C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F

  1. NIST releases revised strong password recommendations
    - The new guidelines recommend long passphrases over short passwords padded with forced special characters, screening new passwords against lists of known-breached values, and changing passwords only when there is evidence of compromise rather than on a schedule.
    nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
    pages.nist.gov/800-63-3/sp800-63-3.html
    www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118 (sign-in required)
    xkcd.com/936/
    Choosing strong passwords
    Generating Rememberable Passwords
  2. Implementing the NIST Cybersecurity Framework? Consider looking at these first.
    - The Australian “Essential Eight” or the CIS Critical Security Controls “Top 5” will help to prioritise your first actions.
    asd.gov.au/publications/protect/essential-eight-maturity-model.htm
    www.cisecurity.org/controls/
  3. Phishing
    - From SANS NewsBites Vol. 19 Num. 064: “Both the 2016 and 2017 SANS Threat Landscape Surveys found phishing, including spearphishing and whaling, was the top way threats enter organizations. While the most common response to reduce the risk is enhanced user training, technical countermeasures are also needed. Google added anti-phishing features to Gmail earlier this year and are now extending them to the mobile user…” – Neely
  4. Windows Search Bug worth watching, and squashing
    - Apply the patch now for a critical Windows Search privilege escalation and RCE vulnerability (or disable the WSearch service as an interim mitigation until you can)
    threatpost.com/windows-search-bug-worth-watching-and-squashing/127434/
    portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8620
  5. Outlook Web Access based attacks
    - Multi-factor authentication can help
    isc.sans.edu/forums/diary/Outlook+Web+Access+based+attacks/22710/
  6. Checking for Breached Passwords in Active Directory
    - Utility that uses the Have I Been Pwned password lists to check whether passwords in use in Active Directory have already appeared in a breach
    jacksonvd.com/checking-for-breached-passwords-in-active-directory/
  7. Microsoft Joins Google/Mozilla in Banishing WoSign and StartCom From Trusted CA List
    - Microsoft to remove WoSign and StartCom certificates in Windows 10
    blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/
  8. Compromise On Checkout – Vulnerabilities in SCM Tools
    - RCE via crafted ssh:// URLs in Git, SVN and Mercurial clients (a host name beginning with a dash is handed to ssh as a command-line option); update your clients and treat URLs in untrusted repositories, submodules included, with suspicion
    blog.recurity-labs.com/2017-08-10/scm-vulns
  9. The Good Phishing Email
    - Proper email headers for phishing awareness exercises
    isc.sans.edu/forums/diary/The+Good+Phishing+Email/22712/
  10. Beware of Security by Press Release
    - On “smoke and mirrors” vulnerabilities…
    krebsonsecurity.com/2017/08/beware-of-security-by-press-release/
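
Items 1 and 6 above both come down to the same verifier-side check: accept any sufficiently long secret, apply no composition rules or expiry, and refuse anything that is already in a breach corpus. The Python below is an added example written for this digest, not code from NIST or from the utility linked in item 6. It implements the SP 800-63B acceptance checks (length, context-specific words, repeated or sequential characters, breached-password blocklist) and performs the blocklist lookup the way the Have I Been Pwned range API is keyed (SHA-1, five-character prefix, suffixes matched locally). The breached-password corpus, its counts and the sample passwords are constructed so that it runs offline; in production the range table would come from the HIBP list or API.

```python
import hashlib
from typing import Dict, Iterable, List, Sequence

# Constructed stand-in for a breached-password corpus (the Pwned Passwords
# list from Have I Been Pwned is the real thing). Illustrative entries only.
CONSTRUCTED_BREACHED = ["password", "123456", "qwerty", "letmein", "P@ssw0rd", "Summer2017"]

RangeTable = Dict[str, Dict[str, int]]


def build_range_table(passwords: Sequence[str]) -> RangeTable:
    """Index SHA-1 hashes the way the Pwned Passwords range API serves them:
    the first 5 hex characters are the lookup key, the remaining 35 are listed
    with a prevalence count. The counts here are constructed, not real."""
    table: RangeTable = {}
    for i, pw in enumerate(passwords):
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        table.setdefault(digest[:5], {})[digest[5:]] = 1000 - i
    return table


RANGE_TABLE = build_range_table(CONSTRUCTED_BREACHED)


def breach_count(password: str, table: RangeTable = RANGE_TABLE) -> int:
    """k-anonymity lookup: only the 5-character prefix would ever leave the
    host; the full hash is matched locally against the returned suffixes."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return table.get(prefix, {}).get(suffix, 0)


MIN_LENGTH = 8    # SP 800-63B: at least 8 characters for a user-chosen secret
MAX_LENGTH = 128  # 800-63B: verifiers should accept at least 64; any cap >= 64 is fine


def has_repeat_or_sequence(password: str, run: int = 4) -> bool:
    """Flag runs such as 'aaaa', 'abcd' or '4321' (800-63B's repetitive or
    sequential characters). Case-insensitive; the run length is a tunable."""
    lower = password.lower()
    for i in range(len(lower) - run + 1):
        window = lower[i:i + run]
        if len(set(window)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def evaluate_password(password: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons to reject the password; an empty list means accept.
    Deliberately no composition rules and no expiry: those are what the
    revised guidance drops."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if len(password) > MAX_LENGTH:
        reasons.append("too_long")
    lower = password.lower()
    if any(w and w.lower() in lower for w in context_words):
        reasons.append("context_word")  # user name, service name, company name
    if has_repeat_or_sequence(password):
        reasons.append("repeat_or_sequence")
    if breach_count(password) > 0:
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs; 'alice' stands in for the account name.
    for pw in ["password", "abcd1234", "correct horse battery staple", "alice2017rocks"]:
        print(f"{pw!r}: {evaluate_password(pw, context_words=['alice']) or 'OK'}")
```

The same breach_count lookup works for an after-the-fact audit of existing accounts, which is what the item 6 utility does against Active Directory; the difference is only where the hashes come from. Note that HIBP keys its list on SHA-1 of the password, so an AD audit that starts from NT hashes needs a list keyed the same way or a password-to-hash step of its own.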
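
For item 8, the defect in all three clients is the same: the host (or user, or path) taken from a clone URL is passed to ssh as a positional argument, so a value beginning with "-" is parsed as an ssh option, and -oProxyCommand=... makes ssh run an attacker-chosen command on the client. The Python below is an added example for this digest, not code from Git, SVN, Mercurial or the Recurity Labs post. It parses the two URL shapes the clients accept (ssh://[user@]host[:port]/path and the scp-like [user@]host:path), refuses any field that starts with a dash, which is the check the patched clients apply, and only then builds the ssh command line. The sample URLs are constructed.

```python
import re
from typing import List, NamedTuple, Optional


class SshTarget(NamedTuple):
    user: Optional[str]
    host: str
    port: Optional[int]
    path: str


class UnsafeUrl(ValueError):
    """A URL field would be parsed by ssh as a command-line option."""


# ssh://[user@]host[:port]/path
_SSH_URL = re.compile(
    r"^ssh://(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+)(?::(?P<port>\d+))?(?P<path>/.*)?$"
)
# [user@]host:path  (scp-like: a ':' before any '/' is what marks this form)
_SCP_LIKE = re.compile(r"^(?:(?P<user>[^@:/]+)@)?(?P<host>[^:/]+):(?P<path>.*)$")


def parse_scm_ssh_url(url: str) -> SshTarget:
    """Split a clone URL into the pieces an SCM client hands to ssh."""
    if url.startswith("ssh://"):
        m = _SSH_URL.match(url)
    elif "://" not in url:
        m = _SCP_LIKE.match(url)
    else:
        m = None  # http://, file:// etc. are not ssh transports
    if not m:
        raise ValueError(f"not an ssh transport URL: {url!r}")
    port_text = m.groupdict().get("port")
    port = int(port_text) if port_text else None
    return SshTarget(m.group("user"), m.group("host"), port, m.group("path") or "")


def check_ssh_target(target: SshTarget) -> None:
    """Reject any field that ssh would read as an option. user and host end up
    in one argv element ('user@host'), path in another; a leading '-' in any of
    them turns it into e.g. -oProxyCommand=<cmd>, which ssh executes locally."""
    for field in ("user", "host", "path"):
        value = getattr(target, field)
        if value and value.startswith("-"):
            raise UnsafeUrl(f"{field} {value!r} starts with '-' and would be parsed as an ssh option")
    if not target.host:
        raise UnsafeUrl("empty host")


def is_safe_scm_url(url: str) -> bool:
    """True only for an ssh-transport URL whose fields pass check_ssh_target."""
    try:
        check_ssh_target(parse_scm_ssh_url(url))
    except ValueError:  # UnsafeUrl is a ValueError as well
        return False
    return True


def ssh_argv(url: str, remote_command: str) -> List[str]:
    """Build the argv an SCM client would exec, after validation. Execution
    itself is left to the caller (subprocess.run(argv) with no shell)."""
    target = parse_scm_ssh_url(url)
    check_ssh_target(target)
    argv = ["ssh"]
    if target.port is not None:
        argv += ["-p", str(target.port)]
    dest = f"{target.user}@{target.host}" if target.user else target.host
    argv += [dest, remote_command]
    return argv


if __name__ == "__main__":
    # Constructed URLs: two benign, three shaped like the ssh:// attack.
    for u in [
        "ssh://git@example.com:2222/org/repo.git",
        "git@example.com:org/repo.git",
        "ssh://-oProxyCommand=id/repo.git",
        "-oProxyCommand=id:repo.git",
        "ssh://-oProxyCommand=id@example.com/repo.git",
    ]:
        print(f"{u!r}: {'ok' if is_safe_scm_url(u) else 'REJECTED'}")
```

Run the same check over every URL a recursive clone will follow (for Git that means the .gitmodules file of the repository being cloned), not just the one typed on the command line. Rejecting dash-leading fields is the portable fix; relying on a "--" option terminator is not, because not every ssh program an SCM client may be configured to call honours it.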