AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 01/13/2022

Fact-checkers label YouTube a ‘major conduit of online disinformation’

Fact-checking organisations around the world say that YouTube is not doing enough to prevent the spread of misinformation on the platform. Some 80 groups have signed a joint letter to the Google-owned platform’s chief executive Susan Wojcicki. The letter says it is “one of the major conduits of online disinformation and misinformation worldwide”. The organisations want YouTube to take firmer action against anti-vaccine videos, and election disinformation. Among the signatories from Europe, Africa, Asia, the Middle East, and the Americas are UK charity Full Fact, and the Washington Post’s fact-checking team.

 

Security researcher claims to have hacked into over 25 Teslas in 13 countries

The problem is not with Tesla’s system or infrastructure, but rather with the third-party software, he says. A 19-year-old security researcher claims to have uncovered a security flaw in third-party software provided for Tesla vehicles that could enable hackers to take control of some of the vehicle’s functionality from the outside. David Colombo, who is from Germany, said he could remotely access some functions of more than 25 Tesla cars in 13 countries by exploiting the flaw, without the owners’ knowledge. He was able to see if a driver was in the car and could identify its exact location, Colombo claimed. In addition, he was able to remotely open the doors and windows of the cars, disable their security systems, start the engine, flash headlights, turn on their radios and “remotely rick roll the affected owners by playing Rick Astley on YouTube in their Teslas”.

 

White House hosts open-source software security summit in light of expansive Log4j flaw

Tech giants and federal agencies will meet at the White House on Thursday to discuss open-source software security, a response to the widespread Log4j vulnerability that’s worrying industry and cyber leaders. Among the attendees are companies like Apple, Facebook and Google, as well as the Apache Software Foundation, which builds Log4j, a ubiquitous open-source logging framework for websites. “Building on the Log4j incident, the objective of this meeting is to facilitate an important discussion to improve the security of open source software — and to brainstorm how new collaboration could rapidly drive improvements,” a senior administration official said in advance of the meeting.

 

Apple and T-Mobile say iOS 15.2 didn’t switch off iCloud Private Relay

Apple has denied that last month’s iOS 15.2 update is behind the difficulty some iPhone owners have faced with using the iCloud Private Relay feature on cellular networks. Verizon, AT&T, and T-Mobile earlier this week said they weren’t blocking the VPN-like feature, but T-Mobile claimed to have identified that iOS 15.2 toggled it off by default. Now Apple says that’s not the case. After releasing an updated beta of iOS 15.3 that clarifies the language in iCloud settings, Apple issued a statement to 9to5Mac saying that iOS 15.2 wasn’t the problem. “No changes were made to iCloud Private Relay in iOS 15.2 that would have toggled the feature off,” the statement reads. “Users are encouraged to check their Settings to see if Private Relay is enabled on their device or for a specific network.”

 

NSO spyware found targeting journalists and NGOs in El Salvador

The University of Toronto’s Citizen Lab along with Access Now have found the Pegasus spyware developed by the now-sanctioned NSO Group was used to target journalists and non-government organisations operating in El Salvador. In total, the investigation found 35 individuals were targeted across 37 devices, with Citizen Lab having a high degree of confidence that data was exfiltrated from devices belonging to 16 targets. “In several cases, Pegasus apparently exfiltrated multiple gigabytes of data successfully from target phones using their mobile data connections,” Citizen Lab said in a blog post. “We observed extensive targeting using zero-click exploits, however we also identified specific instances in which targets were sent one-click infection links via SMS message.”

 

Ransomware targets Edge users

Unless you’ve been hiding under a rock for the last twenty years, you’ve probably heard the one about “keeping your software up to date”. Applying software updates promptly is arguably the single most useful thing you can do to keep yourself secure online, and vendors, experts, pundits, and blogs like ours, never let users forget it! And because it’s good advice that’s easy to follow, cybercriminals like to use fake software updates to con users. Fake software updates have been a go-to tactic for getting users to download malware for many years. A convincingly-branded message that tells users they need to update their out of date software taps into all the good security messaging users have soaked up, it gives them a reason to install strange software from the Internet, and it carries exactly the right mixture of implied threat and urgency that social engineers like.

Related Posts