A Review of the Best News of the Week on Identity Management & Web Fraud

Privacy vs. Surveillance in the Age of COVID-19 (Schneier on Security, Mar 30 2020)
“I think the effects of COVID-19 will be more drastic than the effects of the terrorist attacks of 9/11: not only with respect to surveillance, but across many aspects of our society. And while many things that would never be acceptable during normal time are reasonable things to do right now, we need to make sure we can ratchet them back once the current pandemic is over.”

The Zoom Privacy Backlash Is Only Getting Started (Wired, Apr 01 2020)
A class action lawsuit. Rampant zoombombing. And as of today, two new zero-day vulnerabilities.

Privacy in critical care after telehealth demands jump (SC Media, Mar 31 2020)
As coughs and body aches drive anxious Americans to telemed services in record numbers, relieving the burden on medical facilities stressed to breaking with COVID-19 cases, the subsequent relaxation of privacy requirements puts them at risk of PHI compromises, cyberattacks and privacy violations.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Government Tracking How People Move Around in Coronavirus Pandemic (WSJ, Mar 30 2020)
Government officials across the U.S. are using location data from millions of cellphones in a bid to better understand the movements of Americans during the coronavirus pandemic and how they may be affecting the spread of the disease.

MIT Researchers Launch Location-Tracking Effort for the New Coronavirus (WSJ, Mar 30 2020)
A project to track Covid-19 patients via their phones is being launched by Massachusetts Institute of Technology researchers, potentially the first large-scale project in the U.S. to trace their movement and those with whom they interact.

Domain Registrars Take Action Against Fraudulent COVID-19 Websites (Infosecurity Magazine, Mar 27 2020)
Namecheap and GoDaddy are attempting to thwart COVID-19 scammers

Should governments track your location to fight COVID-19? (Naked Security – Sophos, Mar 30 2020)
Google Maps data could help governments track patients that a newly-diagnosed COVID-19 sufferer has been in contact with.

Microsoft’s Edge browser to get breached credential alerts (Naked Security – Sophos, Apr 01 2020)
Microsoft has announced a list of new security and privacy features it plans to add to forthcoming versions in an effort to take on its rivals.

New – Use AWS IAM Access Analyzer in AWS Organizations (AWS News Blog, Mar 30 2020)
“AWS IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to determine all possible access paths allowed by a resource policy. We call these analytical results provable security, a higher level of assurance for security in the cloud.”

New York Attorney General Looks Into Zoom’s Privacy Practices (The New York Times, Mar 31 2020)
As the videoconferencing platform’s popularity has surged, Zoom has scrambled to address a series of data privacy and security problems.

Zoom Updates Privacy Policy After Experts Raise Concerns (SecurityWeek, Mar 31 2020)
Remote conferencing services provider Zoom Video Communications (NASDAQ: ZM) this week updated its privacy policy following the publishing of a series of reports raising concerns regarding the privacy of Zoom users.

Zoom is Leaking Peoples’ Email Addresses and Photos to Strangers (VICE, Mar 31 2020)
For at least a few thousand people, Zoom has treated their personal email addresses as if they all belong to the same company, letting them video call each other.

Zoom Phishers Register 2000 Domains in a Month (Infosecurity Magazine, Apr 02 2020)
As #COVID19 home working surges, cyber-criminals look to cash in

‘War Dialing’ Tool Exposes Zoom’s Password Problems (Krebs on Security, Apr 02 2020)
“As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.”

Russians Shut Down Huge Card Fraud Ring (Krebs on Security, Mar 26 2020)
Federal investigators in Russia have charged at least 25 people accused of operating a sprawling international credit card theft ring. Cybersecurity experts say the raid included the charging of a major carding kingpin thought to be tied to dozens of carding shops and to some of the bigger data breaches targeting western retailers over the past decade.
In a statement released this week, the Russian Federal Security Service (FSB) said 25 individuals were charged with circulating illegal means of

Global E-Commerce Fraud to Top $25bn by 2024 (Infosecurity Magazine, Mar 30 2020)
Juniper Research says merchants need to improve customer education

Privacy Rights May Become Next Victim of Killer Pandemic (SecurityWeek, Mar 29 2020)
Digital surveillance and smartphone technology may prove helpful in containing the coronavirus pandemic — but some activists fear this could mean lasting harm to privacy and digital rights.

How Russia’s Troll Farm Is Changing Tactics Before the Fall Election (The New York Times, Mar 31 2020)
The Kremlin-backed Internet Research Agency, which interfered in the 2016 election, is using different methods to hide itself better.

QR code generator scam steals thousands in Bitcoin (Naked Security – Sophos, Apr 01 2020)
Every once in a while an attack comes along that is so simple to set up, and yet so effective, that it makes your jaw drop. Here’s one.

Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others (Krebs on Security, Mar 31 2020)
“A spear-phishing attack this week hooked a customer service employee at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned. The incident gave the phisher the ability to view and modify key customer records, access that was used to change domain settings for a half-dozen GoDaddy customers, including transaction brokering site escrow.com.”