InfoSec News Nuggets

1 Listen to this AI spit out brutal death metal non-stop Puzzlomaly is a death metal album that sounds like others from the genre: it’s filled with screeching vocals, bludgeoning beats and dizzying guitar solos. However, the record – which you can listen to on Bandcamp or in the widget below – wasn’t produced by actual musicians. Rather, it was created by a pair of technologists, CJ Carr and Zack Zukowski, using a deep a…

1 Shopify API flaw offered access to revenue data of thousands of stores A security flaw in a Shopify API endpoint has been discovered by a researcher which can be exploited to leak the revenue and traffic data of thousands of stores. Application security engineer and bug bounty hunter Ayoub Fathi disclosed his findings in a Medium blog post this week. Shopify, which accounts for over 800,000 merchants in more than 175 countries, set up…

1 Facebook Collected Contacts from 1.5 Million Email Accounts Without Users' Permission Remember the most recent revelation of Facebook being caught asking users new to the social network platform for their email account passwords to verify their identity? At the time, it was suspected that Facebook might be using access to users' email accounts to unauthorizedly and secretly gather a copy of their saved contacts. Now it turns out that the collection of email contacts…

1 Game of Thrones Phishing Scams and How to Avoid Them The long night has finally ended. Game of Thrones fans can finally come in from the cold and, like a starving dragon, start devouring the latest and final season of the massively popular TV show. But unlike the fantasy series, what is far more real is the plethora of phishing scams facing enthusiasts. While there have been many such deceptions, from malware via pirate…

1 How to keep Alexa, Cortana, Siri, Google Assistant, and Bixby from recording you At their best, voice assistants from the likes of Microsoft, Apple, Google, Samsung, and Amazon empower us to be more productive. They queue up our favorite songs, give us previews of our weekly agendas, and place phone calls to friends and loved ones. But they’re also recording the commands we utter for posterity (and in some cases human review), which predictably…

1 Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support On Saturday, Microsoft confirmed to TechCrunch that some users of the company’s email service had been targeted by hackers. A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated…

1 Robocaller firm Stratics Networks exposed millions of call recordings If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved. The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” providing its customers a way of auto-dialing a list of phone numbers and dropping voicemails without leaving a missed call. The system uses a backdoor voicemail number typically reserved by the carrier to leave a voicemail directly…

1 Android 7.0+ Phones Can Now Double as Google Security Keys Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys, an additional authentication layer that helps thwart phishing sites and password theft. As first disclosed by KrebsOnSecurity last summer, Google maintains it has not had…

1 New Module Suggests Fourth Team Involved in Stuxnet Development A new component discovered by researchers at Chronicle, a cybersecurity company owned by Google parent Alphabet, suggests that a fourth team was involved in the early development of the notorious Stuxnet malware. Stuxnet, believed to have been developed by the United States and Israel, is a worm designed to target industrial systems. It became known as the world’s first cyber weapon after it caused serious…

1 Huawei would reportedly sell 5G chips to Apple, if U.S. ban isn’t an issue In what may be the most unlikely business deal of the year, Huawei is apparently interested in selling 5G chips to Apple — exclusively. The team-up would make plenty of sense, if it wasn’t for the continued swirling of global controversies over the security of Huawei’s 5G hardware. The unlikely prospect of a Huawei-Apple deal was reported today by Engadget,…

1 Exodus Spyware Found Targeting Apple iOS Users The spyware that was recently found lurking in 25 different malicious apps on Google Play has been ported to the Apple iOS ecosystem. The surveillance package – dubbed Exodus – can exfiltrate contacts, take audio recordings and photos, track location data and more on mobile devices. Earlier this month, word came that Google had booted a raft of Exodus-laden apps. According to Lookout Security, it turns out…

1 Amazon's big internet plan: 3,236 satellites to beam faster, cheaper web to millions Amazon has plans to establish a constellation of 3,236 satellites in low Earth orbit to patch up areas with poor or no internet connectivity. Amazon's planned push into satellite-delivered broadband is taking shape under Project Kuiper, details of which appear in three documents filed with the International Telecommunication Union (ITU) last month. The documents were filed by Kuiper Systems LLC. First…

1 Windows 10 News App Blunder Made Users Think They're Infected A configuration mistake in the Microsoft News app caused Window 10 users to receive strange test notifications, which caused them to think they were infected. Last Friday, users on Reddit began posting about strange notifications they were receiving in the Windows 10 action center. These notifications indicated they were from the Microsoft News app, but were labeled as coming from Microsoft Movies. Even stranger,…

