A Review of the Best News of the Week on Identity Management & Web Fraud

Rioters Had Physical Access to Lawmakers’ Computers. How Bad Is That? (VICE, Jan 07 2021)
Several Trump supporters gained access to computers in the U.S. Capitol building. Is the security of the building’s networks compromised?

How China Uses Stolen US Personnel Data (Schneier on Security, Dec 24 2020)
Interesting analysis of China’s efforts to identify US spies:

By about 2010, two former CIA officials recalled, the Chinese security services had instituted a sophisticated travel intelligence program, developing databases that tracked flights and passenger lists for espionage purposes. “We looked at it very carefully,” said the former senior CIA official. China’s spies “were actively using that for counterintelligence and offensive intelligence. The capability was there and was being utilized.”

SolarWinds Campaign Focuses Attention on ‘Golden SAML’ Attack Vector (Dark Reading, Dec 22 2020)
Adversaries that successfully execute the attack can achieve persistent, anytime, anywhere access to a victim network, security researchers say.


Happy New Year!
Hello 2021! Since I started this curated newsletter in June 2017, I’ve clipped ~18,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype.
Thanks! – Lucas Samaras

Ticketmaster admits it hacked rival company before it went out of business (Ars Technica, Jan 04 2021)
Ticketmaster used stolen passwords and URL guessing to access confidential data.

GDPR Fines Exceeded €170 Million in 2020 (SecurityWeek, Jan 05 2021)
Fines issued for violations of the EU’s General Data Protection Regulation (GDPR) in 2020 exceeded €170 million, or roughly $200 million.

SMS Phishing Is Getting Out Of Control (VICE, Jan 06 2021)
Consumers and security companies report a concerning increase in scams via text message phishing, also known as smishing.

New Ad Fraud Scheme Highlights a Growing Problem for Streaming TV (WSJ, Dec 17 2020)
The operation, which Oracle Data Cloud has dubbed “StreamScam,” took advantage of flaws in streaming-TV ad-serving technology and the supply chain to fool marketers into paying for ads that were never actually seen by viewers on real devices and apps, the company said.

DHS Works to Improve Biometric Scanning of Masked Faces (Nextgov, Dec 20 2020)
Almost 600 human volunteers participated in a recent technology evaluation.

Healthcare.gov Data Thief Jailed (Infosecurity Magazine, Dec 17 2020)
Prison for tech company employee who stole PII and used it for financial gain

Will the US Move to a Federal Privacy Law in 2021? (Infosecurity Magazine, Dec 18 2020)
Experts discuss impact of CPRA and other recent events on privacy rules in the US

Stolen Card Prices Soar 225% in Two Years (Infosecurity Magazine, Dec 21 2020)
Flashpoint claims pandemic has had big impact on dark web pricing

Non-profit founded by Gates Foundation suffers massive exposure of student records (SC Media, Dec 31 2020)
An exposed AWS bucket left hundreds of thousands of student-related records exposed to the internet, but officials from the non-profit say most of the data was old and obsolete.

Account takeovers: Insiders need not be malicious to cause chaos (SC Media, Dec 24 2020)
With 2020 coming to a close, SC Media is delivering, through a series of articles, our picks of the highest-impact events and trends of the last year, which we predict will factor into community strategies in 2021 and beyond. This is the first in that series.

Credential phishing attack impersonating USPS targets consumers over the holidays (SC Media, Dec 23 2020)
The credential phishing attack impersonated the U.S. Postal Service and sought to get victims to give up their credit card details and pay a special delivery fee within three days to ensure their package was delivered.

Facebook Criticizes Apple Privacy Policy in Newspaper Ads (SecurityWeek, Dec 17 2020)
Facebook is again pushing back on new Apple privacy rules for its mobile devices, this time saying in full-page newspaper ads that the social media giant is standing up for small businesses.

New NIST guide helps healthcare orgs securely deploy PACS (Help Net Security, Dec 22 2020)
Every so often, security researchers discover confidential medical images left exposed online. To help healthcare organizations prevent this from happening in the future, NIST has published NIST SP 1800-24: Securing Picture Archiving and Communication System (PACS). Medical imaging is a critical component in providing patient care, and PACS is where these images and accompanying clinical information are stored and delivered from when needed.

Phishers Spoof New York Department of Labor (Infosecurity Magazine, Dec 22 2020)
Attacker impersonates New York State to steal sensitive data from seekers of COVID-19 financial relief

Amazon Gift Card Scam Delivers Dridex This Holiday Season (Dark Reading, Dec 24 2020)
Dridex operators launch a social engineering scam that promises victims a $100 gift card but delivers a banking Trojan.

Working together to suppress complex and organized fraud (Help Net Security, Dec 28 2020)
As the entire world has learned throughout 2020, effective suppression of the COVID-19 pandemic requires concerted responses and coordinated action. Medical professionals must adopt new protocols; local, state, and national governments must implement track-and-trace programs; everyday citizens must adopt risk-minimizing tactics like wearing masks and physical distancing. Unfortunately, fraudsters have taken advantage of the pandemic to rob and steal.

21 arrested after allegedly using stolen logins to commit fraud (WeLiveSecurity, Dec 29 2020)
UK police also give some food for thought to those on the verge of breaking the law