CyberSecurity News of Note

Here’s the last of the news chum collections for this morning. This one has to do with safety and security.

  • Tiny Dots and Phish. Hopefully, you’ve been getting trained on how to recognize phishing threats, and how to distrust links in email or on websites. But it’s getting even trickier, as this article notes. Miscreants are using characters in other character sets that ļȯоķ like other characters. Hint: Always look at how addresses look when you hover over them, and even then be suspicious.
  • Complex Passwords Don’t Solve All Problems. So you’ve gotten smart: you are using complex passwords everywhere. But every solution contains a problem: reusing complex passwords can give your identity away. Research showed that the rarer your password is, the more it “uniquely identifies the person who uses it. If a person uses the same unique password with multiple accounts, then that password can be used as a digital fingerprint to link those accounts.” Although this is not a new finding, there seems to be a lack of awareness about the practice. Remember: complex passwords, never reused, and use a password manager.
  • Two Factor Authentication. Using 2FA can also help. Here’s a handy guide on how to set it up on most major websites. Here’s a list of all major websites, and whether they support 2FA.
  • Protecting Your Social Security. This article from Brian Krebs explores abuse of the Social Security system, and contains some advice I hadn’t known: go create your account at SSA.gov now to protect yourself. That’s something I need to do; I tried to do it this morning but it wouldn’t accept the proof for the upgraded account, and I have to (a) find a previous year’s W2 and (b) wait 24 hours to try again.
  • Predicting Problems. A few articles on predictive algorithms. One explores whether predictive algorithms should be part of public policy. Essentially, should they have a hand in shaping jail sentences and predicting public policies? Government agencies are now using algorithms and data mining to predict outcomes and behaviors in individuals, and to aid decision-making. In a cyber-vein, there are calls to add prediction to the NIST cyber-security framework. The argument: With AI and machine learning, companies should now be considering how to predict threats before they even appear. Speaking of the NIST Framework, Ron Ross tweets that it is being incorporated into FIPS 200 and the RMF.
  • Building It In. The NIST effort — especially with SP 800-160 — is to emphasize the importance of engineering in and designing in security from the very beginning, not bolting it on at the end. Good news: The government is finally coming around to that realization as well. The link is a summary of the recent updates to the NIST pub. It’s an area I’ve been exploring as well, and I’ve been working on some modifications to the process to make it even more accepted. The first report on the effort is under review right now; I hope to publish something soon.
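
The lookalike-character trick from the "Tiny Dots and Phish" item can be checked mechanically rather than by eye. The following is an added example, not code from the linked article: it decodes punycode labels and reports hostname labels that mix scripts or contain any non-ASCII characters. The function names and sample hostnames are constructed for illustration, and the script is only approximated from the first word of each Unicode character name.

```python
import unicodedata

def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else None   # digits and '-' are script-neutral
    if unicodedata.category(ch).startswith("M"):
        return None                                 # combining marks inherit the base script
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:                              # unnamed or unassigned code point
        return "UNKNOWN"

def decode_label(label):
    """Turn an 'xn--' (punycode) label back into the Unicode text a browser may render."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label                            # malformed punycode: audit the raw label
    return label

def audit_hostname(host):
    """Return one finding per label that contains non-ASCII characters."""
    findings = []
    for raw in host.rstrip(".").split("."):
        label = decode_label(raw)
        codepoints = sorted({f"U+{ord(c):04X}" for c in label if not c.isascii()})
        if not codepoints:
            continue
        scripts = sorted({s for s in map(char_script, label) if s})
        # Mixed scripts inside one label are the classic lookalike pattern; a
        # single non-Latin script can still imitate a Latin name, so report both.
        reason = "mixed-script" if len(scripts) > 1 else "non-ascii-single-script"
        findings.append({"label": label, "reason": reason,
                         "scripts": scripts, "codepoints": codepoints})
    return findings

# Constructed sample hostnames (not taken from the article).
SAMPLES = ["example.com", "ex\u0430mple.com", "\u013c\u022f\u043e\u0137.example",
           "\u0430\u0440\u0440\u04cf\u0435.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(ascii(host), audit_hostname(host))
```

Legitimate internationalized names also land in the single-script bucket, so treat that result as a prompt for review rather than a verdict.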

 
