Your password can ruin your life. It does sound dramatic, but it’s true. If someone figures out the password to your email, you’re in trouble. Social media? Even worse. Once hackers access your online bank account, they can wreck your finances, and you may feel the repercussions of that break-in for years.

Most of us have the wrong idea about passwords. We think they have to be convoluted messes, like F$%Th5l2K!&. This theory reigned for years – that passwords should be nonsensical and hard to remember.
It started in 2003 with guidelines from the National Institute of Standards and Technology (NIST), which insisted on random combinations of numbers, letters, and symbols. The organization’s manager, Bill Burr, spread this gospel for years. But in a recent interview with the Wall Street Journal, he admitted that this wasn’t nearly as effective as he’d thought.

Thanks to a new round of research, cyber-security experts have changed their tune. Yes, you should still avoid guessable passwords like “p@ssword1” or “letmein.” But a secure password also can be logical, fluid and easy to remember.

1. Passwords should withstand 100 guesses. No matter what your password is, it should withstand 100 guesses, which means it shouldn’t be tied to any public information about you or your family.
Hackers often turn to your social media profiles to find information about you, and a little data goes a long way, such as your birthday and the name of your pet. Experts believe that criminals can guess the average person's password nearly 73% of the time, and they can often access other accounts by using slight variations of the same password.

2. Use a phrase. Instead of thinking of your password as a secret code, think of it as a “passphrase.” These are strings of words that are both easy to memorize but hard for anyone else to crack.
Suppose you wanted to be an astronaut when you were a kid, and your favorite color is fuschia. You have never mentioned these facts online, and only your Mom knows such trivia about you. You could compose a passphrase like “ilikefuschiaastronauts.” You’ll never forget it, and the passphrase will confound hackers for (literally) centuries.

3. Choose something memorable. Remember, each password should be unique, but they don’t have to be cumbersome. The NIST calls passwords “memorized secrets.” You want to avoid the temptation to write down passwords, so pick a password that has enough meaning to you to stay in your mind.
Many people are not fans of password managers. I couldn’t exist without my 1Password. Other people I admire love LastPass. It doesn’t matter what software you do decide to use, but you’ll still have to develop one master password that does need to be memorable.
​
4. Get creative with characters. It may take websites some time to catch up to the latest NIST guidelines, but you can still create a memorable password that meets current restrictions. You might choose something like “ArizonaCardinalsfootballisnumber1!” or “Igivemyjob1000%everyday.” Those meet the requirements of having at least eight characters, a special character, and upper and lowercase letters.

Japanese researchers recently demonstrated artificial intelligence software capable of identifying and analyzing polyps found during a colonoscopy in less than a second.

The endoscopic system uses a magnified view of a colorectal polyp to study its features and compare it with 30,000 endocytoscopic images used for machine learning.

Researchers said they were able to predict the pathology of the polyp in less than a second, with 86% accuracy, based on a study assessing more than 300 polyps.

"The most remarkable breakthrough with this system is that artificial intelligence enables real-time optical biopsy of colorectal polyps during colonoscopy, regardless of the endoscopists’ skill," said Dr. Yuichi Mori, a researcher from Showa University in Yokohama, Japan and study lead, in a statement.

Mori said researchers now want to work on a broader study aimed at creating a system that can automatically detect polyps.

Its value to the medical world is a key reason why supporters such as Facebook CEO Mark Zuckerberg are excited about the future of artificial intelligence. During a Facebook Live chat in July, Zuckerberg discussed how AI can create safer cars and diagnose diseases earlier.

"I’m just much more optimistic in general on this," he said.
​
Critics of AI, most notably Tesla CEO Elon Musk, said governments should regulate how artificial intelligence is built and used to prevent potential global disasters.

Attackers are combining credential phishing, credit card data theft, and malware into a single campaign targeting banking details.

While it's common to see attacks involving phishing or malware, the combination of these tactics in a single campaign targeting Android devices of financial services and banking customers indicates the extent to which attackers are willing to play a more extended game to get to their goal.

The attacks combine phishing with the distribution of the Marcher Android trojan, a form of banking malware which has been active since at least late 2013. Lures previously used to distribute Marcher include a fake software update, a fake security update, and a fake mobile game.

Marcher first originated on Russian underground forums but has since become a global threat, with the trojan targeting bank customers around the world.

Uncovered by researchers at Proofpoint, the latest Marcher campaign has been ongoing since January and uses a multistep scheme to target customers of Austrian banks.

The attacks begin with phishing emails containing a shortened bit.ly link to a fake version of the Bank Austria login page, which has been registered to some different domains containing 'bankaustria' in the title, to trick the user into believing they're visiting the official site.

Those who visit the fake Bank Austria page are asked for their customer details, following which they are asked for their email address and phone number. These details provide the attackers with everything they need to move onto using social engineering to conduct the next stage of the campaign.

