A Review of the Best News of the Week on Identity Management & Web Fraud

USPS Site Exposed Data on 60 Million Users (Krebs on Security, Nov 21 2018)
“U.S. Postal Service just fixed a security weakness that allowed anyone who has an account at usps.com to view account details for some 60 million other users, and in some cases to modify account details on their behalf.”

Creepy or Not, Face Scans Are Speeding up Airport Security (Wired, Nov 21 2018)
Who cares if you hate it? This time- and effort-saving tech is spreading, and fast.

LinkedIn cuts off email address exports with new privacy setting (TechCrunch, Nov 21 2018)
A win for privacy on LinkedIn could be a big loss for businesses, recruiters and anyone else expecting to be able to export the email addresses of their connections. LinkedIn just quietly introduced a new privacy setting that defaults to blocking other users from exporting your email address.


Privacy laws do not understand human error (Help Net Security, Nov 20 2018)
Volumes of unstructured data are only going to increase, and inevitably so too will the risk of accidental loss. New laws like the NYDFS Cybersecurity Regulation, California AB 375 and GDPR have changed the game for compliance, and organizations need to start protecting unstructured data by default rather than as an after-thought.

DNS over HTTPS seeks to make internet use more private (Network World Security, Nov 20 2018)
The IETF has standardized DNS over HTTPS (DOH), which encrypts DNS queries so eavesdroppers can’t tell what sites users connect to.

The PCLOB Needs a Director (Schneier on Security, Nov 20 2018)
The US Privacy and Civil Liberties Oversight Board is looking for a director. Among other things, this board has some oversight role over the NSA. More precisely, it can examine what any executive-branch agency is doing about counterterrorism. So it can examine the program of TSA watchlists, NSA anti-terrorism surveillance, and FBI counterterrorism activities.

Microsoft’s MFA is so strong, it locked out users for 8 hours (Naked Security – Sophos, Nov 21 2018)
It’s a long time for Office 365 and Azure AD users to be locked out of such an important business platform, but MFA remains a good idea.

Microsoft Enables Account Sign-In via Security Key (Dark Reading, Nov 20 2018)
Account holders can use a FIDO2-compatible key or Windows Hello to authenticate sans username or password.

Online Fraud Losses Set to Hit Nearly $50bn by 2023 (Infosecurity Magazine, Nov 21 2018)
Juniper Research warns of rising synthetic ID fraud

Simplify granting access to your AWS resources by using tags on AWS IAM users and roles (AWS Security Blog, Nov 19 2018)
Recently, AWS enabled tags on IAM principals (users and roles). With this update, you can now use attribute-based access control (ABAC) to simplify permissions management at scale. This means administrators can create a reusable policy that applies permissions based on the attributes of the IAM principal (such as tags).

A look at recent phishing activity (Zscaler, Nov 21 2018)
Microsoft tops the list partly because of Microsoft’s multiple enterprise web properties, such as OneDrive, Office 365, Outlook Web Access, among others, being targeted by the threat actors. Microsoft was followed by Facebook and PayPal in the list.

Google Helps G Suite Admins Enforce Strong Passwords (SecurityWeek, Nov 16 2018)
Google announced new features to G Suite designed to help administrators enforce rigorous password requirements and increase security.

European Privacy Search Engines Aim to Challenge Google (SecurityWeek, Nov 21 2018)
In the battle for online privacy, U.S. search giant Google is a Goliath facing a handful of European Davids.