Ransomware Posing as Flash Player Download A new strain of ransomware hit organizations throughout Eastern Europe earlier this week. Spread through compromised websites, the Bad Rabbit ransomware poses as an Adobe Flash Player download, and after infecting one machine, can quickly spread through an organization’s network without being detected.

imagesRHVA6HVG

The Latest Ransomware Presents Itself as an Adobe Flash Player Download

Nextgov | By Keith Collins |

A new strain of ransom ware, called Bad Rabbit, began hitting organizations throughout Russia and Eastern Europe on Wednesday (Oct. 25). The malware is being spread through compromised websites, presenting itself as an Adobe Flash Player download.

“When users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which was hosting the malicious file,” according to a blog post by Talos, Cisco’s threat intelligence team.

Once infected with the ransom ware, victims are directed to a web page on the dark web, which demands they pay 0.05 bit coin (roughly $285 USD) to get their files back.

After one computer on a network is infected, Bad Rabbit can quickly and covertly spread through an organization without being detected. Although the ransom ware has been detected in several countries, it appears to be concentrated in organizations in Russia and Ukraine, particularly media outlets.

#SID2018 Is the Internet Safer? Today is the annual Safer Internet Day, an effort to promote safer and responsible use of the internet and mobile phones that is celebrated by over 120 countries. Several cyber experts and companies weigh in on the dangers that younger internet browsers face, and how government, industry, parents, and others in the community can help reduce usage risks.

th
#SID2018: Is the Internet Safer?

Infosecurity Magazine | By Dan Raywood | February 6, 2018

Today is the annual Safer #InternetDay, where the reality of online threats are detailed in the effort to encourage users to take better safety steps online.

According to research released by the UK Safer Internet Centre, a study of 2000 eight- to 17-year-olds, found that 11% had “felt worried or anxious on the internet,” while respondents had felt inspired (74%), excited (82%) or happy (89%) as a result of their internet use in the previous week.

This year’s event is using the slogan “Create, Connect and Share Respect: A better internet starts with you” with a strong emphasis on using the internet and what makes users feel good or bad. In a time where more is being done to deliver a safe experience online – including free SSL certificates, the launch of a new version of the TLS protocol and the ability to filter out certain words on Twitter – it does seem that more is being done to provide a safer and better experience for all online.

Margot James, Minister for Digital and the Creative Industries, said that the internet does have a positive effect on young people’s lives, but we must all recognize the dangers that can be found online. “Only by working together can government, industry, parents, schools and communities harness the power of the internet for good and reduce its risks.”

At the recent White Hat Ball, it was revealed that in 2017, there were over 12,000 counselling sessions in which children spoke to Childline about experiences of online sexual abuse, bullying and safety.

Will Gardner, a director of the UK Safer Internet Centre and CEO of Childnet, said: “Safer Internet Day gives us the unique opportunity to collectively promote respect and empathy online, inspire young people to harness their enthusiasm and creativity, and support them to build positive online experiences for everyone. It is #inspirational to see so many different organizations and individuals come together today to build a better internet.”

After all, a #safer #internet means more young people are encouraged to learn more about the internet and its workings, and therefore see the benefits of a career in cybersecurity.

Raj Samani, chief scientist and fellow at McAfee, said the reality is that we need to continue raising awareness for codes of best practice online. “Cyber-criminals are constantly on the lookout for slip ups and mistakes which allow them to access lucrative private data – from bank account details to medical history: consumers must be aware of the threats online – not least because the blurring of work life boundaries today means bad habits online can quickly slip into the office.”

As a result, Samani recommended that businesses should offer staff training to build up a strong security culture across their entire organization.

He added: “Implementing the right technology is vital but, at the end of the day, it’s about looking for a blended approach which suits your specific organization. This means finding the right combination of people, process and technology to effectively protect the organization’s data, detect any threats and, when targeted, rapidly correct systems.

“Safer Internet Day acts as a timely reminder for organizations to ensure the correct training is in place so staff can remain cyber-savvy online.”

