InfoSec News Nuggets – July 2, 2018

Home / InfoSec News Nuggets / InfoSec News Nuggets – July 2, 2018

A massive cache of law enforcement personnel data has leaked

A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training — known as ALERRT — at Texas State University. The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection. ZDNet obtained a copy of the database, which was first found by a New Zealand-based data breach hunter, who goes by the pseudonym Flash Gordon.

AT&T trials fixed-wireless 5G in Indiana

AT&T has announced a trial of fixed-wireless 5G in South Bend, Indiana, utilising its full-fibre broadband network and millimetre-wave (mmWave) spectrum. Unlike lab and field trials, the carrier is delivering 5G fixed-wireless services to several residential premises in the area, with one household seeing speeds of 1Gbps and latency of under 20 milliseconds. President of AT&T Technology and Operations Melissa Arnoldi said in a blog post that this allows the customers to use “bandwidth-heavy applications simultaneously and seamlessly — something that would be nearly impossible with current LTE technologies”. AT&T has also announced that it will be launching its full-fibre network in Bowling Green, Kentucky; Florence, South Carolina; Hattiesburg, Mississippi; and Lake Charles, Louisiana.

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you. The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.

It only takes 6,000 smart phones to take down our Public Emergency Response System

Recent research published by the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel reveals that it only takes about 6,000 smartphones infected with malware to launch a DDoS attack capable of shutting down 9-1-1 emergency services or public service answering points (PSAPs) in a single U.S. state. Why is the situation so fragile? Well, ironically one reason is the law. Federal Communications Commission (FCC) regulations stipulate that wireless carriers must forward all 9-1-1 calls to a PSAP, regardless of caller validation, giving a malicious hacker the perfect opportunity to exploit this ruling with an anonymized form of a distributed denial-of-service (DDoS) attack.

California Passes Groundbreaking Consumer Data Privacy Law With Fines for Violations

California has passed a sweeping privacy law that gives consumers the right to demand that their data be deleted and to bar companies from selling their data without them losing access to services or being charged a higher price. The bill, passed today by the state’s legislature and quickly signed by Gov. Jerry Brown, affects all companies that do business in the state and collect data. It requires those businesses to disclose information they store, what purpose it’s for, and with which third parties it’s shared. For data breaches, consumers may be able to sue for up to $750 for each violation, while the state attorney general can sue for intentional violations of privacy at up to $7,500 each. For both consumer and state lawsuits, companies have to be given 30 days to fix the problem.

8 States Impose New Rules on Equifax After Data Breach

Equifax agreed to a number of data security rules under a consent order with eight state financial regulators that was announced on Wednesday, the latest regulatory response to the breach that allowed hackers to steal sensitive personal information on more than 147 million people. The order describes specific steps the credit bureau must take, including conducting security audits at least once a year, developing written data protection policies and guides, more closely monitoring its outside technology vendors, and improving its software patch management controls. Equifax has said that the attackers gained access to its systems last year through a known software flaw that was inadvertently left unfixed for months.

Facebook users can now see all the active ads run by a Page

Facebook today released a new tool that will allow users to see what advertisements a Page is running — whether or not all of those advertisements are targeted at that particular user. It’s the latest in a string of new features from Facebook to give users more insight into how advertisers are using its platform. Starting today, users will see a new button called “info and ads” at the top of a Page belonging to a business, nonprofit, or other organization. “Page info” will allow them to see when the Page was created and if its name has been changed at all, though the company said there would be more information available to view in the tab in the coming weeks. The “active ads” section will allow users to see what ads that page is currently running across Facebook, Instagram, and Messenger. The tool has previously been tested in Canada.

NSA deleting more than 685 million call records

The National Security Agency is deleting more than 685 million call records the government obtained since 2015 from telecommunication companies in connection with investigations, raising questions about the viability of the program. The NSA’s bulk collection of call records was initially curtailed by Congress after former NSA contractor Edward Snowden leaked documents revealing extensive government surveillance. The law, enacted in June 2015, said that going forward, the data would be retained by telecommunications companies, not the NSA, but that the intelligence agency could query the massive database. Now the NSA is deleting all the information it collected from the queries.

