NIST issues new password guidance: Cyber Security Today for September 30, 2024

Hi, it’s Jim. Before we get into today’s episode, I want to tell you about another fantastic podcast: CDW Canada Tech Talks. If you’re passionate about technology and innovation, this is the podcast for you.

Join host KJ Burke, as he and industry experts dive into the latest trends, insights, and strategies shaping the tech landscape in Canada. From hybrid cloud to AI adoption, CDW Canada Tech Talks covers it all. Don’t miss out—visit cdw.ca/techtalks to tune in today. The link is in the show notes.

I was recently a guest on KJ’s podcast and I’m impressed to find another Canadian with real tech experience with a podcast.

NIST Issues New Password Security Guidelines, Shifts Focus to Length and Usability, “Octo2” Trojan Targets Bank Accounts by Posing as VPN and Chrome Apps on Android, Researchers Uncover Vulnerability That Plants False Memories in ChatGPT, OpenAI Fixes ChatGPT’s “Unprompted Messaging” Bug

This is Cyber Security Today. I’m your host, Jim Love.


NIST Issues New Password Security Guidelines, Shifts Focus to Length and Usability

NIST has released updated password security guidelines that move away from traditional complexity rules and focus on usability and length. Instead of requiring uppercase, lowercase, numbers, and special characters, NIST recommends longer passwords as the main defense. “Longer passwords are generally more secure and easier for users to remember,” says Dr. Paul Turner of NIST. The new guidelines suggest a minimum password length of 8 characters, with a strong preference for passphrases up to 15 or more.

A major change: NIST no longer recommends mandatory password changes unless there’s evidence of compromise, arguing frequent resets can weaken security. Plus, password hints and knowledge-based questions are discouraged due to their susceptibility to guessing and social engineering. NIST also emphasizes the importance of multi-factor authentication as an added layer of security. Sarah Chen, CTO of SecurePass, notes that the changes “strike a good balance between security and usability.”
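To make the shift concrete, here is an added example (not code from NIST or from the podcast) that puts an old composition-rule policy beside a length-based policy in the spirit of the guidance above, and contrasts calendar-driven resets with resets triggered only by evidence of compromise. The 8-character minimum and the 15-character passphrase preference are taken from the summary; the 64-character cap, the 90-day legacy rotation interval and the sample passwords are assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 8          # minimum length named in the NIST summary
PASSPHRASE_LENGTH = 15  # length at which the summary prefers passphrases
MAX_LENGTH = 64         # assumed upper bound so hashing input stays bounded


def legacy_policy(pw: str) -> list[str]:
    """Old composition-rule policy: return every rule the password fails."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if not any(c.isupper() for c in pw):
        failures.append("needs uppercase")
    if not any(c.islower() for c in pw):
        failures.append("needs lowercase")
    if not any(c.isdigit() for c in pw):
        failures.append("needs digit")
    if not any(not c.isalnum() for c in pw):  # spaces count as symbols here
        failures.append("needs symbol")
    return failures


def length_policy(pw: str) -> list[str]:
    """NIST-style policy: length is the only rule, no character classes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if len(pw) > MAX_LENGTH:
        failures.append("too long")
    return failures


def is_passphrase(pw: str) -> bool:
    """True when the secret reaches the length the guidance prefers."""
    return len(pw) >= PASSPHRASE_LENGTH


@dataclass
class Credential:
    last_changed: date
    compromised: bool = False  # evidence of compromise, e.g. seen in a breach


def needs_reset(cred: Credential, today: date, legacy_max_age_days: int = 90) -> dict:
    """Forced rotation (legacy) versus reset only on compromise (NIST)."""
    age_days = (today - cred.last_changed).days
    return {
        "legacy": age_days >= legacy_max_age_days or cred.compromised,
        "nist": cred.compromised,
    }
```

A constructed lowercase passphrase such as "correct horse battery staple" fails the legacy policy on two counts yet passes the length policy, while a 121-day-old but uncompromised credential is forced to rotate only under the legacy rule.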
The full report is at: https://pages.nist.gov/800-63-4/sp800-63b.html

“Octo2” Trojan Targets Bank Accounts by Posing as VPN and Chrome Apps on Android

A new Android malware, “Octo2,” is making its rounds by posing as apps like NordVPN and Google Chrome. Cybersecurity firm ThreatFabric reports that once users download these malicious versions, they’re prompted to install a so-called “plugin,” which actually bypasses Android’s security settings and installs Octo2.
The malware uses “Zombinder,” a dropper tool from the dark web, to hide within legitimate apps. It can evade Android 13’s security, intercept sensitive data, and remotely access bank accounts. The trojan even captures screenshots and enhances them for clear visibility. Octo2 is part of the Exobot malware family, known for its “malware-as-a-service” nature, easily allowing cybercriminals to launch attacks. Users should enable Google Play Protect, download apps only from trusted sources, and be cautious with VPNs and browser downloads to avoid infection.

Researchers Uncover Vulnerability That Plants False Memories in ChatGPT

Security researcher Johann Rehberger has discovered a flaw in ChatGPT that could alter its long-term memory and steal user data. The vulnerability allows attackers to plant false memories in ChatGPT through what is called “indirect prompt injection.” Essentially, by tricking the AI with specially designed content, such as an image, hackers can change how ChatGPT remembers and interacts with a user. For example, they could make it believe a user is 102 years old, living in the Matrix, or even convince it that Earth is flat.

The worst part? This is persistent memory. Even after a new session starts, all input and output could be sent to an attacker’s server. Rehberger points out, “What is really interesting is this is memory-persistent now. When you start a new conversation, it actually is still exfiltrating the data.” OpenAI has issued a partial fix, but the potential for prompt injections still exists. For security-conscious users, it’s recommended to regularly review and clear stored memories in ChatGPT.

Gmail Tightens Security: New App Password Rules Go Into Effect for Google Workspace Users

Google is rolling out new password rules for Gmail access. Starting September 30, all Google Workspace users must use a more secure type of login to access Gmail data. Gone are the days when less secure third-party apps could access your account with just a username and password. Instead, Google is moving to OAuth, a more secure protocol that doesn’t require direct password sharing.
What does this mean? If you use Outlook 2016 or older, you need to switch to Microsoft 365 or the latest Outlook. Thunderbird users must add their Gmail accounts back and use IMAP with OAuth. And for those on iOS or macOS Mail, you’ll have to re-add your account using the “sign in with Google” option. These changes aim to bolster security for all Workspace accounts—leaving personal Gmail accounts mostly unaffected.

OpenAI Fixes ChatGPT’s “Unprompted Messaging” Bug

We weren’t going to cover this story until we got some proof that it wasn’t just a hoax. But we also had a similar experience that made this more believable.

Users of OpenAI’s ChatGPT saw a bizarre glitch over the weekend — the AI chatbot appeared to initiate conversations on its own. A Reddit user shared a screenshot showing ChatGPT asking, “How was your first week at high school?” without any prior input. The exchange quickly went viral, raising questions about whether OpenAI was testing a new feature allowing ChatGPT to reach out proactively.

Some suggested the behavior might be related to OpenAI’s new AI models, “o1-preview” and “o1-mini,” which are designed to “reason” more like humans. But OpenAI clarified that it was just a bug, not a new feature. “We addressed an issue where it appeared as though ChatGPT was starting new conversations,” the company said. “The issue occurred when the model tried to respond to a message that didn’t send properly.”

While AI developers showed how similar behavior could be reproduced with certain custom instructions, some users reported genuine experiences of ChatGPT following up on past queries. The internet had a laugh over the situation, with one user joking, “We were promised AGI; instead, we got a stalker.”

That’s our show for today. Thanks to our sponsor, CDW, and KJ Burke’s CDW Canada Tech Talks. Check it out if you get the chance. You can find it, like us, on Spotify, Apple or wherever you get your podcasts.

You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca.

I’m your host, Jim Love. Thanks for listening.
