The 2018 worst password fails, by that Dashlane means worst offenders this year, are:

1. Kanye West for unlocking his iPhone on TV in the White House with 000000.

2. The Pentagon for protecting weapon systems with default passwords, as well have having such pitiful admin passwords that the GAO audit team could guess them in nine seconds.

3. Cryptocurrency owners for failing to remember their passwords to their digital wallets in order to cash out while cryptocurrencies were at record-level highs.

4. Nutella for telling Twitter followers to use “Nutella” as a password — advice sent out on World Password Day.

5. U.K. law firms, 500 of them, for their 1 million corporate email and password combinations, stored in plaintext, which were discovered by researchers on the dark web.

6. The state of Texas for exposing over 14 million voter records thanks to a server that didn't have password protection.

7. White House staff for a member writing down his email login and password and then leaving the White House stationery document at a Washington, D.C., bus stop.

8. Google for leaving a Google admin page with a blank username and password combo, allowing an engineering student to get access to a TV broadcast satellite.

9. The United Nations for its staff failing to password-protect collaboration projects using Trello, Jira, and Google Docs. Anyone with the right “link could access secret plans, international communications and plaintext passwords.”

10. University of Cambridge for leaving a password in plaintext on GitHub, allowing anyone to access the data of millions of people — data that had been extracted from the Facebook quiz app myPersonality.

Other cybersecurity news:

December 2018 Patch Tuesday

Microsoft fixed 39 vulnerabilities, nine of which are rated critical, and a zero-day being exploited in the wild. The zero-day elevation-of-privilege (EoP) flaw is in the Windows kernel. Microsoft also patched another publicly disclosed vulnerability in .Net Framework which could allow denial of service in .Net Framework web apps. Out of nine browser and scripting engine flaws that were patched, six can be exploited via browsers, making them a priority according to Qualys.

It may not be surprising that PowerPoint had a remote code execution vulnerability, but is a bit odd to see a remote code execution flaw in Microsoft’s text-to-speech.

The Adobe Flash zero-day fix, which got an out-of-band fix by Adobe last week, was part of the patches rolled out by Microsoft. In all, Adobe patched 87 vulnerabilities, six rated as critical and three rated as important.

Update security by Check for Updates makes you a tester of unstable Windows 10 updates

As for the Windows 10 October Update that Microsoft yanked and then re-released, you may still want to hold off, as various other issues keep popping up even after Microsoft fixed the problem with the update eating users’ files.

Microsoft reportedly admitted that Windows users who click on the “Check for Updates” button will be put in the “seeker” category and be given “C” and “D” non-security preview updates for which the users will act in a tester category for those unstable updates. In Microsoft’s words:

We also release optional updates in the third and fourth weeks of the month, respectively known as “C” and “D” releases. These are preview releases, primarily for commercial customers and advanced users “seeking” updates. These updates have only non-security fixes. The intent of these releases is to provide visibility into, and enable testing of, the non-security fixes that will be included in the next Update Tuesday release. Advanced users can access the “C” and “D” releases by navigating to Settings > Update & Security > Windows Update and clicking the “Check for updates” box. The “D” release has proven popular for those “seeking” to validate the non-security content of the next “B” release.

Update to Notepad in the newest, albeit boring, Windows Insider build 18298

One of the biggest “updates” coming out in the newest Windows Insider build, which was a Fast, not Slow ring release, is for Notepad. The Register kindly warned users not to get too excited about the 18298 build, as it is “about as exciting as new socks.”

New nation-state campaign targeting critical infrastructure has ties to Lazarus Group

The McAfee Advanced Threat Research team revealed a new nation-state campaign dubbed Operation Sharpshooter that has targeted 87 organizations in government, defense, nuclear, energy, and financial sectors. It is interesting to note that Operation Sharpshooter has numerous technical links to the Lazarus Group. The Rising Sun implant being used in this campaign “uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.”