Equifax Coder Settles Insider Trading Charges With SEC

An Equifax software engineer has settled an insider trading charge with the U.S. Securities and Exchange Commission, after he allegedly earned more than $75,000 after he made a securities transaction based on his suspicion that the credit bureau had suffered a data breach. Sudhakar Reddy Bonthu, 44, of Cumming, Georgia, was a product development manager of software engineering within Equifax’s Global Consumer Solutions business unit. Equifax fired Bonthu on March 12 after he refused to cooperate with internal investigation into violations of the company’s insider trading policies. “Bonthu owed a duty of trust and confidence to Equifax and its shareholders not to trade on the basis of material non-public information that he learned through his employment with Equifax, and was aware of his duty,” according to the SEC complaint.

The Next Big Cyber-Attack Vector: APIs

Hackers are moving to the path of least resistance and looking for new avenues to exploit. Many security experts believe the next wave of enterprise hacking will be carried out by exploiting Application Programming Interfaces (APIs). In fact, cyber adversaries are already targeting APIs when planning their attacks. The data breach at Panera Bread is a good example. The bakery-café chain left an unauthenticated API endpoint exposed on its website, allowing anyone to view customer information such as username, email address, phone number, last four digits of the credit card, birthdate, etc. Ultimately, data belonging to more than 37 million customers was leaked over an eight-month period.

Kroger will use autonomous vehicles to deliver groceries this fall

Now Nuro is announcing its first commercial partnership: with Kroger, one of the nation’s leading grocery chains. Starting this fall, Kroger plans to start delivering groceries to customers using Nuro’s autonomous vehicles. Initially, the partnership will only be active in a single market—the companies haven’t yet said which city that will be. But Nuro’s goal is to eventually provide service across Kroger’s entire retail footprint. And that footprint is large. In addition to Kroger stores, the company also owns the Dillons, Harris Teeter, QFC, Ralphs, Roundy’s, and Smiths supermarket chains, among others. In total, Kroger says it owns 2,800 stores in 35 states.

Linux distro hacked on GitHub, “all code considered compromised”

Gentoo, a popular distribution of Linux, has had its GitHub repository hacked. Here’s what they said, less than an hour after they spotted the compromise: [On] 28 June [2018] at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised. This does NOT affect any code hosted on the Gentoo infrastructure. Since the master Gentoo ebuild repository is hosted on our own infrastructure and since Github is only a mirror for it, you are fine as long as you are using rsync or webrsync from gentoo.org.

Capital Gazette shooter ID’d with facial recognition tech

After the man who killed five people and injured seven others at the Annapolis, Md.-based Capitol Gazette newsroom obscured his identity, authorities used facial recognition technology to identify him. The man, described in reports as a white male wearing a black t-shirt and olive pants, was taken into custody at the scene but authorities said he carried no identification and had damaged his fingers, prompting law enforcement to use facial recognition software to identify him, NBC News reported. William Krampf, the acting police chief of Anne Arundel County, Md., told reporters Thursday evening that he had no knowledge of the use of facial recognition technology by investigators.

Scammers abuse multilingual domain names

Cyber-criminals are abusing multilingual character sets to trick people into visiting phishing websites. The non-English characters allow scammers to create “lookalike” sites with domain names almost indistinguishable from legitimate ones. Farsight Security found scam sites posing as banks, loan advisers and children’s brands Lego and Haribo. Smartphone users are at greater risk as small screens make lookalikes even harder to spot. The Farsight Security report looked at more than 100 million domain names that use non-English character sets – introduced to make the net more familiar and usable for non-English speaking nations – and found about 27% of them had been created by scammers.

Grid hackers can expect retaliation, CEO warns

If hackers hit the U.S. power grid, they’ll be hit right back, Southern Co. CEO Tom Fanning said yesterday. “I can tell you the capability exists today, if somebody tries to take us down, they will have a bad day,” Fanning told attendees at the Aspen Institute’s weeklong Aspen Ideas Festival in Colorado. Fanning offered a rare window into the battle playing out between hackers and private companies, which he described as “the most underreported war in our history.” He suggested the Department of Defense should hold hackers accountable for crossing red lines at key U.S. companies, counterattacking either on the ground or in cyberspace. “This crossfire you never hear about, and yet it is happening every day,” Fanning said.

New Air Force cyber teams debut at exercise

New Air Force teams tasked with providing cyber defense for a mission participated in an exercise for the first time, the service said. Air Force leaders hope the new role will be ingrained throughout the service in the future. The Air Force’s cyber squadron initiative aims to protect the Air Force’s core missions by establishing and assigning personnel and cyber teams to wings and missions called mission defense teams. These teams will be an organic capability to Air Force wings within the squadron structure serving as the “beat cops,” so to speak, understanding the critical cyber terrain and networks of the wings and missions they’re assigned to even deploying with these units in some cases.