To tie-in with the day, ENISA published the Cybersecurity Culture in Organizations report, in order to promote both the understanding and uptake of cybersecurity culture programs within organizations. ENISA said that a decent culture is achieved by:

• Setting #cybersecurity as a standing agenda item at board meetings to underline the importance of a robust cybersecurity culture

• Ensure that employees are consulted and their concerns regarding cybersecurity practices are being considered by the cybersecurity culture working group

• Ensure that business processes/strategies and cybersecurity processes/strategies are fully aligned

“While many organizations and employees are familiar with related concepts such as cybersecurity awareness and information security frameworks, cybersecurity culture covers a broader scope. The idea behind this concept is to make information security considerations an integral part of an employee’s daily life,” ENISA’s announcement said.

Part of this was to appreciate that “cyber threat awareness campaigns alone do not provide sufficient #protection against ever evolving cyber-attacks,” and that technical cybersecurity measures need to be in accordance with other business processes, and it is important that employees need to act as a strong human firewall against cyber-attacks.

A safer internet is better for all, although a cynic of such awareness days would suggest that there should be year-round awareness of the issues and part of developing a culture is the constant awareness. Regardless, some action is better than none and it is reassuring to see such positivity about internet usage in 2018.

Should Agency Websites Shutdown with the Rest of Government?

Some government websites were inaccessible during this week’s government shutdown. Content on other government websites was accessible, but only content published prior to the shutdown. In one instance, the National Science Foundation (NSF) suggested that maintaining its website during a government shutdown could pose cyber security risks. In contrast, the National Endowment for the Humanities (NEH) website remained opened but not updated. The NSF may run its own physical web server(s) onsite, while NEH and other agency sites that continued without interruption are hosted on the enterprise cloud. Conclusions cannot yet be drawn that government-run web servers went dark and cloud hosted sites remained up.

Could The Cloud Save Government Websites From Going Dark In The Next Shutdown?
Forbes | By Kalev Leetaru

