Global Cyber Pulse 30 September, 2024

September 30, 2024 | Cybersecurity
By Ashwani Mishra, Editor-Technology, 63SATS

In this edition: NIST releases new password security guidelines emphasizing simplicity and strength, Meta is fined $102 million by the EU over a Facebook password security lapse, Dutch police officers’ contact information is stolen in a major cyberattack, CERT-In issues an advisory on the emerging ‘quishing’ threat involving QR code phishing, and Vardhman Group Chairman S P Oswal is defrauded of Rs 7 crore in an elaborate cybercrime.

Stay tuned for more updates and trends in the world of cybersecurity.

NIST Releases New Password Security Guidelines

The National Institute of Standards and Technology (NIST) has issued updated guidelines for password security, highlighting a significant shift from traditional practices aimed at strengthening cybersecurity and enhancing user convenience.

Outlined in NIST Special Publication 800-63B, the new recommendations emphasize that password length is more crucial than complexity for maintaining security. Notably, NIST no longer suggests enforcing arbitrary complexity requirements, such as mixing upper and lower case letters, numbers, and symbols. Instead, the updated guidelines promote longer passwords as a more effective security measure.

“Longer passwords are generally more secure and easier for users to remember,” stated Dr. Paul Turner, a cybersecurity expert at NIST. “We’re moving away from complex rules that often lead to predictable patterns and towards encouraging unique, lengthy passphrases.”

The guidelines recommend a minimum password length of eight characters, while encouraging the use of passwords up to 64 characters to allow for secure passphrases. This change aims to simplify password management for users while ensuring enhanced protection against modern cybersecurity threats.
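To make the shift concrete, the following added example (not taken from NIST or from the original article) runs a legacy composition policy and a length-only policy over the same constructed sample passwords. The function names, the sample list and the choice to cap input at 64 characters are assumptions made for illustration.

```python
# Added example: legacy composition rules vs. the length-based rule described above.
MIN_LEN = 8    # minimum length quoted in the article
MAX_LEN = 64   # assumption: this verifier caps input at the article's 64-character figure

def legacy_policy(pw: str) -> list[str]:
    """Old-style composition check. Returns the list of rules the password breaks."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8")
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        failures.append("no symbol")
    return failures

def length_policy(pw: str) -> list[str]:
    """Length-only check: any characters (spaces, Unicode) are allowed."""
    n = len(pw)  # Python counts Unicode code points, not bytes
    if n < MIN_LEN:
        return [f"too short: {n} < {MIN_LEN}"]
    if n > MAX_LEN:
        return [f"too long: {n} > {MAX_LEN}"]
    return []

# Constructed sample passwords, for illustration only.
SAMPLES = [
    "Summer2024!",                   # predictable pattern that satisfies every composition rule
    "correct horse battery staple",  # long passphrase: lower-case words and spaces
    "P@ss1",                         # mixed character classes, but short
    "долгая парольная фраза",        # non-ASCII passphrase
]

def compare(samples=SAMPLES):
    """Return (password, accepted_by_legacy, accepted_by_length) for each sample."""
    return [(pw, not legacy_policy(pw), not length_policy(pw)) for pw in samples]

if __name__ == "__main__":
    for pw, legacy_ok, length_ok in compare():
        print(f"{pw!r:32} legacy={'accept' if legacy_ok else 'reject'} "
              f"length={'accept' if length_ok else 'reject'}")
```

The composition policy accepts the predictable "Summer2024!" and rejects both passphrases, while the length rule accepts every sample of eight characters or more.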

Meta Fined $102 Million by EU Over Facebook Password Security Lapse

Meta is facing a significant fine of over $100 million (91 million euros) from the Irish Data Protection Commission, the EU’s privacy regulator, for failing to properly secure Facebook users’ passwords. The penalty comes in the wake of an investigation initiated in 2019, after Meta disclosed that some passwords were stored in plaintext without adequate encryption measures.

This security oversight left sensitive information exposed to internal employees, constituting a violation of the General Data Protection Regulation (GDPR).

Although Meta voluntarily disclosed the vulnerability and assured authorities that no data had been leaked externally, the EU privacy watchdog deemed the lapse severe enough to impose a substantial fine, citing the potential risks posed by such exposure. The hefty penalty underscores the EU’s commitment to enforcing stringent privacy standards and holding companies accountable for safeguarding user data.

Dutch Police Officers’ Contact Information Stolen in Major Cyberattack

All contact details of Dutch police officers were stolen in a recent cyberattack, the Dutch Minister of Justice and Security, David van Weel, confirmed today. In a letter to the Dutch House of Representatives, van Weel stated that “work-related contact details” of all police officers had been compromised, although personal and research data were not affected.

The incident is under investigation, and the Dutch data protection authority has been informed. Authorities are evaluating whether the breach poses any risks to undercover officers. As investigations continue, more details will be provided to the parliament regarding the scope and nature of the stolen data.

The breach has highlighted vulnerabilities within law enforcement digital systems, raising concerns about data security and privacy protection for police personnel in the Netherlands.

Richmond Community Schools Reports Data Breach After Ransomware Attack

Richmond Community Schools has confirmed a data breach following a ransomware attack on Friday, September 27. The attack targeted the district’s data services network, compromising student and staff information stored in PowerSchool.

While there is no current evidence of misuse of the breached data, Richmond Community Schools has shut down the network as a precaution and initiated an investigation with the help of local, state, and federal authorities. The school district has warned that it could take several days for systems to return to full functionality.

“Although we are working to restore all systems as soon as possible, please be aware that it may take several days to regain full functionality in all systems,” the district shared via social media. This incident underscores the growing threat of ransomware attacks on educational institutions, which increasingly need to bolster cybersecurity defenses.

Vardhman Group Chairman S P Oswal Defrauded of Rs 7 Crore in Elaborate Cybercrime

S P Oswal, chairman of the Vardhman Group and a Padma Bhushan awardee, was defrauded of Rs 7 crore by an inter-state gang of cybercriminals posing as CBI officers, as per a report from The Indian Express.

Ludhiana Police reported that the fraudsters carried out an elaborate scheme, which included a staged online Supreme Court hearing, fake arrest warrants, and a two-day “digital surveillance over Skype” to intimidate Oswal.

The criminals, spread across Assam, West Bengal, and Delhi, used threats of fabricated arrest warrants supposedly issued by the Enforcement Directorate in Mumbai to extort money. They further manipulated Oswal by showing him a fake Supreme Court order that directed him to “release Rs 7 crore into a Secret Supervision Account (SSA),” after which the money was transferred to the fraudsters’ bank accounts.

Following an FIR filed on August 31, authorities have arrested two individuals from Guwahati, while efforts to capture seven more suspects are ongoing. This incident highlights the sophisticated tactics employed by cybercriminals to exploit even highly esteemed individuals.

CERT-In Issues Advisory on Emerging ‘Quishing’ Threat: QR Code Phishing

The Indian Computer Emergency Response Team (CERT-In) has issued a major advisory regarding a rising cybersecurity threat known as “quishing” — phishing attacks conducted through QR codes.

Cybercriminals are increasingly leveraging QR codes to direct unsuspecting users to malicious websites or download harmful content, with the aim of stealing sensitive information such as passwords, financial details, or other personal data.

Quick Response (QR) codes are commonly used in payments, marketing, and authentication processes, which makes them a prime target for attackers. CERT-In has recommended that users always check the URL associated with any QR code before interacting with it to avoid falling victim to such scams.

The advisory serves as a timely reminder of the importance of verifying digital information, particularly as QR codes become more prevalent in daily transactions.