CYBERSECURITY
WEEKLY NEWSLETTER
Keeping an eye on cyber news and threats
Happy Hack Wednesday everyone! To celebrate I’ve highlighted two patch releases that fix some critical vulnerabilities, and this week’s tip focuses on creating strong passwords and how to avoid password patterns based on human behaviour.
More vulnerabilities found on Microsoft Exchange servers
Microsoft issued patches for Exchange Server earlier this year for some critical vulnerabilities, but it has since found more and fixed them in April's security updates.
The April update fixes 114 vulnerabilities across Microsoft products, 19 of them rated critical and 88 important. One of the headline flaws is a privilege escalation vulnerability, which means an attacker who already has a foothold on a system can exploit it to give themselves higher permissions, such as those of an administrator, and this one is already being actively exploited.
Four of the critical Exchange vulnerabilities are remote code execution (RCE) flaws, which let an attacker run code of their choosing on the server over the network and from there read and modify whatever it holds. Two of them are unauthenticated (no credentials required) and need no user interaction, which is why they carry a CVSS score of 9.8 out of 10.
No evidence has been found of these RCE vulnerabilities being exploited in the wild, but with scores that high it is recommended to apply the updates as soon as possible, especially now that the patches are public and can be reverse-engineered by anyone looking for the bug.
If you would like to read more about this with a more technical viewpoint you can read the source article here.
Two new 0-day exploits patched on Google Chrome
An update to Chrome has been released fixing a vulnerability that allows remote code execution (RCE) by exploiting a flaw in the browser's JavaScript engine (the component that runs the scripts on every web page you visit).
A second flaw of a similar nature was also discovered. Google has fixed it in the JavaScript engine's source code, but that fix has not yet shipped in a Chrome release, so the bug is still exploitable in the current version of the browser.
A further update will be released shortly, but I would recommend updating Chrome now as well to protect against at least one of the two. Chrome usually updates automatically, but you can check you are up to date by going to Settings > About Chrome in your Chrome browser; if an update has been downloaded, the new version is not active until you relaunch the browser, so click Relaunch when prompted.
This week’s top tip – How to create a strong password
We are constantly being told we need to create a strong password for our accounts that include numbers, uppercase and lowercase letters and a special character, but what makes a strong password that we can actually remember?
In my last issue, I wrote about password managers, and how they can generate a random string of characters that the app will remember for us, but what if you don’t want to use a password manager or you want to create a strong memorable password for your password manager?
It's good to keep some basic behavioural psychology in mind here, because we tend to follow certain patterns, and it's the same when it comes to passwords. The introduction of password complexity requirements did increase security somewhat, but it introduced behavioural patterns in where we place the special characters and numbers, and in how we change them when a password expires.
For example, the majority of people follow the pattern of Password1!, where the first letter is capitalised and the number and special character are placed at the end. Then, when it's time to renew the password, this simply becomes Password2! and so on.
Hackers know this, and current guidance (NIST's SP 800-63B, for example) now advises against forced regular password changes precisely because they encourage this behaviour rather than improving security. The better approach is to create one strong password that doesn't follow the usual pattern, keep it, and change it only if you have reason to believe it has been compromised.
So now the bit you’ve been waiting for – what makes a strong password?
8 characters is the commonly suggested minimum, but I would recommend at least 12, and the single most important factor is length: every extra character multiplies the work an attacker has to do. Include numbers, uppercase and lowercase letters and special characters, but put them in random places rather than at the start and end, to avoid a pattern. Using three random words or a short humorous sentence is a good way to make a password both strong and memorable. You can substitute letters for numbers or symbols to make it easier to remember too, just be aware that hackers' cracking tools try the common substitutes (0 for o, 3 for e, ! for l and so on) automatically, so be creative.
Don’t use anything that relates to you personally such as names, hobbies, sports, home and work addresses, phone numbers and so on; chances are that this information can be gathered from social media or guessed.
Think about what may be used as common passwords or letter strings and avoid them, such as qwerty123 or the word ‘password’ itself.
Here’s an example using my suggested format:
6r0wnF!ow3rpot
This password meets all the usual complexity requirements but is also 14 characters long, is built from a memorable phrase (brown flowerpot), and the uppercase letter and symbol don't sit where the usual behavioural pattern puts them. Be aware, though, that the two words are still dictionary words and the substitutions are the kind a cracking tool tries automatically, so its strength comes from its length and from combining two unrelated words, not from the symbol swaps; adding a third unrelated word would help more than another substitution.
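To make the pattern and substitution points concrete, here is an added example in Python. It is not from the newsletter and not a tool the author uses: a small checker that flags the Capital-word-digits-symbol shape, predicts the next "rotated" versions of a password (Password1! to Password2!), and looks for dictionary words under the common symbol substitutions. The word list and substitution table are constructed stand-ins (the list deliberately contains "brown" and "flowerpot" so the newsletter's own example gets exercised); a real checker would load a large breached-password list instead. Run against 6r0wnF!ow3rpot it confirms the caveat above: no Password1! pattern and 14 characters, but two dictionary words with stock substitutions, so a naive "94 characters to the power of 14" entropy figure overstates it.

```python
"""Heuristic checks for the password patterns discussed above.

Added example for this newsletter issue, not a tool the author uses.
The word list and substitution table below are small constructed
stand-ins; a real checker would load a large breached-password list.
"""
import math
import re
import string

# Constructed mini word list standing in for a real breached-password list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin",
                "summer", "brown", "flowerpot"}

# Letter -> characters people commonly swap in for it. Cracking tools apply
# these as mangling rules, so a checker has to accept them too.
LEET_FOR = {"a": "4@", "b": "68", "e": "3", "g": "9", "i": "1!|",
            "l": "1!|", "o": "0", "s": "5$", "t": "7+"}

# The classic "Password1!" shape: one capital, lowercase letters, then a short
# run of digits and/or symbols tacked on the end.
PATTERN_RE = re.compile(r"^[A-Z][a-z]+[0-9!@#$%^&*]{1,5}$")


def follows_common_pattern(pw: str) -> bool:
    """True for Password1!-style passwords (capital first, digits/symbols last)."""
    return bool(PATTERN_RE.match(pw))


def word_regex(word: str) -> str:
    """Build a regex that matches `word` with any mix of leet substitutions."""
    return "".join(f"[{re.escape(c + LEET_FOR.get(c, ''))}]" for c in word)


def matched_common_words(pw: str) -> list:
    """Dictionary words found inside pw, even when leet-substituted."""
    return sorted(w for w in COMMON_WORDS
                  if re.search(word_regex(w), pw, re.IGNORECASE))


def rotation_guesses(pw: str, n: int = 3) -> list:
    """Guess the next `n` rotations of pw by incrementing its last digit run.

    This is the Password1! -> Password2! behaviour the text describes; an
    attacker holding last quarter's password can enumerate these instantly.
    """
    m = re.search(r"(\d+)(?=\D*$)", pw)
    if not m:
        return []
    start, end = m.span()
    digits = m.group(1)
    return [pw[:start] + str(int(digits) + k).zfill(len(digits)) + pw[end:]
            for k in range(1, n + 1)]


def charset_size(pw: str) -> int:
    """Size of the alphabet a naive strength meter assumes from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def naive_entropy_bits(pw: str) -> float:
    """Brute-force entropy (bits) if every character were chosen at random.

    This is what most strength meters report; the dictionary check shows why
    it overstates passwords built from words plus substitutions.
    """
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str) -> dict:
    """Summarise the checks above for one password."""
    issues = []
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if follows_common_pattern(pw):
        issues.append("follows the Capital-word-digits-symbol pattern")
    words = matched_common_words(pw)
    if words:
        issues.append("built from common words: " + ", ".join(words))
    return {"length": len(pw),
            "naive_entropy_bits": round(naive_entropy_bits(pw), 1),
            "next_rotations": rotation_guesses(pw),
            "issues": issues}


if __name__ == "__main__":
    for candidate in ("Password1!", "qwerty123", "6r0wnF!ow3rpot",
                      "stapler-compass-velvet-ninety"):
        print(candidate, assess(candidate))
```

The regex built by word_regex is the checker's counterpart to a cracker's mangling rules: because the attacker tries every substitution combination anyway, the checker has to treat them as equivalent to the plain word. Password1! trips all three checks; 6r0wnF!ow3rpot trips only the dictionary one, which is the point of the caveat above.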
That’s all for now, stay safe and see you next week.
Mike