AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 01/22/2021

Vehicle Manufacturers Face Cybersecurity Challenges

Over the last several decades, there have been significant advancements in automotive technology. Today’s vehicles are equipped with more sophisticated computer systems than ever before. But as our reliance on technology continues to grow, so does the potential for cybersecurity attacks and resulting litigation. That’s why it’s becoming increasingly important for car manufacturers to pay close attention to the legal landscape. One recent case illustrates what’s going on. On March 27, 2020, the U.S. District Court for the Southern District of Illinois dismissed an automotive cybersecurity class action lawsuit, Flynn v. FCA US LLC. In Flynn, the plaintiffs alleged that the Uconnect system that allows integrated control over phone, navigation, and entertainment functions in certain vehicles was vulnerable to hackers seeking to take remote control of those vehicles.


Touchless tech mimics the ability to ‘press’ an elevator button

On their COVID-19 information pages, both the CDC and the WHO warn people against touching their faces with unwashed hands, since the virus can survive on surfaces. There’s been a rise in the use of touchless technologies as a result, and Singaporean studio Stuck Design envisions a world wherein passengers won’t even have to press elevator buttons with their fingers to get to where they need to go. The studio’s Kinetic Touchless technology can mimic the movement of one’s fingers and recreate the tactile response of pushing a button. It works by using motion as an input method so it doesn’t need direct contact and can imitate the movement from a distance.


How Law Enforcement Accesses Encrypted Data

Increasingly, law enforcement agencies and lawmakers are asking smartphone developers like Apple and Google to create backdoors into the encryption that protects user data. But even without them, investigators can access your data. Wired recently reported that cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google to study the strength of Android and iOS encryption. Lead researcher and cryptographer Matthew Green found that smartphone operating systems aren’t extending encryption as far as he originally assumed. Vulnerabilities that allow access to decryption keys, which open access to additional data, are more often than not found when a phone is unlocked for the first time after rebooting. Apple states that these types of attacks are very costly to develop and aren’t the typical type of security work it focuses on to protect personal information from hackers, thieves, and criminals. Security layers could be deeper, but Apple’s goal is to balance security with user experience and convenience.


Controversial anti-tracking feature is about to go live in iOS 14

“Release Candidate” is Apple’s new name for “Golden Master.” It’s the final version of the software sent out early for testing, before the general public gets access. People testing earlier beta versions of iOS 14.4 and iPadOS 14.4 report that they force iPhone applications to specifically ask if they can track the user for advertising purposes. Apple touted this privacy feature at its 2020 developers conference, but companies like Facebook that make their money from tracking users are opposed to the feature, so the debut was pushed back by months. But the wait is seemingly almost over. There are other tweaks in the new versions, too. Like, the process of handing off audio to a HomePod has been enhanced. And the update warns iPhone users if the camera was replaced with one that is not a genuine Apple part.


Phishing scam had all the bells and whistles—except for one

Criminals behind a recent phishing scam had assembled all the important pieces. Malware that bypassed antivirus—check. An email template that got around Microsoft Office 365 Advanced Threat Protection—check. A supply of email accounts with strong reputations from which to send scam mails—check. It was a recipe that allowed the scammers to steal more than 1,000 corporate employee credentials. There was just one problem: the scammers stashed their hard-won passwords on public servers where anyone—including search engines—could (and did) index them. “Interestingly, due to a simple mistake in their attack chain, the attackers behind the phishing campaign exposed the credentials they had stolen to the public Internet, across dozens of drop-zone servers used by the attackers,” researchers from security firm Check Point wrote in a post published Thursday. “With a simple Google search, anyone could have found the password to one of the compromised, stolen email addresses: a gift to every opportunistic attacker.”


Microsoft Edge is the latest browser to get leaked passwords warning

Microsoft is adding a new Edge feature that will be familiar to users of Chrome and select other browsers: an alert when your password is compromised. Called Password Monitor, the security feature is designed to alert users when their password has been discovered as the result of a third-party breach, such as from an old forum you used to post on that was later compromised. According to Microsoft, Edge’s new Password Monitor won’t reveal your password to Microsoft as part of the alert. No one, including third parties, will be made aware of the passwords the user enters. This is made possible, according to the company, using innovations from its Microsoft Research division.
