InfoSec News Nuggets 1/9/2020

1 - U of O gives notice of potential privacy breach impacting 188 people The University of Ottawa has given notice of a potential privacy breach impacting 188 people, including elementary and high school students who attended a summer program on campus. The breach stems from an incident in late November 2019 when a password-protected laptop was stolen from a university employee’s vehicle, the administration said in a press release on Friday. The laptop was used for Destination Clic,…

InfoSec News Nuggets 1/8/2020

1 - Cybercriminals Fill Up on Gas Pump Transaction Scams Ahead of Oct. Deadline Gas stations are gearing up for a major change in credit-card fraud liability in October, when they will find themselves on the hook for card-skimming attacks at the pump. In the meantime though, cybercriminals will be targeting pay-at-the-pump point-of-sale mechanisms with a vengeance, researchers say. Fuel pumps represent a last bastion of non-encrypted transactions. Unlike when customers pay inside, the pump…

InfoSec News Nuggets 1/7/2020

1 - U.S. Government Issues Warning About Possible Iranian Cyberattacks Christopher C. Krebs, Director of the Cybersecurity and Infrastructure Security Agency, issued a warning about a potential new wave of Iranian cyber-attacks targeting U.S. assets after Maj. Gen. Qassim Suleimani was killed by a U.S. airstrike at the Baghdad airport in Iraq. "Given recent developments, re-upping our statement from the summer," Krebs said in a rare warning on Twitter. "Bottom line: time to brush up on Iranian TTPs and pay close…

InfoSec News Nuggets 1/6/2020

1 - CCPA Kickoff: What Businesses Need to Know New year, new privacy regulations: The California Consumer Privacy Act (CCPA) went into effect on January 1, marking the start of a widespread law that will likely have implications beyond state lines. For businesses, it's high time to think about what this means and how to get ahead. CCPA, the original version of which was passed in 2018, was introduced to protect the personal data of…

InfoSec News Nuggets 1/3/2020

1 - Apple answers dev concerns that location tracking alerts will upset users When Apple released iOS 13 towards the end of September 2019 it brought with it a new warning that told users when an app repeatedly accessed their location data in the background. A new Wall Street Journal report (via MacRumors) notes that developers are worried that the alerts will make users doubt their apps. But Apple isn't concerned. According to the report…

InfoSec News Nuggets 1/2/2020

1 - Secure New Internet-Connected Devices During the holidays, internet-connected devices—also known as Internet of Things (IoT) devices—are popular gifts. These include smart cameras, smart TVs, watches, toys, phones, and tablets. Although this technology provides added convenience to our lives, it often requires that we share personal and financial information over the internet. The security of this information, and the security of these devices, is not guaranteed. For example, vendors often store personal information in…

InfoSec News Nuggets 12/31/2019

1 - 160,000 Belgian Allianz Partners clients affected by data theft An Allianz Partners strongbox containing back-up copies of data related to disaster claims was stolen in the Netherlands in August, the insurance and assistance company disclosed on Friday. According to an audit and analysis of the documents concerned, the strongbox contained data on 160,000 Belgian customers who had filed claims for disasters or breakdowns under their assistance contracts or travel insurance. The strongbox was…

InfoSec News Nuggets 12/30/2019

1 - A Twitter app bug was used to match 17 million phone numbers to user accounts A security researcher said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter’s Android app. Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. “If you upload your phone number, it fetches user data in return,” he told TechCrunch. He said…

InfoSec News Nuggets 12/27/2019

1 - Chinese malware broker behind US hacks is now teaching computer skills in China A Chinese malware broker who was sentenced in the United States this year for dealing in malicious software linked to major hacks is back at his old workplace: teaching high-school computer courses, including one on Internet security. Mr Yu Pingan, who spent 18 months in a San Diego federal detention centre, had pleaded guilty to conspiracy to commit computer hacking.…

InfoSec News Nuggets 12/26/2019

1 - Apple eyes satellite internet for data project Apple is reportedly hiring engineers to help deliver a satellite project that would beam internet services directly to devices without the aid of mobile networks. Bloomberg reports that Apple has an early stage project with about 12 engineers from the aerospace, satellite and antenna design industries who hope to launch the project within five years. Exactly what Apple is cooking up is not clear and it could have…