Last April I wrote that rumors of the EPA’s open data website disappearing were merely the bureaucratic outcome of a potential government shutdown, but that perhaps the renewed attention to where the government’s scientific agencies host their data might yield changes that would make them more resilient to future government shutdown threats. Unfortunately, it appears that not all agencies learned from last year’s public outcry and earlier this week the US Government shutdown ended up turning off the lights on some US Government websites. How can it be in 2018, with the web such an important way of interacting with government agencies, that entire agency websites could simply vanish at the metaphorical stroke of midnight?
During this past weekend’s US Government shutdown, the EPA open data portal was spared, as was the USDA website, which simply added a brief message about the site not updating during the shutdown, in contrast to the 2013 shutdown, when they just removed their entire site. The data.gov portal largely shut down, though it made an archive of its metadata available via BitTorrent.
The National Science Foundation’s (NSF) website was a different matter. As with the EPA scare last year, I was first alerted to the disappearing site when I started receiving messages from colleagues looking for datasets, critical PDF documents, forms, references and other data from the now-vanished National Science Foundation’s website. Visitors to the NSF website were greeted with an homage to the simpler days of the web: a text-only one-page HTML homepage generated in Microsoft Word.
In contrast, the website of the National Endowment for the Humanities (NEH) remained completely open with the only modification being the addition of a small link to the agency’s shutdown plan. Unlike NSF, NEH’s shutdown directive provides that “public NEH websites such as http://www.neh.gov and edsitement.neh.gov will remain up, but will not be updated.” This is what one might expect from a government agency in 2018: websites simply freeze in time until the government resumes, but whatever was there prior to the shutdown remains accessible.
Similarly, websites for NIH, NASA, USGS, DOE and countless other agencies remained active.
When reached for comment, an NSF spokesperson responded that the agency had shut down its website in 2013 as well and that “The OMB memorandum [OMB-M-18-05] provides further guidance on continuity or suspension of IT operations for an agency, stating that continued access to agency websites does not warrant the retention of personnel or obligation of funds. Consistent with OMB guidance, NSF evaluated the potential operational impact and cyber security risks of maintaining agency websites, and decided it would be most prudent to suspend website operations.”
It is remarkable that NSF cited cyber security risk as a reason for shuttering its website during the shutdown. Given that many other agencies left their websites operating, does this mean they simply tolerated a higher risk of their sites being compromised? Or have they adopted a better cyber security posture that makes their sites more able to weather a shutdown without being hacked?
This also raises the question of what happens to US Government computing systems during a shutdown if they come under cyber-attack and whether website defacement and computer breaches would be detected and/or remediable during a shutdown. If NSF felt it would be unable to adequately detect or respond to a cybersecurity breach of its web site during a shutdown, does this mean that the US Government needs to develop a special cybersecurity policy to assist agencies during shutdowns?
Despite apparently feeling that the cybersecurity risks of leaving its website online during the shutdown were severe enough to warrant its deactivation, the agency did not suspend its social media accounts. When asked why it felt those accounts were not at risk from being taken over during the shutdown, the agency did not respond other than to confirm that it left its social accounts online, but did not update them.
The agency also did not respond beyond its statement above as to why it believed that it could not safely leave its website online, even while many of its peer agencies did so. When asked how “NSF determined that ‘cybersecurity risks’ warranted the deactivation of its website, while its peer agencies continued to operate their sites as normal” and whether “NSF has comment on whether its web infrastructure is notably different from its peers and thus at greater cybersecurity risk?” the agency responded “The OMB guidance stated that agencies should both evaluate potential operational impacts and cybersecurity risks of maintaining agency websites. Like in 2013, we decided it was most prudent to suspend website operations.”
Given that NEH felt so confident in the ability of its website to function unattended during the shutdown that it actually codified in its written shutdown policy that the site would continue to be available, it raises questions of why NSF believes its own website could not safely remain available. After all, if NSF believes its site is so vulnerable that it would be at risk during a shutdown, what does that say about its security posture and safety that it believes it cannot withstand even a few days on its own? NSF did appear to concede that it might learn from its peer agencies, saying “NSF is reviewing its plans and identifying ways where we can make changes while still complying with the law.”
While the agency itself would not comment on why it was unable to leave its website functioning, one clue might be a 2016 bulletin that suggests the agency may run its own physical web server(s) on premises, rather than outsourcing its website hosting to the enterprise cloud. In contrast, websites for NEH, NIH, and NASA all continued without interruption and all resolve to IP ranges in Amazon’s AWS cloud, meaning they could rely on Amazon’s enterprise-grade infrastructure and security to continue functioning even in the absence of Government IT staff to monitor them. DOE’s website, which resolves to an IP hosted by BlackMesh hosting services, similarly remained up. At the same time, however, data.gov, which was shut down, resolves to an AWS and CloudFront IP address, while the USGS website appears to resolve to a US Government IP range and remained up.
Thus, it is not as clear cut as saying that government-run web servers went dark and cloud hosted sites remained up. If the Department of Interior and NSF both indeed operate their own web servers, why is it that the Interior was able to configure those servers to safely and securely continue to function during the shutdown, while NSF felt it was unable to continue making its websites available without placing them at an unacceptable operational and cybersecurity risk? Why did data.gov shutdown even though it is hosted in the commercial cloud, while other sites also hosted in the same cloud remained available? GSA did not respond to a request for comment as to why data.gov was disabled during the shutdown.
Clearly, agency decision making played a key role as to which agencies decided to leave their sites running and which made the decision to wipe their agency from the digital world with a single keystroke in an erasure that would make Orwell’s 1984 government proud.
Putting this all together, it is remarkable that in 2018 a government shutdown could result in entire agency websites and the open data portal of the United States going dark. Even more remarkable is that at least one agency responded that its website shutdown was due at least in part to cybersecurity concerns of running its site unattended, suggesting the US Government may need a unified cybersecurity policy to protect agencies during shutdowns. It is noteworthy that it appears that even those agencies that shuttered their websites appeared to leave their social media accounts online, instead of similarly suspending them out of fears that attackers could leverage social engineering or other approaches to take them over while they were unattended during the shutdown.
That the Government’s outsourced communications platforms on Twitter, Facebook and elsewhere largely remained online even as some websites were turned off, raises the question of whether the US Government should simply outsource the rest of its public digital presence to the firms that power the modern digital age? It appears that many federal agencies have already outsourced their web hosting and that those cloud-hosted sites from the White House (Akamai) to the Department of Energy (BlackMesh) to NEH, NIH and NASA (Amazon AWS) largely remained up during the shutdown, though with the notable exception of data.gov.
In the end, many US Government agencies that shut down in 2013 seem to have learned their lessons and remained available this time, while others chose to wipe their agencies from the digital world in lieu of 1990’s-style one-page homepages written in Microsoft Word. The trend towards outsourcing Government hosting seems to have helped, with even those agencies shuttering their websites electing to keep their cloud-hosted social media accounts running. Perhaps as the last technology holdouts finally join the modern era and as Government moves the rest of its hosting infrastructure to the cloud, the US Government will no longer go digitally dark during the next shutdown.

