Subject: Stumbling blocks abound in federal push to stronger identity and access management, CISA and NSA panel finds
Source: CISA/NSA via FedScoop
New federal guidance identifies challenges in agency adoption and implementation of multi-factor authentication and single sign-on security services. The adoption and implementation of multi-factor authentication and single sign-on security protocols at federal agencies have hit myriad roadblocks amid the government’s push to fully embrace the zero-trust cybersecurity goals set by the Office of Management and Budget last year, a report from the Cybersecurity and Infrastructure Security Agency and the National Security Agency found. The guidance released this week from a CISA- and NSA-led panel of government and industry experts highlighted confusion over MFA terminology and vague policy instructions as primary challenges that have so far prevented seamless application of the user authentication process…
RSS Feed: https://fedscoop.com/feed/
Sample tagged RSS feed: https://fedscoop.com/tag/identity-and-access-management/feed/
Source: Krebs on Security
Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.
KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain usps.informedtrck[.]com.
The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information.
This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations.
A search on this domain at the always-useful URLscan.io shows that fly.linkcdn[.]to is tied to a slew of USPS-themed phishing domains. Here are just a few of those domains (links defanged to prevent accidental clicking):
Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the United Parcel Service (UPS) disclosed that fraudsters were abusing an online shipment tracking tool in Canada to send highly targeted SMS phishing messages that spoofed the UPS and other brands.
iapp, Simson Garfinkel, CIPP/US: “Features designed to improve privacy and protect children in online services, apps and networked devices also make it easier for abusers to maintain control in abusive relationships. “Ever since caller ID and GPS became part of our lives, we’ve known that digital technologies can be used by abusers to harm or track their victims, and that’s only become more complicated and more prevalent as technology has,” Clinic to End Tech Abuse Director of Operations Lana Ramjit told an audience of cybersecurity professionals and academics at the USENIX Association’s Enigma 2023 Conference in January. Ramjit’s clinic, one of three in the U.S. dedicated to helping people in abusive relationships where technology plays an important factor, recently published a toolkit for others seeking to set up their own tech abuse clinics. …
Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.