What NIST’s latest password standards mean, and why the old ones weren’t working
Say goodbye to the days of using the “@” symbol to mean “a” in your password or replacing an “S” with a “$.”
The U.S. National Institute of Standards and Technology (NIST) recently announced new guidelines for the ways websites and organizations should handle password creation and management, which will do away with many of the “common sense” ideas we’ve held about passwords for years now.
Here is a tl;dr version of what these proposed guidelines say:
- Passwords need to be at least eight characters long, and sites should have an additional recommendation to make them at least 15 characters long.
- Credential service providers (CSPs) should allow users to make their passwords as long as 64 characters.
- CSPs should allow ASCII and Unicode characters to be included in passwords.
- Rather than setting a regular cadence for changing passwords, users only need to change their passwords if there is evidence of a breach.
- There should not be requirements to include a certain number of digits or special characters in passwords. (e.g., “Password12345!”)
- Do away with knowledge-based authentication or security questions when selecting passwords. (Think: “What was the name of your college roommate?”)
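As an added illustration (not code from the newsletter or from NIST), the following Python contrasts a legacy composition-rule check with a length-only check that follows the proposals above; the legacy special-character set, the NFKC normalization step, and the sample passwords are assumptions constructed for this example.

```python
import unicodedata

# Characters the legacy composition rule counts as "special" (constructed list for this example).
LEGACY_SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?")


def legacy_policy(password: str) -> list[str]:
    """Composition-rule policy of the kind the newsletter says leads to '$ummer2024!'."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in LEGACY_SPECIALS for c in password):
        problems.append("no special character")
    if not password.isascii():
        problems.append("non-ASCII characters not allowed")
    return problems


def nist_policy(password: str) -> list[str]:
    """Length-only policy following the NIST proposals: 8 to 64 characters, ASCII or Unicode."""
    # Assumption: NFKC-normalize first so the same visible string is measured the same way
    # whether the user typed precomposed or decomposed characters.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    n = len(pw)  # counts code points, so an accented letter counts once, like an ASCII letter
    if n < 8:
        problems.append("shorter than 8 characters")
    if n > 64:
        problems.append("longer than 64 characters")
    return problems


def check(password: str) -> dict:
    """Run both policies and attach the 15-character recommendation (a hint, not a rejection)."""
    pw = unicodedata.normalize("NFKC", password)
    return {
        "legacy_problems": legacy_policy(password),
        "nist_problems": nist_policy(password),
        "recommend_longer": len(pw) < 15,
    }


if __name__ == "__main__":
    # Constructed samples: the newsletter's weak example, a long passphrase, a Unicode password
    # typed with a decomposed umlaut, and an over-long string.
    for sample in ["$ummer2024!", "correct horse battery staple", "pa\u0308ssw\u00f6rd", "a" * 65]:
        print(repr(sample), check(sample))
```

The passphrase fails the legacy rules despite being far stronger than “$ummer2024!”, which passes both, and the decomposed Unicode password counts as 8 characters only after normalization.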
Now, we should make a few things clear here. Just because NIST is proposing these doesn’t mean anyone *has* to abide by them; they are merely guidelines that some of the larger tech companies in the U.S. can choose to adopt. And for the time being these are proposed rules, meaning the public and tech companies have time to weigh in on the matter before they are codified in any way.
While these proposals may seem counterintuitive, they should make traditional text-based login credentials more manageable for users and admins. Studies have shown that requiring a mixture of special characters and numbers has led users to create easier-to-guess passwords like “$ummer2024!” or “P@ssword”.
And policies that require users to change their passwords often have led them to create passwords that are nigh-impossible to remember, so users end up storing these passwords in easy-to-locate places near their computers, like on a physical piece of paper or in a .txt file saved to their desktop.
The hope from NIST is that enforcing longer passwords will make it harder for adversaries to guess and less intimidating for users to manage their passwords.
Of course, using a third-party password manager is usually the most secure option for anyone. But what NIST is proposing is still a step in the right direction, and if nothing else will make those of us who are more security-minded have a better time when creating a new account.
The one big thing
The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings. October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities. The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.
Why do I care?
CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability. The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.
So now what?
Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041.
Top security headlines of the week
Chinese state-sponsored actors are suspected to have breached several U.S. telecommunications providers to spy on U.S. government phone calls. AT&T, Verizon and Lumen may have all been victims of the alleged counter-spying operation from the newly named APT Salt Typhoon. The actor potentially accessed information from systems that the U.S. government uses for court-authorized network wiretapping requests, all in the name of trying to steal government secrets. Though it’s still unclear how long Salt Typhoon had access to these networks, it’s clear they at least spent a few months on these networks, commonly used to cooperate with lawful U.S. requests for communication data. The attackers may have also accessed large amounts of other generic internet traffic through this operation. A separate Chinese APT known as Volt Typhoon became a major topic of conversation earlier this year for allegedly trying to infiltrate networks at U.S. military bases and other critical infrastructure sites. (Wall Street Journal, Washington Post)
Microsoft and the U.S. Department of Justice announced they had deactivated more than 60 domains and other attacker infrastructure associated with the Russian state-sponsored ColdRiver group. ColdRiver is believed to be connected to Russia’s Federal Security Bureau (FSB) and recently has targeted non-governmental organizations, think tanks, military officials and intelligence officials in Ukraine and NATO countries. "The Russian government ran this scheme to steal Americans' sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials," U.S. Deputy Attorney General Lisa Monaco stated during the announcement of the disruption. ColdRiver (aka Callisto Group, Seaborgium and Star Blizzard) has been active since at least 2017. The U.S. State Department is now also offering up to a $10 million reward for any information that could help locate or identify any individual members of ColdRiver. (Security Magazine, Bleeping Computer)
With genetic testing company 23AndMe floundering, customers are left wondering what could happen to their personal information if the company goes bankrupt or goes out of business altogether. 23AndMe, known for collecting DNA samples from customers and then providing them with a report about their ancestry, has lost millions of dollars in its valuation and stock price over the past few years. However more than 15 million individuals have submitted their DNA to the company since it was founded in 2006, and privacy advocates are warning them to manually delete their data now before anything happens to the company. The company also has several data-sharing agreements with other private companies, which use 23AndMe data to conduct other studies and research. And because 23AndMe’s services do not fall under health care in the U.S., the company does not have to adhere to traditional HIPAA rules. Last year, the company was hit with a massive data breach that it said affected 6.9 million customer accounts, including 14,000 people who had their passwords stolen. U.S. law enforcement has also tried to access the company’s data in the past (requests that have been declined), and it is unclear if those requests would be allowed should the company no longer exist. (NPR, Business Insider)
Can’t get enough Talos?
- Cisco Talos: Advanced intelligence for global cyberthreats
- New MedusaLocker Ransomware Variant Deployed by Threat Actor
- MedusaLocker ransomware variant paired with ‘paid_memes’ toolkit
- Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project
Upcoming events where you can find Talos
MITRE ATT&CKcon 5.0 (Oct. 22 - 23)
McLean, Virginia and Virtual
Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. They will then take a technical deep dive into the latest Linux variant, using the ATT&CK framework to uncover its tactics, techniques and procedures.
it-sa Expo & Congress (Oct. 22 - 24)
Nuremberg, Germany
White Hat Desert Con (Nov. 14)
Doha, Qatar
misecCON (Nov. 22)
Lansing, Michigan
Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.
Most prevalent malware files from Talos telemetry over the past week