A Review of the Best News of the Week on Identity Management & Web Fraud

Smartphone data reveal which Americans are social distancing (Wash. Post, Mar 24 2020)
D.C. gets an ‘A’ while Wyoming earns an ‘F’ for following coronavirus stay-at-home advice, based on the locations of tens of millions of phones

Poland is making quarantined citizens use a selfie app to prove they’re staying inside (CBS News, Mar 24 2020)
App users will get a random request for a selfie and they have 20 minutes to upload it or else the police will pay them a visit

Apple Safari now blocks all third-party cookies by default (Naked Security – Sophos, Mar 26 2020)
Starting in 13.1, advertisers and analytics firms can’t track us through browser cookies. Apple says this also kills login fingerprinting.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Location-tracking wristbands required on all incoming travelers to Hong Kong (Naked Security – Sophos, Mar 20 2020)
The government says the wristband isn’t privacy-invading because it won’t track your location, per se; just if you wander from COVID-19 quarantine.

FBI warns of COVID-19 phishing scams promising stimulus checks, vaccines (SC Media, Mar 23 2020)
The FBI’s Internet Crime Complaint Center (IC3) has issued a public service announcement warning citizens to watch out for email-based fraud and malware schemes that take advantage of the coronavirus pandemic. Among the scams to look out for are emails purporting to contain helpful information from the Centers for Disease Control…

People Are Looping Videos to Fake Paying Attention in Zoom Meetings (VICE, Mar 23 2020)
Zoom will narc on you to your boss if you’re not paying attention. Here’s how to stop it, somewhat believably.

Justice Dep’t tackles coronavirus scam site, first of probably many (Ars Technica, Mar 23 2020)
Scammers gonna scam, but the DOJ is trying to shut them down when they pop up.

The coronavirus pandemic is changing how your privacy is protected (CNET, Mar 24 2020)
Data protection officials around the world are loosening rules on how your data can be used during the COVID-19 outbreak.

Password vulnerability at Fortune 1000 companies (Help Net Security, Mar 25 2020)
Despite often repeated advice of using unique passwords for online accounts – or at least the most critical ones – password reuse continues to be rampant. And, according to breach discovery firm SpyCloud, employees of the Fortune 1000 are just as bad about reusing passwords as the rest of us.

What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign? (Dark Reading, Mar 25 2020)
Ensure your email services are set up to use Sender Policy Framework (SPF) records or DomainKeys Identified Mail (DKIM) and also to use Domain-based Message Authentication, Reporting & Conformance (DMARC). These authentication technologies are used to validate that emails come from servers that are authorized to send from your email domain. While this won’t stop the bad actors from trying, it will allow victim email systems to better identify and block these fake messages.

Definitely Don’t Download The FBI’s Fitness App During Quarantine (VICE, Mar 25 2020)
With millions isolating at home, the Bureau has been pushing a suspicious app that accesses your phone’s location and other sensitive data.

Former Google engineer pleads guilty to stealing confidential document (Ars Technica, Mar 20 2020)
Anthony Levandowski could get more than 2 years in prison.

200M Records of US Citizens Leaked in Unprotected Database (Dark Reading, Mar 20 2020)
Researchers have not determined who owns the database, which was one of several large exposed instances disclosed this week.

CEO Claims More Fake LinkedIn Users Are Claiming to be Employees (Infosecurity Magazine, Mar 23 2020)
CEO complains of increased numbers of fake LinkedIn users claiming to be employees

Former Waymo Executive Passed Trade Secrets to Uber (Infosecurity Magazine, Mar 20 2020)
Ex-Waymo executive admits stealing self-driving car trade secrets from Google subsidiary

Tour guide/Chinese spy gets four years for SD card dead drops (Naked Security – Sophos, Mar 23 2020)
The dead drops were very James Bond: once, the data mule taped the SD card to the underside of a desk in a hotel.

Russian Cyberspies Hacked High-Profile Email Accounts for Phishing (SecurityWeek, Mar 20 2020)
The Russia-linked cyber-espionage group known as Pawn Storm has been leveraging hijacked email accounts to send phishing emails to potential victims, Trend Micro’s security researchers reveal.

Interpol Seizes $14m in Fake #COVID19 Pharma Goods (Infosecurity Magazine, Mar 24 2020)
Global police disrupt 37 criminal gangs peddling counterfeits

Hackers Are Taking Over Twitter Accounts to Advertise Face Masks (VICE, Mar 24 2020)
Accounts pushed hundreds of tweets advertising a sketchy mask website on Tuesday.

Who’s Behind the ‘Web Listings’ Mail Scam? (Krebs on Security, Mar 23 2020)
“In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names. The story concluded that this dubious service had been scamming people and companies for more than a decade, and promised a Part II to explore who was behind Web Listings. What follows are some clues that point to a very convincing answer to that question.”