
Microsoft Confirms Change To Windows 10 Passwords That Nobody Saw Coming


Ask a bunch of security professionals what makes a secure password and you’ll get a bunch of different answers. Some will argue that it’s all about length, others that randomness and complexity are king while everyone will agree that password reuse is never acceptable.

Some will still argue that giving passwords an expiry date, after which they must be changed, is an essential part of the business security policy picture. It would appear that, with the arrival of the Windows 10 May update, Microsoft is finally no longer going to be amongst that latter group. According to Aaron Margosis, a principal consultant with Microsoft, the Windows 10 security baseline will no longer recommend “ancient and obsolete” periodic password expiration starting with the May update.

While being most welcome, it has to be said nobody I have spoken to in the information security business saw that coming. Not least as the arguments for password expiration have been comprehensively dismantled for some years now yet Microsoft has not shown any inclination to jump from this particular sinking security ship.

The security baseline configuration has been a staple for organizations wanting secure operating system settings out of the box for many years. It is a set of Group Policy settings that make good sense as a starting point for a secure posture for many organizations and as the default for some. Problems arise when an organization undergoes an audit that uses the Microsoft security baseline as its yardstick and is penalized for non-compliance because its maximum password age is anything other than the baseline’s current 60-day value.

Yet, as Margosis writes “recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists and multi-factor authentication.”

The United States National Institute of Standards and Technology (NIST) has recommended dropping mandatory periodic password expiration since the 2016 draft of its Digital Identity Guidelines (SP 800-63B). Now it seems that Microsoft has finally caught up and will drop the requirement from its baselines starting with Windows 10 version 1903 and Windows Server version 1903. This makes perfect sense to me as someone who has been following information security trends for the best part of three decades.

Things have changed over those years, not least the technology that now enables threat actors to crack simplistic passwords in the blink of an eye. Forcing users to change passwords over relatively short timeframes inevitably leads to those users choosing the simplest, and therefore most memorable, passwords possible. Stand up everyone who has never seen incremental numbering of short passwords in a corporate environment. I’m guessing everyone is still sitting down.

The days of simplistic passwords changed often are long gone, replaced by longer and more complex ones which don’t expire but rather are reinforced with those banned password lists and multifactor authentication for example. “While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines,” Margosis says “which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.” What Microsoft isn’t doing is changing baseline requirements for minimum password length, history, or complexity.
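As an added illustration, and not Microsoft’s code or the Azure AD banned-password service, here is a banned-password filter in Python that applies the alternatives Margosis names: a minimum length, a normalize-then-match banned list that sees through Summer2019! and P@ssw0rd, and a comparison against the previous password that rejects the digit-bump ritual expiry policies encourage. The banned list, the 14-character minimum and the sample passwords are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Constructed banned list for this example. A real deployment seeds it from
# breach corpora, the company's own name and products, and local jargon.
BANNED_STEMS = {"password", "welcome", "summer", "winter", "spring", "autumn",
                "qwerty", "letmein", "changeme", "contoso"}

MIN_LENGTH = 14  # assumption for this example; set it from your own policy

# Substitutions users apply to push a banned word past complexity rules:
# P@ssw0rd, W3lc0me, $ummer. Folding them back exposes the underlying word.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def fold(pw: str) -> str:
    """Reduce a password to the word the user was really thinking of.

    Trailing digits and symbols are stripped first (Welcome1! -> Welcome) so a
    trailing '1' is not misread as a leet 'i'; then substitutions are undone
    and anything that is not a letter is dropped.
    """
    core = re.sub(r"[^A-Za-z]+$", "", pw)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))


def skeleton(pw: str) -> str:
    """Letters only, lowercased: what survives the classic expiry ritual of
    bumping a digit (Falcon7-Tango -> Falcon8-Tango)."""
    return re.sub(r"[^a-z]", "", pw.lower())


def banned_term(pw: str) -> Optional[str]:
    """Return the banned stem contained in the folded password, if any.
    Longer stems are tried first so 'password' wins over a shorter match."""
    folded = fold(pw)
    for stem in sorted(BANNED_STEMS, key=len, reverse=True):
        if stem in folded:
            return stem
    return None


def check_password(candidate: str, previous: Tuple[str, ...] = ()) -> Tuple[bool, str]:
    """Accept or reject a candidate; the reason string is what the user sees."""
    if len(candidate) < MIN_LENGTH:
        return False, f"too short: {len(candidate)} < {MIN_LENGTH}"
    stem = banned_term(candidate)
    if stem is not None:
        return False, f"banned term: {stem}"
    if any(skeleton(candidate) == skeleton(old) for old in previous):
        return False, "trivial variation of a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the kind of thing a 60-day rotation policy produces.
    history = ("Falcon7-Tango-Delta",)
    for pw in ("Welcome2019!!!", "P@ssw0rd-Spring1", "Falcon8-Tango-Delta",
               "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, history)}")
```

The substring match is deliberately loose (a stem like “admin” would also hit “badminton”), which is the trade-off a banned list makes: a few false rejections in exchange for catching every disguised variant of the words attackers try first.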

It also isn’t stopping organizations from configuring password expiration if they must, for regulatory compliance reasons for example. “The password-expiration security option is still in Windows and will remain there,” Margosis says, adding “by removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance.”


I have been covering the information security beat for three decades and Contributing Editor at PC Pro Magazine since the first issue way back in 1994.

Source: Microsoft Confirms Change To Windows 10 Passwords That Nobody Saw Coming


Asus Just Gave You 1 Million Reasons To Switch From Windows To Linux

Cyber-security and antivirus company Kaspersky dropped a bomb on Asus laptop users this week, revealing that malware was distributed through the Asus Live Update utility. It masqueraded as a legitimate update, was signed with Asus’s own code-signing certificate and was served from Asus’s update servers, so both the updater and Windows treated it as valid. Kaspersky has deemed this attack “one of the biggest supply-chain incidents ever.” Such attacks spiked 78% between 2017 and 2018. This shouldn’t raise alarms for just Asus users. It should prompt you to seriously consider whether you want Windows on your PC. Because the possibility of this ever happening on a desktop Linux OS like Ubuntu is minuscule.

My own Asus Republic of Gamers laptop — now running Linux

Jason Evangelho

How Serious Is ShadowHammer?

In the long tradition of scary codenames for such attacks, Kaspersky has labeled the attack “ShadowHammer.” The company says that according to its statistics, more than 57,000 users of Kaspersky Lab products (such as Kaspersky Anti-Virus) have already installed it. However, they estimate that its true reach extends to 1 million Asus computers.

To my knowledge this is only eclipsed by the infamous CCleaner attack, which was distributed to 2.7 million Windows PCs.

The motivations for the malware attack are unclear, but it apparently targeted only about 600 specific MAC addresses: the backdoor compared the machine’s network adapters against an embedded target list and stayed quiet everywhere else. On a matching machine it fetched and installed further software to compromise the system more deeply. There doesn’t seem to be any reason the attackers couldn’t have activated this on every single affected computer.

For an informative and detailed discussion on this attack, listen to TechSnap Episode 400.

What’s even more frightening is that Kaspersky discovered the same type of technique used against the Asus Live Update software was also leveraged against three other vendors. The company promised to reveal more substantial information at an upcoming Security Analyst Summit in Singapore.

The Verge reports that, when contacted by Kaspersky, Asus initially denied that the attack originated from its servers. In a follow-up press release, however, Asus did acknowledge that this was a “sophisticated attack” on its Live Update servers.

No apology was issued. This is not how you build trust. (Especially since this is far from being the first security blunder Asus has made.)

Asus has since patched the Live Update software and issued a tool for users to determine if they owned one of the specific computers targeted. Given the circumstances, I’m not even going to link to it, but it’s available via this press release page.

An FAQ posted alongside the press release has a stinging piece of advice for users who were affected by the malware attack: “Immediately run a backup of your files and restore your operating system to factory settings,” it states. “This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.”

What really rattles my cage about this situation is the fact that Kaspersky uses the word “teaser” in the URL associated with its ShadowHammer post, as if this is some kind of movie trailer. Then the company warns that three other Asia-based software vendors were attacked using the same method without revealing who they are.

But all of this information is just background for the real point I’m trying to make.

Why Ubuntu (And Linux In General) Is Safer


Dell put forth considerable effort into making the popular XPS 13 the perfect Ubuntu laptop

Jason Evangelho

Consider how many companies have independent control over the software and hardware inside your Windows PC: Intel, AMD, Dell, Nvidia and Realtek, among several others. The vast majority of the code they run on your computer is not open source, so it is not open to inspection by the hundreds of millions of people using it and cannot be independently verified. It also arrives from multiple sources through multiple update utilities, each of them a separately trusted channel into the machine.

On Ubuntu and other Linux distributions, my firmware updates, software updates and security updates come from a single source: the operating system’s built-in software center.

This next part is important: only a select few individuals at Asus are responsible for ensuring the software and firmware being sent through the Asus Live Update utility is safe. And it’s almost certain no one at Microsoft saw the code before it went out to those 1 million Asus laptop users.

Rather than base my entire argument about Linux being safer on personal experience or subjective opinions, I reached out to Alex Murray at Canonical. Murray is the Security Tech Lead for Ubuntu, a Linux distribution used by hundreds of millions. It powers everything from IoT devices to home desktops; supercomputers to the web servers delivering the majority of your experiences on the internet. Netflix is powered by Ubuntu, as is Amazon Web Services. Outside your home, Lyft and Uber are powered by Ubuntu.

My question for Murray was straightforward. Can something like ShadowHammer happen on Linux?

Murray admits that while this sort of attack is a possibility on Linux, it would be a lot harder to pull off.

Ubuntu is based on Debian, one of the largest and most mature Linux distributions available. “Many of our source packages originate from Debian where we add Ubuntu-specific patches on top,” Murray says.

As such, Murray explains that there are “many, many people who can detect any possible malicious changes to a software package.” That’s the beauty of open source. Changes are submitted publicly, and every line of code can be scrutinized.

Of course, there needs to be a more elaborate system of checks and balances that doesn’t rely solely on community.


Alex Murray, Ubuntu Tech Lead at Canonical Ltd.

Alex Murray

“Various teams of Canonical employees are responsible for maintaining the packages in the ‘main’ section of the Ubuntu software archive, and as such we provide further review and oversight of the source code in these packages,” Murray says. “Importantly, only trusted individuals are allowed to publish software package updates, which again raises the bar to prevent this kind of attack. Finally, we have a strong and dedicated community of developers and users who help to provide an even further level of ‘community’ oversight as well – which gives us a good defense in depth approach to detecting this kind of attack.”

In a nutshell, this means even if a trusted developer is compromised, there are various other individuals who will likely take notice.

But even that isn’t enough, so Canonical takes things a step further.

“From an end-user point of view, Ubuntu uses a signed archive approach where each package is cryptographically hashed and the list of hashes signed in such a manner that our package manager will not install packages which fail the signature and integrity checks,” Murray explains.

This means that even if an Ubuntu mirror (an external copy of the archive not directly managed by Canonical) were compromised and someone uploaded malicious copies of packages there, those packages would fail the signature and hash checks and would not be installed. The protection holds only as long as the archive signing key stays private and the client keeps enforcing the check; apt does so by default, and options such as --allow-unauthenticated or a [trusted=yes] entry in a sources list switch it off.

“We offer digital signatures to verify the integrity of the installation ISO images as well,” Murray says. “So together with the repository signatures, users can be confident that the software they are downloading and installing is what is published by Ubuntu, and with all the various reviews outlined above, we have many opportunities to detect any possible malicious changes to the software packages being published.”

Beyond these methods of ensuring security for its users, I’d recommend this article which explains in detail how Ubuntu delivers system updates and why it’s a more elegant and less frustrating experience than on Windows.

Securing Firmware Through The Blockchain

Firmware updates are an often overlooked, but easily manipulated, potential attack source. One of my favorite Linux distributions, Pop!_OS, applies an idea usually associated with blockchains, agreement among independent parties, to ensure that the firmware updates delivered to its users cannot be manipulated by compromising a single machine. And they take an unusual approach to their server setup.

“Firmware updates are delivered using a build server, which contains the new firmware, and a signing server, which verifies that the new firmware came from inside the company,” writes parent company System76. “The two servers are only connected via a serial cable. The lack of a network between the two means that one server cannot be accessed if entry is achieved through the other server.”

System76 sets up multiple build servers alongside that primary one. For a firmware update to be verified, it must be identical on all servers. “If even one build server contains a compromised firmware update, this update cannot proceed to signing and will not be delivered to our customers,” System76 says.

The resemblance to cryptocurrency is the consensus, not the mining: no single node is trusted, and disagreement halts the process. In software-supply-chain terms it is reproducible builds checked across several machines, followed by a signing step on a host that is reachable only over a serial cable. It is arguably a more useful application of the idea than mining coins.
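As an added example, and neither Canonical’s apt code nor System76’s build pipeline, the Python below models both mechanisms described above: the publisher gate in which several independent builders must produce byte-identical firmware before anything is signed, and the client check in which the package manager refuses a package whose hash is not in a signed manifest. A Lamport one-time signature built from SHA-256 stands in for the OpenPGP keys both projects actually use (it is a real signature scheme, but each key may sign only one message), a JSON document stands in for apt’s Release and Packages files, and the firmware bytes and mirror contents are constructed.

```python
import hashlib
import json
import secrets
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(message: bytes) -> List[int]:
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = sha256(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


# Lamport one-time signature, stdlib only. It stands in for the OpenPGP key
# behind Ubuntu's Release file and System76's signing server. A Lamport key
# must never sign two different messages, so generate one per release.
def keygen() -> Tuple[list, list]:
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def sign(sk: list, message: bytes) -> List[bytes]:
    # Reveal, for each digest bit, the preimage for that bit value.
    return [sk[i][b] for i, b in enumerate(_bits(message))]


def verify(pk: list, message: bytes, sig: List[bytes]) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][b] for i, b in enumerate(_bits(message)))


# Publisher side -------------------------------------------------------------
def build_manifest(packages: Dict[str, bytes]) -> bytes:
    """The equivalent of apt's Release/Packages files: one list of hashes
    that is signed as a whole, so individual packages need no signature."""
    listing = {name: sha256(blob).hex() for name, blob in sorted(packages.items())}
    return json.dumps(listing, sort_keys=True).encode()


def sign_if_reproducible(builds: List[bytes], sk: list,
                         name: str) -> Optional[Tuple[bytes, List[bytes]]]:
    """System76-style gate: every independent builder must have produced
    byte-identical output, otherwise the signing server refuses to sign."""
    digests = {sha256(b) for b in builds}
    if len(digests) != 1:
        return None  # a builder disagrees (or there are none): nothing is signed
    manifest = build_manifest({name: builds[0]})
    return manifest, sign(sk, manifest)


# Client side ----------------------------------------------------------------
def fetch_and_verify(mirror: Dict[str, bytes], manifest: bytes, sig: List[bytes],
                     pk: list, name: str) -> Optional[bytes]:
    """Return the package bytes only if the manifest signature holds and the
    mirror's copy hashes to the signed value; None on any mismatch."""
    if not verify(pk, manifest, sig):
        return None  # tampered or re-generated manifest: attacker lacks the key
    expected = json.loads(manifest).get(name)
    blob = mirror.get(name)
    if expected is None or blob is None or sha256(blob).hex() != expected:
        return None  # unknown package, or the mirror served a modified file
    return blob


if __name__ == "__main__":
    sk, pk = keygen()
    good = b"firmware 1.2.3 (constructed sample bytes)"
    manifest, sig = sign_if_reproducible([good, good, good], sk, "fw.bin")
    print(fetch_and_verify({"fw.bin": good}, manifest, sig, pk, "fw.bin") == good)  # True
    print(fetch_and_verify({"fw.bin": good + b"\x00"}, manifest, sig, pk, "fw.bin"))  # None
    print(sign_if_reproducible([good, good, good + b"\x00"], sk, "fw.bin"))  # None
```

Two failure modes are worth noticing in the client check. A mirror that swaps in a backdoored file fails on the hash, and an attacker who also rewrites the manifest to match fails on the signature, because the private key never left the signing host. That is exactly the property the Asus Live Update channel lacked: there, the code-signing key was available to whoever controlled the build and release path.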

Choose Linux

The bottom line is that Windows has too many potential attack points, most of which are not directly overseen by the very company that develops the operating system. The vast majority of the code cannot be audited by the community, and there are fewer checks and balances in place to prevent these attacks. After seeing how Ubuntu and various other Linux distributions ensure the security of their users, the Microsoft Windows approach starts to seem a lot less sane.

And if you’re wary of Linux because you think it’s archaic and not user-friendly, here are some articles that may change your mind, including one to help find the perfect OS to suit your needs:

Since joining Forbes in 2012, I’ve contributed to gaming and technology features on PCWorld and Computer Shopper. You can also find me on Jupiter Broadcasting where I h…

Source: Asus Just Gave You 1 Million Reasons To Switch From Windows To Linux

3 Ways to Instill Lifelong Digital Learning Skills in Students – Matthew Lynch


Millennials value tech training and development from their employer, above all else, because they know that it will help them compete in a global economy. Interestingly, appropriate tech training and professional development equates to higher job satisfaction. Additionally, improving your tech skills will not only ensure you are a more productive employee, but also a more fulfilled individual overall.

While milestones like high school and college graduations are worth celebrating, they are never an end date for learning new tech skills. Lifelong digital learning, the kind that goes beyond what is needed in the moment or to perform well at modern jobs, is essential.

Yet the U.S. tends to put a time stamp on learning, and it is often assumed that an individual’s learning and education halt at age 18 or 22, when they enter the workforce. According to the U.S. Bureau of Labor Statistics, on average by age 40 a person has held 10 different jobs.

That means those job-specific tech skills learned in college classrooms, while still valuable, aren’t as relevant when the next job or career comes along. With technology changing job fields so drastically, it is now even more imperative to continue learning new tech skills in order to be the most well-rounded, productive worker possible.

So what are some ways that the education and edtech community can foster this spirit of continued digital learning while children are still in classrooms?

Teach basic tech literacy.

All kids, regardless of what they hope to accomplish in their careers, need a basic technology skill set that simply did not exist a generation of K-12 students ago. This tech literacy must happen early, and be fostered in ways that are feasible from home too. A good example of a foundational tech initiative is Code.org’s Hour of Code program. It focuses on children and their involvement in computer science and coding and offers lessons for students as young as Kindergarten.

Likewise, President Obama’s K-12 Computer Science for All program is also concentrated on providing students with the computer skills necessary to thrive in today’s job market. Just as learning to read opens countless doors throughout the rest of life, learning coding and other tech basics will serve this generation of K-12 learners well for the rest of their lives.

Cultivate a “learning for learning’s sake” atmosphere.

The climate of our classrooms today is one of strict adherence to a set of benchmarks. If a topic isn’t on a standardized test or in that year’s outlined curriculum, it matters less or not at all. It’s not really the fault of the teachers. Educator accountability, after all, is tied to test results. Whenever possible, though, teachers should look for opportunities for learning that will not be tested later.

Maybe it’s unplanned visits to a school garden or a related lesson that won’t be on any graded or tested materials. Show students that learning is not just about answering test questions later on; sometimes it is just about gaining more knowledge.

Offer accelerated learning.

The job market is evolving rapidly and our education system hasn’t caught up. The weight of large undergraduate student loans means that it isn’t feasible for workers to take 2 to 3 years off to pursue higher education. Accelerated online learning programs that cater to working individuals fit the bill here. Several companies including One Month, Codecademy and General Assembly use varying methods but all aim to address the same issue: getting students on track in a flexible, affordable, and fast way.

New skills, such as computer programming, can be taught online via specialized learning platforms to people on their own time and won’t interfere with their full-time employment. The K-12 community can take a cue from these higher education initiatives: Find ways to offer learning that goes outside the traditional school hours and shows students that learning can happen on a flexible scale.

Becoming a lifelong digital learner truly is invaluable, both personally and professionally. Instilling this trait in our students is important for their own sake, and for ours. The next generation of graduates must value learning simply for its inherent greatness — not just the knowledge that lets us accomplish a simple goal.
