InfoSec News Nuggets – September 25, 2018

Home / InfoSec News Nuggets / InfoSec News Nuggets – September 25, 2018

Credit Freezes are Free: Let the Ice Age Begin

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file). And because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.

Freelance workers targeted in new malware campaign

Cyberattackers have turned their attention towards freelance workers in a new campaign which is spreading malware via malicious documents masquerading as job briefs and offers. According to MalwareHunterTeam, the scheme has been discovered on both Fiverr, a freelance services marketplace, and Freelancer.com, a platform which offers the services of freelance workers to millions of businesses. Freelancers, casual workers, and international contractors often rely on emails and communication over the Internet not only to retain relationships with employers but also to find and secure new opportunities. As a result, emailed communication and document attachments are commonplace. Unfortunately, it is this standard practice that cybercriminals are now targeting.

28-year-old Romanian Woman Pleads Guilty for Hacking 126 Computers Associated With Surveillance Cameras

A Romanian Woman Eveline Cismaru. 28, pled guilty to federal charges for illegally gaining access to more than 126 computers that connected to Surveillance cameras installed and used by Metropolitan Police Department (MPD) and infected them with ransomware. She pled guilty before the Honorable Dabney L. Friedrich to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer fraud, carry statutory maximums of 20 years and five years in prison, Cismaru agrees to cooperate fully in the investigation and she is to be sentenced on Dec. 3, 2018. Investigators arrested Cismaru, 28, and a co-defendant, Mihai Alexandru Isvanca, 25 in Romania, Cismaru extradited to the united states on July 26, 2018, and Isvanca pending extradition to the United States.

Users Forcibly Being Logged Into Chrome When Signing Into a Google Service

With the release of Chrome 69, it was discovered that when you log into your Google account, or any Google service for that matter, you will also be automatically logged into Chrome whether you want to or not. So what’s the big deal? According to a Adrienne Porter Felt, an engineer and manager on the Google Chrome team, it is not a big deal and this should just be seen an visual indicator that the user is logged into Google, but does not mean that data is actually being uploaded. On the other hand, Matthew Green, a cryptography professor at Johns Hopkins university, feels that this is a really big deal as it associates a browser with a Google account, which should never happen unless you choose to login to Chrome. Even if browsing data is not uploaded and sync is not enabled, there is data that could be gathered simply by the authentication process alone.

Yahoo! Data Breach Estimated to Cost Successor Company Net $47 Million

Altaba Inc., the successor company of Yahoo Inc., recently noted in a filing with the Securities and Exchange Commission that after its settlement of consumer and shareholder suits relating to Yahoo’s data breach that affected all 3 million of its users, it will have paid a net $47 million in expenses. This estimate is based upon a tentative agreement to resolve pending state and federal class action suits, as well as a shareholders derivative suit, which is on top of a securities class action suit settlement of $80 million (including $14.4 million in attorneys’ fees) that recently received final approval from the court. That settlement has been touted as the largest securities class action in history involving a data breach.

Firefox bug crashes your browser and sometimes your PC

A security researcher who two weeks ago found a bug that could crash all WebKit-based apps on iPhones, iPads, and Macs, has now discovered another browser bug that can crash Firefox browsers, and sometimes the entire operating system underneath it. The bug is just the latest addition to Browser Reaper, a web portal set up by Sabri Haddouche, a software engineer and security researcher at encrypted instant messaging app Wire. Haddouche has been researching denial of service (DoS) vulnerabilities as a hobby and has now identified one in every major browser engine –Chrome, Safari (WebKit), and Firefox. His latest addition, the Firefox bug, will crash Firefox’s browser process on Macs and Linux systems, resulting in the browser showing its classic Crash Reporter popup.

Wendy’s faces lawsuit for unlawfully collecting employee fingerprints

A class-action lawsuit has been filed in Illinois against fast food restaurant chain Wendy’s accusing the company of breaking state laws in regards to the way it stores and handles employee fingerprints. The lawsuit was filed on September 11, in a Cook County court, according to a copy of the complaint obtained by ZDNet. The complaint is centered around Wendy’s practice of using biometric clocks that scan employees’ fingerprints when they arrive at work, when they leave, and when they use the Point-Of-Sale and cash register systems. Plaintiffs, represented by former Wendy’s employees Martinique Owens and Amelia Garcia, claim that Wendy’s breaks state law –the Illinois Biometric Information Privacy Act (BIPA)– because the company does not make employees aware of how the company handles their data.

Credential stuffing attacks are a growing threat

According to Akamai report titled “[state of the internet] / security CREDENTIAL STUFFING ATTACKS“  the credential stuffing attacks are a growing threat and often underestimated. Credential stuffing attacks involve botnets to try stolen login credentials usually obtained through phishing attacks and data breaches. This kind of attacks is very efficient due to the bad habit of users of reusing the same password over multiple services. The experts detected 8.3 Billion malicious login attempts from bots in May and June, an overall number of 30 billion malicious logins were observed between November 2017 and June 2018, an average of 3.75 billion per month. These botnets attempt to log into a target site in order to assume an identity, gather information, or steal money and goods.” states the report published by Akamai.

Researchers develop invisibly thin spray-on antennas

The promise of wearables, functional fabrics, the Internet of Things, and their “next-generation” technological cohort seems tantalizingly within reach. But researchers in the field will tell you a prime reason for their delayed “arrival” is the problem of seamlessly integrating connection technology – namely, antennas – with shape-shifting and flexible “things.” But a breakthrough by researchers in Drexel’s College of Engineering, could now make installing an antenna as easy as applying some bug spray. The group reports on a method for spraying invisibly thin antennas, made from a type of two-dimensional, metallic material called MXene, that perform as well as those being used in mobile devices, wireless routers and portable transducers.