-
NIST releases revised strong password recommendations
- The new guidelines recommend passphrases over shorter passwords with special characters, and changing them only if there is evidence of compromise.
nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
pages.nist.gov/800-63-3/sp800-63-3.html
www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118 (sign-in required)
xkcd.com/936/
Choosing strong passwords
Generating Rememberable Passwords - Implementing the NIST Security Framework? Consider looking at these.
- The Australian “Essential Eight” or Critical Security Controls “Top 5” will help to prioritise your first actions.
asd.gov.au/publications/protect/essential-eight-maturity-model.htm
www.cisecurity.org/controls/ - Phishing
- From SANS NewsBites Vol. 19 Num. 064: “Both the 2016 and 2017 SANS Threat Landscape Surveys found phishing, including spearphishing and whaling, was the top way threats enter organizations. While the most common response to reduce the risk is enhanced user training, technical countermeasures are also needed. Google added anti-phishing features to Gmail earlier this year and are now extending them to the mobile user…” – Neely - Windows Search Bug worth watching, and squashing
- Apply the patch now for a critical Windows Search privilege escalation and RCE vulnerability (or disable the WSearch service)
threatpost.com/windows-search-bug-worth-watching-and-squashing/127434/
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8620 - Outlook Web Access based attacks
- Multi-factor authentication can help
isc.sans.edu/forums/diary/Outlook+Web+Access+based+attacks/22710/ - Checking for Breached Passwords in Active Directory
- Utility using lists from HaveIBeenPwned to verify whether passwords have been breached
jacksonvd.com/checking-for-breached-passwords-in-active-directory/ - Microsoft Joins Google/Mozilla in Banishing WoSign and StartCom From Trusted CA List
- Microsoft to remove WoSign and StartCom certificates in Windows 10
blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ - Compromise On Checkout – Vulnerabilities in SCM Tools
- RCE utilising ssh:// links in Git, SVN and Mercurial
blog.recurity-labs.com/2017-08-10/scm-vulns - The Good Phishing Email
- Proper email headers for phishing awareness exercises
isc.sans.edu/forums/diary/The+Good+Phishing+Email/22712/ - Beware of Security by Press Release
- On “smoke and mirrors” vulnerabilities…
krebsonsecurity.com/2017/08/beware-of-security-by-press-release/
C410 A2BE CB73 EF77 746E 9682 E2C4 91CE D20D 800F
![[TI: logo for TI accredited teams]](../assets/img/TI-Accredited_120x120.jpg)
![[FIRST.org Logo]](../assets/img/first-org-simple.png)