InfoSec News Nuggets 12/23/2019

1 - FBI program offers companies data protection via deception The Federal Bureau of Investigation is in many ways on the front lines of the fight against both cybercrime and cyber-espionage in the US. These days, the organization responds to everything from ransomware attacks to data thefts by foreign government-sponsored hackers. But the FBI has begun to play a role in the defense of networks before attacks have been carried out as well, forming partnerships with some…

InfoSec News Nuggets 12/20/2019

1 - The weird future of brain-computer interfaces: Replacing passwords with thoughts and mind-reading bosses who can tell when you are bored Brain computer interfaces may sound futuristic, but adoption of such systems -- which allow signals from the brain to be recorded or used to control technology -- is on the rise. Much of the development work going on around BCIs is focused on medical uses for the tech, but consumer applications of BCIs…

InfoSec News Nuggets 12/19/2019

1 - ISIS Is Experimenting with This New Blockchain Messaging App The Islamic State has discovered blockchain. The technology that powers cryptocurrencies like bitcoin and ethereum promises to revolutionize almost all facets of society, from payment processing to online voting. Now ISIS is actively testing a blockchain-based messaging app that could provide everything it needs to thrive: secure, anonymous communication, a tamper-proof repository for beheading videos and other ISIS propaganda, and perhaps most ominously, the…

InfoSec News Nuggets 12/18/2019

1 - Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up As if the scourge of ransomware wasn’t bad enough already: Several prominent purveyors of ransomware have signaled they plan to start publishing data stolen from victims who refuse to pay up. To make matters worse, one ransomware gang has now created a public Web site identifying recent victim companies that have chosen to rebuild their operations instead of quietly acquiescing to their tormentors.…

InfoSec News Nuggets 12/17/2019

1 - Prosecutors say a man stole $88,000 from a bank vault. The FBI caught him after he flashed stacks of bills on social media. If you're systematically stealing money from a bank vault, it may not be a good idea to post the evidence on your social media pages. A bank employee in Charlotte, North Carolina, allegedly stole $88,000 from the bank's vault, according to a release from the United States Attorney's Office Western District of…

InfoSec News Nuggets 12/16/2019

1 - Google rolls out Verified SMS and Spam Protection in Android Google announced today two updates for Messages, the default SMS app in the Android mobile operating system. Starting today, Android users in the US and selected countries will get access to two new features named Verified SMS and Spam Protection. As the name of the first feature hints, Verified SMS works by confirming the identity of the SMS sender. "When a message is…

InfoSec News Nuggets 12/13/2019

1 - ‘Canadian eyes only’ intelligence reports say Canadian leaders attacked in cyber campaigns Russia is one of the hostile foreign states that has targeted Canada in recent “cyber influence” campaigns, according to secret intelligence records obtained exclusively by Global News. The records from Canada’s Communications Security Establishment (CSE) — labelled “Secret: Canadian Eyes Only” — say that due to their policies in eastern Europe, then-Minister of Foreign Affairs Chrystia Freeland and Minister of National…

InfoSec News Nuggets 12/11/2019

1 - Bitcoin-hungry hackers broke their own decryption tool, analysts warn Cybersecurity researchers warn that paying Bitcoin to retrieve files locked by the prolific Ryuk ransomware may still result in data loss. This means that Ryuk’s latest victims are stuck between a rock and a hard place. If they refuse to send their attackers Bitcoin, they’ll lose access to their data altogether, but if they pay, the hackers will provide them with a decryption tool that doesn’t work. Software…

InfoSec News Nuggets 12/10/2019

1 - Britain investigating whether leaked trade papers were hacked British cyber security officials are investigating whether classified UK-U.S. trade documents that were shared online ahead of Thursday’s election were acquired by hacking or were leaked, two sources told Reuters. Beside the fears that Russia could be meddling in another Western election, the disclosure of the classified documents has raised questions about the security of sensitive discussions between the United States and one of its…

InfoSec News Nuggets 12/09/2019

1 - Facebook accuses two Chinese nationals of using hacked accounts to spread ads Facebook is taking action against two Chinese nationals and a Hong Kong advertising firm for allegedly using the social media platform to distribute malware, then push misleading advertisements to try to make money. The lawsuit filed Thursday in the Northern District of California accuses ILikeAd Media International Company Ltd. and two individuals, Chen Xiao Cong and Huang Tao, of involvement with a…

InfoSec News Nuggets 12/06/2019

1 - How Internet resources worth R800 million were stolen and sold on the black market The theft and sale of large swaths of valuable African Internet resources was an inside job, Internet investigator Ron Guilmette has concluded after five months of detective work. Documents obtained from industry sources and public records in Uganda show that at least one insider at AFRINIC is also a shareholder of a company that received money for selling IP…

