A Review of the Best News of the Week on Identity Management & Web Fraud

California Proposition 24 Passes (Schneier on Security, Nov 05 2020)
“California’s Proposition 24, aimed at improving the California Consumer Privacy Act, passed this week. Analyses are very mixed. I was very mixed on the proposition, but on the whole I supported it. The proposition has some serious flaws, and was watered down by industry, but voting for privacy feels like it’s generally a good thing.”

LexisNexis to Pay $5 Million Class Action Settlement for Selling DMV Data (VICE, Nov 05 2020)
LexisNexis had taken data from DMVs and then resold it to other organizations that did not have a legally permissible use for the information, the complaint said.

Attackers want Active Directory privileges. Here’s how to stop them. (SC Media, Nov 02 2020)
A growing number of threat actors use advanced persistent threat (APT)  tactics to progress their attacks. More and more target Active Directory (AD), domain controllers, and flaws in Kerberos tickets to find weaknesses, steal credentials, and escalate privileges.

Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~17,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras

Share today’s post on Twitter Facebook LinkedIn

California’s Prop. 24 Splits Privacy Advocates (Dark Reading, Nov 02 2020)
Critics worry that the curatives in Prop. 24 are worse than the disease of privacy-rights violations.

As California decides fate of privacy law, more CISOs could be hit by data regulations (SC Media, Nov 02 2020)
The ballot initiative, which is viewed by supporters as a patch for loopholes in the California Consumer Privacy Act, would create several new wrinkles for security and privacy personnel.

Californians Consider Expanding Landmark Data Privacy Law (SecurityWeek, Nov 03 2020)
Two years ago, California became the first state to pass a sweeping digital privacy law seen as the strongest of its kind in the United States. Voters are now deciding whether to refine and expand that law, or leave it as is.

Invoice or payment fraud attacks that target group email boxes jump more than 200% (SC Media, Oct 29 2020)
While invoice and payment fraud attacks on the c-suite are still prevalent, the sharp rise in attacks on group email boxes was significant because it pointed to a new favorite attack vector.

BEC attacks increase in most industries, invoice and payment fraud rise by 155% (Help Net Security, Nov 03 2020)
BEC attacks increased 15% quarter-over-quarter, driven by an explosion in invoice and payment fraud, Abnormal Security research reveals.

UK Banks Face Consumer Frustration Over Digital Identity Management (Infosecurity Magazine, Nov 02 2020)
Only 36% of UK banks capture and verify customer identities in the same digital channel

Beware a New Google Drive Scam Landing in Inboxes (Wired, Nov 01 2020)
Scammers are luring people into Google Docs in an attempt to get them to visit potentially malicious websites.

Fraud Prevention Strategies to Prepare for the Future (Dark Reading, Nov 02 2020)
While companies have largely adjusted to the new normal for security management, here are some tips for combatting fraud, post-COVID.

Ping Identity Acquires Symphonic to Boost API and Data Security Offering (Infosecurity Magazine, Nov 02 2020)
Deal will allow users to centralize administration and enforcement to critical resources and data

Fewer than 25 percent of companies deployed adequate security access control systems (SC Media, Nov 02 2020)
The survey also found that 60 percent of companies didn’t know if they had a security awareness training program, while another 20.6 percent say such programs are non-existent at their companies.

Swedish Insurer Folksam Exposes Data on 1 Million Customers (SecurityWeek, Nov 04 2020)
Swedish insurance company Folksam on Tuesday revealed that data on 1 million customers was inadvertently shared with third-parties.

Games in Microsoft Store Can Be Abused for Privilege Escalation on Windows (SecurityWeek, Nov 04 2020)
A researcher at cybersecurity services provider IOActive has identified a privilege escalation vulnerability in Windows that can be exploited by abusing games in the Microsoft Store.

Two Charged in SIM Swapping, Vishing Scams (Krebs on Security, Nov 03 2020)
“Two young men from the eastern United States have been hit with identity theft and conspiracy charges for allegedly stealing bitcoin and social media accounts by tricking employees at wireless phone companies into giving away credentials needed to remotely access and modify customer account information.”

Aligning IAM policies to user personas for AWS Security Hub (AWS Security Blog, Nov 02 2020)
AWS Security Hub provides you with a comprehensive view of your security posture across your accounts in Amazon Web Services (AWS) and gives you the ability to take action on your high-priority security alerts. There are several different user personas that use Security Hub, and they typically require different AWS Identity and Access Management (IAM)…

How to implement password-less authentication with Amazon Cognito and WebAuthn (AWS Security Blog, Oct 30 2020)
“In this blog post, I show you how to offer a password-less authentication experience to your customers. To do this, you’ll allow physical security keys or platform authenticators (like finger-print scanners) to be used as the authentication factor to your web or mobile applications that use Amazon Cognito user pools for authentication.”

Private Prison Operator GEO Group Discloses Data Breach (SecurityWeek, Nov 05 2020)
Florida-based private prison operator GEO Group this week revealed that it was recently targeted in a cyberattack that involved ransomware and which may have resulted in the theft of sensitive information.

BEC Scammers Exploit Flaw to Spoof Domains of Rackspace Customers (SecurityWeek, Nov 05 2020)
A threat actor specializing in business email compromise (BEC) attacks has been observed exploiting a vulnerability to spoof the domains of Rackspace customers as part of its operations.