Carbonite: Carbonite sent out an email to all customers to reset their passwords. They claim that they have not been hacked but that they are seeing a large number of attempts to log in by third parties.
They say that based on their security review, they have no evidence that they have been hacked.
If none of these attempts to get in was successful, then why force millions of people to change their password? Likely, at least some of these attempts were successful.
Source: Carbonite web site.
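The distinction the Carbonite story turns on, a wave of third-party login attempts versus evidence that some of them worked, is something a defender can check directly in authentication logs. Below is an added example (not Carbonite's code or the post's own) that flags sources trying many distinct accounts, the signature of a leaked-password list being replayed, and then lists the accounts that had a successful login from such a source, i.e. the ones that actually need a forced reset. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real Carbonite data); assumed format:
#   <timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2016-06-21T02:00:01Z 203.0.113.7 alice LOGIN_FAIL
2016-06-21T02:00:02Z 203.0.113.7 bob LOGIN_FAIL
2016-06-21T02:00:03Z 203.0.113.7 carol LOGIN_OK
2016-06-21T02:00:04Z 203.0.113.7 dave LOGIN_FAIL
2016-06-21T02:00:05Z 203.0.113.7 erin LOGIN_FAIL
2016-06-21T02:00:06Z 203.0.113.7 frank LOGIN_FAIL
2016-06-21T02:01:10Z 198.51.100.2 alice LOGIN_FAIL
2016-06-21T02:01:15Z 198.51.100.2 alice LOGIN_FAIL
2016-06-21T02:01:20Z 198.51.100.2 alice LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Yield (timestamp, src_ip, user, ok) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "LOGIN_OK"

def find_stuffing_sources(events, min_distinct_users=5):
    """Return {src_ip: set(users tried)} for sources that hit at least
    min_distinct_users accounts. A real user retrying a forgotten password
    hits one account; a replayed breach list walks through many."""
    tried = defaultdict(set)
    for _ts, ip, user, _ok in events:
        tried[ip].add(user)
    return {ip: users for ip, users in tried.items() if len(users) >= min_distinct_users}

def compromised_accounts(events, suspicious_ips):
    """Accounts with a successful login from a flagged source: their (reused)
    password evidently worked, so these are the ones to force-reset."""
    return sorted({user for _ts, ip, user, ok in events if ok and ip in suspicious_ips})

def triage(text, min_distinct_users=5):
    events = list(parse_log(text))
    suspicious = find_stuffing_sources(events, min_distinct_users)
    return suspicious, compromised_accounts(events, suspicious)

if __name__ == "__main__":
    suspicious, hits = triage(SAMPLE_LOG)
    print({ip: len(users) for ip, users in suspicious.items()})  # accounts tried per flagged source
    print("accounts with a successful login from a flagged source:", hits)
```

The threshold is deliberately a parameter: a lower value catches slower, distributed attempts but will also flag shared NAT addresses, so tune it against your own baseline before acting on the output.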
GoToMyPC: GoToMyPC, a division of Citrix that allows users to remotely access their PCs, is also forcing all of their users to change their passwords.
Apparently so many users decided to do this at the same time that Carbonite had effectively performed a denial of service attack on their own web site.
Citrix provided little additional information about the situation.
Source: BBC News.
Both of these events point to the fact that as hundreds of millions of passwords are compromised every year, users are being forced to up their game. Some recommendations are:
- Use a password manager so that you don’t have to remember all those passwords. Many of them, such as LastPass, will automatically log you in, making the password step easier. While this is a security risk in itself, it is likely less of a risk than using simple passwords.
- DO NOT reuse passwords across important sites like online backups, banking, email and remote access. Unique passwords combined with a password manager are not just a best practice, they are a survival tip.
- For any important web site, such as banking, Amazon and others, use two-factor authentication. I know it adds an extra step to the login process, but it makes stealing passwords much less useful.
DHS and CISA: DHS released the final rules of engagement for the data-sharing program created by the CISA bill that was sneaked into the Defense appropriations bill last year. The bill created a voluntary system intended to encourage businesses to share threat data with the government. The system uses two automated tools, STIX, or Structured Threat Information eXpression, and TAXII, or Trusted Automated eXchange of Indicator Information, to scrub and categorize the data. Out of the 30 million or so businesses in the United States, so far 30 are using it. That would be .0001 percent. I think it is going to need some more users to be effective. To be fair, it is, pretty much, a new thing, and around 70 more companies are planning to participate.
FBI: The FBI, by way of those super secret National Security Letters or NSLs, has been asking for the kitchen sink and leaving it up to companies to tell them no. Big companies with lots of expert attorneys such as Microsoft, Google, Apple and Yahoo have told them to have a nice day, but small tech companies don’t have an army of lawyers and likely have given the government whatever they asked for.
Michael German, of the Brennan Center said “there’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want. And it’s all happening in secret.”
The FBI also keeps any data that it is illegal for them to ask for if uninformed companies give it to them. The DoJ Inspector General said that at least one company turned over email messages including images, which is expressly prohibited in the statute.
Now they (the FBI) are going to have to pick a fight in Congress to get the law changed if they want to get more data from companies and Congress-critters are unlikely to approve that in an election year.