1 Walmart partners with Google on voice-enabled grocery shopping Following the latest wave of price cuts at Amazon’s Whole Foods, announced Monday evening, Walmart today introduced its own plans to challenge Amazon on grocery shopping through a partnership with Google. The company is rolling out a new voice-ordering capability, Walmart Voice Order, which works across Google Assistant-powered platforms, including Google’s smart speakers and displays, smartphones, smartwatches and more. The news follows several efforts by Walmart…

1 Delta, Southwest and others apologize after technical issue with contractor program Multiple airlines, including Delta, Southwest and United, experienced computer outages on Monday morning, according to the airlines' Twitter accounts. According to the airlines and to the Federal Aviation Administration, the problem has been resolved and flights have resumed with some delays. The outage was due to a technical issue with a program called AeroData, according to a statement from the FAA. The third-party…

1 Ransomware Hit Garage Used by Canadian Internet Registration Authority A parking garage used by employees of the Canadian Internet Registration Authority (CIRA) suffered a ransomware infection. At the end of their morning commute on 27 March, employees of CIRA arrived at a parking garage maintained by Precise Parklink. The garage typically uses Precise Parklink’s “Automated Parking Revenue Control System” to verify visitors by scanning their parking passes. But not this morning. The garage’s barriers…

1 Office Depot Pays $25 Million To Settle Deceptive Tech Support Lawsuit Office Depot and Support.com, Inc, a tech support software provided from California, agreed to pay $25 million and $10 million respectively for allegedly tricking their customers into paying for millions of US dollars worth of computer repair services using fake malware scans. According to a press release issued today by the U.S. Federal Trade Commission (FTC), the agency will use the money received…

1 Lexus, Toyota, Ford and Porsche panned for 'poor' keyless car security Keyless car security systems in Lexus, Toyota, Ford and Porsche cars have been labelled ‘poor' following a test by experts at Thatcham Research. And security on the Suzuki Jimny was found to be so bad that Thatcham labelled it "unacceptable". The poor security of the vehicles leaves them vulnerable to relay attacks, whereby thieves use wireless devices to activate cars' remote central locking…

1 How blockchain is becoming the 5G of the payment industry As more blockchain-based payment networks and fiat-backed digital currencies – including one from the largest U.S. bank – emerge, experts and analysts are predicting a sea change for the financial services industry. "I think you're starting to see a growing consensus," said Matt Savare, a partner who works in the technology group of New Jersey-based law firm of Lowenstein Sandler LLP. "I do quite…

1 Microsoft's Leaked Edge Browser Should Make Google Worried Over the weekend, a leaked build for the Chromium-based Edge browser has been released that is providing users with their first look at the upcoming browser from Microsoft. If you are currently using Chrome, the reports indicate that this Edge preview browser feels, performs, and has basically has the same features. Microsoft has been quiet regarding their upcoming Microsoft Edge Insider browser, but a slow trickle…

1 Don't have a heart attack but your implanted defibrillator can be hacked over the air Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients' chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect. On Thursday, the US government's Dept of Homeland Security issued an alert over two CVE-listed vulnerabilities in Medtronic's wireless…

1 Firefox 66 now blocks autoplaying audio by default It’s been on the to-do list for a while, but Mozilla announced yesterday that with the release of Firefox 66 for desktop and Firefox for Android this week, media autoplay of video or audio is now blocked on websites by default. According to Mozilla’s developer blog, this means that when users: Go to a site that plays videos or audio, the Block Autoplay feature will stop…

1 Volvo will use in-car cameras to combat drunk and distracted driving Volvo said on Wednesday it will use cameras installed inside its vehicles to monitor driver behavior and intervene if the driver appears to be drunk or distracted. It’s a risky move by an automaker, even one with a reputation for safety like Volvo, which could raise concerns among privacy advocates. Volvo’s in-car cameras will monitor eye movements to gauge driver distraction and /…

1 Home DNA kit company now lets users opt out of FBI data sharing FamilyTreeDNA emailed users last week to let them know that they can now opt out of DNA matching that will be used to help police identify the remains of deceased people or to help them track down violent criminals. It’s now calling that type of investigative DNA research Law Enforcement Matching (LEM). The gene-matching company also set up a separate process…

1  HERE'S WHAT IT'S LIKE TO ACCIDENTALLY EXPOSE THE DATA OF 230M PEOPLE As he Googled his company's name that morning last June, Hardigree found a growing list of headlines pointing to the 10-person marketing firm he'd founded three years earlier, Exactis, as the source of a leak of the personal records of nearly everyone in the United States. A friend in an office adjacent to the one he rented as the company's headquarters in…

1 The Hottest Chat App for Teens Is … Google Docs When the kids in Skyler’s school want to tell a friend something in class, they don’t scrawl a note down on a tiny piece of paper and toss it across the room. They use Google Docs. “We don’t really pass physical notes anymore,” said Skyler, 15, who, like all the other students in this story, is identified by a pseudonym. As more and more…

