InfoSec News Nuggets – August 6, 2018

Home / InfoSec News Nuggets / InfoSec News Nuggets – August 6, 2018

Pence Calls on Senate to Create New Cyber Agency at DHS

Vice President Mike Pence told the DHS Cybersecurity Summit in New York on Tuesday that “this critical issue requires more than new funding.” “America also needs a central hub for cybersecurity,” he said. “And today we call on the United States Senate to follow the lead of the House of Representatives and, before the end of this year, enact legislation to create a new agency under the authority of DHS. The time has come for the Cybersecurity and Infrastructure Security Agency to commence.” Pence said the agency “will bring together the resources of our national government to focus on cybersecurity.”

Lawyers can no longer certify web domain ownership

Lawyers will no longer be allowed to certify someone’s ownership of an internet domain name, and the public Whois no longer represents proof of ownership, when it comes to assigning security certificates to site owners. That means, for example, you can no longer pay a lawyer $500 to write you a letter asserting you own a particular domain name, and use that to obtain an SSL/TLS cert for it, nor use the Whois database to back up your claims of ownership. These two security loopholes were shut down this week in revised rules for Certificate Authorities (CAs) – the folks that issue, typically via intermediaries, HTTPS certificates for websites.

DEF CON plans to show US election hacking is so easy kids can do it

Last year, the hackers at DEF CON showed how shockingly easy it was to crack into voting machine software and hardware. Next week, the 2018 conference’s Vote Hacking Village will let kids have a shot at subverting democracy. Beginning on Friday, August 10, teams in three age ranges, 8-11, 12-14 and 15-16, will be let loose on replica American government websites that report election results. In elections in the Ukraine and Ghana, these were hacked to spread confusion about the voting process and its results – and the village’s organizers hope the youngsters can do the same with US-style tech.

Google Maps’ location sharing will now share your phone’s battery status, too

Wondering why anyone might care about the status of your battery? If you try to ping someone’s location and their phone is dead, there’s not much an app can do. Most location-sharing apps will just sit there and spin while they wait for some sort of response, leaving you to worry about all the reasons their phone might not be responding with a current location. Did they lose signal? Did someone steal their phone? By clueing you in on whether someone’s phone is just about to die, you’ve at least got a better idea as to what’s going on when the updates go silent.

CYBER ACTORS USE INTERNET OF THINGS DEVICES AS PROXIES

Cyber actors actively search for and compromise vulnerable Internet of Things (IoT) devices for use as proxies or intermediaries for Internet requests to route malicious traffic for cyber-attacks and computer network exploitation. IoT devices, sometimes referred to as “smart” devices, are devices that communicate with the Internet to send or receive data. Examples of targeted IoT devices include: routers, wireless radios links, time clocks, audio/video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices.

Jersey Mike’s Warns Customers To Reset Passwords

Jersey Mike’s Subs’ recent emails to its customers have made them suspicious of a cyber attack. The firm has warned its customers to ensure their accounts’ security and has asked them to change passwords. However, they advise that Jersey Mikes has not been a source of any data breach insinuating that some third party may be.

Jury Convicts Anonymous Hacker Who DDoSed Children’s Hospital, Later Got Lost at Sea

A member of the Anonymous hacker collective was found guilty this week in a trial for a series of cyber-attacks the man had conducted in 2014, including some aimed at children’s hospitals. The hacker —Martin Gottesfeld, 32, of Sommerville, Massachusetts— was one of the main driving forces behind the #OpJustina Anonymous campaign. According to court documents obtained by Bleeping Computer, Gottesfeld learned about the case of Justina Pelletier, a young child that was at the center of a nationwide controversy. But before the custody battle clarified, Gottesfeld and other Anonymous hackers decided to take matters into their own hands by starting #OpJustina and launching cyber-attacks against the Wayside facility in March 2014, and the Boston Children’s Hospital in April, the same year.

Student Charged in Elaborate Digital Money Theft Scheme

A Massachusetts college student who was named his high school’s valedictorian for his savvy tech skills hacked into unsuspecting investors’ personal cellphones, email and social media accounts to steal at least $2 million in digital currency like Bitcoin, according to documents provided by California prosecutors Wednesday. Joel Ortiz was taken into custody July 12 at Los Angeles International Airport ahead of a flight to Boston, according to prosecutors. The 20-year-old faces more than two dozen charges including grand theft, identity theft and computer hacking, court documents show. He’s held on $1 million bail.

