A Review of the Best News of the Week on Identity Management & Web Fraud

Account security – a divided user perception (Elie Bursztein, Feb 18 2019)
This post considers the perception clash that exists between what users perceive to be their most valuable accounts (email and social networks) and those they think they should protect the most (online banking).

Mega-crackers back with nearly 100 million new stolen data records (Naked Security – Sophos, Feb 18 2019)
Sounds like the crooks who tried to sell more than 600 million records last week are back with nearly 100 million more…

US Facebook Fine Over Privacy Could Be in Billions: Reports (SecurityWeek, Feb 18 2019)
A US investigation into privacy violations by Facebook could result in a record fine running to billions of dollars, media reports said Friday.

UK committee hammers Facebook on privacy failures (SC Magazine, Feb 19 2019)
A U.K. parliament report condemning a multitude of actions by Facebook called for closer regulation of the social media giant stating the company often ignored its own privacy policy and its executives were less than forthcoming when testifying before a parliament committee.

Value of Stolen Card and Amazon Account Details Rockets (Infosecurity Magazine, Feb 21 2019)
Top10VPN report reveals surging dark web prices in some categories.

Password managers leaking data in memory, but you should still use one (Naked Security – Sophos, Feb 21 2019)
Several popular password managers appear to do a weak job at scrubbing passwords from memory once they are no longer being used.

Introducing the WebAuthn Authenticator Open-Source Library (The Duo Blog, Feb 13 2019)
…recent work has centered around demystifying WebAuthn and making it more accessible and understandable to end-users and developers alike. Toward the end of January we announced our new Guide to Web Authentication, as well as the revamp of webauthn.io, our WebAuthn demonstration site.

Report describes Scarlet Widow romance cyber scam (SC Magazine, Feb 14 2019)
“They string their victims along for months or even years, always finding a new reason to request money, always finding an excuse for being unable to meet in person,” ACID says. Typical targets are farmers, the elderly, the disabled, and divorced.

NATO Group Catfished Soldiers to Prove a Point About Privacy (Wired, Feb 18 2019)
With $60 and a few fake Facebook accounts, researchers were able to identify service members in a military exercise, track their movement, and even persuade them to disobey orders.

Potential Privacy Lapse Found in Americans’ 2010 Census Data (SecurityWeek, Feb 19 2019)
An internal team at the Census Bureau found that basic personal information collected from more than 100 million Americans during the 2010 head count could be reconstructed from obscured data, but with lots of mistakes, a top agency official disclosed Saturday.

API Security: Applying the Separation of Concerns Design Principle (Forgerock Blog, Feb 11 2019)
You may have been wondering what a clever person like Edsger Dijkstra would have considered the best way to approach API security. You aren’t the only one.

Hackers Found Phishing for Facebook Credentials (Dark Reading, Feb 15 2019)
A “very realistic-looking” login prompt is designed to capture users’ Facebook credentials, researchers report.

Azure AD Identity Protection now revolves around risky users and risky sign-ins (Help Net Security, Feb 15 2019)
Launched in September 2018, Microsoft Threat Protection (MTP) integrates a number of Microsoft services to provide a fully integrated, end-to-end solution for securing the entire attack surface of enterprises: identities, endpoints, user data, cloud apps, and infrastructure.

Will the EU’s new copyright directive ruin the web? (Naked Security – Sophos, Feb 18 2019)
Articles 11 and 13 live on, with the dreaded ‘link tax’, ‘meme killer’, ‘censorship machine’ and all.

If you think your deleted Twitter DMs are sliding into the trash, you’re wrong (Naked Security – Sophos, Feb 19 2019)
They’re never deleted, just erased from the UI. You can still see archived messages if you download your data.

How to build privacy for security and achieve sustained compliance (SC Magazine, Feb 19 2019)
“Privacy must be built into the product and operations of a company by design and by default. Your goal in building a privacy team is to create a mentality shift whereby every member of the company gives pause to consider the privacy implications of their actions. Only when this mindset settles in across the entire organization can companies achieve ongoing compliance.”

450,000 usernames and passwords stolen from Coinmama cryptocurrency broker (Graham Cluley, Feb 19 2019)
Coinmama, a site that is supposed to “make it fast, safe and fun” to buy Bitcoins and Ethereum with a credit card, has suffered a data breach that has resulted in almost half a million customers having their personal details breached.

Hard-to-detect credential-theft malware has infected 1,200 and is still going (Ars Technica, Feb 20 2019)
Separ’s living-off-the-land approach bypasses many antimalware providers.

The Anatomy of a Lazy Phish (Dark Reading, Feb 20 2019)
A security engineer breaks down how easy it is for unskilled attackers to trick an unsuspecting user to submit credentials to a phishing site.

Phishers’ new trick for bypassing email URL filters (Help Net Security, Feb 20 2019)
Phishers have come up with another trick to make Office documents carrying malicious links undetectable by many e-mail security services: they delete the links from the document’s relationship file (xml.rels). The trick has been spotted being used in an email spam campaign aimed at leading victims to a credential harvesting login page. Why does this approach work? “Office documents (.docx, .xlsx, .pptx) are made up of a number of XML files that include all the …