A Review of the Best News of the Week on Identity Mgt & Web Fraud

How Many Times Has Your Personal Information Been Exposed to Hackers? (The New York Times, Sep 14 2017)
An interactive quiz to find out which parts of your identity may have been stolen in major hacking attacks over the last four years.

Ayuda! (Help!) Equifax Has My Data! (Krebs on Security, Sep 14 2017)
First rule of website configuration: change the default username/password (admin/admin) to something else. Krebs writes about an Equifax Argentina employee portal, known as Veraz (“truthful” in Spanish), that was left protected by exactly that default.

How to Hack Passwords: How Long Would It Take Your Grandmother To Do It? (Secure Thinking by Centrify, Sep 13 2017)
First step for Grandma is to visit Amazon and pick up some hardware. Perhaps a nice Bitcoin mining rig that can compute SHA-256 hashes at 60 GH per second. What does that mean? 1 MH/s is 1,000,000 (one million) hashes per second. 1 GH/s is 1,000,000,000 (one billion) hashes per second. So this rig can do 60 billion hashes per second and it is only $699. Great Christmas present for this Grandma. One caveat: a Bitcoin ASIC is hard-wired for double-SHA-256 over block headers and cannot be pointed at arbitrary password hashes, and headline rates like this only matter against fast, unsalted hashes; a deliberately slow, salted scheme such as bcrypt, scrypt, Argon2 or PBKDF2 cuts an attacker's rate by orders of magnitude.

India’s biometric database is a dystopian nightmare (VICE News, Sep 08 2017)
Seven years ago nearly 400 million people in India did not exist in the eyes of the government. They were “ghosts” who had no identity and no way of getting one, says Sahil Kini, one of the architects of India’s controversial Aadhaar database. In a country trying to modernize on the fly and take its place among the world’s superpowers, this massive yet unknown population presented a huge problem.

The Equifax Breach Exposes America’s Identity Crisis (Wired, Sep 08 2017)
Considered along with the data stolen from various other breaches, hacks, and leaks, “it’s a safe assumption that everyone’s Social Security number has been compromised and their identity data has been stolen,” says Jeremiah Grossman, the chief of security strategy at the defense and threat monitoring firm SentinelOne.

US carriers partner on a better mobile authentication system (Engadget, Sep 08 2017)
Sprint, T-Mobile, Verizon and AT&T have formed a coalition called the Mobile Authentication Taskforce to come up with a new system. Working with app developers and others, they’ll explore the use of SIM card recognition, network-based authentication, geo-location, and other carrier-specific capabilities.

Why Relaxing Our Password Policies Might Actually Bolster User Safety (Dark Reading, Sep 11 2017)
Here’s another summary of NIST’s recent recommendations, Special Publication 800-63-3 (Digital Identity Guidelines), finalized in June 2017. The “relaxing” in the headline refers to 800-63B, which drops mandatory periodic password changes and character-composition rules in favor of longer secrets (at least 8 characters, with at least 64 permitted), screening candidates against lists of common or breached passwords, and rate-limiting failed logins.
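As an added illustration (not code from the Dark Reading article or from NIST), here is what an 800-63B-style memorized-secret verifier looks like in Python: it enforces length and a blocklist, rejects context-specific and repetitive strings, normalizes Unicode before comparing, and deliberately has no composition rules or expiry. The blocklist, username and service name are constructed sample data.

```python
"""Memorized-secret (password) checks in the spirit of NIST SP 800-63B,
section 5.1.1.2. Added example: this is not code from the Dark Reading
article, NIST, or any vendor in this newsletter. The blocklist, username
and service name below are constructed sample data."""
import unicodedata

# Constructed sample blocklist. A real deployment compares against a large
# corpus of breached and common passwords, not a hand-written set.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}

MIN_LEN = 8     # 800-63B: user-chosen secrets SHALL be at least 8 characters
MAX_LEN = 128   # 800-63B: verifiers SHOULD permit at least 64; never truncate


def normalize(secret: str) -> str:
    """Apply NFKC so visually identical Unicode spellings compare the same way.
    800-63B recommends a stable normalization (NFKC or NFC) before the secret
    is hashed; the same function must run at enrollment and at login."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """Simplified check for the 'aaaaaaaa' / 'abcdefgh' / '87654321' cases.
    Only whole-string runs are detected; mixed strings like '1234abcd' are not."""
    lowered = s.lower()
    if len(set(lowered)) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(lowered, lowered[1:])}
    return steps in ({1}, {-1})


def check_password(secret: str, username: str, service: str) -> list:
    """Return the reasons a candidate secret is rejected; an empty list means
    it is accepted. Deliberately absent, because 800-63B says not to require
    them: character-class composition rules, periodic expiry and hints."""
    s = normalize(secret)
    lowered = s.lower()
    problems = []
    if len(s) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(s) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if lowered in BLOCKLIST:
        problems.append("appears on the blocklist of common or breached passwords")
    for context_word in (username, service):
        if context_word and context_word.lower() in lowered:
            problems.append("contains context-specific word %r" % context_word)
    if is_repetitive_or_sequential(lowered):
        problems.append("is a repetitive or sequential string")
    return problems


def accepts(secret: str, username: str = "alice", service: str = "example") -> bool:
    """Convenience wrapper using the constructed default context values."""
    return not check_password(secret, username, service)


if __name__ == "__main__":
    for candidate in ("Password", "alice2017!", "abcdefgh",
                      "correct horse battery staple"):
        verdict = check_password(candidate, "alice", "example") or "accepted"
        print("%-32r -> %s" % (candidate, verdict))
```

Note that a passphrase with spaces and no digits or symbols passes, a fullwidth-Unicode spelling of “password” is caught only because normalization runs before the blocklist lookup, and nothing here expires a secret on a schedule.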

Chrome’s Plan to Distrust Symantec Certificates (Google Online Security Blog, Sep 11 2017)
At the end of July, the Chrome team and the PKI community converged upon a plan to reduce, and ultimately remove, trust in Symantec’s infrastructure in order to uphold users’ security and privacy when browsing the web.

Now Create and Manage AWS IAM Roles More Easily with the Updated IAM Console (AWS Security Blog, Sep 08 2017)
The AWS Identity and Access Management (IAM) console is updated to make it easier for you to create, manage, and understand IAM roles. This includes an updated role-creation workflow that better guides you through the process of creating trust relationships (which define who can assume a role) and attaching permissions to roles. Additionally, you can now view and understand the permissions attached to roles more easily by using policy summaries for each role in your account.

Senator Seeks Privacy Answers on Face ID (Pindrop, Sep 14 2017)
As tech enthusiasts pore over the design details of the iPhone X and swoon at the thought of a quarter-inch more screen space, some lawmakers are asking Apple for more details about the way the phone’s new Face ID authentication system works and what might be done with users’ faceprints.

Equifax Cyberattack Underscores Dangers in Post-Breach World (ThreatMetrix, Sep 13 2017)
Consumers are already getting what they want from first movers in banking, eCommerce, media, lending, insurance and other industries that have transitioned to today’s smart authentication systems. These technologies verify identities using hundreds of dynamic data elements and global, crowdsourced threat intelligence that can’t be faked. Trust is established instantly, streamlining the digital experience for legitimate customers, while blocking out fraudsters—even if they’re using valid credentials.

ID.me debuts FIDO U2F security keys as an extra layer of authentication for digital identity verification (ID.me Blog, Sep 12 2017)
To register, users insert the security key into a USB port, enter a password and tap the device when prompted. This will generate a cryptographic code that binds the physical token to their identity, proving that it is not someone pretending to be them. For future login, users follow the same simple process.

Securing Access to Data Stored in Amazon S3 Buckets (The Duo Blog, Sep 12 2017)
While ransomware appears to remain the topic du jour in the media, there’s another problem that isn’t quite as flashy but still irrevocably damaging – misconfigured access to Amazon S3 buckets.
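The AWS item above describes role trust relationships (who can assume a role) and this Duo item describes misconfigured S3 access; both come down to the Principal element of an IAM policy document. Here is an added Python example, not AWS code and not from either post, that inspects policy JSON offline and flags Allow statements granted to anyone. The three policies, the account ID, bucket name and external ID are all constructed.

```python
"""Flag IAM policy statements that grant access to anyone.

Added example, not AWS code and not from the Duo or AWS posts above. It
inspects the JSON policy documents themselves (a role trust policy and an
S3 bucket policy), so it runs offline with no AWS credentials. All three
policies below are constructed samples; the account ID, bucket name and
external ID are made up."""
import json

# Constructed: a trust policy that lets any AWS principal (in any account)
# assume the role, provided their own account grants them sts:AssumeRole.
OPEN_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AnyoneCanAssume",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole"
  }]
}"""

# Constructed: the same role scoped to one partner account, with an ExternalId
# condition so a third party cannot be tricked into assuming it on someone
# else's behalf (the confused-deputy case).
SCOPED_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PartnerAccountOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}
  }]
}"""

# Constructed: a bucket policy that makes every object world-readable. For S3,
# Principal "*" includes unauthenticated (anonymous) requests.
PUBLIC_BUCKET_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}"""


def _as_list(value):
    """IAM allows most elements as either a single value or a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal) -> bool:
    """True when the Principal element names every account or anonymous user.
    Covers the forms IAM accepts: the string "*", or a map such as
    {"AWS": "*"} or {"AWS": ["arn:aws:iam::111122223333:root", "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_open_statements(policy_json: str) -> list:
    """Return (Sid, actions) for each Allow statement whose principal is anyone
    and which carries no Condition. Any Condition is treated as a restriction,
    which is deliberately coarse: a condition like aws:SourceIp 0.0.0.0/0 still
    leaves the statement open, so conditioned wildcards need manual review."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return findings


def audit(policies: dict) -> dict:
    """Map each policy name to its open statements; only offenders are listed."""
    report = {}
    for name, doc in policies.items():
        open_statements = find_open_statements(doc)
        if open_statements:
            report[name] = open_statements
    return report


if __name__ == "__main__":
    result = audit({
        "role-trust-open": OPEN_TRUST_POLICY,
        "role-trust-scoped": SCOPED_TRUST_POLICY,
        "bucket-public": PUBLIC_BUCKET_POLICY,
    })
    for name, statements in result.items():
        for sid, actions in statements:
            print("%s: statement %s allows %s to anyone" % (name, sid, ", ".join(actions)))
```

The bucket policy is only one of two paths to a public bucket: S3 ACL grants to the AllUsers or AuthenticatedUsers groups make objects public without any policy statement, so a real audit has to read the ACLs as well.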

Developing RESTful APIs with Loopback (Auth0 Blog, Sep 07 2017)
Learn how to build and secure RESTful APIs with Loopback. TL;DR: the tutorial shows how to use Loopback to build out REST APIs quickly; the accompanying repo has the code.