seeks damages totaling $12.5 billion – $25 per breach victim.
There is also a possibility of a E.U. General Data Protection Regulation (GDPR) fine. Fines of up to €20 million are possible, or 4% of global annual turnover, whichever is greater. That could place Marriott at risk of a $916 million (€807 million) fine. The UK’s Information Commissioner’s Office – the GDPR supervisory authority in the UK – has been notified of the breach and is making enquiries.
Harder to calculate is the damage to the Marriott brand. Share prices dropped by 8.7% following the Marriott data breach announcement, and they are currently around $5 down. While share prices will likely recovery over time, the breach will almost certainly result in loss of business.
Risk of Marriott Data Breach Related Phishing Attacks
Email notifications sent to breach victims by Marriott came from the domain: email-marriott.com. Rendition Infosec/FireEye researchers purchased the domains email-marriot.com and email.mariott.com shortly after the announcement to keep them out of the hands of scammers. Other similar domains may be purchased by less scrupulous individuals to be used for phishing.
A breach on this scale is also ideal for speculative phishing attempts that spoof the email domain used by Marriott. Mass email campaigns are likely to be sent randomly in the hope that they will reach breach victims or individuals that have previously stayed at a Marriott hotel or one of its associated brands.
Consequently, any email received that is related to the breach should be viewed as potentially malicious.