Russian Threat ‘Is Real,’ Trump Officials Say, Vowing to Protect U.S. Elections

Top national security officials vowed Thursday to defend American elections against what they called real threats from Russia. “Russia attempted to interfere with the last election,” Mr. Wray told reporters in the White House briefing room, “and continues to engage in malign influence operations to this day. This is a threat we need to take extremely seriously and to tackle and respond to with fierce determination and focus.” Dan Coats, the director of national intelligence, echoed that assessment, saying that “Russians are looking for every opportunity, regardless of party, regardless of whether or not it applies to the election, to continue their pervasive efforts to undermine our fundamental values.”

The Information on School Websites Is Not as Safe as You Think

The home page of Pinellas County Schools in Florida is brimming with information for families, students, staff members and the public: an easy-to-use dashboard of news, shortcuts and links to the district’s Facebook page, Twitter feed and YouTube channel. But Pinellas’s home page has been supplying information to another audience, an unseen one, as well this year. An array of tracking scripts were embedded in the site, designed to install snippets of computer code into the browsers of anyone clicking on it, to report their visits or track their movements as they traveled around the web. The trackers were detected last winter during a study by Douglas Levin, a Washington-based expert on educational technology. Asked about them in April, the district expressed surprise and said it would have them removed. But Mr. Levin found 22 trackers when he checked back last month.

Telegram Passport is already drawing fire for not being secure enough

The first piece of blockchain-related tech from Telegram was shown off last week, but experts are claiming that its just waiting to be hacked. Telegram Passport is meant to be a secure way of managing identity documents. It pegs itself as being able to provide a “unified authorization method” that makes supplying services (like ICOs and exchanges) with real world IDs more straightforward. But there’s a massive spanner in the works: researchers say they have found Telegram Passport to be completely vulnerable to brute force attacks. Software security firm Virgil Security have released analysis, spotted by CoinDesk, that claims certain design choices could compromise users’ passwords.

Scare off burglars with this ridiculous Alexa skill

Some people leave lights, music or the TV on when they’re away from home in an attempt to ward off burglars, but a new Alexa skill called “Away Mode” has a different idea. Instead of lights and noises, you can keep your home safe from unwanted visitors by playing lengthy audio tracks that sound like real – and completely ridiculous – conversations. When you launch Away Mode, Alexa will play one of seven audio tracks penned by comedy writers from SNL, It’s Always Sunny in Philadelphia, and UCB. The company doesn’t have permission to share all the writers’ names at this time, but says there were half a dozen involved, including Kristin Belka Maier of “Always Sunny…”

Apple ordered to pay US$145 million in damages to Canada’s WiLan

A federal jury in California has awarded Canadian patent licensing company WiLan US$145.1 million in damages against Apple for patent infringement, according to a court filing on Wednesday. The jury in San Diego determined that versions of Apple’s iPhone infringed two WiLan patents relating to wireless communications technology, WiLan, a unit of Quarterhill, said in a statement. Apple confirmed it plans to appeal. The company earlier rejected claims of infringement in pre-trial filings.

How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards

Last year, Joseph Dixon* posted a picture of himself on Instagram, tagging it #T-Mobile, the company he works for as a store manager. The photo gathered a fair amount of likes, and also got the attention of someone who had an unusual business proposal. “Do you wanna make some money?” the person—a would-be scammer—wrote in an Instagram private message, according to Dixon. (*Dixon’s name has been changed because he was not authorized by T-Mobile to speak to the press.) The deal was simple: the person would send Dixon the name, phone number, personal details of a T-Mobile customer such as SSN and home address along with the number of a new SIM card. Dixon would then log into T-Mobile’s online employee portal for customer service, called Quickview, transfer that phone number to the new SIM card and collect $100 in Bitcoin.

Criminal hacking group targets U.S., U.K. agencies in Pakistan

A criminal hacking group concentrated in Pakistan has in recent months carried out a string of attacks on American, British, Russian, and Spanish governmental organizations, according to new research from cybersecurity company Palo Alto Networks. The hacking collective known as the Gorgon Group “has been performing criminal operations against targets across the globe, often using shared infrastructure with their targeted attack operations,” Palo Alto Networks’ threat intelligence arm, Unit 42, said in a blog post Thursday.

Bugcrowd launches Disclose.io to provide a safe harbor for white hat hackers

Bugcrowd and Amit Elazari, a University of California, Berkeley doctoral candidate and CLTC grantee, announce the launch of Disclose.io — a project to standardize practices for providing a safe harbor for security researchers within bug bounty and vulnerability disclosure programs (VDPs). Current U.S. anti-hacking laws, such as the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA), along with public incidents have had a chilling effect on the security researcher community. Disclose.io enables organizations to protect both themselves and researchers submitting to their bug bounty and vulnerability disclosure programs by incorporating safe harbor language outlining authorization, with clear scope.