A Review of the Best News of the Week on Identity Management & Web Fraud

Should Failing Phish Tests Be a Fireable Offense? (Krebs on Security, May 29 2019)
“Would your average Internet user be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach).”

Facial Recognition Technology Is Facing A Huge Backlash In The US. But Some Of The World’s Biggest Tech Companies Are Trying To Sell It In The Gulf. (BuzzFeed News, May 30 2019)
Face recognition has been banned in San Francisco and linked by Alexandria Ocasio-Cortez to a rise in global fascism. But it’s being marketed in Dubai, which has spied on hundreds of dissidents, by American and Chinese tech giants.

Facebook took action against 2.19B fake accounts in first three months of 2019 (SC Magazine, May 24 2019)
The newly released third edition of Facebook’s Community Standards Enforcement report found that five percent of monthly active accounts registered on the social media website between October 2017 and March 2019 were fake. This represents a one-to-two percentage point increase in fake account “prevalence” since the second edition of the transparency report was published last…


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


OMB’s new identity management policy brings CDM more to the forefront (Federal News Network, May 27 2019)
A big part of the next focus area of CDM is trying to bring solutions around the problem of data and system access control. The identity access and credential management policy mentions CDM six times in the 13 page document, around things like aligning the federal ICAM architecture with the program or using the cybersecurity initiative to accelerate the procurement and deployment of ICAM tools and capabilities.

How Many Passwords Should be in a Password Blacklist? (Infosecurity Magazine, May 27 2019)
The answer should be as many as possible, but current advice is conflicting.

G Suite to get Gmail confidential mode, on by default (Help Net Security, May 30 2019)
Earlier this year, Google introduced Gmail confidential mode for both consumer and G Suite users. While the former were able to use it immediately, the latter depended on whether their domain admin chose to enable it (as it was and is still in beta). But, starting on June 25, the feature will be turned on by default and it will be on admins to turn it off – if they don’t explicitly choose to disable…

Passwords Are Still a Problem According to the 2019 Verizon Data Breach Investigations Report (The LastPass Blog, May 22 2019)
Though the report is worth a read in its entirety, a few access and authentication-related findings especially stood out to us this year. The types of attacks and threat actions may evolve from year to year, but one thing has remained the same: Compromised passwords are still a leading contributor to successful attacks.

Georgia Supreme Court Rules that State Has No Obligation to Protect Personal Information (SecurityWeek, May 25 2019)
Almost exactly one year after the stringent European General Data Protection Regulation came into effect (May 25, 2019), the Supreme Court of the state of Georgia has ruled (May 20, 2019) that the state government does not have an inherent obligation to protect citizens’ personal information that it stores.

London Underground passengers told to turn off their Wi-Fi if they don’t want to be tracked (Graham Cluley, May 24 2019)
From 8 July 2019, travellers on London’s underground tube network may wish to turn off their Wi-Fi first… if they don’t like the idea of being tracked.

Google Ad Exchange in data privacy probe (Naked Security – Sophos, May 24 2019)
It was triggered by a complaint filed by Dr. Johnny Ryan, CPO of privacy-focused Brave browser, which is fighting Google’s search domination.

All the Ways Google Tracks You—And How to Stop It (Wired, May 27 2019)
Google knows more about you than you might think. Here’s how to keep it from knowing your location, web browsing, and more.

Germany Seeks Access to Encrypted Messages on WhatsApp, Telegram (Infosecurity Magazine, May 28 2019)
Not complying with this could end with companies being banned by the Federal Network Agency.

Facebook Removes a Fresh Batch of Iran-Linked Fake Accounts (Wired, May 28 2019)
Outside researchers tipped Facebook off that a social media network was pushing Iranian interests, posing as journalists, and even impersonating politicians.

Safari test points to a future with tracker-free ads (Naked Security, May 29 2019)
Apple thinks it has come up with a way for advertisers to track how well their ads are doing without compromising user privacy.

Privacy by design: Cybersecurity and the future of 5G (CSO Online, May 30 2019)
History has shown that when we rush to expand computing power and interconnectivity – IoT and cloud tech, to name two – we expose ourselves to new kinds of cyberattacks and bad actors. Can we get it right with 5G?

Impersonation Attacks Up 67% for Corporate Inboxes (Dark Reading, May 29 2019)
Nearly three-quarters of organizations hit with impersonation attacks experienced direct losses of money, customers, and data.

Businesses are struggling to implement adequate IAM and PAM processes, practices and technologies (Help Net Security, May 30 2019)
Businesses find identity and access management (IAM) and privileged access management (PAM) security disciplines difficult yet un-concerning.

Many are seeing the damage of cybercrime and identity theft firsthand (Help Net Security, May 30 2019)
As massive data breaches continue to make international headlines and the Internet is an integral part of our daily lives, consumers are now grasping the risks they face. In a new F-Secure survey, 71% of respondents say they feel that they will become a victim of cybercrime or identity theft, while 73% expressed similar fears about their kids.