InfoSec News Nuggets – August 30, 2018


Voting machine maker claims vote machine hack-fests a ‘green light’ for foreign hackers

Voting machine maker ES&S says it did not cooperate with the Voting Village at hacking conference DEF CON because it worried the event posed a national security risk. This is according to a letter the biz sent to four US senators in response to inquiries about why the manufacturer was dismissive of the show’s village and its warnings of wobbly security in some systems that officials use to record, tally, and report votes. Among the vendors singled out was ES&S, sparking Senators to express concern that ES&S wasn’t serious about security.

Yahoo and AOL scan your inbox for advertising purposes

In the current climate of heightened privacy, Google and other tech giants have shied away from scanning users’ e-mail for the purpose of gathering information to sell to advertisers. Oath, the Verizon subsidiary that owns AOL and Yahoo, however, is apparently doubling down on the controversial practice. According to a recent report from The Wall Street Journal, Oath has been pitching a service to advertisers which analyzes more than 200 million Yahoo inboxes for data about products a consumer may be interested in purchasing. A person familiar with the matter told the publication that the practice at Yahoo began more than a decade ago and has expanded over the years. Oath even said the practice extends to AOL Mail.

How to remove personal data from connected cars

“Your car is a computer that stores a lot of information about you. When you sell or donate your car, that personal data might be accessible to the next owner if you don’t take steps to remove it,” the Federal Trade Commission has warned consumers on Monday. “Some cars have a factory reset option that will return the settings and data to their original state. But even after a factory reset, you may still have work to do. For example, your old car may still be connected to subscription services like satellite radio, mobile wi-fi hotspots, and data services. You need to cancel these services or have them transferred to your new vehicle,” FTC’s Consumer Education Specialist Colleen Tressler pointed out.

Fiserv Flaw Exposed Customer Data at Hundreds of Banks

Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned. Brookfield, Wisc.-based Fiserv [NASDAQ:FISV] is a Fortune 500 company with 24,000 employees and $5.7 billion in earnings last year. Its account and transaction processing systems power the Web sites for hundreds of financial institutions — mostly small community banks and credit unions. According to FedFis.com, Fiserv is by far the top bank core processor, with more than 37 percent market share.

Rate limit vulnerabilities left AT&T, T-Mobile customer PINs prone to brute-force attacks

Third-party vulnerabilities discovered in the websites for Apple’s online store and phone insurance company Asurion reportedly endangered account PINs belonging to T-Mobile and AT&T customers, respectively. Now patched, the flaws could have been exploited by attackers using a brute-force attack to guess users’ PINs until they came upon the correct numeric combination, according to a report from BuzzFeed. If they were to have accessed these PINs, the actors could have then hijacked customers’ phone numbers, along with any online accounts that can be reset via SMS or SMS-based two-factor authentication.
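The control whose absence the report describes is a per-account limit on failed PIN attempts. The following is an added example, not code from the article or from any vendor it names: a PIN verification gate that locks the account after a fixed number of failures, so a short numeric PIN cannot be guessed exhaustively. The account identifier, the stored PIN and the thresholds are all constructed for the demo.

```python
"""Added example: per-account failed-attempt lockout for PIN verification.
Account data and thresholds below are constructed, not from any real system."""
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED = 5             # failed guesses tolerated before lockout
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked

# Constructed sample store: account id -> PIN. A real system stores a hash
# and would also throttle per source address, not only per account.
PIN_STORE: Dict[str, str] = {"acct-1001": "4821"}


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


_state: Dict[str, AttemptState] = {}


def verify_pin(account: str, pin: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'locked'.

    While an account is locked, even the correct PIN is refused, so the
    lockout window caps the number of guesses an attacker can make
    regardless of how fast the endpoint responds."""
    now = time.time() if now is None else now
    st = _state.setdefault(account, AttemptState())
    if now < st.locked_until:
        return "locked"
    expected = PIN_STORE.get(account, "")
    # Constant-time comparison avoids leaking how many leading digits matched.
    if expected and hmac.compare_digest(expected, pin):
        st.failures = 0
        return "ok"
    st.failures += 1
    if st.failures >= MAX_FAILED:
        st.locked_until = now + LOCKOUT_SECONDS
        st.failures = 0
    return "denied"
```

With MAX_FAILED at 5 and a 15-minute window, a 4-digit PIN space of 10,000 values would take about 500 hours of lockout windows to exhaust, long enough for monitoring to notice repeated lockouts on one account.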

Google denies Trump claim that it ‘rigged’ news searches

Google disputed U.S. President Donald Trump’s claim that the search engine behemoth was displaying only negative news about the president when searching for his name, saying the company does not favor search results for political purposes. Trump accused Google and other U.S. tech companies of rigging search results about him “so that almost all stories & news is BAD” — and though he offered no evidence, a top adviser says the White House is “taking a look” at whether Google should face federal regulation.

Scammers Threaten to Review Bomb a Travel Company Unless it Pays Ransom

One company says a group is attempting to extort it with the threat of spreading a wave of fake, negative reviews and complaints across Instagram and Twitter. “We are experts in destroying personal or company reputation online,” the group, calling itself STD Company, wrote to its targets, according to a copy of the email provided to Motherboard by the victim. The target is CheapAir, a flight price comparison website. “Once we complete our job, even if your site remains on Google, you can be sure that all first page would be full of negative results about your company,” the email adds, signing off with the name “Semyon.”

FTC Promotes Resources to Prevent Cyberbullying

The Federal Trade Commission (FTC) has released an announcement on the importance of addressing cyberbullying. As children return to school, FTC encourages parents and educators to monitor kids’ online activity and engage in conversations about preventing cyberbullying. NCCIC encourages users to review FTC’s article.

Are you the target of a Smishing attack?

Internet scam artists have found a new way to deceive users into surrendering their personal information. It’s called SMISHING — when someone tries to trick you into giving them your private information (including user IDs and passwords) via a text or SMS message. It is an emerging and growing threat, a form of criminal activity using social engineering techniques in the same way phishing does for email scamming. Smishing may include tricking the user into downloading a Trojan horse, virus or other malware onto their cell phone or other mobile device. Criminals love smishing because users tend to trust text messages, as opposed to email, of which people are naturally more suspicious.

These researchers worry more about cybercriminals hacking the grid than nation-state hackers

Researchers at Cybereason say cybercriminal groups may pose a more immediate threat than nation state groups to electricity providers and other critical infrastructure such as wastewater facilities or manufacturing plants. Government-backed intruders tend to focus on quietly gathering information about the systems they penetrate, while cybercrime groups often use more amateurish techniques to compromise a network. That means they’re more likely to damage equipment or cause disruptions, even if they don’t intend to. “They’re not looking to throw the switch, but they might throw the switch by accident,” Ross Rustici, Cybereason’s senior director of intelligence, told me.

Experian Rolls Out Scan To Detect Child Identity Theft

To help parents protect against child identity theft, Experian is rolling out a Child ID scan. The service comes as 1 million children had their identities stolen last year, and Experian has designated Saturday (Sept. 1) as Child Identity Theft Awareness Day, the company said in an announcement. The scan seeks to find if a child’s Social Security number (SSN) matches an Experian credit file. If a credit file is found, the company’s fraud resolution team will seek to guide parents or guardians through their next steps. In terms of statistics, the company found through a survey that victims believed they were 12 years old on average when the identity theft occurred. Furthermore, about half — or 45 percent — of respondents didn’t learn of the theft until they were between 16 and 18 years old. “A child’s SSN is like gold to identity thieves and a clean slate for criminals to do damage over possibly a long period of time,” said Michael Bruemmer, vice president of Consumer Protection at Experian, in the announcement.

Senators Criticize Google CEO for Declining to Testify

Google’s Sundar Pichai is facing bipartisan criticism for refusing to testify at a Senate Intelligence Committee hearing next week, but the panel’s chairman signaled he’s unlikely to issue a subpoena to force the chief executive officer to appear. “I don’t normally subpoena people to be part of the solution,” Senator Richard Burr of North Carolina said Tuesday when asked if he’s considering such a step. “Google chooses not to participate and being part of the solution. That’s a decision they made.” Twitter Inc. CEO Jack Dorsey and Facebook Inc. Chief Operating Officer Sheryl Sandberg are said to be planning to testify at the Sept. 5 Senate committee hearing on social media and Russian meddling.

Air Canada confirms mobile app data breach

Air Canada has confirmed a data breach on its mobile app, which the airline said may affect 20,000 people — or 1 percent — of its 1.7 million app users. The company said it had “detected unusual log-in behavior” occurring between August 22-24. According to an email to customers, attackers may have accessed basic profile data, including names, email addresses and phone numbers — but also more sensitive data that users may have added to their profiles, including passport numbers and expiry date, passport country of issuance, NEXUS numbers for trusted travelers, gender, dates of birth, nationality and country of residence. But credit card data was not accessed, the airline said.

US Court of Appeals: An IP address isn’t enough to identify a pirate

In a win for privacy advocates and pirates, the Ninth Circuit Court of Appeals ruled that an IP address alone is not enough to go after someone for alleged copyright infringement. They ruled that being the registered subscriber of an infringing IP address does not create a reasonable inference that the subscriber is also the infringer. The case began back in 2016 and has been playing out in the legal system ever since. The creators of the film ‘The Cobbler’ alleged that Thomas Gonzales had illegally downloaded their movie and sued him for it. Gonzales was a Comcast subscriber and had set up his network with an open Wi-Fi access point. At some point, someone had used his network to download the movie and the film creators captured Gonzales’s IP address.

FCC can define markets with only one ISP as “competitive,” court rules

An appeals court has upheld a Federal Communications Commission ruling that broadband markets can be competitive even when there is only one Internet provider. The FCC can “rationally choose which evidence to believe among conflicting evidence,” the court ruling said. The FCC voted last year to eliminate price caps imposed on some business broadband providers such as AT&T and Verizon. The FCC decision eliminated caps in any given county if 50 percent of potential customers “are within a half mile of a location served by a competitive provider.” This is known as the “competitive market test.” Because of this, broadband-using businesses might not benefit from price controls even if they have just one choice of ISP.

State Department Visa Analysis System Wasn’t Patched or Scanned for Viruses

The State Department’s consular division isn’t sufficiently protecting the data on a computer system it uses to analyze whether people seeking U.S. visas are being forthright about who they are and where they’ve traveled, according to an audit released Tuesday. The division’s information security team also wasn’t regularly patching the system, scanning it for computer viruses or auditing for evidence about whether it had been compromised by hackers, according to the inspector general’s report. The State Department system is partially populated with information from a Homeland Security Department system to track arrival and departure information for U.S. visa holders, but it’s transferred to a standalone system used by the consular section’s fraud prevention office, the audit said.

Hacktivist Drama ‘Mr. Robot’ to End With 4th Season in 2019

In a statement, “Mr. Robot” creator Sam Esmail says he decided that it was time to bring the story to a close next season. “Mr. Robot” will conclude the way he’d envisioned it since it began, Esmail says. Malek plays Elliot, a troubled cyber-security engineer and hacker who’s drawn into a revolutionary movement. Christian Slater also stars in the Peabody Award-winning drama. An air date for the final season of “Mr. Robot” was not announced.