The FBI and other US agencies have issued a travel advisory for a cyber threat at international hotels. You can read the full advisory here. While we often think about the physical dangers US citizens face when traveling abroad, we often overlook the danger to information security. Your data is a very large target. It's important to remember that your personal property can be seized by any government for just about any reason. We have some protections as US citizens while in the US, but very few protections in other countries. I almost wound up in a Mexican jail and had my truck seized in Mexico while on a mission trip years ago for "speeding". Paying my "fine" on the spot kept us out of jail. Don't let your laptop, thumb drives or other valuable data storage devices end up as "contraband". Take only what you need and try to leave all your critical data at home and connect to it remotely. You can't lose what you don't have.
The FBI has pushed back the date for shutting down the DNS server which served the DNSChanger malware sites. The FBI reports there are nearly 500,000 systems still infected and using the rogue DNS server.
Network administrators should check their systems at https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS to ensure they are not impacted. Once the deadline of July 9th comes, any system using the rogue servers will be unable to access the internet until the malware has been removed and correct DNS settings are restored.
By the way... all you Mac users out there? This affects you too! Anti-malware software really is a necessity on all platforms.
Over the past few years there has been a lot of discussion and research on the weakness of password use. Should passwords be changed on a periodic basis? What's the best compromise between complexity requirements and one's ability to memorize the password? Is single sign-on too risky? Are passwords even effective at all? The arguments, and proponents or opponents for each, can be found everywhere.
Being the rational, level-headed guy I am, I like to look at each scenario from a risk-based perspective. You really have to consider the vulnerability and threat and pick a proper control to address the specific risk identified. In some cases you'll pick multiple controls to address multiple risks.
Will changing passwords every 90 days stop a phishing attack? No. End user training should address this risk. Will it stop a brute-force attack? No. Complex passwords should address this risk. What it does address is the length of exposure from a compromised account. Will a savvy attacker create a new account to use so that when the compromised password is changed they still have access? Yes. Hopefully, though, someone is reviewing the creation of new accounts via event monitoring and will identify the attacker's newly created account.
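The account-creation review described above, sketched as an added example that is not from the original post: it flags accounts created by anyone outside an approved provisioning list and, for a given compromised account, lists the accounts it created (directly or through accounts it spawned) that are still there after its password reset. The event records, field names, account names and allow-list are constructed assumptions; 4720 and 4724 are the Windows Security event IDs for account creation and password reset.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real logs; field names are assumptions.
# Windows Security event 4720 = "A user account was created",
# 4724 = "An attempt was made to reset an account's password".
EVENTS = [
    {"time": "2012-03-01T09:14:00", "id": 4720, "actor": "hr-provision", "target": "jdoe"},
    {"time": "2012-04-02T02:31:00", "id": 4720, "actor": "asmith", "target": "svc_backup2"},
    {"time": "2012-04-20T10:05:00", "id": 4724, "actor": "helpdesk", "target": "asmith"},
    {"time": "2012-05-03T11:00:00", "id": 4720, "actor": "hr-provision", "target": "mlee"},
    {"time": "2012-05-10T23:47:00", "id": 4720, "actor": "svc_backup2", "target": "tmp_admin"},
]
PROVISIONERS = {"hr-provision"}        # assumed allow-list of expected account creators
MAX_PASSWORD_AGE = timedelta(days=90)  # the rotation interval discussed above


def unexpected_creations(events, provisioners=PROVISIONERS):
    """Targets of account-creation events whose actor is not an approved provisioner."""
    return [e["target"] for e in events
            if e["id"] == 4720 and e["actor"] not in provisioners]


def last_reset(events, account):
    """Time of the most recent password reset (4724) for `account`, or None."""
    times = [datetime.fromisoformat(e["time"]) for e in events
             if e["id"] == 4724 and e["target"] == account]
    return max(times) if times else None


def accounts_surviving_reset(events, compromised, max_age=MAX_PASSWORD_AGE):
    """Accounts created, directly or transitively, by `compromised` during the
    exposure window that ends at its last password reset. The reset does not
    remove them, so each needs review. Returns [] if no reset was logged."""
    reset = last_reset(events, compromised)
    if reset is None:
        return []
    tainted, found = {compromised}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != 4720 or e["actor"] not in tainted:
            continue
        when = datetime.fromisoformat(e["time"])
        # The compromised account only counts inside its exposure window;
        # accounts it spawned remain suspect after the reset.
        if e["actor"] == compromised and not (reset - max_age <= when <= reset):
            continue
        tainted.add(e["target"])
        found.append(e["target"])
    return found


if __name__ == "__main__":
    print("unexpected:", unexpected_creations(EVENTS))
    print("survive reset of asmith:", accounts_surviving_reset(EVENTS, "asmith"))
```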
The truth is, no security control is perfect. They are designed to address risk, a specific threat against a specific vulnerability. The lesson is to use only the controls that address the risks that concern you. So when deciding to use passwords, first determine your risks, and then choose the controls that minimize the risks you're most concerned with.