• Senators Urge FTC to Probe ID.me Over Selfie Data

    Some of more tech-savvy Democrats in the U.S. Senate are asking the Federal Trade Commission (FTC) to investigate identity-proofing company ID.me for "deceptive statements" the company and its founder allegedly made over how they handle facial recognition data collected on behalf of the Internal Revenue Service, which until recently required anyone seeking a new IRS account online to provide a live video selfie to ID.me.

  • When Your Smart ID Card Reader Comes With Malware

    Millions of U.S. government employees and contractors have been issued a secure smart ID card that enables physical access to buildings and controlled spaces, and provides access to government computer networks and systems at the cardholder's appropriate security level. But many government employees aren't issued an approved card reader device that lets them use these cards at home or remotely, and so turn to low-cost readers they find online. What could go wrong? Here's one example.

  • DEA Investigating Breach of Law Enforcement Data Portal

    The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.

  • Microsoft Patch Tuesday, May 2022 Edition

    Microsoft today released updates to fix at least 74 separate security problems in its Windows operating systems and related software. This month's patch batch includes fixes for seven "critical" flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.

  • Your Phone May Soon Replace Many of Your Passwords

    Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.

  • Russia to Rent Tech-Savvy Prisoners to Corporate IT?

    Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation's prison population to perform low-cost IT work for domestic companies.

  • You Can Now Ask Google to Remove Your Phone Number, Email or Address from Search Results

    Google said this week it is expanding the types of data people can ask to have removed from search results, to include personal contact information like your phone number, email address or physical address. The move comes just months after Google rolled out a new policy enabling people under the age of 18 (or a parent/guardian) to request removal of their images from Google search results.

  • Security and privacy laws, regulations, and compliance: The complete guide

    This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or regulation as well as information about what and who is covered.CSO updates this directory, originally published on January 28, 2021, frequently as new laws and regulations are put in place.Click on a link to skip to information and resources on that law:Broadly applicable laws and regulations Sarbanes-Oxley Act (SOX) Payment Card Industry Data Security Standard (PCI DSS) Payment Service Directive, revised (PSD2) Gramm-Leach-Bliley Act (GLBA) Customs-Trade Partnership Against Terrorism (C-TPAT) Free and Secure Trade Program (FAST) Children's Online Privacy Protection Act (COPPA) Fair and Accurate Credit Transaction Act (FACTA), including Red Flags Rule Federal Rules of Civil Procedure (FRCP) Industry-specific guidelines and requirements Federal Information Security Management Act (FISMA) North American Electric Reliability Corp. (NERC) standards Title 21 of the Code of Federal Regulations (21 CFR Part 11) Electronic Records Health Insurance Portability and Accountability Act (HIPAA) The Health Information Technology for Economic and Clinical […]

  • Patching the latest Active Directory vulnerabilities is not enough

    If you are as old as I am, you remember when you first had to deal with domains and Active Directory (AD). Even if you aren’t as old as I am, you still probably must deal with domains and Active Directory. If you are just starting out at a new firm, you probably know only Azure Active Directory as your building block. The reality for the rest of us is that we must patch and maintain AD. Active Directory has been in the security news again for yet another vulnerability that may need more actions than merely patching to properly protect your network from future attacks. The May 10, 2022, security updates include several patches relating to certificates. To read this article in full, please click here

  • HYAS brings security threat detection, response to production networks

    Bringing threat detection and response capabilities to production networks, cybersecurity company HYAS Infosec is set to release a new, specifically targeted security solution dubbed HYAS Confront.Aiming to address security issues on cloud-based production networks — which the company defines as the infrastructure behind businesses' outward-facing, revenue-driving applications — the software is designed to continuously monitor traffic to uncover anomalies and enhance risk mitigation."HYAS is focused on providing our clients and customers with the solutions that they require for true business resiliency, continuity, and risk management," says HYAS CEO David Ratner.  HYAS Confront "has already been proven in live deployments" among some customers, Ratner says, and will be available in general availability to customers in June.To read this article in full, please click here

  • Exium expands SASE, 5G-based security for midsize enterprise networks

    The on-premises module offers new capabilities, based on 5G standards, for midsize businesses.

  • 7 machine identity management best practices

    Machine identities are a large, and fast-growing part of the enterprise attack surface. The number of machines—servers, devices, and services—is growing rapidly and efforts to secure them often fall short.Cybercriminals and other threat actors have been quick to take advantage. Cyberattacks that involved the misuse of machine identities increased by 1,600% over the last five years, according to a report released last spring by cybersecurity vendor Venafi.Research firm Gartner named machine identity as one of the top cybersecurity trends of the year, in a report released last fall. In 2020, 50% of cloud security failures resulted from inadequate management of identities, access, and privileges, according to another Gartner report. In 2023, that percentage will rise to 75%.To read this article in full, please click here

  • DOJ: Good faith security research won’t be charged under Computer Fraud and Abuse Act

    The U.S. Department of Justice (DOJ) has revised its policy regarding charging violations of the Computer Fraud and Abuse Act (CFAA), stating that good faith security research does not warrant federal criminal action. Effective immediately, all federal prosecutors who wish to charge cases under CFAA are required to follow the new policy and consult with Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges, the DOJ said. However, the DOJ also acknowledged that claiming to be conducting security research is not a free pass for those acting in bad faith.Good faith research key to cybersecurity advancement In a press release on its website, Deputy Attorney General Lisa O. Monaco said that computer security research is a key driver of improved cybersecurity. “The department has never been interested in prosecuting good faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good faith security researchers who root out vulnerabilities for the common good.”To read this article in full, please click here

  • IDaaS explained: How it compares to IAM

    It is often said that identity is the new perimeter in the world of cloud-native ecosystems and zero trust. Identity is inarguably at the center of everything we do in modern systems and it is key to facilitating zero trust architectures and proper access control. That said, running identity and access management (IAM) at scale can be a daunting task, which is why more organizations are adopting identity-as-a-service (IDaaS) solutions.IDaaS has its pros and cons, but first let’s clarify what IDaaS is.What is IDaaS? IDaaS is a cloud-based consumption model for IAM. Much like everything else in today’s modern technology ecosystem, IAM can be offered as a service. While there are some exceptions, IDaaS is typically delivered via the cloud and can be offered as a multitenant offering or dedicated delivery model depending on the organizational requirements and the capabilities of the provider in question.To read this article in full, please click here