A Review of the Best News of the Week on Identity Management & Web Fraud

Facial recognition fail allows laptop access (Graham Cluley, Apr 24 2019)
“So, I was wondering why the battery on my laptop was running down every time I left it at home. Turns out the kids have been using my election leaflets to get through the facial recognition lock…”

G7 Comes Out in Favor of Encryption Backdoors (Schneier on Security, Apr 23 2019)
“There is a weird belief amongst policy makers that hacking an encryption system’s key management system is fundamentally different than hacking the system’s encryption algorithm. The difference is only technical; the effect is the same. Both are ways of weakening encryption.”

FBI Crime Report Lists Business Email Compromise as Top Scam (eWEEK, Apr 24 2019)
Then, normally when the CEO is on travel, they strike. “There’s usually an urgent email from the CEO or CFO asking for an immediate transfer of funds,”…Because the scammers have been studying the company and its staff for a while, the email will usually contain references that seem to establish legitimacy, such as references to some personal fact or activity. And the tone will resemble language usually used by the senior executive.
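The pattern described above (an executive's name on an urgent request for funds, sent from an address that is not the executive's) is one that mail-filtering rules can flag before a human acts on it. The following is an added example written for this digest, not code from eWEEK or the FBI report. The executive directory, internal domain and the two messages are constructed for the illustration; a real deployment would load the directory from the HR or identity system and tune the keyword lists.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for the example: who the protected executives are and the
# address they legitimately send from (assumption: one canonical address each).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # hypothetical CEO
    "sam lee": "sam.lee@example.com",     # hypothetical CFO
}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|funds|account details)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_bec(raw_message: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message.

    'suspicious' is set only when an identity signal (display-name mismatch,
    look-alike domain or foreign Reply-To) coincides with urgent payment
    language, so an ordinary urgent note from a real executive is not flagged.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    identity, reasons = False, []
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        identity = True
        reasons.append(f"display name '{from_name}' is an executive but sender is {from_addr}")
    if from_domain and from_domain != INTERNAL_DOMAIN and edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        identity = True
        reasons.append(f"sender domain {from_domain} looks like {INTERNAL_DOMAIN}")
    if reply_domain and reply_domain != from_domain:
        identity = True
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    money = bool(URGENCY.search(text) and PAYMENT.search(text))
    if money:
        reasons.append("urgent language combined with payment language")
    return {"suspicious": identity and money, "reasons": reasons}


# Constructed sample messages (not real mail).
SCAM = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: ceo.desk@mail-relay.example.net
To: accounts@example.com
Subject: Urgent wire transfer

I'm travelling and can't take calls. Please transfer the funds to the
vendor today; I'll send the invoice details when I land.
"""

BENIGN = """From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch

Are you free for lunch today?
"""

if __name__ == "__main__":
    for label, m in (("scam", SCAM), ("benign", BENIGN)):
        print(label, score_bec(m))
```

The look-alike check deliberately uses a small edit distance rather than a list of registered typo-squats, so it also catches domains the attacker registered yesterday; the cost is that it will need an allow-list for legitimately similar partner domains.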

FBI’s Facial Recognition Programs Under Fire Over Privacy, Accuracy Concerns (Nextgov, Apr 20 2019)
The bureau has largely ignored the Government Accountability Office’s concerns about its use of facial recognition in criminal investigations.

European Parliament Approves Mass ID Database Plans (Infosecurity Magazine, Apr 23 2019)
Privacy fears of Big Brother state swirl around Brussels

UK’s NCSC Suggests Automatic Blocking of Common Passwords (SecurityWeek, Apr 23 2019)
A recent survey from the UK’s National Cyber Security Centre (NCSC, part of GCHQ), conducted by Ipsos Mori, suggests that 52% consider their most prevalent online security consideration to be protecting their privacy, while 51% consider it to be the loss of their money.
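Blocking common passwords at the point where a user sets one is a simple control, but a naive exact-match check misses the obvious variants ("P@ssw0rd1!" for "password"). The following is an added example for this digest, not code from the NCSC or from SecurityWeek; it goes slightly beyond the headline by normalising the candidate before the lookup. The eight-entry blocklist is a constructed stand-in for a real published list of common passwords, and the eight-character minimum is an assumption, not something the article states.

```python
import re

# Constructed sample; in practice load a full published list of common passwords.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "liverpool",
    "iloveyou", "letmein", "ashley", "blink182",
}

MIN_LENGTH = 8  # assumption for the example, not from the article

# Reverse the usual character substitutions so "p@ssw0rd" compares as "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})
# Trailing digits/punctuation ("2019", "!") are the most common decoration.
_TRAILING = re.compile(r"[\d\W_]+$")


def candidates(password: str):
    """Yield the forms of a password that should be looked up in the blocklist."""
    base = password.lower()
    yield base                      # exact match first, so "123456" is caught as-is
    stripped = _TRAILING.sub("", base)
    if stripped and stripped != base:
        yield stripped
    for form in (base, stripped):
        unleeted = form.translate(_LEET)
        if unleeted and unleeted != form:
            yield unleeted


def is_blocked(password: str, blocklist=COMMON_PASSWORDS):
    """Return the blocklist entry the password reduces to, or None if it is clean."""
    seen = set()
    for form in candidates(password):
        if form in seen:
            continue
        seen.add(form)
        if form in blocklist:
            return form
    return None


def check_password(password: str) -> list:
    """Return the list of reasons to reject the password (empty means accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hit = is_blocked(password)
    if hit:
        problems.append(f"too common (matches '{hit}')")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Liverpool2019", "123456", "correct horse battery staple"):
        print(repr(pw), check_password(pw) or "ok")
```

The check runs only against the list, never against the user's other attributes, and returns which entry matched so the rejection message can say why; returning nothing more than a boolean tends to produce "add another exclamation mark" behaviour from users.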

DHS plan for face scanning at airports sparks alarm (TheHill, Apr 24 2019)
Lawmakers and civil liberties advocates are calling on the Department of Homeland Security (DHS) to halt plans to begin using facial recognition technology on nearly all departing air passengers within the next four years.

GoDaddy Removes 15,000 Subdomains That Were Scamming Users (eWEEK, Apr 25 2019)
Researchers from the Unit 42 threat intelligence team at Palo Alto Networks discovered a vast network of scam affiliate marketing sites that were using subdomains set up on compromised GoDaddy user accounts.

Helpdesk 101: How to Safeguard Access to the Admin Dashboard – The LastPass Blog (The LastPass Blog, Apr 25 2019)
“we soon realized that an all-or-nothing approach to admin access didn’t meet the needs of many organizations. What if the Finance department needed to view billing statements? Or what if the IT helpdesk staff needed to help employees with basic LastPass tickets? The challenge was giving key employees access to the information they needed to do their jobs – without giving them the ability to change policies, delete users, or potentially abuse LastPass admin powers.”

NYC subway denies using “real-time face recognition screens” in Times Square (The Verge, Apr 20 2019)
The camera feed is just there to scare fare-evaders.

NYPD forgets to redact facial recognition docs, asks for them back (Naked Security – Sophos, Apr 24 2019)
The privacy think tank had them for 20 days, and one of the docs was already displayed at a conference, but the NYPD is still clawing them back.

Creator of Hub for Stolen Credit Cards Sentenced to 90 Months (Dark Reading, Apr 18 2019)
Coming eight years after he launched the site, the steep sentence for the cybercriminal operator is based on a tab of $30 million in damages calculated by Mastercard and other credit card companies.

Will the US Adopt a National Privacy Law? (Dark Reading, Apr 23 2019)
Probably not before the 2020 election. But keep an eye on this Congress as legislators debate how to define personal data and what limits to place on how companies use it.

Washington state legislature passes data breach law, but punts on privacy law (SC Magazine, Apr 23 2019)
The Washington state legislature went one-for-two this month in its attempt to pass major data breach and privacy regulations. Lawmakers unanimously passed HB 1071, which firms up and expands requirements for public breach notifications, but the state apparently has failed to approve a sweeping new state privacy law…

Where data privacy executives plan to focus their strategies and budgets (Help Net Security, Apr 25 2019)
The top five priorities for 2019 are:
– Adapting to a volatile regulatory environment
– Establishing a privacy strategy to support digital transformation
– Implementing an effective third-party risk management program
– Strengthening customer trust and brand loyalty
– Identifying metrics to measure privacy program effectiveness

Facebook sets aside $3 billion in anticipation of FTC privacy violations fine (SC Magazine, Apr 25 2019)
Facebook’s Q1 2019 financial results may have beaten Wall Street expectations – racking up $15.08 billion rather than the predicted $14.97 billion – but its earnings per share were dampened by the $3 billion the company put aside in anticipation of fines that will be owed to the Federal Trade Commission (FTC) for consumer privacy violations.…

Teen sues Apple for $1 billion over Apple stores’ facial recognition (Naked Security – Sophos, Apr 25 2019)
He claims that Apple uses the technology to spot shoplifters and that it falsely linked him to a series of Apple store thefts.

Eight Steps to Data Privacy Regulation Readiness (SecurityWeek, Apr 25 2019)
With more legislation expected, every company should ensure they have a robust framework in place along with strong data mapping capabilities to both understand what information they’re collecting, by whom, how it’s being disclosed, and how best to ensure they’re responsive to both consumers and requirements under the law.

6 Ways Attackers Are Still Bypassing SMS 2-Factor Authentication (SecurityWeek, Apr 24 2019)
In theory, non-SMS 2FA has a smaller threat surface (drop 1-4). Social engineering (5) is always going to work; that problem can’t be fixed by technology. The final attack method, as shown by the Modlishka framework (6), is the one that concerns me the most and is the inspiration for this listicle.

Congress asks Google to explain why it tracks users’ ‘whole pattern of life’ (BitDefender, Apr 25 2019)
The US Congress has issued an open letter asking Google CEO Sundar Pichai to explain in detail why his company keeps a database of the precise location information of hundreds of millions of consumers.