DHS: More Fed Cyber Services Could Be Outsourced

Barry West, the Department of Homeland Security’s senior accountable official for risk management, believes that federal agencies may pursue outsourced cyber security services from contractors more frequently, due to the ongoing global shortage of and competition for cyber talent.

Government Could Shift to Security-as-a-Service, DHS’s West Says
Fedscoop | By Carten Cordell

With cyber talent in high demand, Barry West said Thursday that the government may soon to lean more heavily on the private sector for cyber security help.

West, the Department of Homeland Security’s senior accountable official for risk management, said that an ongoing global shortage of cyber talent could soon push agencies to more frequently pursue outsourced cyber security services from contractors rather than try to compete with the private sector.

“When I look at a visionary view of cyber, I think this is really where we are headed,” he said at ATARC’s Federal CISO Summit. “This would have been far-fetched probably five years ago, saying you were going to have a private sector company perform your security.”

West pointed to research from Gartner that predicted that there would be a global cyber shortfall of 1.8 million by 2022 — with the federal government struggling to compete with the private sector for talent, it may be more beneficial for agencies to contract for it, he said.

“This isn’t to say that there’s not going to be government oversight; there’s still not going to be a [chief information security officer] in charge,” he said, “but I really think we are headed for a model where we are going to see security-as-a-service and you are going to see [security operations center, or SOCs] as a service.”

West added that DHS is already in talks to consolidate 12 to 13 “disparate SOCs” — which help monitor cyber security posture from across the agency’s networks — saying that it is a key priority for Secretary of Homeland Security Kirstjen Nielsen.

“She really wants to see that happen,” he said. “It really shows when you have a major incident — when we had the WannaCry incident last year, it became real clear some of the disorganization we had around reporting.”

Consolidation would precede SOC-as-a-service, West said, with DHS beginning to merge SOC operations in the National Capital Region.

“I think it’s the way we’re headed. I think you will hear more of the SOC consolidation at DHS next year. That’s going to be a big focus for us,” he said.

After that, West said, DHS would likely craft some prototypes to test the SOC-as-a-service model over the next three to four years.

“I think we have to start thinking about it now and planning, but I think it’s the way of the future,” he said.

Third Largest County in U.S. Almost Lost $888K in Phishing Attack

Back in September 2017, a cybercriminal exploited Hurricane Harvey repair and rebuild efforts in the Houston area to dupe Harris County, the third largest county in the U.S., into releasing $888,000. While the county managed to recoup the payment, they plan on hiring a cyber security firm to review their internal policies and security controls, as increasingly sophisticated attacks from all over continue to target local governments.

Phishing Attackers Almost Steal $888K from Harris County, Texas, Prompting Cyber security Review
Government Technology | By Mihir Zaveri

On Sept. 21, not three weeks after Houston was ravaged by Hurricane Harvey, the Harris County auditor’s office received an email from someone named Fiona Chambers who presented herself as an accountant with D&W Contractors, Inc.

The contractor was repairing a Harvey-damaged parking lot, cleaning up debris and building a road for the county, and wanted to be paid. Chambers asked if the county could deposit $888,000 into the contractor’s new bank account.

“If we can get the form and voided check back to you today would it be updated in time for our payment?” read a Sept. 25 email from Chambers.

On Oct. 12, Harris County sent the money out. The next day, the county quietly was scrambling to get it back, after being alerted that the account did not belong to D&W, that Chambers did not exist and that county employees had been duped by a fraudster.

