Selections from the top news items this week in the world of identity and application security.
IDENTITY + THE CLOUD
Why Do We Care So Much About Privacy?
From The New Yorker: The reason you’ve been receiving a steady stream of privacy-policy updates from online services, some of which you may have forgotten you ever subscribed to, is that the European Union just enacted the General Data Protection Regulation, which gives users greater control over the information that online companies collect about them. Since the Internet is a global medium, many companies now need to adhere to the E.U. regulation.
4 ways businesses and customers can build digital trust (while we wait for a blockchain solution)
From The Next Web: No one can accurately predict the future of digital ID, but some governments are moving towards digital forms of verification. The Estonian government, for example, supports e-identity where people can provide digital signatures with their ID-card, Mobile-ID or Smart-ID. This way, they can safely identify themselves and use e-services. The chip on the digital ID-card carries embedded files, and in combination with 2048-bit public key encryption, can be used as definitive proof of ID.
ThreatInsight Eliminates Passwords
From DZone: It was great speaking with Alex Salazar, Vice President Product, Development and Integration Ecosystem at Okta during Oktane18 where the company introduced ThreatInsight which enables organizations to replace passwords with stronger authentication for employees, partners, and customers. By combining signals such as device, location, and network context, with threat intelligence from across Okta's ecosystem through new ThreatInsight functionality, organizations will be able to use contextual access management to eliminate the login password as a primary factor of authentication.
Australians to soon get myGovID single government identity
From ZDNet: On Tuesday, Australia’s Minister for Human Services and Minister Assisting the Prime Minister for Digital Transformation Michael Keenan announced further details on Australia's digital identity. In a statement, Keenan said having 30 different log-ins for government services is "not good enough", and it is anticipated the single log-in will allow Australians to access almost all government services by 2025.
GDS loses digital identity policy to DCMS
From ComputerWeekly: The Government Digital Service (GDS) has lost responsibility for digital identity policy, with the Department for Digital, Culture, Media and Sport (DCMS) taking over. GDS will still be developing Gov.uk Verify, its in-house digital identity assurance system, but wider policy now rests with Matt Hancock, secretary of state at DCMS. The move took place last month, without any public announcement, but was revealed by Hancock during a press briefing last week.
Mac users: Your antivirus software could be letting malware slip by undetected
From TechRepublic: Many third-party security platforms are failing to properly implement Apple's code signing API, and the result could be malware passing itself off as signed software. The "code signing bypass" was discovered by Okta engineer Josh Pitts, who first uncovered it in February 2018 before publicly disclosing it on June 12, 2018. It affects numerous security platforms, including those from Facebook and Google, and Apple isn't accepting responsibility.
US Slaps Sanctions on Five Russian Entities, Three Individuals for Cyberattacks
From Dark Reading: The Trump administration announced sanctions this week against five Russian companies and three individuals for enabling and assisting Russia's intelligence and military units in carrying out cyberattacks against US interests. Three of the companies that have been slapped with the sanctions are cybersecurity firms, one is a manufacturer and supplier of underwater equipment, and another is a scientific research institute.
74 Arrested in International Email Scam Schemes
From Dark Reading: A coordinated effort has led to the arrest of 74 individuals around the world on charges of defrauding businesses and individuals. The so-called Operation Wire Wire that netted the suspects was a coordinated law enforcement effort by the DoJ, US Department of Homeland Security, US Department of the Treasury, and US Postal Inspection Service, along with law enforcement agencies from Nigeria, Poland, Canada, Mauritius, Indonesia, and Malaysia. Wire transfers are still commonly used to move money around the globe, and BEC attacks try to hijack those transfers and steal the money in motion. Among the 74 arrests, 42 came in the US, 29 in Nigeria, and three each in Canada, Mauritius, and Poland.
Dixons Carphone Breach & GDPR: What’s Next?
From Info Security Magazine: Yesterday high-street retailer Dixons Carphone became the first big-name brand to admit to suffering a significant data breach since GDPR came into force last month, after it confirmed a review of its systems revealed “unauthorized access to certain data held by the company.” It’s been reported that this unauthorized access had taken place in July 2017, but appears to have only been discovered by the company this week.
GDPR: The Biggest Data Breaches And The Shocking Fines (That Would Have Been)
From Forbes: Data is breached every single day, but most of these breaches don’t make headlines. Now that the European Union’s General Data Protection Regulation (GDPR) has come into effect on May 25, 2018, many companies that experience a significant data breach won’t just be dealing with a public relations snafu and the financial strain brought on by the breach, but will also face large fines mandated by the regulation. To get a sense of what the GDPR means for companies, we review a few of the world’s largest data breaches and the implications if GDPR penalties had been in place at the time of the breach.
UK watchdog issues $330k fine for Yahoo’s 2014 data breach
From TechCrunch: Another fallout from the massive Yahoo data breach that dates back to 2014: The UK’s data watchdog has just issued a £250,000 (~$334k) penalty for violations of the Data Protection Act 1998. Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath, is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users.
Exclusive interview: Okta CSO on skill shortages, passwordless authentication, and UX
From Security Brief Australia: As an organisation, identity and access management solutions provider Okta believes the key to this dilemma lies in embedding security in identity management to create a seamless user experience. Techday sat down with Okta chief security officer Yassir Abousselham at Oktane18 in Las Vegas to discuss passwordless authentication, company culture, and how Okta ensures its offerings remain secure.
Weight Watchers Swears No Customer Data Exposed After Dozens of Servers Found Publicly Accessible
From Gizmodo: Dozens of servers containing Weight Watchers’ data were left exposed after the company failed to password-protect software used for managing application containers, according to German cybersecurity firm Kromtech. An Amazon cloud infrastructure used by Weight Watchers was left vulnerable (46 Amazon S3 buckets in total), including logs, passwords, and private encryption keys, Kromtech found.
Multiple layers of cloud security controls mitigate risk
From TechTarget: When it comes to securing the cloud, it's tempting to get engrossed entirely in the technical aspects, such as encryption techniques and security architecture. But, as explained by expert Adam Gordon, author of The Official (ISC)2 Guide to the CCSP CBK, Second Edition, there are several other fronts where cloud resources need to be defended. Gordon stresses the importance of a multilayered approach to cloud security controls, but notes that every enterprise has unique needs.
DEVELOPERS + THE TECH INDUSTRY
Modern Authentication for Apps and Websites for Free
From DZone: It was great to be able to speak with Alex Salazar, VP Product, Development and Integration Ecosystem at Okta, about their new API offering. API Products for One App make it easy and affordable for engineering teams to use Okta to power modern authentication for any single website or application. Okta is also making API Products for One App – which includes Multi-Factor Authentication (MFA) – available for free with “Identity by Okta” branding.
Should every business be a social purpose business?
From Tech HQ: It was at identity management company Okta’s Oktane 2018 that I was personally given a first-hand experience of social purpose. I sat down to eat my breakfast. “Oh, if you’re going to rest your breakfast there, then you’ll need to tie a ribbon on our Okta For Good ‘heart string’ wall and receive a ten dollar gift card for the non-profit organization of your choice,” said the enthusiastic conference staff gentleman, who had clearly been on the high octane (pun intended) coffee for several hours already.
Learn more about the topics in the news this week:
- GDPR: We’re Ready, Are You?
- Security and the API Journey
- How to Prevent Your Users from Using Breached Passwords
- Becoming 100% Cloud: How Three Companies Went All-In on Cloud Adoption
- Investing in Ecosystems to Drive Social Good