You just create a user, then create a group, then set up MFA, then add the user to the group, then create permissions policies for all of the hundreds of services the user needs to use, then create a Role, then assign the policies to the Role, then the user can use STS to assume the Role, then they have an access token they can use. Make sure that you tag your services and use attribute based access control to make sure your policies have limited access.
SEE! SIMPLE! 😵‍💫
“A writer who waits for ideal conditions under which to work will die without putting a word on paper.”
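To make the last two steps of that procedure concrete, here is an added Terraform example (not code from the post): a role that can only be assumed by an MFA-authenticated caller, tagged so that its permissions policy reaches only EC2 instances carrying the same `project` tag. The role name, the `project` tag key and the account id are placeholders.

```hcl
# Added example; names and the account id are placeholders.
# Trust policy: who may call sts:AssumeRole on the role, and under what condition.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:root"] # placeholder account
    }
    # Refuse the STS call unless the caller authenticated with MFA.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "app_operator" {
  name               = "app-operator"
  assume_role_policy = data.aws_iam_policy_document.trust.json
  # The role's own tag becomes aws:PrincipalTag/project for every session.
  tags = { project = "billing" }
}

# ABAC permissions policy: instead of listing instances per service, the role
# may act only on resources whose "project" tag equals its own.
data "aws_iam_policy_document" "abac" {
  statement {
    actions   = ["ec2:StartInstances", "ec2:StopInstances"]
    resources = ["arn:aws:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/project"
      values   = ["$${aws:PrincipalTag/project}"] # $$ escapes the IAM variable
    }
  }
}

resource "aws_iam_role_policy" "abac" {
  role   = aws_iam_role.app_operator.id
  policy = data.aws_iam_policy_document.abac.json
}

# The users' group gets nothing but the right to assume the role.
data "aws_iam_policy_document" "assume_only" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.app_operator.arn]
  }
}
```

A user in the group who lacks an MFA session is denied at the assume-role step, and a session that does get the role still cannot touch an instance tagged with a different project.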
Good advice on writing, from the greats.
https://www.themarginalian.org/2012/11/20/daily-routines-writers/
We passed it a couple days ago, but it has been 10 years since "On Fire", the strip I did that became the meme "this is fine". https://gunshowcomic.com/648
WARNING FOR ALL AZURE ACTIVE DIRECTORY ADMINS: We will be mandating the use of #Microsoft #Azure Active Directory #MFA “Number Matching” on February 27, 2023. We will be removing the admin controls and enforcing the number match experience tenant-wide for all users as of that date.
For more on why this mitigation is so critically important, read the following: https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/defend-your-users-from-mfa-fatigue-attacks/ba-p/2365677
For a how to guide on enabling Azure AD MFA Number Matching for your tenant: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
Notified Experian on Dec. 23 that their site was allowing anyone to see the credit report for, well, basically anyone, completely bypassing their lame 4-5 multiple guess questions and other security.
Or even in cases (like mine) where trying to get your credit report generates an error saying you have 3 other options for getting your free report from them (calling, mailing, or chat w/ rep). The site said Experian didn't have enough info to validate my identity, but when I changed the url slightly, it showed me my entire report. Glad I checked, too, because the info in there is so completely wrong I don't even know where to start.
So it's Dec. 27, and I still haven't heard anything from Experian. All you needed was the person's name, address, SSN and DOB. This info has been exposed on pretty much most Americans for many years now.
BTW, I checked this with several friends who volunteered to check their own reports, and they were able to fully replicate what I did.
It's bad enough that we can't stop companies like Experian from making $2B a quarter collecting and selling our info, but there has to be some real accountability. And as we saw with the Equifax settlement, class-actions and more laughable "credit monitoring" services aren't going to cut it.
Experian has shown this year especially that it gives exactly zero fscks about securing access to the data that drives its entire business.
https://krebsonsecurity.com/2022/08/class-action-targets-experian-over-account-security/
https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/
https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/