A Review of the Best News of the Week on Identity Management & Web Fraud

What Would Regulating Facebook Look Like? (Wired, Mar 21 2018)
In an interview with WIRED, Mark Zuckerberg seemed to accept the idea of some US regulation. Other countries could provide the blueprint.

Cambridge Analytica controversy: Was there a Facebook data breach? (Graham Cluley, Mar 20 2018)
It’s not fair to describe what happened at Facebook as a data breach.
It’s much worse than that.

Nine years on, Firefox’s master password is still insecure (Naked Security – Sophos, Mar 20 2018)
A researcher has uncovered a big security weakness in the way Firefox secures browser passwords behind a master password.


5 PKI Trends to Expect in the Next Year (Tripwire, Mar 13 2018)
Today, our infrastructure is still coming up against its own challenges, but fortunately there is a wealth of internet security researchers working together and helping the CA/Browser (CA/B) Forum develop new bylaws and baseline requirements that keep PKI in line with current technology.

Telegram Must Give FSB Encryption Keys: Russian Court (SecurityWeek, Mar 20 2018)
Moscow – Russia’s Supreme Court on Tuesday ruled the popular Telegram messenger app must provide the country’s security services with encryption keys to read users’ messaging data, agencies reported.

The Legitimisation of Have I Been Pwned (Troy Hunt, Mar 21 2018)
“Indeed, my own comfort level with the legitimacy of running this service has changed over time and that’s really what I wanted to talk about here in this post: where it’s come from, where it is today and how over time, it’s been increasingly legitimised. This has changed most fundamentally in the last year and a bit so let me start there.”

Fraud Prevention Firm Sift Science Raises $53 Million (SecurityWeek, Mar 21 2018)
Fraud prevention and risk management solutions provider Sift Science today announced that it has closed a $53 million Series D funding round, bringing the total raised to date by the company to $107 million.

W3C Hits Milestone with Web Authentication specification (FIDO Alliance, Mar 20 2018)
WebAuthn is part of the FIDO2 Project to ensure widespread interoperability within the authentication ecosystem among devices, clients, and servers. This new specification from W3C defines how web browsers enable websites to offer simpler, stronger FIDO authentication to users with devices implementing FIDO2 Client to Authenticator Protocol (CTAP).

Twitter Users Bilked out of Big Money by Elon Musk Clones (Infosecurity Magazine, Mar 19 2018)
When a verified celebrity account posts a tweet, a fraud account using the same image and display name responds with a scam offer.

Alphabet’s ‘Outline’ Homebrew VPN Software Offers Open-Source, Easy Set-Up Privacy You Control (Wired, Mar 20 2018)
Alphabet tech incubator Jigsaw wants to make it easy to run your own, more private virtual private network.

Synthetic Voice | Fraudsters Have Your Data — And Your Voice (Pindrop, Mar 21 2018)
Deep neural networks empower a machine to do what traditional biometrics cannot. Pindrop’s Deep Voice™ biometric engine uses this technology to work like a human brain — encompassing both optimistic and skeptical characteristics — and is capable of identifying synthetic speech.

Credential stuffing attack suspected after several UK National Lottery accounts compromised (SC Magazine, Mar 20 2018)
As many as 150 player accounts registered with the UK’s National Lottery were compromised, accessed and potentially viewed by an unauthorised party, according to an online statement from Camelot, the company that operates the lottery. In a credential stuffing attack, username and password pairs leaked from other sites’ breaches are replayed against the login form, so the accounts affected are those whose owners reused a password elsewhere.

Solving Digital Identity for Healthcare (ID.me, Mar 15 2018)
“The great thing about electronic prescription is that you keep the provider in the loop with a trusted device that represents that provider’s identity,” Hall said. “And, once the prescription has been filled, it’s voided. One prescription can’t be filled multiple times, or stolen, so this method stems the fraud driving the opioid crisis.”

LastPass Earns SOC 2 Type II Attestation (LastPass, Mar 21 2018)
A SOC 2 Type I report is a point in time assessment of a company’s systems, how management describes them, and what controls are in place to support them. It’s an expert and widely respected review of how systems and procedures are designed. A SOC 2 Type II report goes the extra mile – it evaluates, over many months, whether those systems and procedures operate effectively.

New Method Proposed for Secure Government Access to Encrypted Data (Dark Reading, Mar 19 2018)
‘Crumple zones’ in crypto mechanisms can make it possible – but astronomically expensive – to access encrypted data, say researchers from Boston University and Portland State University.

Privilege escalation on Unix machines via plugins for text editors (Help Net Security, Mar 20 2018)
Several of the most popular extensible text editors for Unix environments could be misused by attackers to escalate privileges on targeted systems, SafeBreach researchers have found.

Email Fraud is a Top Business Risk for 2018 (Infosecurity Magazine, Mar 20 2018)
Businesses across the globe are concerned about email phishing campaigns

Fake Amazon ad ranks top on Google search results (Naked Security – Sophos, Mar 20 2018)
A tech support scam disguised as an Amazon ad was showing up above even the legitimate Amazon.com search result.

Understanding email fraud: Do you have visibility into email threats? (Help Net Security, Mar 21 2018)
82% of boards are concerned with email fraud, and 59% consider it a top security risk – no longer just an IT issue. Yet 30% of respondents to a survey conducted by Censuswide cited a lack of executive support as a key challenge to email fraud protection deployment, according to Proofpoint.

FIDO Alliance Expands Authenticator Certifications (Infosecurity Magazine, Mar 20 2018)
The FIDO Alliance has expanded its certification program to include multi-level security certifications.