InfoSec News Nuggets – October 11, 2018

InfoSec News Nuggets
Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs
Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. Security researcher source…

InfoSec News Nuggets – October 1, 2018

Facebook Security Breach Exposes Accounts of 50 Million Users
Facebook, already facing scrutiny over how it handles the private information of its users, said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users. The breach, which was discovered this week, was the largest in the company’s 14-year history. The attackers exploited a feature in Facebook’s code to gain access to user accounts and potentially take control of them. Three software flaws in Facebook’s systems allowed hackers to break into user accounts, including those of the top executives Mark Zuckerberg and Sheryl Sandberg, according to two people familiar with the investigation but not allowed to discuss it publicly. Once in, the attackers could have gained access to apps like Spotify, Instagram…

InfoSec News Nuggets – September 26, 2018

Beware of Hurricane Florence Relief Scams
If you’re thinking of donating money to help victims of Hurricane Florence, please do your research on the charitable entity before giving: A slew of new domains apparently related to Hurricane Florence relief efforts are now accepting donations on behalf of victims without much accountability for how the money will be spent. For the past two weeks, KrebsOnSecurity has been monitoring dozens of new domain name registrations that include the terms “hurricane” and/or “florence” and some word related to support (e.g., “relief,” “assistance,” etc.). Most of these domains have remained parked or dormant since their creation earlier this month; however, several of them became active only in the past few days, directing visitors to donate money through private PayPal accounts without providing any information…

InfoSec News Nuggets – September 25, 2018

Credit Freezes are Free: Let the Ice Age Begin
A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to…

InfoSec News Nuggets – September 24, 2018

Google responds to lawmaker concerns over Gmail scanning
In July, Senators John Thune (R-SD), Roger Wicker (R-MS) and Jerry Moran (R-KS) sent Google a letter that sought information on Google's practice of allowing third-party app developers access to its users' emails. While Google stopped scanning Gmail messages for ad-targeting purposes earlier this year, it still offers access to others if users give their consent. Now, Google has replied to the lawmakers' letter. In it, Susan Molinari, Google's VP of public policy and government affairs, confirmed that Google does allow third parties to access Gmail data, a practice the company described in a blog post earlier this year. "Before a developer can access a Gmail user's data, they must obtain consent from the user," she wrote. "And they must have a…

InfoSec News Nuggets – September 11, 2018

US government releases post-mortem report on Equifax hack
The Government Accountability Office (GAO) has published a report to detail how the Equifax hack went down and how the credit reporting company answered during and after the incident. The report comes a day before the one-year anniversary of the public announcement of the Equifax breach that exposed the personal details of 145.5 million Americans, but also of millions of British and Canadian citizens. Some of the details included in the report were already known and previously reported, but there was also some new information.

Chrome 69 Removing WWW and M subdomains From the Browser's Address Bar
With the release of Chrome 69, Google has decided to strip the "www" and "m" subdomains from the URL displayed in Chrome's address bar. For…

InfoSec News Nuggets – September 10, 2018

How US authorities tracked down the North Korean hacker behind WannaCry
The DOJ indictment, one of the largest of its kind in regards to the number of pages, lists a vast array of email addresses used to register domain names and buy hosting services used in all the hacks. It also includes IP addresses used to access malware command and control (C&C) servers, social media accounts, and hacked servers that hosted malware used in the attacks. Officials say they identified email and social media accounts Park used while working at Chosun Expo, and email and social media accounts used by Lazarus Group during its four-year hacking spree. Investigators especially point out a fake persona named "Kim Hyon Woo" that appears to have links either by IP address or email addresses…

InfoSec News Nuggets – September 5, 2018

Twitter testing new feature that reveals when you’re online
The feature, revealed in a post from Twitter’s director of product management and shared more widely by Twitter CEO Jack Dorsey, reveals that the site is toying with the idea of displaying a green dot next to active, online users. What isn’t entirely clear, however, is whether Twitter plans to make the feature opt-in or opt-out when/if it eventually rolls out to the great unwashed masses. Why does that matter? Well, it’s an erosion of my privacy to share with the world that I’m currently online checking Twitter. And it’s easy to imagine how digital stalkers could use such a feature to harass victims (“I know you’re online… why haven’t you replied to my message?”)

Chrome: Flash is almost, almost, almost…

InfoSec News Nuggets – September 4, 2018

Bitfi finally gives up claim cryptocurrency wallet is unhackable
Earlier this month, McAfee said that "maybe calling it [Bitfi] unhackable was unwise." The slew of attacks and vulnerability reports has now forced the company to backtrack on its previous claims. On Twitter, the company posted a statement which said the company had hired external help in the form of a "Security Manager" who is "confirming vulnerabilities that have been identified by researchers." "Effective immediately, we will be removing the "Unhackable" claim from our branding which has caused a significant amount of controversy," the company added. "While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal."

Researchers show Alexa “skill…

InfoSec News Nuggets – August 30, 2018

Voting machine maker claims vote machine hack-fests a 'green light' for foreign hackers
Voting machine maker ES&S says it did not cooperate with the Voting Village at hacking conference DEF CON because it worried the event posed a national security risk. This is according to a letter the biz sent to four US senators in response to inquiries about why the manufacturer was dismissive of the show's village and its warnings of wobbly security in some systems that officials use to record, tally, and report votes. Among the vendors singled out was ES&S, sparking senators to express concern that ES&S wasn’t serious about security.

Yahoo and AOL scan your inbox for advertising purposes
In the current climate of heightened privacy, Google and other tech giants have shied away from scanning…