The Guy Who Made Up All Those Password Rules Is Sorry
Security news took a turn for the existential this week, as President Donald Trump rattled apparently improvisatory sabers at North Korea, nudging the world one step closer to nuclear confrontation. The loose threats came on the heels of North Korea successfully miniaturizing a nuclear warhead, a development experts have dreaded for years. Lots of other stuff happened too, but, you know.
In non-nuke news, a bit of cyberpunk fantasia became real this week, as scientists demonstrated that not only could they plant malware in DNA, they could use it to hack the gene sequencer that read it. It’s not exactly a practical mode of attack at the moment, but still an impressive—and bonkers—proof of concept. A hack of more immediate concern: The Russia-affiliated hacker group ‘Fancy Bear’ has been observed using a leaked NSA exploit to spy on targets at hotels. It’s a good reminder to patch all your gear—especially if you are a mid-tier hotel chain—and to never trust the Wi-Fi networks you encounter on your business trips.
HBO also likely wished they’d protected themselves better, as hackers continued to release stolen data from the company, and dropped a new ransom note. It’s not too late to protect future elections, according to two guys who recently hacked voting machines to bits. And the Army has taken steps to protect itself from vulnerable consumer drones, by suspending its use of DJI products.
We also took a look at the potential chilling effect of the FBI’s case against Marcus Hutchins, a white hat hacker accused of helping create widely used malware.
Of course, there’s more, which is why we’ve rounded up all the news we didn’t break or cover in depth this week. As usual, click on the headlines to read the full stories.
You know all the old password rules, right? Use a mix of alphanumerics and characters. Change them often. While they sound like they should work, more recent research has shown that they’re better at making headaches than secure accounts. Just ask the guy who wrote them back in 2003, as the Wall Street Journal did this week. Then-NIST manager Bill Burr wrote an eight-page set of instructions that, while intended to be helpful, actually make things worse. Burr knows it now, and he’s sorry. Rather than dwell on the past, though, maybe just look at the latest and greatest in password security advice? No weird symbols required! Unless you’re into them, no judgment here.
The Shadow Brokers haven’t leaked any new NSA exploits for a bit—although the effects of EternalBlue and other tools are still being felt—but they’ve apparently profited from them. One researcher pegs their gains from exploit subscriptions at around $88,000 in the cryptocurrency Monero. He also found email addresses for five subscribers. Which, folks, if you’re going to buy access to intelligence community hacking tools (and don’t do that, but, you know), at least make yourself a little harder to contact?
With tensions on the Korean Peninsula at dangerously high levels, recently observed cyberattacks in South Korea raised alarms of further escalation. But wait! Security firm Trend Micro revealed this week that the so-called OnionDog attack was not, in fact, the product of malicious action by a North Korea-affiliated hacking group. Instead, it appears to be a “cyberdrill,” a preparedness exercise in South Korea that happens to use live malware samples. That’s a small relief in light of the larger problems threatening the region (and the world), but take what you can get.
The internet of things! At this point one almost expects it to be riddled with vulnerabilities. But a Siemens patch this week serves as a fun reminder that those “things” can include tech with access to sensitive medical information. In this case, it’s a PET scanner that, according to Homeland Security, “an attacker with low skill” could hack. And while Siemens has promised a software update by the end of the month, the real challenge comes in getting all of those hospitals and health care services to deploy it. This has been your regular reminder to keep things off the internet unless absolutely necessary, and even then maybe think twice.