A Review of the Best News of the Week on Identity Management & Web Fraud

The CA DMV Is Making $50M a Year Selling Drivers’ Personal Info (Vice, Nov 25 2019)
A document obtained by Motherboard shows how DMVs sell people’s names, addresses, and other personal information to generate revenue.

NYPD fingerprint database touched by ransomware (SC Magazine, Nov 25 2019)
The New York City Police Department’s fingerprint database was hit with ransomware in October 2018, a local newspaper learned. The attack was brought in by a third-party vendor who was installing video equipment at the NYPD’s police academy when it connected its infected computer to the police network, according to the New York Post.

Healthcare Execs Charged in $1Bn Fraud Scheme (Infosecurity Magazine, Nov 27 2019)
According to the Department of Justice, the group sold pharmaceuticals clients ad inventory that they didn’t have, and under-delivered on ad campaigns, before falsifying performance data and patient engagement metrics.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Scammers try a new way to steal online shoppers’ payment-card data (Ars Technica, Nov 22 2019)
Rather than infecting a merchant’s checkout page with malware that skims the information, the thieves trick users into thinking they’ve been redirected to an authorized third-party payment processor.

New for Identity Federation – Use Employee Attributes for Access Control in AWS (AWS News Blog, Nov 22 2019)
When you manage access to resources on AWS or many other systems, you most probably use Role-Based Access Control (RBAC). When you use RBAC, you define access permissions to resources, group these permissions in policies, assign policies to roles, assign roles to entities such as a person, a group of persons, a server, an application, etc. Many AWS customers told us they are doing so to simplify granting access permissions to related entities, such as persons sharing similar business functions in the organisation.

Use attribute-based access control with AD FS to simplify IAM permissions management (AWS Security Blog, Nov 25 2019)
AWS Identity and Access Management (IAM) allows customers to provide granular access control to resources in AWS. One approach to granting access to resources is to use attribute-based access control (ABAC) to centrally govern and manage access to your AWS resources across accounts. Using ABAC enables you to simplify your authentication strategy by enabling you to scale your authorization strategy by granting access to groups of resources, as specified by tags, as opposed to managing long lists of individual resources.

Continuously monitor unused IAM roles with AWS Config (AWS Security Blog, Nov 20 2019)
Developing in the cloud encourages you to iterate frequently as your applications and resources evolve. You should also apply this iterative approach to the AWS Identity and Access Management (IAM) roles you create. Periodically ensuring that all the resources you’ve created are still being used can reduce operational complexity by eliminating the need to track unnecessary resources.

Identify unused IAM roles and remove them confidently with the last used timestamp (AWS Security Blog, Nov 19 2019)
As you build on AWS, you create AWS Identity and Access Management (IAM) roles to enable teams and applications to use AWS services. As those teams and applications evolve, you might only rely on a sub-set of your original roles to meet your needs. This can leave unused roles in your AWS account. To help you identify these unused roles, IAM now reports the last-used timestamp that represents when a role was last used to make an AWS request.

Azure DevOps will no longer support Alternate Credentials authentication (Azure DevOps Blog, Nov 25 2019)
“we’ve offered customers the ability to use Alternate Credentials in situations where they are connecting to Azure DevOps using legacy tools. While using Alternate Credentials was an easy way to set up authentication access to Azure DevOps, it is also less secure than other alternatives such as personal access tokens (PATs). As such, we believe the use of Alternate Credentials authentication represents a security risk to our customers because they never expire and can’t be scoped to limit access to the Azure DevOps data.”

Why do cryptocoin scams work, and how to avoid them? (Naked Security – Sophos, Nov 22 2019)
Loosely speaking, someone who wants to “market” an ICO can promise the world – and can do so without needing any existing products, or prototypes, or stock, or patents, or intellectual property, or indeed anything much at all except a cool-sounding name for their new cryptocoins and a groovy-looking website. Sadly, that makes it surprisingly easy for a cybercrook to invite “investments” – for example by using a bunch of fake testimonials and some judiciously chosen (and perhaps actually accurate) graphs showing how other cryptocurrency values have shot up to the apparently enormous benefit of those who joined in early on.

OneCoin crypto-scam lawyer found guilty of worldwide $400m fraud (Naked Security – Sophos, Nov 25 2019)
A Florida lawyer who boasted of making “50 by 50” – as in, $50m by the age of 50 – is now facing a potential 50+ years behind bars for money laundering and lying to banks about funds flowing from OneCoin, a cryptocoin Ponzi scheme that started in Bulgaria but spread like a money-sucking fungus around the world.

Civil Rights Groups Demand Congress Investigate Amazon’s ‘Surveillance Empire’ (VICE, Nov 26 2019)
The campaign to pressure consumers and lawmakers to take action arrives after five U.S. senators sent a letter to Jeff Bezos demanding answers about how the tech giant uses its surveillance data.

My Health Record failed to manage cybersecurity and privacy risks, audit finds (The Guardian, Nov 25 2019)

Facebook built a facial-recognition app that let employees identify people by pointing a phone at them (Business Insider, Nov 26 2019)
The employee-only tool, created around 2015 and 2016, used Facebook’s vast collection of facial data to automatically recognize people.

7 Ways to Hang Up on Voice Fraud (Dark Reading, Nov 27 2019)
Criminals are coming at us from all directions, including our phones. Don’t answer that next call without reading these tips first.

Google Sends 12,000 State Phishing Warnings in Three Months (Infosecurity Magazine, Nov 27 2019)
Government-backed cyber-attacks target global users

Firefox gets tough on tracking tricks that sneakily sap your privacy (Naked Security – Sophos, Nov 27 2019)
Firefox is getting ready to turn on its automatic anti-snooping tools to stop web ‘fingerprinting’ tricks.

How to Get Prepared for Privacy Legislation (Dark Reading, Nov 27 2019)
All the various pieces of legislation, both in the US and worldwide, can feel overwhelming. But getting privacy basics right is a solid foundation.