A Review of the Best News of the Week on Identity Management & Web Fraud

Biometrics Flaws Uncovered To Bypass Apple FaceID (Threatpost, Aug 15 2019)
Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair of glasses and placing them on the victim’s face, the researchers demonstrated how they could bypass Apple’s FaceID in a specific scenario. The attack itself is difficult, given the bad actor would need to figure out how to put the glasses on an unconscious victim without waking them up.

Huge database found leaking biometric, personal info of millions (Help Net Security, Aug 14 2019)
While working on a web-mapping project, vpnMentor researchers Noam Rotem and Ran Locar discovered a publicly accessible database containing fingerprint records of over 1 million users, facial recognition information, personal information and much more.

Kaspersky Makes Changes After Products Raise Privacy Concerns (SecurityWeek, Aug 15 2019)
Kaspersky has made some changes to the way its products check web pages for malicious activity after a researcher discovered an issue that could have been exploited to track users online.


One of My Favorite Things
Since I started this curated newsletter in June 2017, I’ve clipped ~10,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Now you can use Android phones, rather than passwords, to log into Google* (Ars Technica, Aug 12 2019)
For now, fingerprint or lock screen authentication applies only to one Google property.

Protecting your organization against privileged identity theft (Help Net Security, Aug 14 2019)
Gartner recently listed privileged accounts as the number one project for security teams because privileged accounts have such a high probability of being breached.

#BHUSA: How GDPR Can Help Attackers Steal Identities (Infosecurity Magazine, Aug 08 2019)
A GDPR component was abused to get access to personally identifiable information

Instagram boots ad partner for location tracking and scraping stories (Naked Security – Sophos, Aug 09 2019)
A “preferred Facebook Marketing Partner” is alleged to have tracked millions of Instagram users’ locations and stories.

Twitter may have shared your data with its ad partners without your permission (Naked Security – Sophos, Aug 08 2019)
Some user data, such as country and device type, was exposed to some advertisers for over a year.

Your Skype Translator calls may be heard by humans (Naked Security – Sophos, Aug 09 2019)
A Skype Translator insider claims it’s good because humans are listening in and helping to train its artificial intelligence.

Researcher: GDPR’s Right of Access policy can be abused to steal others’ personal info (SC Magazine, Aug 09 2019)
An Oxford University scholar says he was able to trick dozens of European companies into sending him sensitive data about his fiancée, simply by impersonating her while invoking GDPR’s “Right of Access” policy.

FBI Plans to Monitor Social Media May Spark Privacy Issues (Dark Reading, Aug 12 2019)
A new initiative to pull data from social media platforms may clash with policies prohibiting the use of information for mass surveillance.

South Wales Police Slammed for New Facial Recog App (Infosecurity Magazine, Aug 12 2019)
Force under fire as court case continues

Chrome Incognito mode detection fix busted by researchers (Naked Security – Sophos, Aug 13 2019)
Remember that Chrome update that stopped websites from detecting Incognito mode? Well, researchers claim to have found a way around it.

DLL Hijacking Flaws Patched in Trend Micro Password Manager (SecurityWeek, Aug 15 2019)
Trend Micro recently patched a couple of DLL hijacking vulnerabilities in Password Manager that could allow malicious actors to escalate privileges, make their malware persistent, and to load and execute their payloads via a signed service.

Owners of Fake Tech Company Plead Guilty to Fraud Charges (SecurityWeek, Aug 15 2019)
Two Florida men have pleaded guilty to wire fraud charges filed in southern Illinois, where they targeted people with fake technical support services.

Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says (VICE, Aug 15 2019)
New ‘Password Checkup’ Chrome extension found 1.5 percent of all website logins use compromised credentials, a figure that’s higher for porn websites.

The Facial Recognition System Amazon Sells to Cops Can Now Detect ‘Fear’ (VICE, Aug 13 2019)
Activists fear more family separations and round-ups as Amazon expands its face surveillance offerings.

Amazon’s Facial Recognition Misidentified 1 in 5 California Lawmakers as Criminals (VICE, Aug 13 2019)
The ACLU tested Rekognition, Amazon’s facial recognition technology, on photographs of California lawmakers. It matched 26 of them to mugshots.

Federal court says Facebook users can sue over use of facial recognition technology (SC Magazine, Aug 09 2019)
A federal appeals court has given Facebook users the nod to sue the social media giant for violating their privacy rights by using facial recognition technology without their consent.

Appeals court rejects Google privacy settlement over tracking cookies (SC Magazine, Aug 07 2019)
A federal appeals court tossed Google’s settlement of a class action suit accusing the company of privacy violations by using tracking cookies despite users’ privacy settings saying otherwise. A three-member Third Circuit Court of Appeals panel said it was unclear if the proposed $5.5 million settlement was sufficient or fair…