A Review of the Best News of the Week on Identity Management & Web Fraud

FBI recommends passphrases over password complexity (ZDNet, Feb 24 2020)
Longer passwords, even consisting of simpler words or constructs, are better than short passwords with special characters.

What’s next in making Encrypted DNS-over-HTTPS the Default – Future Releases (Mozilla blog, Feb 25 2020)
More than 70,000 users have already chosen on their own to explicitly enable DoH in Firefox Release edition. We are close to releasing DoH in the USA, and we have a few updates to share.

Gartner Says Over 40% of Privacy Compliance Technology Will Rely on Artificial Intelligence in the Next Three Years (Gartner, Feb 25 2020)
“More than 60 jurisdictions around the world have proposed or are drafting postmodern privacy and data protection laws as a result. Canada, for example, is looking to modernize their Personal Information Protection and Electronic Documents Act (PIPEDA), in part to maintain the adequacy standing with the EU post-GDPR.”

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

The Amazon Prime phishing attack that wasn’t… (Naked Security – Sophos, Feb 21 2020)
When we followed the phishing trail, we found ourselves at a web page we weren’t expecting… but instead of reaching a page that demanded our Amazon password, which is what we expected, we ended up at the crooks’ very own remote access backdoor:

How a Web Design Company Crowdfunded Millions and Completely Disappeared (VICE, Feb 25 2020)
The Grid suddenly locked customers out of their websites and went silent for a year. Now, the CEO says he was naive. “I can imagine there’s a few people who are pissed off.”

Washington state Senate passes bill to rein in facial recognition (Naked Security – Sophos, Feb 21 2020)
The bill now goes to the House, which has a stiffer competing bill pending that would call for a 3.5 year moratorium.

Looking at the future of identity access management (IAM) (Help Net Security, Feb 21 2020)
Here are three IAM predictions for 2020:
1. Single sign-on (SSO) protocols steadily decrease the need for unique accounts and credentials for every resource, so Active Directory (AD) is put on notice.
2. Downstream resources benefit from improved integration.
3. Multi-factor authentication (MFA) pervades our login attempts and increases the security of delivery to stay a step ahead.

GDPR Protection Will Continue After Google’s US Data Move, Says Lawyer (Infosecurity Magazine, Feb 21 2020)
Data protection expert argues decision unlikely to have anything to do with Brexit

Users still engaging in risky password, authentication practices (Help Net Security, Feb 24 2020)
IT security practitioners are aware of good habits when it comes to strong authentication and password management, yet often fail to implement them due to poor usability or inconvenience, according to Yubico and Ponemon Institute.

Over 120 Million US Consumers Exposed in Privacy Snafu (Infosecurity Magazine, Feb 24 2020)
Market analysis firm Tetrad left S3 bucket misconfigured

Canada Privacy Watchdog Probes Facial Recognition Startup (SecurityWeek, Feb 24 2020)
Canada’s privacy watchdog on Friday announced an investigation into a US software startup reportedly capable of matching images of unknown faces to photos it mined from millions of websites and social media networks.

Removing a GPS tracking device from your car isn’t theft, court rules (Ars Technica, Feb 24 2020)
Indiana high court: Removing a small unmarked device from your car isn’t theft.

BEC Group Abuses Google G Suite in Scheme Targeting Thousands of Firms (SecurityWeek, Feb 25 2020)
A group of business email compromise (BEC) scammers that targeted thousands in the United States employed Google’s G Suite for their infrastructure, Agari reports.

Google stops indexing WhatsApp chats; other search engines still at it (Naked Security – Sophos, Feb 25 2020)
Private chat invites aren’t meant to be unfindable, Facebook says, though a snippet of code eventually shielded them from Google indexing.

Is Conditional Access the Right Approach to Authentication? It Depends. (SecurityWeek, Feb 26 2020)
What You Need to Know to Make Sure You’re Headed in the Right Direction on Your Authentication Journey.

Transmit Security, Authentication Company Used by Banks, Hacked (VICE, Feb 25 2020)
The breach impacted email addresses, passwords, phone numbers, and other sensitive information, according to a researcher mentioned in a breach notification obtained by Motherboard.

Unit testing IAM policies across multiple accounts (AWS DevOps Blog, Feb 19 2020)
When migrating applications from a development account to a testing or production account, customers often find that AWS IAM policies or Service Control Policies (SCP) for their applications need significant modification to allow the application to deploy and function correctly.

Preview of Active Directory authentication support on Azure Files (Microsoft Azure Blog, Feb 21 2020)
“We are excited to announce the preview of Azure Files Active Directory (AD) authentication. You can now mount your Azure Files using AD credentials with the exact same access control experience as on-premises. You may leverage an Active Directory domain service (AD DS) either hosted on-premises or on Azure for authenticating user access to Azure Files for both premium and standard tiers.”

How to set case sensitivity in the Amazon Cognito console (AWS Security Blog, Feb 24 2020)
AWS recently updated how Amazon Cognito user pools are created so that new user pools are case insensitive by default. An Amazon Cognito user pool is a user directory that helps you manage end-user identities. With this new feature, the native user name, email alias, and preferred user name alias are marked as case insensitive when a new user pool is created. For example, [email protected] is now treated the same as [email protected].

How to define least-privileged permissions for actions called by AWS services (AWS Security Blog, Feb 21 2020)
When you perform certain actions in AWS, the service you called sometimes takes additional actions in other AWS services on your behalf. AWS Identity and Access Management (IAM) now includes condition keys to make it easier to grant only the minimum level of access necessary for IAM principals (users and roles) and AWS services to take those actions.