A Review of the Best News of the Week on Identity Management & Web Fraud

A new camera can photograph you from 45 kilometers away (MIT Tech Review, May 13 2019)
Developed in China, the lidar-based system can cut through city smog to resolve human-sized features at vast distances.

San Francisco Bans Facial Recognition Use by Police and the Government (VICE, May 14 2019)
The technology hub is now the first US city to have issued a moratorium on the invasive spy technology.

Amazon Is Losing the War on Fraudulent Sellers (Schneier on Security, May 09 2019)
“Excellent article on fraudulent seller tactics on Amazon: The most prominent black hat companies for US Amazon sellers offer ways to manipulate Amazon’s ranking system to promote products, protect accounts from disciplinary actions, and crush competitors. Sometimes, these black hat companies bribe corporate Amazon employees to leak information from the company’s wiki pages and business reports, which they then resell to marketplace sellers for steep prices.”

Google ups commitment to privacy (SC Magazine, May 09 2019)
Google Tuesday punched up its privacy commitment in Made By Google products, making it easier for Chrome users to block or clear cookies and baking privacy into its products. Promising to be transparent about data collection, not to sell personal information and to give users more control over reviewing, moving and deleting data…

Reverse Engineering a Chinese Surveillance App (Schneier on Security, May 13 2019)
Human Rights Watch has reverse engineered an app used by the Chinese police to conduct mass surveillance on Turkic Muslims in Xinjiang. The details are fascinating, and chilling.

A Tough Week for IP Address Scammers (Krebs on Security, May 15 2019)
“In the early days of the Internet, there was a period when Internet Protocol version 4 (IPv4) addresses (e.g. 4.4.4.4) were given out like cotton candy to anyone who asked. But these days companies are queuing up to obtain new IP space from the various regional registries that periodically dole out the prized digits. With the value of a single IP hovering between $15-$25, those registries are now fighting a wave of shady brokers who specialize in securing new IP address blocks under false pretenses and then reselling to spammers. Here’s the story of one broker who fought back in the courts, and lost spectacularly.”

Is curiosity killing patient privacy? (Help Net Security, May 08 2019)
Though employees can lose their jobs, their professional licenses, or even face prison time for inappropriately accessing or sharing a patient’s data, the temptation to snoop often proves too great. In fact, almost 60 percent of healthcare data breaches originate from insiders.

Don’t Tackle Data Privacy Alone (Gartner Blog Network, May 14 2019)
The most common misconception around data privacy, however, is that the CIO is always accountable. Although the CIO plays a vital role in data privacy, it is an enterprise-wide concern that needs the support of other risk functions.

GoTrustID releases a smart phone alternative to USB FIDO Key (Help Net Security, May 12 2019)
A Bluetooth (BLE) connection between your phone and your computer replaces the USB FIDO Key.

Websites Continue to Collect PII Data Insecurely (Infosecurity Magazine, May 09 2019)
A year on from the GDPR compliance deadline, 10% of websites are not collecting data securely.

Holiday Scammers Made £7m in 2018 (Infosecurity Magazine, May 08 2019)
Warning to UK travellers of a possible rise in fraud this summer.

FTC renews call for single federal privacy law (Naked Security – Sophos, May 10 2019)
It also wants to be the country’s data-privacy police: commissioners called for more resources and ability to impose penalties.

DHS warns against ‘password spray’ brute force attacks (SC Magazine, May 09 2019)
The DHS recently issued a warning against the use of common or easily guessed passwords after several government agencies were targeted by “password spray” attacks. In these attacks, brute-force login attempts try to break into accounts using these simple passwords with the goal of stealing sensitive information, and unlike social engineering…

Create fine-grained session permissions using IAM managed policies (AWS Security Blog, May 13 2019)
As a security best practice, AWS Identity and Access Management (IAM) recommends that you use temporary security credentials from AWS Security Token Service (STS) when you access your AWS resources. Temporary credentials are short-term credentials generated dynamically and provided to the user upon request.

What The NIST Privacy Framework Draft Means For Privacy and Cybersecurity (Cybersaint, May 16 2019)
CyberSaint Chief Product Officer Padriac O’Reilly shares his thoughts on the draft NIST Privacy Framework and how it will connect to the wildly popular NIST CSF.

Microsoft Builds on Decentralized Identity Vision (Dark Reading, May 15 2019)
The company elaborates on its plan to balance data control between businesses and consumers by giving more autonomy to individuals.

$100 million GozNym cybercrime network dismantled as suspects charged (Graham Cluley, May 16 2019)
The sophisticated conspiracy saw tens of thousands of victims’ computers infected with the GozNym malware in order to steal online banking passwords, and raid accounts.

SilverTerrier – 2018 Nigerian Business Email Compromise (Palo Alto Unit42, May 16 2019)
Email applications topped the list with SMTP, POP3, and IMAP securing the first, second, and fourth most common delivery applications, respectively. In terms of metrics, we observed malware in 219k SMTP sessions, 46k POP3 sessions, and 8.4k IMAP sessions. Web browsing remained the third most common delivery application with malware detected in 20k sessions while FTP ranked fifth with only 654 sessions.