1 CYBERCOM Seeks Troops Who Can Unleash Artificial Intelligence The Defense Department’s cyber warriors shouldn’t be too concerned about artificial intelligence taking their jobs, according to their commander. Instead, U.S. Cyber Command is looking for troops able to wield AI like a weapon. During a budget hearing Wednesday held by the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, Rep. Anthony Brown, R-Md., asked the Pentagon’s cyber leadership whether AI could help reduce…

1 A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates A major operational error by GoDaddy, Apple, and Google has resulted in the issuance of at least 1 million browser-trusted digital certificates that don’t comply with binding industry mandates. The number of non-compliant certificates may be double that number, and other browser-trusted authorities are also likely to be affected. The snafu is the result of the companies' misconfiguration of the open source…

1 Lawyers for alleged LinkedIn hacker appear ready to fight results of psychiatric evaluation The ongoing court case tied to an accused Russian hacker took another turn last week when the results of his psychiatric evaluation became a topic of contention. Now court deliberations in the case of Yevgeniy Nikulin, an alleged hacker accused of breaching LinkedIn, are scheduled to continue after a court-ordered psychiatric evaluation sought to determine whether he was fit to stand…

1 Attack on Software Giant Citrix Attributed to Iranian Hackers Software giant Citrix on Friday revealed that its internal network had been breached and the attackers may have stolen business documents. The company said it was informed by the FBI on March 6 that its systems had been breached by “international cyber criminals.” Citrix has launched a forensic investigation and it has taken action to secure its network.Citrix’s investigation so far suggests that the attackers…

1 Beyond Hybrid War: How China Exploits Social Media to Sway American Opinion We studied Chinese state-run social media influence operations and concluded that the Chinese state utilized techniques different from the Russian state. These differences in technique are driven by dissimilar foreign policy and strategic goals. President Xi Jinping has global strategic goals for China different from those President Vladimir Putin has for Russia; as a result, the social media influence techniques used by…

1 New York, Beijing Chip Away at Silicon Valley Amazon.com Inc. may have dropped plans to build a campus in New York, but many technology industry leaders say the city is on track to become a go-to innovation source for businesses world-wide in the next few years, according to a study by KPMG LLP. More than half of the executives recently surveyed by the accounting giant said Silicon Valley will cease to dominate global tech…

1 U.S. Army Assures Public That Robot Tank System Adheres to AI Murder Policy Last month, the U.S. Army put out a call to private companies for ideas about how to improve its planned semi-autonomous, AI-driven targeting system for tanks. In its request, the Army asked for help enabling the Advanced Targeting and Lethality Automated System (ATLAS) to “acquire, identify, and engage targets at least 3X faster than the current manual process.” But that language…

1 Researchers granted server by gov officials link Sharpshooter attacks to North Korea Analysis of a command-and-control (C2) server awarded to researchers by law enforcement after seizure has provided valuable information on the threat actors behind a global hacking campaign. Dubbed "Operation Sharpshooter" by McAfee cybersecurity researchers, the campaign was first uncovered in December 2018. Operation Sharpshooter targets government departments, telecoms, energy, defense, and other organizations worldwide. The attack wave predominantly focuses on targets in…

1 Montreal-based UN aviation agency tried to cover up 2016 cyberattack In November 2016, the Montreal-based International Civil Aviation Organization (ICAO) was hit by the most serious cyberattack in its history, and internal documents obtained by CBC suggest key members of the team that should have prevented the attack tried to cover up how badly it was mishandled. As the United Nations body that sets standards for civil aviation around the world, ICAO is the…

1 U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms The U.S. military blocked Internet access to an infamous Russian entity seeking to sow discord among Americans during the 2018 midterms, several U.S. officials said, a warning that the Kremlin’s operations against the United States are not cost-free. The strike on the Internet Research Agency in St. Petersburg, a company underwritten by an oligarch close to President Vladi­mir…

1 A simple and secure biometric login for Android 7.0+ FIDO Alliance announced that Android is now FIDO2 Certified, bringing simpler, stronger authentication capabilities to over a billion devices that use this platform every day. With this news, any compatible device running Android 7.0+ is now FIDO2 Certified out of the box or after an automated Google Play Services update. This gives users the ability to leverage their device’s built-in fingerprint sensor and/or FIDO security…

1 More Internal Facebook Documents Leak Online, Revealing How Facebook Planned to Sell User Data On Friday, more internal emails started trickling out. Nearly 100 new pages, first reported by Computer Weekly, include court filings and internal discussions by Facebook employees, including CEO Mark Zuckerberg, about how to charge developers for access to Facebook users’ data, how to make more money off gaming apps, special access to Facebook data for whitelisted partners, and an emergency…