The county recouped the payment, but the ongoing investigation into who tried to take the county’s money and nearly got away with it has ignited a debate over the financial security and cyber security of the third-largest county in America. That debate comes as experts point to a growing number of increasingly sophisticated attackers from around the world, homing in on untrained employees or system vulnerabilities.

The incident now has become wrapped into an FBI investigation into a group that has attempted to extort local governments around the world, law enforcement officials said.

Meanwhile, some officials are moving to revamp their practices as others say further scrutiny of county defenses is necessary.

“We live in a rapidly changing world of technology that you can’t just sit pat and expect that the bad guys aren’t going to come after you,” Harris County Judge Ed Emmett said. “I think we need to look at all of our systems to be sure that somebody can’t get in and steal taxpayer money.”

The investigation into the incident comes as the cyber security of local governments has received increased scrutiny after reports in 2016 of Russian-sponsored attempts to hack campaign finance databases and software used by poll workers.

Harris County information technology officials last year acknowledged a “spike” in attempts to hack servers from outside of America’s borders, but, citing concerns over emboldening the hackers, they declined to say how big of a surge in hacking attempts the county was experiencing, whether it was election-related or which systems had been targeted.

Alan Shark, executive director and CEO of the Washington, D.C.-based Public Technology Institute, which partners with the National Association of Counties, said the attempt to steal money from Harris County was not typical, but local governments increasingly are becoming targets for hackers or other cyber criminals.

Shark said statistics to illustrate the trends specific to governments are hard to find, though he said they “mirror” those of the private sector. One firm estimates that by 2021, cybercrime will cost the world $6 trillion each year, up from $3 trillion in 2015.

“This is not somebody sitting in a college dorm somewhere, dreaming this up,” Shark said. “In most cases these are very sophisticated, more often happening from another nation or another country.”

Shark said local governments are particularly vulnerable after disasters.

Harris County Precinct 1 Constable Alan Rosen said his office has “worked the case as far as you can go,” and said that no county employee had been implicated.

“We’re working with the FBI because there have been multiple attempts by this group throughout the United States and abroad to phish in county governments, city governments, things like that,” Rosen said. “We’re working very closely with them.”

He declined to provide more information about the group being investigated, referring questions to the FBI office in Los Angeles.

An FBI spokeswoman said Wednesday she could not confirm or deny the investigation.

Rosen said he had never investigated such an incident before.

“But that doesn’t mean it hasn’t happened,” he said. “I just have not heard of it.”

The county makes nearly 10,000 payments to vendors each month totaling about $141 million, about a third of those in the form of electronic transfers like that set up in September to send out the $888,000.

Harris County Auditor Michael Post said he had never seen an attempt like the one from the fraudulent D&W contractor.

“I’m calling it a near miss,” Post said. “It was (nearly) $900,000. Oh my God, that happened. We did not want this to ever happen.”

He said while he cannot say for sure that it has not happened in the past, it likely would have been caught when whoever was supposed to receive the money did not.

Post said in the days after the incident, he created a five-person team that would begin reviewing every outgoing payment and double-checking that recipients are, in fact, who they say they are by calling and asking for verifying information. That team includes one individual certified by the Association of Certified Fraud Examiners.

Earlier this month, the auditor’s office staff went through training on how to review for fraudulent requests for payment.

Some say the changes so far do not go far enough.

Orlando Sanchez, the Harris County treasurer, who writes the actual checks for the county, said he would like to see a more comprehensive analysis of the county’s vulnerabilities. He said he has to write checks that are directed by the county auditor’s office, and he would like to see an outside agency or another county department audit the county’s payments.

On Jan. 9, Sanchez sought to hire an outside forensic financial investigation firm Briggs and Veselka to “review the county’s payment processes and controls” but a vote on the proposal was postponed by Harris County Commissioners Court after the county attorney’s office said it objected to some technical terms of the proposed contract.

Commissioners Court is expected to consider at its Jan. 30 meeting a proposal to hire a firm to look over the county’s internal policies and cyber security controls when it comes to the payment process.

“We are a big operation,” Emmett said. “Harris County has got more people than 26 states. We’re well into the billions of dollars on an annual budget. I think the more eyes the better.”