InfoSec News Nuggets 12/05/2019

1 - Messaging / Smishing Attacks One of the most common ways cyber attackers attempt to trick or fool people is by scamming you in email attacks (often called phishing) or by trying to trick you with phone calls. However, as technology continues to advance, bad guys are always trying new methods, including tricking you with messaging technologies such as text messaging, iMessage/FaceTime, WhatsApp, Slack or Skype. Here are some simple steps to protect yourself…

InfoSec News Nuggets 12/04/2019

1 - Apple's tap-and-go Express payments come to London public transport Paying for daily necessities using your phone might feel like the future, but the reality can sometimes be slower as mobile payments require authentication that can take time to approve. To combat this issue, Apple has brought its Express feature to London, making it far quicker and easier to use Apple Pay on services like the Tube. Apple's Express Mode can now be used on all Transport…

InfoSec News Nuggets 12/02/2019

1 - Top Senate Democrats unveil new online privacy bill, promising tough penalties for data abuse Senate Democrats on Tuesday proposed tough new punishments for Facebook, Google and other Silicon Valley tech giants that mishandle their users’ personal data, unveiling a sweeping new online privacy bill that aims to provide people their “Miranda rights” for the digital age. The effort, led by Sen. Maria Cantwell, a Washington state Democrat who previously worked in the tech…

InfoSec News Nuggets 11/27/2019

1 - Louisiana Motor Vehicles Offices Reopening After Cyberattack Eight regional locations for Louisiana’s Office of Motor Vehicles have reopened after a cyberattack crippled agency operations last week. Other branch locations will resume operations after technical staff ensures the computer systems are functioning properly. The regional offices that opened Monday are in Baton Rouge, New Orleans, Shreveport, Lake Charles, Alexandria, Monroe, Lafayette and Thibodaux. State officials asked people to delay their visits unless they have time-sensitive…

InfoSec News Nuggets 11/26/2019

1 - The California DMV Is Making $50M a Year Selling Drivers’ Personal Information In a public record acts request, Motherboard asked the California DMV for the total dollar amounts paid by commercial requesters of data for the past six years. The responsive document shows the total revenue in financial year 2013/14 as $41,562,735, before steadily climbing to $52,048,236 in the financial year 2017/18. The document doesn't name the commercial requesters, but some specific companies…

InfoSec News Nuggets 11/25/2019

1 - Google ups bug bounties for Android flaws, exploits ASR covers security vulnerabilities discovered in the latest available Android versions for Pixel phones and tablets, which are currently Pixel 4, Pixel 3a and Pixel 3a XL, and Pixel 3 and Pixel 3 XL. “Eligible bugs include those in AOSP code, OEM code (libraries and drivers), the kernel, the Secure Element code, and the TrustZone OS and modules. Vulnerabilities in other non-Android code, such as…

InfoSec News Nuggets 11/22/2019

1 - Midwest Gets First Cybercrime-Fighting Dog Police in Nebraska have recruited a highly trained dog to assist them in the fight against cybercrime. Two-year-old black Labrador Quinn has joined the Bellevue Police Department as the Midwest's first-ever electronic storage device K-9 officer. Unlike most sniffer dogs, who are taught to detect drugs, Officer Quinn has been specially trained to sniff out a particular chemical used in electronic devices like SIM cards, cell phones, and micro SD…

InfoSec News Nuggets 11/21/2019

1 - NTSB blames Uber’s 'inadequate safety culture' for self-driving fatality The NTSB has lambasted Uber's "inadequate safety culture" and "lack of risk assessment mechanisms" before its self-driving fatality. In March 2018, an autonomous 2017 Volvo XC90 struck and killed pedestrian Elaine Herzberg as she crossed the street in Tempe, Arizona. Officials have also assigned blame to the safety driver, who at the time was watching The Voice on her smartphone. NTSB chair Robert L. Sumwalt said "the collision was the last…

InfoSec News Nuggets 11/20/2019

1 - Wikipedia co-founder offers a Facebook/Twitter wannabe How much would you pay for a Facebook- or Twitter-like social network experience, but one in which you’re not tracked, your personal information and web history aren’t gobbled up, and you aren’t e-hounded by targeted ads? For those of us who haven’t already jumped the Facebook ship and might still be interested in relinquishing our roles as products, Wikipedia co-founder Jimmy Wales has set up a social…

