Hashing Algorithms for storing Passwords
Almost every week, an ever-growing list of data breaches occurs around the world. In many cases, attackers gain access to sensitive information such as a hashed password database. An alarming observation from recent attacks is how credentials are stored.
Many of the recent breaches, small and large, involved credentials stored using methods that are old, outdated and insecure by today's standards, such as MD5, unsalted SHA variants and even plain-text passwords. These methods make it trivial for an attacker to recover the plain-text passwords through brute-force attacks.
The ISM and NIST provide guidance and recommendations on storing passwords. In summary:
• ISM: As per control 1252, agencies must store credentials in a hashed format using a strong hashing algorithm that is uniquely salted. For example, a hashing algorithm from at least the SHA2 family.
• NIST: Passwords must be hashed (SHA1-3) and salted with at least 32 bits of data.
It is recommended to ensure that best-practice and hardening guides are followed to protect such sensitive information. In addition, layering security controls such as MFA provides an extra level of protection. The goal is to ensure that if a breach occurs, brute-force attacks against the stored hashes would prove impractical.
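As an added example (not code from the original article), the contrast between the unsalted MD5 scheme criticised above and a uniquely salted SHA-2 construction, here PBKDF2-HMAC-SHA256 from Python's standard library; the user names, passwords and stored-record layout are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credentials: two users who chose the same password.
USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}

def legacy_md5(password: str) -> str:
    """The outdated scheme criticised above: unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Uniquely salted SHA-256 via PBKDF2-HMAC (hashlib.pbkdf2_hmac).
    Stored record layout (constructed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, well above the 32-bit minimum quoted above
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def shared_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users by identical stored value. Unsalted hashes reveal who shares
    a password; uniquely salted hashes never group (a useful audit check)."""
    groups: Dict[str, List[str]] = {}
    for user, value in records.items():
        groups.setdefault(value, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

if __name__ == "__main__":
    md5_db = {u: legacy_md5(p) for u, p in USERS.items()}
    salted_db = {u: hash_password(p) for u, p in USERS.items()}
    print("unsalted MD5 duplicates:", shared_hash_groups(md5_db))      # alice and bob grouped
    print("salted PBKDF2 duplicates:", shared_hash_groups(salted_db))  # {}
    print("bob login ok:", verify_password(USERS["bob"], salted_db["bob"]))
```

Running the audit helper over an existing credential table is a quick way to confirm whether per-user salts are actually in use before a breach makes it obvious.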
Author: David Roccasalva
FaceTime Bug allowing Eavesdropping
A critical bug has just been discovered in the new iOS allowing eavesdropping via FaceTime. A fix is expected later this week, but in the meantime, it is highly recommended to turn off FaceTime.
3-2-1 Backup Strategy
An organisation can lose its data for many reasons: cyber-attacks, corrupt storage media, rogue employees or human error. A simple yet effective solution to back up your data is the 3-2-1 strategy. The strategy consists of three steps:
• STEP 1: Create three copies of your data including one primary copy and two other backup copies.
• STEP 2: Store the two backup copies on two different media such as hard disks or cloud.
• STEP 3: Always keep one of these copies at an offsite location.
Daily backups are bread and butter for any IT department. Yet many companies fail to formulate a backup and recovery plan for their data. Start by implementing the 3-2-1 backup strategy. Check out the following article by one of our experienced consultants, David Roccasalva, about the considerations to take into account before designing a data backup strategy.
A future ISM prospect?
The US Department of Homeland Security has issued an emergency directive requiring all US agencies to operate with a .gov domain. The Australian Government tends to follow US Government directives, so this is something that may be incorporated into the ISM in future.
Adobe's Security Updates
Adobe has recently released security updates to fix two critical vulnerabilities for Acrobat and Reader. The first vulnerability, identified as CVE-2018-16011, can lead to the execution of arbitrary code. The second vulnerability, identified as CVE-2018-19725, can result in privilege escalation.
As these vulnerabilities are now public, it is highly recommended that both Mac and Windows users install these updates. Click on the following link for further action: