Five-character passwords allegedly good enough for some firms, PayPal used by scammers and more.
Welcome to Cyber Security Today. It’s Friday July 22nd, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
A number of companies and online services still have password policies with minimum standards that can be easily cracked. That’s the claim by a Stockholm-based company called Specops Software, which makes password management solutions. I haven’t been able to confirm the claim, but it alleges an e-commerce company and a provider of corporate customer support software allow users to create passwords as short as five characters. By contrast, the U.S. National Institute of Standards and Technology recommends passwords should be no shorter than eight characters, and it also encourages the creation of longer passwords. Specops also says it found several big companies that allow customers to voluntarily use multifactor authentication as extra protection against password theft, but they don’t make it mandatory. Most experts agree token-based multi-factor authentication is vital for corporate protection these days.
Crooks are using PayPal to trick employees into paying for phony invoices as well as stealing their passwords. According to researchers at Avanan, the scammers create an account in PayPal, then use its features to create fake but realistic-looking invoices from well-known companies. One looks like it comes from security company Norton. The victim could be hit by paying the invoice or by calling the phone number in the fake invoice. The scam works because many email gateways allow attachments from PayPal. Earlier this year Avanan reported a similar scheme involving the abuse of free QuickBooks accounts set up by crooks. Employees need to be trained to scrutinize every email they read for suspicious signs. Those who aren’t expecting invoices should report them to managers.
Finally, there’s a new version of the QakBot malware going around. Researchers at Fortinet say one way it gets spread is by victims clicking on an infected email attachment. The attachment looks like an HTML file because it has a browser icon beside it. It downloads a compressed ZIP folder containing a file that has a Microsoft Write icon. The attacker hopes that tricks the victim into thinking the file is safe. Instead it runs the QakBot malware, which copies sensitive data. Employees need to be warned that unexpected HTML attachments should be treated the same way other attachments are: with great suspicion.
That’s it for this morning’s podcast. But later today the Week in Review edition will be available. It will feature a discussion with Terry Cutler of Montreal’s Cyology Labs about this month’s internet and cellular network failure at Rogers Communications and about a report on how extensive the Log4j vulnerability is.
Links to details about podcast stories are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.