As agencies look for solutions, the hope is that the report and simulation tool inform more nuanced conversations about identity verification by showing the “trade-off considerations” that agencies should consider, said Taka Ariga, GAO chief data scientist and director of the GAO Innovation Lab.
Many panelists suggested a federated framework, the report states, where program offices can use third-party credentials for identity verification, and citizens choose what service provider they want to use.
Several panelists also suggested a shift to a more risk-based approach.
Instead of requiring the same identity verification controls for everyone that interacts with a program, agencies could use data to power a “risk-based transaction management system.”
Source: Help Net Security
In this Help Net Security video, Sanjay Gupta, SVP and Managing Director, Mitek Systems, talks about how combating this threat will require a multi-layered approach from both HR and recruiting teams in addition to IT. The FBI recently issued a warning that malicious attackers are using deepfakes to apply for a variety of remote work positions via virtual interviews over the internet. These positions include IT, database, and developer positions with access to customer details, financial data, and proprietary information – making organizations incredibly vulnerable to a brand-new attack method should deep-faked candidates get hired.
Subject: North Korean hackers target crypto experts with fake Coinbase job offers
Source: Bleeping Computer
A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry.
A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack.
According to Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus activity closely since February 2022, the threat actors are now pretending to be from Coinbase, targeting candidates suitable for the role of “Engineering Manager, Product Security.”
Coinbase is one of the world’s largest cryptocurrency exchange platforms, allowing Lazarus to lay the ground for a lucrative and enticing job offer at a prestigious organization.
When victims download what they believe to be a PDF about the job position, they are actually getting a malicious executable using a PDF icon. In this case, the file is named “Coinbase_online_careers_2022_07.exe,” which will display the decoy PDF document shown below when executed while also loading a malicious DLL.
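The lure described above (an executable carrying a PDF icon and a careers-themed name) is a mismatch between what a file presents and what its bytes are. The following triage check is an added example, not code from the article or from Malwarebytes: it classifies a download by magic bytes, ignores the icon entirely, and reports why it fired. The sample files are constructed stub headers, not real malware, and the hiring-themed word list is an assumed heuristic.

```python
"""Added example (not from the article or from Malwarebytes): a triage check for a
'job description' download that presents as a PDF but is really a Windows executable.
The sample files below are constructed byte strings, not real malware."""
import os

PE_MAGIC = b"MZ"      # DOS/PE header every Windows executable starts with
PDF_MAGIC = b"%PDF-"  # PDF files start with "%PDF-<version>"
LURE_WORDS = ("career", "job", "offer", "position", "resume")  # assumed heuristic list


def content_kind(data: bytes) -> str:
    """Classify by magic bytes, ignoring whatever the name or icon claims."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def claimed_kind(filename: str) -> str:
    """What the extension tells the user."""
    ext = os.path.splitext(filename)[1].lower()
    return {".pdf": "pdf", ".exe": "pe"}.get(ext, "unknown")


def assess(filename: str, data: bytes) -> dict:
    """Return a verdict together with the reasons, so an analyst can see why it fired."""
    actual = content_kind(data)
    claimed = claimed_kind(filename)
    reasons = []
    if actual == "pe" and claimed != "pe":
        reasons.append("content is a PE executable but the extension hides it")
    stem = os.path.splitext(filename)[0].lower()
    if stem.endswith((".pdf", ".doc", ".docx")):
        reasons.append("double extension mimics a document")
    if actual == "pe" and any(word in stem for word in LURE_WORDS):
        reasons.append("executable delivered under a hiring-themed name")
    return {"file": filename, "claimed": claimed, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a stub PE header (the filename is the one named in the
# article) and a stub PDF header.
SAMPLES = {
    "Coinbase_online_careers_2022_07.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "careers.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "careers.pdf": b"%PDF-1.7\n%toy\n",
}


def triage(samples=SAMPLES) -> list:
    """Assess every sample and return the verdicts."""
    return [assess(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```

The icon a user sees lives in the executable's resource section, so a check that trusts presentation can be fooled; this one deliberately reads only the leading bytes. In a mail gateway or EDR pipeline the same idea extends to any document type: compare the declared type with the content type and escalate on mismatch.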
Subject: Pretty Good Phone Privacy Masks Your Android Device ID, Mobile Data
As marketers, data brokers, and tech giants endlessly expand their access to individuals’ data and movements across the web, tools like VPNs or cookie blockers can feel increasingly feeble and futile. Short of going totally off the grid forever, there are few options for the average person to meaningfully resist tracking online. Even after coming up with a technical solution last year for how phone carriers could stop automatically collecting users’ locations, researchers Barath Raghavan and Paul Schmitt knew it would be challenging to convince telecoms to implement the change. So they decided to be the carrier they wanted to see in the world. The result is a new company, dubbed Invisv, that offers mobile data designed to separate users from specific identifiers so the company can’t access or track customers’ metadata, location information, or mobile browsing. Launching in beta today for Android, the company’s Pretty Good Phone Privacy or PGPP service will replace the mechanism carriers normally use to turn cell phone tower connection data into a trove of information about users’ movements. And it will also offer a Relay service that disassociates a user’s IP address from their web browsing.
PGPP’s ability to mask your phone’s identity from cell towers comes from a revelation about why cell towers collect the unique identifiers known as IMSI numbers, which can be tracked by both telecoms and other entities that deploy devices known as IMSI catchers, often called stingrays, which mimic a cell tower for surveillance purposes. Raghavan and Schmitt realized that at its core, the only reason carriers need to track IMSI numbers before allowing devices to connect to cell towers for service is so they can run billing checks and confirm that a given SIM card and device are paid up with their carrier. By acting as a carrier themselves, Invisv can implement their PGPP technology that simply generates a “yes” or “no” about whether a device should get service.
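The point of the design above is that the network only needs the answer to "is this device paid up?", not the identity behind the answer. The toy model below is an added example, not Invisv's or PGPP's code, and it assumes the yes/no proof is a Chaum-style RSA blind signature issued by the carrier's billing side (the real service's protocol is not described in the article). It runs the same subscriber past three towers under the legacy IMSI check and under the token check, then shows what each tower log reveals. The RSA key, the IMSI and the account name are constructed toy values.

```python
"""Added example, not Invisv's or PGPP's code: a toy model of replacing the
persistent IMSI check with an unlinkable 'paid up: yes/no' proof.
Assumption: the proof is a Chaum-style RSA blind signature issued by the
carrier's billing side.  The RSA key is a deliberately tiny toy key."""
import hashlib
import math
import secrets

# Toy carrier signing key (constructed; far too small for real use).
P, Q = 1009, 1013
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)  # private exponent via modular inverse (Python 3.8+)

# Constructed sample data.
PAID_ACCOUNTS = {"acct-42"}          # billing knows who has paid
ACTIVE_IMSIS = {"310150123456789"}   # legacy: towers check the IMSI itself


def h(token: bytes) -> int:
    """Map a token into the RSA group."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def blind(token: bytes) -> tuple:
    """Subscriber: hide the token behind a random factor before it is signed."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (h(token) * pow(r, E, N)) % N, r


def sign_blinded(account: str, blinded: int):
    """Billing: sign the blinded value only for an account that has paid.
    It never sees the token, so it cannot later match it to an attach."""
    if account not in PAID_ACCOUNTS:
        return None
    return pow(blinded, D, N)


def unblind(blinded_sig: int, r: int) -> int:
    """Subscriber: strip the blinding factor, leaving a plain signature on h(token)."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Tower: the whole 'should this device get service?' check is a yes/no."""
    return pow(sig, E, N) == h(token)


def attach_imsi(imsi: str, tower: str, log: list) -> bool:
    """Legacy attach: the tower records the same persistent identifier every time."""
    log.append((tower, imsi))
    return imsi in ACTIVE_IMSIS


def attach_pgpp(token: bytes, sig: int, tower: str, log: list, spent: set) -> bool:
    """Token attach: the tower records a single-use token and rejects replays."""
    if token in spent or not verify(token, sig):
        return False
    spent.add(token)
    log.append((tower, token.hex()))
    return True


def movement_trail(log: list) -> dict:
    """What a tower log (or an IMSI catcher) reveals: identifiers seen at more than one tower."""
    seen = {}
    for tower, ident in log:
        seen.setdefault(ident, []).append(tower)
    return {ident: towers for ident, towers in seen.items() if len(towers) > 1}


def simulate(towers=("tower-A", "tower-B", "tower-C")) -> tuple:
    """One subscriber moves across three towers under both schemes."""
    imsi_log, token_log, spent = [], [], set()
    for tower in towers:
        attach_imsi("310150123456789", tower, imsi_log)
        token = secrets.token_bytes(16)
        blinded, r = blind(token)
        sig = unblind(sign_blinded("acct-42", blinded), r)
        assert attach_pgpp(token, sig, tower, token_log, spent)
    return movement_trail(imsi_log), movement_trail(token_log)


if __name__ == "__main__":
    imsi_trail, token_trail = simulate()
    print("IMSI log links the device to:", imsi_trail)    # one IMSI -> all three towers
    print("Token log links the device to:", token_trail)  # {} : nothing to join
```

Billing sees a blinded value and an account; the tower sees a token and a valid signature. Neither side alone, nor the two logs joined, can tie a tower visit back to the account, which is the property the article's "yes or no" description is getting at. The `spent` set stands in for the replay protection any such scheme needs, since a token that could be reused would itself become a trackable identifier.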
Source: ZDNet via beSpacific
Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.
The Commission voted Thursday to issue a notice of their proposed rulemaking and solicit public comment.
The Federal Trade Commission is looking at boosting its efforts to combat commercial surveillance and relaxed data security, in an effort to protect online consumer privacy.
As part of this effort, the FTC seeks public comment on its Advance Notice of Proposed Rulemaking on online consumer privacy. The FTC is soliciting comments on harms from commercial surveillance and if new rules are necessary to protect people’s privacy and information. “Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like,” FTC Chair Lina M. Khan said. Companies can collect information based on a person’s “online activity, their family and friend networks, browsing and purchasing histories, location and physical movements, and a wide range of other personal details.” This information is then analyzed and used to sell ads or sell products.
“Case-by-case enforcement has not systemically deterred unlawful behavior in this market,” she added.
Source: The New York Times
The Mount Sinai Health System began an effort this week to build a vast database of patient genetic information that can be studied by researchers — and by a large pharmaceutical company. The goal is to search for treatments for illnesses ranging from schizophrenia to kidney disease, but the effort to gather genetic information for many patients, collected during routine blood draws, could also raise privacy concerns.
The data will be rendered anonymous, and Mount Sinai said it had no intention of sharing it with anyone other than researchers. But consumer or genealogical databases full of genetic information, such as Ancestry.com and GEDmatch, have been used by detectives searching for genetic clues that might help them solve old crimes.
(Those two government projects involve whole-genome sequencing, which reveal an individual’s complete DNA makeup; the Mount Sinai project will sequence about 1 percent of each individual’s genome, called the exome.)
A health system in northeast Pennsylvania, Geisinger Health System, has also built a database of more than 185,000 DNA sequences, through a partnership with Regeneron. That database played a role in the discovery of mutations that can protect against obesity and fatty liver disease.