This week’s security snacks:
- Password Expiration Policies Required? Microsoft Says NOPE
- IoT – the Always-On Connected World Was Great … until It Wasn’t
- Next Stop, Wherever the Person Controlling Your Vehicle Decides
Password Expiration Policies Required? Microsoft Says NOPE
Microsoft agrees with security experts: forcing periodic password changes, by itself, can do more harm than good.
For many people, adopting Microsoft’s published security baselines is a given; they treat them as the gold standard for IT security. So for some it was a bit of a surprise this week when news emerged from Redmond that the draft 1903 baseline would no longer require periodic password changes.
The rationale, of course, is that when you force users to change their password, human behavior kicks in. Users fall back on reusing an old password, bumping a digit at the end, or cycling through variations on one pattern. That, in turn, makes the hunt much easier for a would-be attacker who already has one of the older passwords.
Microsoft is very serious about security these days, so it makes sense that they would recommend this path. They already offer supplemental authentication mechanisms in the form of multi-factor authentication (MFA) and their Azure AD Password Protection service which went GA back at the start of April.
This makes perfect sense in today’s world. We let end users reset their own passwords, and they carry their second factor on a device that is rarely more than a few feet away.
One thing to consider before dropping a security policy, though: the controls replacing it have to actually cover the accounts in question. Just because your users can use MFA and conditional access does not mean your privileged, internal, and rarely used accounts (service accounts are the usual example) can leverage those technologies. For those, a periodic change may still be one of the few controls you have.
For more information, check out the 1903 security baseline notes by Aaron Margosis on TechNet: Security baseline (DRAFT) for Windows 10 v1903 and Windows Server v1903.
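As an added example (not from the article, and not part of Microsoft’s baseline), here is how a domain admin might act on that caveat in PowerShell: leave the domain-wide maximum age to Group Policy, where the baseline change lands, but pin a fine-grained password policy that keeps expiration to the privileged groups, then verify which policy each member actually ends up with. The ActiveDirectory (RSAT) module, the group names, the PSO name and the 60-day / 15-character values are all assumptions for illustration.

```powershell
# Added example, not the article's or Microsoft's code. Assumes the ActiveDirectory
# module is installed and the caller can create Password Settings Objects (PSOs).
# Group names, the PSO name and the numeric values below are assumptions.
Import-Module ActiveDirectory

$domain           = Get-ADDomain
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')  # assumption
$psoName          = 'PSO-PrivilegedAccounts'                                  # assumption

# 1. What applies to everyone today? A MaxPasswordAge of 0 (the GPO value the
#    baseline change implies) means passwords never expire for ordinary users.
Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot |
    Select-Object MaxPasswordAge, MinPasswordLength, LockoutThreshold

# 2. Keep expiration (and a longer minimum) for privileged and rarely used
#    accounts via a fine-grained policy. Lower Precedence wins when several apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge '60.00:00:00' -MinPasswordAge '1.00:00:00' `
        -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
        -Description 'Retains password expiration for privileged accounts'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $privilegedGroups

# 3. Verify: each (nested) member of those groups should resolve to the PSO, and
#    none should carry the PasswordNeverExpires flag, which overrides any policy.
$members = $privilegedGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object objectClass -eq 'user' |
    Sort-Object -Property DistinguishedName -Unique

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordNeverExpires, PasswordLastSet
    # Returns nothing when no PSO applies, i.e. the default domain policy is in effect.
    $effective = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        Account              = $u.SamAccountName
        EffectivePolicy      = if ($effective) { $effective.Name } else { 'DefaultDomainPolicy' }
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
    }
}

# Anything still on DefaultDomainPolicy, or flagged PasswordNeverExpires, needs attention.
$report | Sort-Object EffectivePolicy, Account | Format-Table -AutoSize
```

The verification step matters more than the PSO itself: a PSO only reaches accounts that are members of the groups you attach it to, and a per-account PasswordNeverExpires flag silently wins over any policy, so the report is what tells you whether the caveat above has actually been handled.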
IoT – the Always-On Connected World Was Great … until It Wasn’t
Flawed P2P technology threatens millions of IoT devices
From ordering your Saturday night takeout through Alexa, to receiving a video call from your doorbell, IoT devices are making our lives more convenient. Does this convenience come with a security cost though? Yup. Millions of IoT devices have just been declared hackable.
So let us start off with a simple question. How many people change their IoT device’s default password? … Crickets … Tumbleweeds … Lots of shrugs … Maybe a few hands raised….
This is an issue, a security ticking time bomb if you will. Consumers and businesses are investing heavily in making their environments more technologically advanced, all for the sake of convenience, without ever considering what could happen when these devices go bad. Is it the fault of the average buyer? Well, not really. Unless they work in an area like IT, thoughts such as “I must check for a new firmware release” or “I’ll generate a random password for this device” simply do not factor in when switching on the latest piece of acquired tech.
If you are not of a security mindset, it’s just easier to unbox a device, read the manual and add it to your home or business network. It also makes things easy when you forget the password, right? You can just read the manual or use your favorite search engine to get the default in seconds. Simple. Simple, though, isn’t always good, because anyone else can find that default just as quickly.
This week we found out about CVE-2019-11219 and CVE-2019-11220, the aforementioned millions of exposed IoT devices: cameras, baby monitors, video doorbells, and more from a gaggle of different manufacturers that share the same P2P component. Multiple vulnerabilities, and so far no known way to really secure the affected devices.
The problem, of course, is that everyone shares the responsibility of understanding the risks associated with IoT devices. Employees will often buy camera shutter covers for their corporate laptop for fear of someone eavesdropping, yet at the same time they will happily unbox a cylindrical speaker, put it in their family room, and let it listen to everything that goes on in their personal life.
It’s time to put a security hat on with IoT devices. Change the default password. Patch the device. If there is a security issue and the manufacturer isn’t doing anything to rectify it, then ask whether that device is something you are happy to live without, or at least keep it on its own network segment away from anything that matters. Don’t get me wrong, I love IoT gadgets, but make the red LED light in the corner of your room the good, helpful HAL, and avoid the “I’m sorry Dave, but I have shared that with everyone” HAL.
Read more about the millions of IoT devices at risk in this article, Flawed P2P technology threatens millions of IoT devices.
Next Stop, Wherever the Person Controlling Your Vehicle Decides
Hackers gain access to potentially tens of thousands of vehicles, allowing them to decide when your next unscheduled stop will take place.
Hot on the heels of our post last week on the use of the password “123456,” it looks like something similar has happened in the world of cars and trucks. Customers with iTrack and ProTrack vehicle tracking devices could be remotely monitored, and their engines potentially even turned off, by hackers.
The issue here, of course, is the old reliable default password attack. By brute-forcing accounts that still carried the default password, a security researcher discovered that they too could play with traffic. This is quite a sobering thought: the device put into your car so that it can be tracked when taken by a criminal is potentially being controlled by a criminal while you are inside it.
Always change the default password. It was the default for a reason: it was easy to remember, which also makes it easy to guess. Don’t make it easy for others.
Read more in this article, Researcher hacks fleets and can kill engines via GPS tracking app.