A Review of the Best News of the Week on Identity Management & Web Fraud

Silicon Valley Is Listening to Your Most Intimate Moments (Bloomberg, Dec 11 2019)
How the world’s biggest companies got millions of people to let temps analyse some very sensitive recordings.  

Ring’s Hidden Data Let Us Map Amazon’s Sprawling Home Surveillance Network (Gizmodo, Dec 09 2019)
As reporters raced this summer to bring new details of Ring’s law enforcement contracts to light, the home security company, acquired last year by Amazon for a whopping $1 billion, strove to underscore the privacy it had pledged to provide users.

Are You One Of Avast’s 400 Million Users? This Is Why It Collects And Sells Your Web Habits. (Forbes, Dec 09 2019)
Avast sells user data but says there’s no privacy risk, according to the newly appointed CEO.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~12,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


DHS Retreats on Possible Facial Screening of US Citizens (SecurityWeek, Dec 09 2019)
The Homeland Security Department is backing away from requiring that U.S. citizens submit to facial-recognition technology when they leave or enter the country.

Only 53% of Security Pros Have Ownership of Workforce IAM (Dark Reading, Dec 10 2019)
Most practitioners report an increase in identities, but many don’t have control over how those identities are protected from a range of attacks.

Real-time phishing alerts and stolen password warnings added to Chrome (SC Magazine, Dec 11 2019)
Google yesterday announced that its latest Chrome release adds real-time phishing alerts and password breach warning capabilities to the browser. The real-time anti-phishing capabilities represent an upgrade to Google’s Safe Browsing service, which compiles an ever-changing blacklist of dangerous websites that browsers can check against. Typically, when a Chrome user visits a website, the browser…

Data Leak Exposes 750K Birth Certificate Applications (Infosecurity Magazine, Dec 10 2019)
AWS misconfiguration leaves storage bucket wide open

How Attackers Used Look-Alike Domains to Steal $1 Million From a Chinese VC (Dark Reading, Dec 06 2019)
Money meant to fund an Israeli startup wound up directly deposited to the scammers.

LogMeIn updates its LastPass Identity solution with passwordless login for business customers (Help Net Security, Dec 05 2019)
LastPass Identity now delivers a complete passwordless login experience for employees across applications, VPNs and devices (PCs, Macs, Android & iOS mobile devices) through device-native biometric authentication, single sign-on and federated identity integrations, all while giving IT complete control over every access point.

Cookie-stealing malware wants to know your Facebook ad budget (Naked Security – Sophos, Dec 05 2019)
The AdKoob malware that sneakily peeks at how much you’re spending on ads is back.

What are the qualities of a good digital identity management program? (Help Net Security, Dec 10 2019)
A digital identity program should be:
Safe – To ensure security, privacy and compliance.
Flexible – To work across multiple platforms (on-premise and cloud); work with people, systems and devices.
Agile – To quickly adapt to end-user needs, IT requirements and new applications.
Scalable – To address the shifting requirements of the business — such as adding new users from an acquisition or managing an influx of customers.
Open – To accommodate many types of users, including employees, consumers, partners and contractors.
Private – To give users control over their information and an understanding of how it is used and how they can access it.
Frictionless – To provide a seamless and convenient experience for both users and cybersecurity administrators.
Resilient – To overcome potential service disruptions, technology failures, or cyber threats — whether on-premise or in the cloud.

TikTok settles class action over child privacy one day after it’s filed (Naked Security – Sophos, Dec 10 2019)
The $1.1m settlement is an “excellent result,” TikTok said, unsurprisingly: compared with its $5.7m FTC fine, it’s dirt cheap.

Exposed Data Shows Where Police Departments Fly Their Drones (VICE, Dec 10 2019)
Dronesense, which sells a platform for controlling drones to police, left customer data including flight plans exposed.

This Alleged Bitcoin Scam Looked a Lot Like a Pyramid Scheme (Wired, Dec 10 2019)
Five men face federal charges of bilking investors of $722 million by inviting them to buy shares in bitcoin mining pools. 

78% of people forgot a password in the past 90 days (Help Net Security, Dec 11 2019)
HYPR released the findings of a two and a half year Password Usage Study, which compiled data from over 500 full-time workers across the United States and Canada to better understand how individuals use, treat and manage their passwords.

It’s past time to contain identity sprawl. Here’s how to do it. (SC Magazine, Dec 11 2019)
Identity sprawl – too many usernames and too many passwords – has never been as big a concern as it is today: More devices are being brought into the enterprise, more people are working remotely and using their own devices, and more users continue to access on-premises and cloud data stores.

Younger Generations Drive Bulk of 2FA Adoption (Dark Reading, Dec 11 2019)
Use of two-factor authentication has nearly doubled in the past two years, pointing to a new wave of acceptance.

Active Directory password reset best practices (Help Net Security, Dec 12 2019)
Password change and password reset are terms that are often used interchangeably. However, they are not the same. A user will perform a password change when they remember their existing password, and a password reset when they have forgotten it.

How identity is addressed by enterprise IT security teams (Help Net Security, Dec 12 2019)
The majority of companies have experienced a five-fold increase in the number of workforce identities, which are being driven primarily by mobile and cloud technology. Encouragingly, one-hundred percent of IT security stakeholders report that a lack of strong IAM practices introduces security risk, an IDSA survey reveals.

Over One Billion Email-Password Combos Leaked Online (Infosecurity Magazine, Dec 12 2019)
Unsecured database featured a total of 2.7bn emails