Strava Reviewing Features After Heat Map Exposes Military Locations

The App That Exposed the Location of Military Bases With a Heat Map is Reviewing Its Features
CNBC | By Ryan Browne

Strava, the fitness app that exposed the locations and activities of soldiers at U.S. military bases, is reviewing its features to prevent them from being compromised for malicious purposes.

The app, which calls itself a “social network for athletes,” lets users connect a GPS device to the service so that they can upload their workout logs online. This, in turn, revealed the movements of service personnel using the app and additional information about how frequently they were moving.

Strava Chief Executive James Quarles said that the company was “committed to working with military and government officials to address potentially sensitive data.” He added that Strava’s engineering and user experience teams were “simplifying” its privacy and safety features to inform users about how they can control their data.

“Many team members at Strava and in our community, including me, have family members in the armed forces,” Quarles said in an open letter Monday.

“Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us.”

Quarles also emphasized that users could find existing details on how to manage their privacy on Strava’s website.

A U.S. military spokesperson told the Washington Post on Monday that it was revising its guidelines on the use of wireless devices on military facilities.

Homeland Security: Data Breach in 2014, Over 240K Workers Affected

The Inspector General for Homeland Security found that the personal information of more than 247,000 employees and others connected with the agency was compromised in 2014.

Data Breach Affected More Than 240,000 Homeland Security Workers, IG Confirms
Nextgov | By Joseph Marks |

Personal information about more than 247,000 Homeland Security Department employees and other people connected with the agency was compromised in 2014, the department’s internal auditor said Wednesday.

In May, the Homeland Security inspector general’s office found a copy of its investigative case management system—and the reams of personal information it contained—in the possession of a former inspector general’s office employee, according to a department statement.

Inspectors found the case management system as part of a criminal investigation but did not say if the former employee is the target of that investigation.

The statement also did not provide details about how the system ended up in the former employee’s possession except to say that it was not the result of a third-party cyberattack and that other employees’ personal information was not the target of the “unauthorized exfiltration.”

USA Today described the breach in November based on leaked documents but Homeland Security did not confirm the breach at that time.

The case management system contained personal information on 247,167 Homeland Security employees who worked for the department when the information was removed in 2014, the department said.

It also contained information about non-employees who were subjects, witnesses or complainants in inspector general investigations between 2002 and 2014, the department said. The statement does not say how many non-employees were in that group.

The department is “implementing additional security precautions to limit which individuals have access to this information and will better identify unusual access patterns” in the future, according to the statement.

The statement did not describe what personal information was compromised. Personal information can range from less sensitive information, such as names and phone numbers, to highly sensitive information, such as Social Security numbers and financial data.

The department is offering free credit monitoring to employees and other people whose information was compromised. Employees were informed about the breach in a Wednesday letter, but the department won’t directly notify non-employees because of “technological limitations.”

The notice includes a contact number for non-employees who were associated with Homeland Security inspector general investigations to request credit monitoring.

Security experts have often said credit monitoring is less effective at preventing criminals from profiting off your leaked information than other steps such as freezing your credit.

“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information [with] which they are entrusted,” the notice states.

Border Agents are Searching Through More Travelers’ Devices Than Ever

Nextgov | By Jack Corrigan |

Customs and Border Protection released fresh guidelines on Friday detailing how and when border officials can examine information on electronic devices of travelers entering and leaving the country.

The new directive keeps intact most of the broad authorities given to federal officials at the border while putting some limits on how extensively they can search personal electronic devices. CBP dug through the electronic devices of 30,200 people entering and leaving the country in fiscal 2017, up from 19,051 the previous year.

The order comes as the Trump administration looks to tighten border security and travelers enter the U.S. with record numbers of phones, laptops and tablets in tote.

The policy replaces the previous directive issued in 2009, adapting and providing more thorough instructions on how officials should handle encryption and other advanced technologies.

“In this digital age, border searches of electronic devices are essential to enforcing the law at the U.S. border and to protecting the American people,” said CBP Deputy Executive Assistant Commissioner John Wagner in a statement. “CBP’s authority for the border search of electronic devices is and will continue to be exercised judiciously, responsibly, and consistent with the public trust.”

Electronic device searches help combat terrorism and other illegal activity like child pornography and visa fraud, according to CBP. Despite the nearly 60 percent increase in searches, only about one in every 13,600 international travelers has their devices searched.

