Pete Recommends – Weekly highlights on cyber security issues, October 14, 2023

Subject: Stumbling blocks abound in federal push to stronger identity and access management, CISA and NSA panel finds
Source: CISA/NSA via FedScoop

New federal guidance identifies challenges in agency adoption and implementation of multi-factor authentication and single sign-on security services. The adoption and implementation of multi-factor authentication and single sign-on security protocols at federal agencies has hit myriad roadblocks amid the government’s push to fully embrace the zero-trust cybersecurity goals set by the Office of Management and Budget last year, a report from the Cybersecurity and Infrastructure Security Agency and the National Security Agency found. The guidance released this week from a CISA- and NSA-led panel of government and industry experts highlighted confusion over MFA terminology and vague policy instructions as primary challenges that have so far prevented seamless application of the user authentication process….

Subject: Phishers Spoof USPS, 12 Other Natl’ Postal Services
Source: Krebs on Security

Recent weeks have seen a sizable uptick in the number of phishing scams targeting U.S. Postal Service (USPS) customers. Here’s a look at an extensive SMS phishing operation that tries to steal personal and financial data by spoofing the USPS, as well as postal services in at least a dozen other countries.

KrebsOnSecurity recently heard from a reader who received an SMS purporting to have been sent by the USPS, saying there was a problem with a package destined for the reader’s address. Clicking the link in the text message brings one to the domain usps.informedtrck[.]com.

The landing page generated by the phishing link includes the USPS logo, and says “Your package is on hold for an invalid recipient address. Fill in the correct address info by the link.” Below that message is a “Click update” button that takes the visitor to a page that asks for more information.

This phishing domain was recently registered and its WHOIS ownership records are basically nonexistent. However, we can find some compelling clues about the extent of this operation by loading the phishing page in Developer Tools, a set of debugging features built into Firefox, Chrome and Safari that allow one to closely inspect a webpage’s code and operations.

A search on this domain at the always-useful shows that fly.linkcdn[.]to is tied to a slew of USPS-themed phishing domains. Here are just a few of those domains (links defanged to prevent accidental clicking):

Phishers tend to cast a wide net and often spoof entities that are broadly used by the local population, and few brands are going to have more household reach than domestic mail services. In June, the United Parcel Service (UPS) disclosed that fraudsters were abusing an online shipment tracking tool in Canada to send highly targeted SMS phishing messages that spoofed the UPS and other brands.

Subject: Privacy professionals need to be aware of tech abuse
Source: iapp

iapp, Simson Garfinkel, CIPP/US: “Features designed to improve privacy and protect children in online services, apps and networked devices also make it easier for abusers to maintain control in abusive relationships. “Ever since caller ID and GPS became part of our lives, we’ve known that digital technologies can be used by abusers to harm or track their victims, and that’s only become more complicated and more prevalent as technology has,” Clinic to End Tech Abuse Director of Operations Lana Ramjit told an audience of cybersecurity professionals and academics at the USENIX Association’s Enigma 2023 Conference in January. Ramjit’s clinic, one of three in the U.S. dedicated to helping people in abusive relationships where technology plays an important factor, recently published a toolkit for others seeking to set up their own tech abuse clinics. …

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: Is That ATM Safe? 8 Tips to Protect Your Debit or Credit Card
Source: PC Mag

“The idea of looking for ATM skimmers before you insert your card isn’t new. But checking for tampering on a point-of-sale device can be difficult, and until recently, it wasn’t necessary since those devices were usually operated by human employees. Now that more retailers are ditching human cashiers for self-checkout options, there are more chances for thieves to attach credit card skimmers to payment machines and ATMs and steal your money. For more about the motives and technology behind these kinds of crimes, check out our deep dive into the world of credit card shimming and skimming. To protect yourself from these kinds of attacks on your bank account, read our tips below and keep them in mind whenever you use an unattended payment machine…”

Subject: Cybercrime Classification and Measurement
Source: National Academies

Under congressional mandate, the National Academies’ Committee on National Statistics (CNSTAT), Computer Science and Telecommunications Board (CSTB), and Committee on Law and Justice (CLAJ) will conduct a consensus panel study to review current measurement and reporting of cybercrime, developing a taxonomy that can be used to measure cyber-enabled and cyber-dependent crimes experienced by individuals and businesses. This study will build on the Modernizing Crime Statistics consensus study (National Academies of Sciences, Engineering, and Medicine, 2016, 2018) and a study by the U.S. Government Accountability Office (2023), and is sponsored by the Federal Bureau of Investigation.