A Review of the Best News of the Week on Identity Management & Web Fraud
Verkada Workers Had Extensive Access to Private Customer Cameras (Bloomberg, Mar 10 2021)
More than 100 employees at security camera startup Verkada Inc. could peer through the cameras of its thousands of customers, including global corporations, schools and police departments, according to three former employees aware of the company’s security protocols.
Virginia Passes New Data Protection Law (Infosecurity Magazine, Mar 08 2021)
Virginia Consumer Data Protection Act signed into law
Facial Recognition Company Sued by California Activists (SecurityWeek, Mar 11 2021)
Civil liberties activists are suing a company that provides facial recognition services to law enforcement agencies and private companies around the world, contending that Clearview AI illegally stockpiled data on 3 billion people without their knowledge or permission.
Filter Out the Noise
Since I started this curated security news in June 2017, I’ve clipped ~19,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
New Social Security Scam Spoofs Government Badges (Dark Reading, Mar 04 2021)
Criminals text or email photos of fake government identification badges to trick people into sending money.
Fraudsters Circumvent 3D Secure with Social Engineering (Infosecurity Magazine, Mar 05 2021)
Widespread chatter on dark web highlights gaps in payment protection
Feds indict John McAfee for cryptocurrency pump-and-dump fraud (Ars Technica, Mar 06 2021)
Federal prosecutors have indicted noted cybersecurity eccentric John McAfee for securities and wire fraud for misleading investors at the peak of the last cryptocurrency boom. In late 2017 and early 2018, McAfee urged his hundreds of thousands of Twitter followers to invest in a number of obscure cryptocurrencies. Prosecutors say he failed to disclose his own financial stake in those tokens—and in some cases outright lied about it.
Through automation, New Belgium Brewing has privacy on tap (SC Media, Mar 05 2021)
SC Media spoke to Tye Eyden, collaboration business systems analyst at New Belgium Brewing about ongoing efforts to stay ahead of privacy regulations, crediting workflow automation for bringing the company into compliance with the California Privacy Rights Act in just five months.
Ukrainians Extradited to U.S. for Providing Money Laundering Services to Cybercriminals (SecurityWeek, Mar 08 2021)
Two Ukrainians charged for their involvement in a network providing cash-out and money laundering services to cybercriminals have been extradited to the United States.
Students Are Easily Cheating ‘State-of-the-Art’ Test Proctoring Tech (VICE, Mar 05 2021)
Students are using HDMI cables and hidden phones to cheat on exams administered through invasive proctoring software like Proctorio.
Privacy-First Browser Brave Is Launching a Search Engine (Wired, Mar 07 2021)
Unlike Google, Brave Search won’t track or profile people who use it.
How to Tell Which Emails Quietly Track You (Wired, Mar 07 2021)
Your emails know more about you than you might think, like when you open them or when you forward them to others. But you can reclaim your privacy.
Airline passenger data breached following “highly sophisticated attack” (Graham Cluley, Mar 08 2021)
SITA, which provides IT services to about 90% of the global aviation industry, has revealed that it suffered a cyber attack which exposed details of passengers from many airlines.
Hacking Digitally Signed PDF Files (Schneier on Security, Mar 08 2021)
“Interesting paper: ‘Shadow Attacks: Hiding and Replacing Content in Signed PDFs’:
Abstract: Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content. A user opening a signed PDF expects to see a warning in case of any modification. In 2019, Mladenov et al. revealed various parsing vulnerabilities in PDF viewer implementations. They showed attacks that could modify PDF documents without invalidating the signature.”
Flaws in Apple Location Tracking System Could Lead to User Identification (SecurityWeek, Mar 09 2021)
Vulnerabilities identified in offline finding (OF) — Apple’s proprietary crowd-sourced location tracking system — could be abused for user identification, researchers said in a report released this month.
Scammers are already targeting the next round of coronavirus relief checks (Washington Post, Mar 09 2021)
The Cybersecurity 202: Scammers are already targeting the next round of coronavirus relief checks
T-Mobile will sell your web-usage data to advertisers unless you opt out (Ars Technica, Mar 09 2021)
Data sales begin April 26 unless you opt out; T-Mobile claims it’ll be anonymous.
Digitally Transforming Trusted Transactions Through Biometrics, ML & AI (Dark Reading, Mar 10 2021)
The pandemic has increased the appetite for e-commerce and contactless payments, and biometrics and artificial intelligence are playing a larger role in securing those transactions.
Florida Prison System Bought Location Data from Apps (VICE, Mar 10 2021)
The Florida Department of Corrections is the first reported state agency to buy access to app-based location tracking tech.
How to delegate management of identity in AWS Single Sign-On (AWS Security Blog, Mar 03 2021)
“In this blog post, I show how you can use AWS Single Sign-On (AWS SSO) to delegate administration of user identities. Delegation is the process of providing your teams permissions to manage accounts and identities associated with their teams. You can achieve this by using the existing integration that AWS SSO has with AWS Organizations…”
Reducing risk through credit card fraud detection (Google Cloud Blog, Mar 03 2021)
Practically every company relies on credit card transactions to fuel their business and facilitate the exchange of funds. In fact, many companies, especially those with digitally focused missions, now only accept credit card payments.