A Review of the Best News of the Week on Identity Management & Web Fraud

Insider Attack on the Carnegie Library (Schneier on Security, Sep 08 2020)
“Greg Priore, the person in charge of the rare book room at the Carnegie Library, stole from it for almost two decades before getting caught.
It’s a perennial problem: trusted insiders have to be trusted.”

What happens to funds once they have been stolen in a cyberattack? (Help Net Security, Sep 08 2020)
SWIFT and BAE Systems published a report that describes the complex web of money mules, front companies and cryptocurrencies that criminals use to siphon funds from the financial system after a cyber attack. The report highlights the ingenuity of money laundering tactics to obtain liquid financial assets and avoid any subsequent tracing of the funds.

Here’s How Police Request Data From WhatsApp and Facebook (VICE, Sep 10 2020)
Facebook has chosen to review user data requests manually, without screening the email address of people who request access to the portals, which are made for law enforcement agents only.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~16,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Fake Data and Fake Information: A Treasure Trove for Defenders (Dark Reading, Sep 03 2020)
Cybersecurity professionals are using false data to deceive cybercriminals, enabling them to protect networks in new and innovative ways.

Sophisticated Phishing Scam Targeting Lloyds Bank Customers (Infosecurity Magazine, Sep 04 2020)
Phishing messages are attempting to redirect customers to a fraudulent site.

Vishing scams use Amazon and Prime as lures – don’t get caught! (Naked Security – Sophos, Sep 03 2020)
How do you deal with scam calls on a phone number you keep for emergencies?

CBP Bought ‘Unlimited’ Use of a Nationwide Tracking Database (VICE, Sep 10 2020)
A map and files obtained by Motherboard show Customs and Border Protection bought access to a license plate reader database that can locate vehicles far from the border region.

Faulty Facial Recognition Led to His Arrest—Now He’s Suing (VICE, Sep 04 2020)
Michael Oliver is the second Black man found to be wrongfully arrested by Detroit police because of the technology—and his lawyers suspect there are many more.

Creepy ‘Geofence’ Finds Anyone Who Went Near a Crime Scene (Wired, Sep 04 2020)
Police increasingly ask Google and other tech firms for data about who was where, when. Two judges ruled the investigative tool invalid in a Chicago case.

We Didn’t Encrypt Your Password, We Hashed It. Here’s What That Means: (Troy Hunt, Sep 03 2020)
You’ve possibly just found out you’re in a data breach. The organisation involved may have contacted you and advised your password was exposed but fortunately, they encrypted it. But you should change it anyway. Huh? Isn’t the whole point of encryption that it protects data when exposed to unintended parties?

How to Boost WhatsApp’s Privacy and Better Protect Your Data (Wired, Sep 07 2020)
The Facebook-owned company has end-to-end encryption by default—but that doesn’t mean the service’s settings are as private as they could be.

Mapping the motives of insider threats (Help Net Security, Sep 08 2020)
Insider threats can take many forms, from the absent-minded employee failing to follow basic security protocols, to the malicious insider, intentionally seeking to harm your organization. Some threats may stem from a simple mistake, others from a personal vendetta. Some insiders will work alone, others at the behest of a competitor or nation-state. Whatever the method and the motives, the results can be devastating.

Top 5 Identity-Centric Security Imperatives for Newly Minted Remote Workers (Dark Reading, Sep 09 2020)
In the wake of COVID-19, today’s remote workforce is here to stay, at least for the foreseeable future. And with it, an increase in identity-related security incidents.

Fake Alert Scams Increasingly Targeting Mobile Networks (Infosecurity Magazine, Sep 09 2020)
The “vast majority” of fake alerts in malvertising networks target mobile browsers.

The Essential Role of IAM in Remote Work (The Security Ledger, Sep 08 2020)
The sudden shift to 100% remote work has been jarring. How can businesses ensure remote workers are productive, while protecting sensitive data and minimizing cyberthreats? Rachael Stockton of LogMeIn and LastPass provides some tips.

Portland adopts strictest facial recognition ban in nation to date (Ars Technica, Sep 10 2020)
New laws ban public and private use of the tech, in nationwide first.

Meet the Middlemen Who Connect Cybercriminals With Victims (Dark Reading, Sep 09 2020)
An analysis of initial access brokers explains how they break into vulnerable organizations and sell their access for up to $10,000.

FBI adds iris recognition to its growing biometrics portfolio (Federal News Network, Sep 10 2020)
The FBI’s Criminal Justice Information Services, nearly seven years after piloting the concept, will add iris recognition technology to its portfolio of identification services for law enforcement…

Judge Dismisses Privacy Lawsuit Against University of Chicago (Infosecurity Magazine, Sep 09 2020)
In 2017, Google received the anonymized data of University of Chicago Medicine patients for research purposes. The data was sent by University of Chicago Medicine under an initiative to improve predictive analysis of hospitalizations and subsequently raise the level of patient care.

Google Reveals Work Profile Privacy Features in Android 11 (SecurityWeek, Sep 10 2020)
Google this week announced improved privacy and security features in Android 11, including a series of enhancements aimed specifically at employees.