Friday Five: 1/18 Edition
Demystifying the 773 million record breach, how the government shutdown impacts cybersecurity, weaknesses in a DoD health agency, and more are covered in this week's Friday Five.
1. Monster 773 million-record breach list contains plaintext passwords by Dan Goodin
It's not that the biggest news of the week isn't big - it's that it isn't nearly as big of a deal as some publications have made it out to be. The news, for the uninitiated, is that a massive cache of email addresses and passwords dubbed "Collection #1" surfaced online this week. Troy Hunt, the owner of HaveIBeenPwned.com, a handy breach notification service, broke it down on Thursday. While yes, 773 million email addresses and 21 million passwords is a lot, it's worth keeping in mind that the majority of them, 663 million email addresses actually, are years old, come from previously disclosed breaches, and have been listed on HIBP previously. That means most users should have already reset those passwords. If anything, this week’s “breach” should serve as a teaching moment: use different passwords for different services, use two-factor authentication, and use a password manager.
2. As The Government Shutdown Drags On, Security Risks Intensify by Lily Hay Newman
We've highlighted articles before – like this one – that describe just how severe the government shutdown has been for cybersecurity. Wired put it best this week: now that the shutdown is in its fourth week, “early concerns have since compounded and evolved into a mounting crisis.” Affected: the National Institute of Standards and Technology, which has a large chunk of its site offline and 85 percent of its employees furloughed; government websites that have had their HTTPS certificates expire; and events sponsored by the DHS that can help foster innovation.
3. Facebook’s Privacy Problems Get Real in Germany by Alex Webb
Impossible to do a Friday Five without recapping Facebook's trials and tribulations of the week, right? That's the case this week after Germany's Federal Cartel Office, the country's national competition regulator, told the service it was going to ban it from collecting user data from third parties, à la the data sharing between WhatsApp and Instagram. The watchdog, which also goes under the name Bundeskartellamt, has had an issue with Facebook for a while now. It began looking into the way Facebook handles third-party data back in 2016, saw a court in Berlin rule last February that the way it uses personal data is illegal, threatened to take action against Facebook last August, and said in October it was further deliberating an action.
4. DoD Health Agency Security Flaws Put Patient Data at Risk, OIG Finds by Jessica Davis
Office of the Inspector General reports are nothing new – there’s usually one released every few weeks or so – but that doesn't make them any less fascinating. The latest (.PDF) drills into security at the Department of Defense Health Agency, a combat support agency of the Army, Navy, and Air Force. In short, it sounds as if the DHA has some work to do. It had difficulty complying with password complexity requirements for its clinical information system, some of its sites had security weaknesses, some systems weren't configured to lock after periods of inactivity, and in general it suffered from a lack of “standard operating procedures to manage system access.”
5. Airline Booking System Exposed Passenger Details by Jeremy Kirk
Amadeus, a service that works with hundreds of airlines to handle flight bookings, said it was looking into a vulnerability that apparently could have exposed passenger records. The company said in a statement that no data from travelers was disclosed but paradoxically said it was conducting a review and would be working hand-in-hand with customers affected. The actual blog post on the research is a good read and worth combing through if you're looking for further technical details.