California lawmakers have taken the lead in trying to address privacy and security issues with Internet of Things (IoT) devices (a topic we have been writing about for years) by passing the country’s first IoT security bill, which is now headed to Governor Brown’s desk for signature by September 30.

One of the issues addressed by the bill is that IoT devices, such as routers, home security systems, televisions, refrigerators and other home appliances, arrive in your home with a default password. Many people never take the time to change it, so the device keeps running on the password the manufacturer shipped. The California bill would require IoT manufacturers to equip their devices with stronger password protections so they are not as easily hacked.

A botnet called Owari is designed specifically to crack the default or weak passwords on IoT devices, and it does so easily. A default password is meant to be used only until the device is set up; manufacturers assume that consumers will replace it with a unique password of their own. By leaving the manufacturer’s default in place, consumers expose their IoT devices to intrusion and the data on those devices to theft or misuse.

When you buy an IoT device, follow the manufacturer’s instructions for setting your own password on it, and, as with anything connected to the Internet, make the password strong enough to deter intrusion and theft of data.

Ancestry.com has confirmed that RootsWeb, its free genealogy search website, recently had a security vulnerability on one of its servers that exposed a file containing the usernames, email addresses and passwords of 300,000 users. The compromise occurred in 2015.

According to Ancestry.com, most of the compromised accounts were free-trial or currently unused accounts, and the exposed file contained no financial or Social Security information. The company is notifying the users whose information was compromised.

Nonetheless, RootsWeb and Ancestry.com users may wish to change their passwords, and, because the exposed file contained the passwords themselves, they should also change any other account where the same password was reused.

We all know by now that we are not supposed to give our passwords to anyone else or use someone else’s passwords to access an electronic system.

Despite this basic data security tenet, a new study published in Healthcare Informatics Research reports that 73% of medical professionals admit to having used another person’s password to access an electronic medical record (EMR).

The survey asked 299 medical professionals in hospital settings whether they had ever used someone else’s password to access an EMR. Of those questioned, 100% of the medical residents said they had, as did 57.7% of the nurses.

The study found that the residents had violated basic security hygiene because they had not been given a user account of their own, or because their account lacked the access rights needed to do their jobs.

The authors of the study recommended:

  • work on making the process for obtaining appropriate access credentials for one’s job duties less burdensome
  • extend EMR access to paramedical staff, junior staff, interns and students in understaffed hospitals during on-call hours, and delegate administrative tasks
  • allow junior staff one-time maximum privileges in lifesaving situations so that using someone else’s password is never necessary

These recommendations will have to be individually evaluated by hospitals in the context of their HIPAA compliance programs.

The National Institute of Standards and Technology (NIST) has long been a leading authority on cybersecurity, since before cybersecurity became a household word.

Its Cybersecurity Framework, originally published as guidance rather than a standard, shows organizations in every industry how to begin tackling data security.

As cyber threats expand and become more sophisticated, NIST continues to issue guidance that is useful to both the public and private sectors.

NIST has now published a draft of its most recent cybersecurity guidance, which contains important information for companies to consider, and is seeking comments on the draft until September 12.

Separately, NIST issued guidance that supports the shift from complex passwords to long, easy-to-remember passphrases. That guidance can be accessed here; see also Privacy Tip #102, which discusses how to educate your employees on using long passwords they can remember.

I feel like I have been writing about passwords over and over, and that’s because I have. Despite hearing about how important passwords are over and over again, compromised passwords continue to be an issue for organizations.

Since the National Institute of Standards and Technology (NIST) recently published new guidance recommending the use of long, easy-to-remember passphrases, I thought it was an opportune time to share some of the tips I give client employees when I educate them on recommended password practices.

It is important that when an employee sits down at his or her company workstation or laptop, s/he can remember his or her password without having to refer to any written piece of paper (like a sticky note taped to the front of the workstation or inside the laptop) or check the notes on their phone. (I refer to these two examples because this is what many employees do every day so they can remember their password.) You have to get it into their brain that they have to memorize their password. It must be in their brain. I liken it to Tom Cruise in Mission Impossible getting his instructions and then they self-destruct. Employees in general like Mission Impossible movies and laugh, but get the point. They need to come up with a password that they can memorize, and then it self-destructs and is not retrievable.

I am a believer in the use of long, easy-to-remember passphrases, which is consistent with NIST’s guidance. One example I use is Myfavoritecolorispurple$ or Myfavoritecolorisblue! This of course is not my password, but it is a clear example of a complex passphrase that is easy to remember. It has a capital letter, lower-case letters and a symbol. My IT colleagues approve and say it is complex enough for most password requirements.

When you give your employees ideas for long, easy-to-remember passphrases like the ones above, tell them not to actually use the examples! They need to come up with a unique phrase that they will remember when they log on to their computer. Give them subject-matter ideas like hobbies (IwishIwasasingledigithandicap/), travel (IloveNewOrleans$), animals or pets (Icaught5bass!) or seasons (Fall!smyfavoriteseason).

You get the drift.

The other nice thing about passphrases is that NIST’s current guidance no longer calls for changing passwords on a fixed schedule, so employees don’t get frustrated with having to change their passwords every 60 days.
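To make the NIST points above concrete, here is an added illustration in Python of a verifier-side check in the style of NIST SP 800-63B. It is not code from this post or from NIST. It enforces a minimum length, leaves room for long passphrases, applies no character-composition rule, and rejects anything on a list of commonly used or breached passwords; the minimum and maximum lengths and the blocklist are constructed assumptions, and the blocklist deliberately includes the sample passphrases printed above, since a passphrase that has appeared in print is no longer a secret.

```python
"""Verifier-side check for memorized secrets in the style of NIST SP 800-63B.

Added illustration, not code from the original post or from NIST. It applies
the points the post relies on: a minimum length, room for long passphrases,
no character-composition rules, and rejection of secrets that appear on a
list of commonly used or breached passwords. MIN_LENGTH, MAX_LENGTH and the
blocklist are constructed assumptions for this example.
"""
import unicodedata

MIN_LENGTH = 8    # NIST floor for memorized secrets (assumed policy value)
MAX_LENGTH = 64   # verifiers should accept at least this many characters

# Constructed blocklist. It includes the sample passphrases published in the
# post above, because anything that has appeared in print is no longer secret.
BLOCKLIST = {
    "password", "p@ssw0rd1", "123456", "qwerty", "welcome1", "letmein",
    "myfavoritecolorispurple$", "myfavoritecolorisblue!",
    "iwishiwasasingledigithandicap/", "iloveneworleans$",
    "icaught5bass!", "fall!smyfavoriteseason",
}


def check_secret(secret, username=""):
    """Return (accepted, reason). No composition rule is applied."""
    s = unicodedata.normalize("NFKC", secret)   # compare equivalent Unicode forms alike
    if len(s) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(s) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    low = s.lower()
    if low in BLOCKLIST:
        return False, "appears on the common/breached password list"
    if username and username.lower() in low:
        return False, "contains the account name"
    if len(set(low)) <= 2:
        return False, "repetitive characters"
    return True, "accepted"


def legacy_complexity_ok(secret):
    """The old-style rule the post contrasts with: 8+ characters drawn from
    at least three of four character classes. Shown only for comparison."""
    classes = (
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    )
    return len(secret) >= 8 and sum(classes) >= 3


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "thelakehousehasagreendoor",
                      "Myfavoritecolorispurple$", "aaaaaaaa"):
        print(candidate, "legacy:", legacy_complexity_ok(candidate),
              "nist-style:", check_secret(candidate))
```

The contrast is the point: P@ssw0rd1 satisfies the old three-of-four-classes rule yet is rejected because it is on the blocklist, while a 25-character all-lower-case passphrase fails the old rule and is accepted here. In production the blocklist would be a real breach corpus rather than a dozen literals.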

So check out the new password guidance from NIST here and try to make the password education fun and engaging.

An unknown intruder gained access to the team communication platform HipChat last weekend, exposing user account information, including email addresses, hashed passwords and names. Room metadata, which includes room names and room topics, may also have been compromised. The attacker reached a server in the HipChat Cloud web tier.

HipChat has advised that it reset the passwords of all affected accounts following the intrusion and has sent users instructions on how to set a new password. When a company that has suffered an attack sends you such instructions and you are affected, it is important to follow them.

Last week, Brian Krebs reported on malware dubbed “Mirai” that scans the Internet for home and office devices protected only by factory-default or weak passwords; it has found hundreds of thousands of them and enrolls them in a botnet used to launch distributed denial of service (DDoS) attacks. The hackers then released the malware’s source code publicly, so anyone can use it to take over devices that lack proper security. An attacker who controls such a device can turn it off, disrupt the way it works, or use that control to extort money from the homeowner.
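Both the Owari paragraph earlier on this page and the Mirai report above describe the same mechanism: a scanner works through a short list of factory credentials against every device it can reach. Here is an added detection example in Python, not code from this post or from Krebs’ reporting, that flags that pattern in login records. The log format, the sample records and the default-credential list are all constructed for the example; the list is representative of factory pairs, not Mirai’s actual credential table.

```python
"""Flag default-credential scanning of the kind Mirai-style botnets perform.

Added example, not code from the original post or from Krebs' reporting. It
serves both the Owari paragraph earlier on the page and the Mirai paragraph
above. Input is a few constructed login records in a made-up format, and
DEFAULT_CREDS is a representative constructed list, not Mirai's credential
table.
"""
import re
from collections import defaultdict

# Constructed factory (username, password) pairs of the kind shipped on
# routers, cameras and DVRs.
DEFAULT_CREDS = {
    ("root", "root"), ("root", "admin"), ("root", "12345"),
    ("admin", "admin"), ("admin", "1234"), ("admin", "password"),
    ("user", "user"), ("support", "support"),
}

# Constructed record format: "<epoch> <src_ip> <user> <password> <ok|fail>"
LOG_RE = re.compile(r"^(\d+) (\d+\.\d+\.\d+\.\d+) (\S+) (\S+) (ok|fail)$")

# Constructed sample: one scanner cycling factory pairs until one works, one
# legitimate user, and one source with two stray attempts an hour apart.
SAMPLE_LOG = """\
1474070400 203.0.113.5 root root fail
1474070401 203.0.113.5 root admin fail
1474070402 203.0.113.5 admin admin fail
1474070403 203.0.113.5 admin 1234 ok
1474070400 198.51.100.9 alice correct-horse fail
1474070405 198.51.100.9 alice S3cret-pass ok
1474070410 192.0.2.77 admin admin fail
this line is malformed and is skipped
1474074100 192.0.2.77 root root fail
"""

WINDOW_SECONDS = 60   # assumed detection window
THRESHOLD = 3         # distinct factory pairs from one source inside the window


def parse(log_text):
    """Return (timestamp, src, user, password, succeeded) for well-formed lines;
    malformed lines are skipped rather than aborting the run."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, user, pw, result = m.groups()
            events.append((int(ts), src, user, pw, result == "ok"))
    return events


def find_default_cred_scanners(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src_ip: {"pairs": n, "succeeded": bool}} for every source that
    tried at least `threshold` distinct factory pairs within `window` seconds.
    `succeeded` is True if any factory pair from that source was accepted,
    i.e. the device is already under the attacker's control."""
    by_src = defaultdict(list)
    for ts, src, user, pw, ok in parse(log_text):
        if (user, pw) in DEFAULT_CREDS:
            by_src[src].append((ts, (user, pw), ok))

    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for t0, _, _ in attempts:
            in_window = [a for a in attempts if t0 <= a[0] < t0 + window]
            pairs = {a[1] for a in in_window}
            if len(pairs) >= threshold:
                findings[src] = {
                    "pairs": len(pairs),
                    "succeeded": any(ok for _, _, ok in attempts),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in find_default_cred_scanners(SAMPLE_LOG).items():
        print(src, info)
```

Only the source that cycled four factory pairs in four seconds is reported, and because its last attempt succeeded the finding says so; the legitimate user and the two isolated attempts an hour apart are left alone. The window and threshold are assumptions to tune against your own traffic.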

It is reported that there are more than 23 billion Internet-connected devices in use today, making up the Internet of Things (“IoT”), and that number is growing rapidly. The IoT includes anything connected to the internet, but for my purpose today it means your home security system, your oven, TV, baby monitor, routers, DVD players, window lock systems, refrigerators, pet collars and toys.

It is easy for hackers to gain access to your baby monitor because, when the baby monitor was developed, data security was not a priority. No one was thinking that hackers could or would want to hack into a baby monitor.

The bigger problem arises when a home is thoroughly connected to the internet, including all of its appliances. According to Alfred Chung of Guidance Software, “Anyone with access to a fully connected home can build a detailed profile about the occupants…They can gather data about the time of day when the home is occupied, the number of people inside the home at various times, personal details like age, appearance and gender of those living in the home…With connected appliances, they can even tell what food occupants store in their fridge…”

Although hackers would be very disappointed at the food I store in my fridge, it is still very creepy and scary to think that all of this information can be obtained because my home is a connected home. Of course, you all know that I would never connect my fridge, my security system or my TV to the internet, so this should not affect me. However, I know many of you do love to connect your appliances to your phone, so before you connect that appliance, think twice—do you really need to connect that device to the internet?

Finally, because of the massive attacks reported by Krebs, it is being widely suggested that if your home and its appliances are connected IoT devices, you change their default passwords immediately.

I have been doing a lot of live employee training lately. I really enjoy it, and have been told that it is some of the most entertaining training around. The reason why I can get the audience to laugh is because I tell real stories of some ridiculous things people have done that have gotten themselves (or mostly their employers) in deep trouble.

I often advocate that everyone should be using passphrases instead of passwords, including in a past Privacy Tip. Passphrases are long enough that they will pass muster with any IT security guy’s complex-password requirement. They are easier to remember, and most importantly, since people usually can remember them, THEY DON’T WRITE THEM DOWN. Most people really warm to the idea, like it and try to come up with a good passphrase.

And then I read a recent article that made me shake my head in disappointment.

By now, everyone knows not to write down their passwords, not to put them in their top drawer, and not to paste them on a post-it note on the monitor of their workstation. People actually chuckle at this, as if anyone would ever do that…

And yet, people, yes, employees, still write down their passwords.

I also harp on why it is so important to encrypt laptops. If the laptop is encrypted and it is lost or stolen, there may be a safe harbor from breach notification. So encryption is important for mobile devices, including laptops.

In this particular case, an employee of U.S. HealthWorks had an encrypted laptop (so the employer was doing the right thing when it came to data security for laptops), but the employee wrote down his password and then kept the paper it was written on WITH THE LAPTOP! So when the laptop was stolen on July 18, 2016, the thief not only got the laptop but hit the jackpot, because s/he got the password along with it, the key to the encrypted data, which made the encryption useless.

Unfortunately for the employer, it had to notify the 1,400 patients whose information was on the laptop, because although the data was encrypted, the thief had the password needed to access it.

So my tip for this week is DON’T WRITE DOWN PASSWORDS! Do it for yourself AND for your employer.

Lightspeed, a retail point-of-sale company that provides cloud-based services to 38,000 clients, has reported that its central database, which stores client information on sales, products, encrypted passwords and, in some instances, electronic signatures, has been compromised.

The system that was compromised was the one that retailers can access through tablets, smartphones, and other mobile devices.

Lightspeed is advising clients to change their passwords. The compromise of the electronic signatures is also concerning, so companies that receive the email notification asking them to change their passwords may wish to look further into whether their signatures were exposed as well.