Officials still can check local data, but under the new guidance they cannot conduct a more thorough search unless they have reasonable suspicion that the person broke the law or presents “a national security concern.” The order maintains that “many factors” can cause suspicion and justify an “advanced search,” which uses external equipment to review, copy and analyze the contents of a device.

Federal agents also have the power to access encrypted or password-protected information stored on personal electronics. If individuals don’t cooperate in unlocking an inaccessible device, CBP can seize and open it with technical assistance.

The guidance also details the conditions under which CBP can store and share information gathered from personal devices and how agents should deal with sensitive information like medical records and attorney-client communication. Officials also shouldn’t detain devices for more than five days without extenuating circumstances, according to the order.

While the policy change marks a shift away from the more ambiguous, wide-ranging authority given to border officials under the Obama administration, some civil liberty advocates don’t think it goes far enough.

“It is positive that CBP’s policy would at least require officers to have some level of suspicion before copying and using electronic methods to search a traveler’s electronic device,” said Neema Singh Guliani, legislative counsel at the American Civil Liberties Union, in a statement. “However, this policy still falls far short of what the Constitution requires: a search warrant based on probable cause.”

Guliani reiterated travelers should not be obligated to give officials access to their private information and called on Congress to push CBP to further change its policy.

#1 Password Found in Data Dumps for 2017: “123456”

Splash Data, a password management utilities provider, compiled a list of five million user credentials leaked this year and found the most commonly used password to be 123456. Attackers use these leaked records to build similar lists of leaked passwords, which are assembled as “dictionaries” for carrying out account brute-force attacks.

“123456” Remains Most Common Password Found in Data Dumps in 2017

Bleeping Computer | By Catalin Cimpanu |
For the second year in a row, “123456” remained the top password among the millions of cleartext passwords exposed online thanks to data breach incidents at various providers.

While having “123456” as your password is quite bad, the other terms found on a list of  Top 100 Worst Passwords of 2017 are just as distressing and regretful.

Some of these include an extensive collection of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees), car brands (Mercedes, Corvette, Ferrari, Harley), and various expressions (iloveyou, letmein, whatever, blahblah).

But, by far, the list was dominated by names, with the likes of Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35), Andrew (#36), Andrea (#38), Joshua (#40), George (#48), Nicole (#53), Hunter (#54), Chelsea (#62), Phoenix (#66), Amanda (#67), Ashley (#69), Jessica (#74), Jennifer (#76), Michelle (#81), William (#86), Maggie (#92), Charlie (#95), and Martin (#96), showing up on the list.

List compiled from five million leaked credentials

The list was put together by SplashData, a company that provides various password management utilities such as TeamsID and Gpass. The company said it compiled the list by analyzing over five million user records leaked online in 2017 and that also contained password information.

“Use of any of the passwords on this list would put users at grave risk for identity theft,” said a SplashData spokesperson in a press release that accompanied a two-page PDF document containing a list of the most encountered passwords.

This is because attackers use these same leaked records to build similar lists of leaked passwords, which they then assemble as “dictionaries” for carrying out account brute-force attacks.

Attackers will use the leaked terms, but they’ll also create common variations on these words using simple algorithms. This means that by adding “1” or any other character combinations at the start or end of basic terms, users aren’t improving the security of their password.

Advising users on best password policies is a doctoral paper in its own right, but for the time being, users should look into using unique passwords per account, possibly employing a password manager, using more complex passwords, and above all, staying away from the terms below.

1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (Up 2)
5 – 12345 (Down 2)
6 – 123456789 (New)
7 – letmein (New)
8 – 1234567 (Unchanged)
9 – football (Down 4)
10 – iloveyou (New)
11 – admin (Up 4)
12 – welcome (Unchanged)
13 – monkey (New)
14 – login (Down 3)
15 – abc123 (Down 1)
16 – starwars (New)
17 – 123123 (New)
18 – dragon (Up 1)
19 – passw0rd (Down 1)
20 – master (Up 1)
21 – hello (New)
22 – freedom (New)
23 – whatever (New)
24 – qazwsx (New)
25 – trustno1 (New)