Using the stolen information, the attackers send the users a warning in a message featuring Bank Austria branding which claims the target doesn't have the "Bank Austria Security App" installed on their smartphone. 
The message claims EU money laundering guidelines mean that the new Bank Austria app is mandatory for customers and that failure to install it will lead to the account being blocked. The user is directed to a shortened URL and with the claim that following the link will lead to the installation of the app.

Those who click through to this are provided with additional instructions on how to download the app. The directions say that the user needs to alter their security settings to allow the download of applications from unknown sources. This is a part of the Android ecosystem which attackers regularly exploit to install malware, which in this case enables the installation of Marcher.

The fake app requires extensive permissions including writing and reading external storage, access to precise location, complete control over SMS messages, the ability to read contact data, the ability to read and write system settings, the ability to lock the device and more. 

Once fully installed, the malware places a legitimate looking icon on the phone's home screen, again using branding stolen from Bank Austria.

But this version of Marcher isn't just a banking trojan; it also enables the direct theft of credit card details. Those who've installed Marcher are asked for their credit card information when they open applications such as the Google Play store.

The attackers also ask for information including date of birth, address, and password to ensure they have all the data they require to exploit the stolen credentials fraudulently. Each of the overlays is designed to look official via the use of stolen branding.

Data suggests almost 20,000 people clicked through to the campaign, potentially handing their banking details and personal information into the hands of hackers. Similar attacks have also started targeting Raiffeisen and Sparkasse banks.
​
To avoid falling victim to this type of campaign, users should be wary of unusual domains in general and should be skeptical of any email communication from a bank asking for any sort of credentials. Users should also be wary of downloading apps from unofficial sources which ask for extensive permissions.

Deloitte just announced the availability of audit technology for smaller accounting firms through a new venture it recently formed.

Deloitte created Auvenir as an in-house startup and tasked it with developing its own auditing technology that could be offered to small firms. Next week, Deloitte plans to announce the North American launch of the technology, known as the Auvenir Audit Smarter platform, which leverages artificial intelligence to help auditors with their work.

Auvenir doesn’t use Deloitte’s own proprietary auditing technology, but it was developed with input from Deloitte’s audit team. The Auvenir team also interviewed a number of small to midsized audit firms and their clients across North America to identify the issues they encounter with audits. It has been beta testing the Audit Smarter technology with several auditing firms in Canada.

Deloitte global audit and assurance innovation leader Chris Thatcher said he was tasked by his boss with coming up with the kind of technology that a startup might develop in competition with Deloitte. “One of the things he was quite concerned about, that kept him up at nights, was a couple of guys in a garage thinking about how you could do audit completely differently to how we would have done it traditionally in the past,” he said. “My boss basically challenged me to think about defending ourselves from disruption.”

 “From our perspective at Auvenir, we spoke to hundreds of auditors and clients, primarily in that part of the market, the smaller auditing firms and smaller clients, and what we found is that a lot of the technology that’s available to them is not the right size technology for the size of engagements they’re dealing with,” Auvenir CEO Pete Myers said. “We want to open this up for any accounting firm. We’re not restricting who uses it. It’s available to any firm out there.”

The platform uses cloud-based storage, machine learning and artificial intelligence to improve workflow and collaboration between auditors and their clients.

The machine learning component helps auditors judge whether there is a low or high risk from the trends they are seeing. “It would be like saying nine out of 10 auditors when they were looking at this industry thought this was a high risk, but giving those insights in a real way,” said Myers. “It’s really providing those insights and tips, as someone who is working through the engagement or going through their decision-making to just have somewhat more confidence in the decisions they’re making. One thing that’s very clear, as a platform we’re not taking on the audit itself. We’re just a tool to be used by auditors, and we’re not making any of the decisions that need to be made in coming to an opinion.”

Deloitte admitted last month to a data breach in which hackers were able to access client data from its internal email system (see Deloitte email platform and client data hit by cyberattack). However, Auvenir is using separate servers and is emphasizing security.

“We host the data, and it’s completely separate from where Deloitte hosts their data,” said Myers. “Data security is one of our most important governing principles. In conversations with auditors and clients, it’s top of mind that the data is secure. Basically all of our customer and application data is encrypted whenever it’s being transmitted between our servers or with a customer device. It’s also encrypted anytime it’s stored on our servers. The data is never stored or transferred to a customer without strong encryption and then our encryption algorithms are all compliant or exceed ISO and NISD standards. And in addition to that, we’re making sure we’re going through an independent SOC 2 certification to make sure we’re complying with the SOC 2 and ISO 27001 security standards.”
​
Deloitte sees the technology as an innovation for the audit profession. “We believe this is quite radical innovation,” said Thatcher. “This is radically different innovation from what we’ve seen traditionally from ourselves and from others in the market. This is the very first venture we have done as a global audit business and certainly we hope it is not our last.”