InfoSec News Nuggets 11/19/2019

1 - Phishers Targeting Microsoft Office 365 Admin Credentials Digital fraudsters are stealing Microsoft Office 365 administrator credentials as part of a broader phishing campaign targeting organizations. The campaign began with a phishing email that leveraged Microsoft and its Office 365 brand to lull recipients into a false sense of security. This attack email was unique, however, in that it originated from validated domains that don’t belong to Microsoft.…

InfoSec News Nuggets 11/18/2019

1 - PrankDial.com Exposes 138 Million Records via Unprotected Database Prank calling service “PrankDial.com” has exposed 138 million log records after they have left a non-password protected database online for anyone to access. The discovery was made in October by Jeremiah Fowler of “Security Discovery”, who reported the incident to the company immediately. The platform secured the database on the same day, but the exposure could have led to the stealing of the sensitive data in the…

InfoSec News Nuggets 11/15/2019

1 - Ransom payments averaging $41,000 per incident The average ransom payment paid out by victims increased 13 percent, to $41,000, during the last three months, but researchers noted the rate of increase has plateaued. Researchers at Coveware credited the victims with being better prepared to restore their data on their own, negating the need to pay the ransom. However, that was not enough to offset malicious actors using Sodinokibi and GlobeImposter variants to go…

InfoSec News Nuggets 11/14/2019

1 - Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded The state of Iowa contracted with a prominent cybersecurity company to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses. In September, two employees of the company were arrested in the course of doing their jobs. The charges still have not been dropped. The incident has sparked concern across the cybersecurity industry, including worries that…

InfoSec News Nuggets 11/13/2019

1 - Microsoft says it will follow California's digital privacy law Microsoft is taking a step toward guarding customer privacy that will impact the bottom line. The company said in a blog post on Monday that it would honor California's privacy law throughout the United States, according to Reuters. The law, called the California Consumer Privacy Act or CCPA, goes into effect on Jan. 1. It is a strict set of rules meant to protect consumers and…

InfoSec News Nuggets 11/12/2019

1 - BlueKeep Attacks Crash Systems Due to Meltdown Patch The recent attacks exploiting the BlueKeep vulnerability to deliver cryptocurrency miners caused some systems to crash due to a Meltdown patch being deployed on the targeted machines. The BlueKeep vulnerability, officially tracked as CVE-2019-0708, affects Windows Remote Desktop Services (RDS) and it allows an unauthenticated attacker to execute arbitrary code by sending specially crafted Remote Desktop Protocol (RDP) requests. Microsoft released patches, including for unsupported versions of…

InfoSec News Nuggets 11/11/2019

1 - Brazilian government announces creation of AI lab network The Brazilian government has announced it will create a network of eight research facilities focused on artificial intelligence (AI). The minister of science, technology, innovation and communications, Marcos Pontes, made the announcement during the opening speech of an event focused on public sector innovation in the country's capital, Brasília. "[The creation of the centers] has been one of the priorities [for the Ministry] in order…

InfoSec News Nuggets 11/08/2019

1 - Cisco: All these routers have the same embedded crypto keys, so update firmware Security researchers have found that the firmware for several Cisco small-business routers contains numerous security issues. The problems include hardcoded password hashes as well as static X.509 certificates with the corresponding public-private key pairs and one static Secure Shell (SSH) host key. The static keys are embedded in the routers' firmware and are used for providing HTTPS and SSH access…

InfoSec News Nuggets 11/07/2019

1 - LA is fast becoming a fintech hub as HMBradley launches another West Coast challenger bank Add HMBradley to the list of Los Angeles based startups looking to shake up the world of high finance typically dominated by East Coast giants with names like JPMorgan Chase, Citigroup, Morgan Stanley, and Goldman Sachs. The new Santa Monica, Calif.-based bank joins companies like Aspiration and Acorns in trying to offer consumers new ways to manage their finances. Founded…

InfoSec News Nuggets 11/06/2019

1 - Porcelain business raises suspicion amid China’s blockchain renaissance A porcelain and education business has attracted the suspicion of Chinese regulators after its stock recently boomed, CoinDesk reports. Guangdong Great Wall Group’s stock price rose for five consecutive days after Chinese President Xi Jinping encouraged civilians to embrace blockchain technology — and is now under investigation by the China Securities Regulatory Commission (CSRC). Founded in 1996, Great Wall Group started off as a creative porcelain business. However, its 2018 annual report, featured…

