A Review of the Best News of the Week on Identity Mgt & Web Fraud

Experian Site Can Give Anyone Your Credit Freeze PIN (Krebs on Security, Sep 21 2017)
A free online service offered by big-three credit bureau Experian allows anyone to request the personal identification number (PIN) needed to unlock a consumer credit file that was previously frozen at Experian.

SecureAuth to Merge with Core Security (Dark Reading, Sep 20 2017)
K1 Investment Management, which owns Core Security, plans to acquire the identity management and authentication company for more than $200 million.

Gartner Privileged Access Management Market Overview 2017 (Secure Thinking by Centrify, Sep 20 2017)
Gartner just published their 2017 Market Overview guide for PAM. The drivers for PAM are similar to last year’s, with a new emphasis on the need for “a comprehensive cybersecurity defense strategy, specifically for critical infrastructure.” Here’s Gartner’s list of drivers…

How One of Apple’s Key Privacy Safeguards Falls Short (Wired, Sep 15 2017)
Researchers say they’re doing it wrong. For the past year, Apple has touted a mathematical tool that it describes as a solution to a paradoxical problem: mining user data while simultaneously protecting user privacy. That secret weapon is “differential privacy,” a novel field of data science that focuses on…

Why SMS two-factor authentication puts your bitcoins at risk (Naked Security – Sophos, Sep 20 2017)
In a video uploaded on Monday, researchers from the Russian security firm Positive Technologies demonstrated that they were able to use the SS7 flaws to take control of a Coinbase Bitcoin wallet and suck out funds.

AWS IAM Policy Summaries Now Help You Identify Errors and Correct Permissions in Your IAM Policies (AWS Security Blog, Sep 15 2017)
AWS updated policy summaries to help you identify and correct errors in your IAM policies. Now, you will see a warning if policy elements (Actions, Resources, and Conditions) defined in your IAM policy do not match.

How to Enable Your Users to Access Office 365 with AWS Microsoft Active Directory Credentials (AWS Security Blog, Sep 14 2017)
You can now enable your users to access Microsoft Office 365 with credentials that you manage in AWS Directory Service for Microsoft Active Directory, also known as AWS Microsoft AD.

A Note on Consumer Identity World US 2017 (Axiomatics, Sep 19 2017)
UX, Security, Privacy and CIAM. Ryan Fox of Capital One came to introduce their API-first strategy. As a bank, they are implementing and offering a set of APIs to enable business interactions that deliver better consumer experiences. This goes through an API that can be used for user identity verification.

FIDO Standards Provide Easy, Secure Way for European Payments Industry to Meet PSD2 Strong Authentication Requirements (FIDO Alliance, Sep 20 2017)
While the final draft RTS requires two secure and distinct factors of authentication, it also recognizes that these factors can be housed in a single “multi-purpose” device – such as a mobile phone, tablet or PC – as long as “separate secure execution environments” are used (such as trusted execution environments (TEE), secure elements (SE) and trusted platform modules (TPM)).

Trusted insider at the federal level raises concerns (CSO Online Cyber Crime, Sep 21 2017)
Charged with bank fraud, Imran Awan provided IT services to the U.S. House of Representatives for 14 years. Is he a white-collar criminal or something more sinister?

5 Insights on Why Proving Identity Online Is Hard (and What Can Be Done to Make It Easier) (ID.me Blog, Sep 18 2017)
Moderated by ID.me CEO Blake Hall, the panel discussed why identity proofing has become a challenge and how organizations can work towards creating a more secure identity ecosystem.

Hey Chef, What’s the Length of your Encrypted Password? (Okta blogs, Sep 21 2017)
Does your organization, or one you are testing/auditing, use Chef Data Bags or SaltStack Pillar with the GPG.renderer to secure secrets for deployment and operations?

“Admin from Hell” holds company to ransom with porn makeover (Naked Security – Sophos, Sep 21 2017)
The IT admin demanded $10,000; when he didn’t get it, things got X-rated.