InfoSec News Nuggets – September 10, 2018

InfoSec News Nuggets
How US authorities tracked down the North Korean hacker behind WannaCry
The DOJ indictment, one of the largest of its kind in regards to the number of pages, lists a vast array of email addresses used to register domain names and buy hosting services used in all the hacks. It also includes IP addresses used to access malware command and control (C&C) servers, social media accounts, and hacked servers that hosted malware used in the attacks. Officials say they identified email and social media accounts Park used while working at Chosun Expo, and email and social media accounts used by Lazarus Group during its four-year hacking spree. Investigators especially point out a fake persona named "Kim Hyon Woo" that appears to have links either by IP address or email addresses…

InfoSec News Nuggets – September 5, 2018

Twitter testing new feature that reveals when you’re online
The feature, revealed in a post from Twitter’s director of product management and shared more widely by Twitter CEO Jack Dorsey, reveals that the site is toying with the idea of displaying a green dot next to active, online users. What isn’t entirely clear, however, is whether Twitter plans to make the feature opt-in or opt-out when/if it eventually rolls out to the great unwashed masses. Why does that matter? Well, it’s an erosion of my privacy to share with the world that I’m currently online checking Twitter. And it’s easy to imagine how digital stalkers could use such a feature to harass victims (“I know you’re online… why haven’t you replied to my message?”)
Chrome: Flash is almost, almost, almost…

InfoSec News Nuggets – September 4, 2018

Bitfi finally gives up claim cryptocurrency wallet is unhackable
Earlier this month, McAfee said that "maybe calling it [Bitfi] unhackable was unwise." The slew of attacks and vulnerability reports has now forced the company to backtrack on its previous claims. On Twitter, the company posted a statement which said the company had hired external help in the form of a "Security Manager" who is "confirming vulnerabilities that have been identified by researchers." "Effective immediately, we will be removing the "Unhackable" claim from our branding which has caused a significant amount of controversy," the company added. "While our intention has always been to unite the community and accelerate the adoption of digital assets worldwide, we realize that some of our actions have been counterproductive to that goal."
Researchers show Alexa “skill…

InfoSec News Nuggets – August 30, 2018

Voting machine maker claims vote machine hack-fests a 'green light' for foreign hackers
Voting machine maker ES&S says it did not cooperate with the Voting Village at hacking conference DEF CON because it worried the event posed a national security risk. This is according to a letter the biz sent to four US senators in response to inquiries about why the manufacturer was dismissive of the show's village and its warnings of wobbly security in some systems that officials use to record, tally, and report votes. Among the vendors singled out was ES&S, sparking Senators to express concern that ES&S wasn’t serious about security.
Yahoo and AOL scan your inbox for advertising purposes
In the current climate of heightened privacy, Google and other tech giants have shied away from scanning…

InfoSec News Nuggets – August 27, 2018

New facial recognition tech catches first impostor at D.C. airport
Facial recognition technology caught an impostor trying to enter the U.S. on a fake passport that may have passed at face value with humans, federal officials said Thursday. And the groundbreaking arrest came on just the third day the biometric technology has been used at Washington Dulles International Airport. The 26-year-old man arrived Wednesday on a flight from Sao Paulo, Brazil, and presented a French passport to the customs officer, according to the U.S. Customs and Border Protection (CBP). Using the new facial comparison biometric system, the officer determined the unidentified traveler did not match the passport he presented.
Spyware firm SpyFone leaves customer data, recordings exposed online
It appears that an oversight by spyware developer SpyFone has led to…

InfoSec News Nuggets – August 22, 2018

Kaspersky Ban Draws Few Public Comments
How concerned are government and industry about a new law requiring federal agencies and contractors to rid themselves of any trace of Kaspersky anti-virus software? Not very concerned, by the looks of two calls for public comments on implementing the law, which responds to intelligence community concerns that the Russian company’s software could be used as a Kremlin spying tool. The main call for comments on a joint rule implementing the law by the General Services Administration, Defense Department and NASA closed Aug. 14 with only three comments. The three comments were: a complaint from an alleged Pentagon employee that there was no government point of contact to help implement the rule; a request, seemingly from industry, for more specificity about how broadly the…

InfoSec News Nuggets – August 21, 2018

Google: To be clear, this is how we track you even with Location History turned off
Google has updated its help page about turning Location History on or off to more accurately reflect that it actually does sometimes store the places you go even with the setting toggled to off. Though Google originally said its help page was clear and correct, the updated page now clarifies that turning off the setting can still allow location data to be stored in apps like Search and Maps. "This setting does not affect other location services on your device, like Google Location Services and Find My Device," the page reads. "Some location data may be saved as part of your activity on other services, like Search and Maps. When you turn off Location…

InfoSec News Nuggets – August 9, 2018

EXTORTIONISTS INCREASINGLY USING RECIPIENTS' PERSONAL INFORMATION TO INTIMIDATE VICTIMS
The Internet Crime Complaint Center (IC3) has recently received an increase in reports about extortion attempts received via e-mail and postal mail and using specific user information to add authenticity. While there are many variations in these extortion attempts, they often share certain commonalities. Extortion attempts vary widely, but there are a few common indicators of the scam. The following list of commonalities is not exhaustive, but intended as examples of red flags. It is important to remember these extortion scams change to take advantage of current events such as high profile breaches or new trends involving the Internet to add authenticity.
Medical Records of 90 Million People Left Vulnerable to Critical Security Flaws
Security researchers have found more than 20…

InfoSec News Nuggets – August 8, 2018

Ex-Tesla Worker Accused of Hacking Seeks $1M in Counterclaim
A former Tesla Inc. employee at the electric car maker's battery plant in Nevada is seeking at least $1 million in defamation damages after it accused him of sabotage, hacking into computers and stealing confidential information leaked to the media. Lawyers for Martin Tripp filed a counterclaim in federal court this week alleging any damages Tesla incurred were caused or contributed to by Tesla's "own negligence, acts or omissions." Tripp alleges that between $150 million and $200 million worth of battery module parts for Tesla's Model 3 vehicle were incorrectly handled as scrap earlier this year. He said more than 700 dented and/or punctured battery modules were not discarded and instead were being shipped or were in the process of being…

InfoSec News Nuggets – August 6, 2018

Pence Calls on Senate to Create New Cyber Agency at DHS
Vice President Mike Pence told the DHS Cybersecurity Summit in New York on Tuesday that “this critical issue requires more than new funding.” “America also needs a central hub for cybersecurity,” he said. “And today we call on the United States Senate to follow the lead of the House of Representatives and, before the end of this year, enact legislation to create a new agency under the authority of DHS. The time has come for the Cybersecurity and Infrastructure Security Agency to commence.” Pence said the agency “will bring together the resources of our national government to focus on cybersecurity.”
Lawyers can no longer certify web domain ownership
Lawyers will no longer be allowed to certify someone's ownership of…