InfoSec News Nuggets 11/05/2019

1 - Conveyancing law firms targeted in new multimillion-rand cyber scam A new multimillion-rand cyber fraud scam allegedly headed by Nigerians and targeting attorneys dealing with big-money property transactions has been exposed in a graft case in the Joburg Commercial Crime Court. Olutunji Abdul, a Nigerian, and Siphosihle Sithole, a South African, are standing trial in a R7.8million matter in what investigators termed the new “business email compromise” (BEC) fraud. Last week in the Joburg…

InfoSec News Nuggets 11/04/2019

1 - Windows BlueKeep RDP Attacks Are Here, Infecting with Miners The BlueKeep remote code execution vulnerability in the Windows Remote Desktop Services is currently exploited in the wild. Vulnerable machines exposed to the web are apparently compromised for cryptocurrency mining purposes. The attempts have been recorded by honeypots that expose only port 3389, specific for remote assistance connections via the Remote Desktop Protocol (RDP). Security researcher Kevin Beaumont noticed on Saturday that multiple honeypots…

InfoSec News Nuggets 11/01/2019

1 - Scammers are now faking voicemail notifications to steal Office 365 login credentials Security researchers have found a new phishing campaign that leverages fake voicemail messages to trick victims into handing over their Office 365 email credentials. The scam — uncovered by cybersecurity firm McAfee — made use of fraudulent email attachments, which when opened, redirected users to a phishing website that siphoned the login information with an aim to impersonate staff members and gain wider access…

InfoSec News Nuggets 10/31/2019

1 - Apple Patches Tens of Vulnerabilities in macOS Catalina, iOS 13 Security updates released by Apple this week for iOS 13 and macOS Catalina 10.15 address roughly 40 vulnerabilities, including issues that affect both operating systems. macOS Catalina 10.15.1, the first security update for the latest major version of the operating system, fixes 33 vulnerabilities, including flaws that can be exploited through malicious applications or by getting the targeted user to process a specially crafted file.…

InfoSec News Nuggets 10/30/2019

1 - iPhone 5 users risk losing internet access Apple iPhone 5 users have been warned to update their software before the weekend or face losing access to the internet. The technology giant said users who did not download iOS 10.3.4 by 3 November would be locked out of features that rely on the correct time and date. This includes the App Store, email, web browsing and storage service iCloud. While it is not the latest…

InfoSec News Nuggets 10/29/2019

1 - UniCredit reveals data breach exposing 3 million customer records UniCredit has revealed a data breach resulting in the leak of information belonging to three million customers. On Monday, the Italian bank and financial services organization said that a compromised file, generated in 2015, is the source of the security incident. In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered. While UniCredit caters to an international…

InfoSec News Nuggets 10/28/2019

1 - Facebook starts testing News, its new section for journalism Facebook’s news section, which was previously reported to be imminent, is here: The company is rolling out Facebook News in a limited test in the U.S. as a home screen tab and bookmark in the main Facebook app. In a blog post, Facebook’s Campbell Brown (vice president of global news partnerships) and Mona Sarantakos (product manager, news) said that news articles will continue to appear in the main…

InfoSec News Nuggets 10/24/2019

1 - Ransomware Hits B2B Payments Firm Billtrust Business-to-business payments provider Billtrust is still recovering from a ransomware attack that began last week. The company said it is in the final stages of bringing all of its systems back online from backups. With more than 550 employees, Lawrence Township, N.J.-based Billtrust is a cloud-based service that lets customers view invoices, pay, or request bills via email or fax. In an email sent to customers today, Billtrust said…

InfoSec News Nuggets 10/23/2019

1 - Vatican's wearable rosary gets fix for app flaw allowing easy hacks The road to internet-connected salvation is paved with cybersecurity issues. The Vatican discovered that Thursday, after a security researcher disclosed a severe vulnerability with the "Click to Pray" eRosary app. On Wednesday, the Vatican announced its $110 wearable rosary, an internet of things device that syncs with an app from the Pope's Worldwide Prayer Network. One advantage of IoT devices is that they open up a…

InfoSec News Nuggets 10/22/2019

1 - Open AWS buckets expose more than 200K CVs at two online recruitment firms Unsecured AWS servers belonging to two online recruitment firms – U.S.-based Authentic Jobs and Sonic Jobs in the U.K. – have exposed more than 250,000 CVs of job candidates. 2…