1 New flaws in 4G, 5G allow attackers to intercept calls and track phone locations A group of academics have found three new security flaws in 4G and 5G, which they say can be used to intercept phone calls and track the locations of cell phone users. The findings are said to be the first time vulnerabilities have affected both 4G and the incoming 5G standard, which promises faster speeds and better security, particularly against…

1 A third of all Chrome extensions request access to user data on any site The same survey also found that roughly 85 percent of the 120,000 Chrome extensions listed on the Chrome Web Store don't have a privacy policy listed, meaning there's no legally-binding document describing how extension developers are committing to handling user data. Additional survey findings include the fact that 77 percent of the tested Chrome extensions didn't list a support site,…

1 Samsung’s foldable phone is the Galaxy Fold, available April 26th starting at $1,980 Samsung first teased its foldable phone back in November, and at the company’s Galaxy Unpacked event today, it’s further detailing its foldable plans. Samsung’s foldable now has a name, the Samsung Galaxy Fold, and the company is revealing more about what this unique smartphone can do. Samsung is planning to launch the Galaxy Fold on April 26th, starting at $1,980, through…

1 A Real Tube Carrying Dreams of 600-M.P.H. Transit California just decided to sharply scale back its plans for a high-speed rail artery meant to transform travel up and down the state. But in the desert outside Las Vegas, the transportation ambitions still seem limitless. Here, engineers working for Virgin Hyperloop One are testing a radically different type of mass transit: one that aims to move people and cargo in small wheel-less pods in a…

Academics Confirm Major Predictive Policing Algorithm is Fundamentally Flawed Last week, Motherboard published an investigation which revealed that law enforcement agencies around the country are using PredPol—a predictive policing software that once cited the controversial, unproven “broken windows” policing theory as a part of its best practices.  In a 2014 presentation to police departments obtained by Motherboard, the company says that the software is “based on nearly seven years of detailed academic research into the…

Lenovo Watch X Riddled with Security Vulnerabilities Researchers are raking the Lenovo Watch X over the security coals in a report that blasts the device for shipping with a half dozen “disturbing” privacy and security vulnerabilities. The budget ($50) smartwatch was introduced in June 2018 and was initially praised for its design, features and affordability. But months following the launch, the Lenovo X Watch has since been hearing an earful from usability, and now security,…

Some GPS receivers may malfunction on or after April 6 April sees the GPS network go through a mini "millennium bug" of its own because the week number will roll back to a zero. While this is a known issue arising from the way the system works, it's recommended that those in charge of critical infrastructure which make use of GPS, along with other businesses and users who believe a malfunction would result in problems,…

Hackers Charged With Making Threats to Schools Two computer hackers were charged with sending false shooting and bomb threats to hundreds of schools and other institutions in the U.S. and Britain, federal prosecutors said Tuesday. The men are members of Apophis Squad, a worldwide collective of hackers intent on using the internet to “sow chaos,” the Department of Justice said in Los Angeles. Timothy Vaughn of Winston-Salem, North Carolina, was arrested this week by the…

              February 13, 2019   Microsoft States Windows Update DNS Issues are Finally Fixed Starting in late January, Windows 10 users began reporting that when they tried to perform an update, Windows would state that it could not connect to the Windows Update service. At the time, Microsoft did not disclose the cause of the issue, but as users could fix the problem by changing their DNS servers, it was widely thought to be a…

Facebook 'youth team' to focus on Messenger Kids app for under-13s Facebook is restructuring its “youth team” with a greater focus on Messenger Kids, its instant-messaging app for under-13s, reports say. The team, a small group within the company responsible for getting children to use the social network, had previously been working on an experimental new feature called LOL, described by industry news site TechCrunch as a “cringey teen meme hub”. With categories such as…

Foreign VPN apps need a close look from DHS, senators say The Department of Homeland Security should assess the security threat posed by foreign VPN applications to U.S. government employees, a bipartisan pair of senators says. Some popular VPN apps send a phone’s web-browsing data to servers in countries interested in targeting federal personnel, raising “the risk that user data will be surveilled by those foreign governments,” Sens. Marco Rubio, R-Fla., and Ron Wyden, D-Ore.,…

Crooks Continue to Exploit GoDaddy Hole Godaddy.com, the world’s largest domain name registrar, recently addressed an authentication weakness that cybercriminals were using to blast out spam through legitimate, dormant domains. But several more recent malware spam campaigns suggest GoDaddy’s fix hasn’t gone far enough, and that scammers likely still have a sizable arsenal of hijacked GoDaddy domains at their disposal. On January 22, KrebsOnSecurity published research showing that crooks behind a series of massive sextortion…