AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 02/11/2021

Accused murderer wins right to check source code of DNA testing kit used by police

A New Jersey appeals court has ruled that a man accused of murder is entitled to review proprietary genetic testing software to challenge evidence presented against him. Attorneys defending Corey Pickett, on trial for a fatal Jersey City shooting that occurred in 2017, have been trying to examine the source code of a software program called TrueAllele to assess its reliability. The software helped analyze a genetic sample from a weapon that was used to tie the defendant to the crime. The maker of the software, Cybergenetics, has insisted in lower court proceedings that the program’s source code is a trade secret. The co-founder of the company, Mark Perlin, is said to have argued against source code analysis by claiming that the program, consisting of 170,000 lines of MATLAB code, is so dense it would take eight and a half years to review at a rate of ten lines an hour.


Researcher hacks over 35 tech firms in novel supply chain attack

A researcher managed to breach over 35 major companies’ internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel software supply chain attack. The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the companies’ internal applications. For his ethical research efforts, the researcher has earned well over $130,000 in bug bounties.
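One defender-side check in the spirit of this item, as an added example that is not part of the original post or the researcher's work: a small Python auditor over a constructed requirements.txt that flags the pip settings (floating versions, missing hashes, a public fallback index) that let a public-registry package be pulled into an internal build automatically. The package names and the hash value are placeholders.

```python
"""Audit a pip requirements file for settings that let a public-registry
package silently stand in for an internal one (added example; not from
the original post or the researcher's work).

Checks, per line:
  * dependency pinned with '==' (no floating versions)
  * '--hash=' present so pip verifies the artifact it installs
  * '--extra-index-url' not used (it lets pip fall back to public PyPI
    even when a private index is configured; '--index-url' alone does not)
"""
import re

# Constructed sample requirements file; names and hash are placeholders.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.internal.example/simple
--extra-index-url https://pypi.org/simple
internal-billing-lib>=2.0
requests==2.25.1 --hash=sha256:""" + "0" * 64 + """
acme-auth-client
"""

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*[^\s]+")


def audit_requirements(text):
    """Return a list of (line_number, finding) tuples for risky lines."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--extra-index-url"):
            findings.append((lineno, "extra-index-url allows public fallback"))
            continue
        if line.startswith("-"):  # other pip options, e.g. --index-url
            continue
        if not PIN_RE.match(line):
            findings.append((lineno, "dependency not pinned with =="))
        if "--hash=" not in line:
            findings.append((lineno, "no --hash, artifact not verified"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {finding}")
```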


PyPI, GitLab dealing with spam attacks

Spammers have inundated the Python Package Index (PyPI) portal and the GitLab source code hosting website with garbage content, flooding both with ads for shady sites and services. The attacks were unrelated to each other. The bigger of the two attacks took place on PyPI, the official package repository for the Python programming language, and a website that hosts tens of thousands of Python libraries. For the past month, spammers have been abusing the fact that anyone can create entries on the PyPI website to generate pages for non-existent Python libraries that basically served as giant SEO ads for various shady sites.

But while the spam attack on PyPI appears to have been going on for at least a month, a new one was detected at GitLab, a website that allows developers and companies to host and sync work on source code repositories. An unknown threat actor appears to have spammed the Issues Tracker for thousands of GitLab projects with spam content on Sunday and Monday that, each, triggered an email to account holders. Just like the spam on PyPI, these comments also redirected users to shady sites.


TikTok sale to Oracle and Walmart shelved as Biden reviews security, say reports

Oracle and Walmart’s plan to buy TikTok’s US operations has reportedly been pushed back indefinitely, as the US president, Joe Biden, reviews the previous administration’s efforts to address potential security risks posed by Chinese tech companies. The administration of the former president Donald Trump had cited national security concerns in its targeting of TikTok, arguing the personal data of US users could be obtained by China’s government. TikTok denies the allegation. It comes as TikTok’s owner, ByteDance, finds itself in a legal tussle with the US government, with many federal courts barring the commerce department’s attempt to shut down TikTok’s operations in the US.


Apple Maps to gain Waze-like features for reporting accidents, hazards and speed traps

Apple Maps is inching into more Waze-like territory with an update that will give drivers the ability to report road hazards, accidents, or even speed traps. The new features are live now in the iOS 14.5 beta, which is now open to public beta testers as well as developers, but won’t roll out to the general public until later this spring, Apple says. To use the new features, drivers will be able to report road issues and incidents by using Siri on their iPhone or through Apple’s CarPlay. For example, during navigation, they’ll be able to tell Siri things like “there’s a crash up ahead,” “there’s something on the road,” or “there’s a speed trap here.” They’ll also be able to correct stale accident or hazard alert information by saying things like “the hazard is gone” or “the incident is no longer here.”


People are often the collateral damage of attacks on corporations

Thanks to cyberattacks making regular headlines in the news, it’s no secret that massive data breaches are a significant threat to organizations. However, a report from F-Secure highlights the rarely-discussed impact these attacks can have on people and families using online services. According to the report, nearly 3 out of every 10 respondents to the survey experienced some type of cybercrime (such as malware/virus infections, unauthorized access to email or social media accounts, credit card fraud, cyber bullying, etc.) in the 12 months prior to answering. However, cybercrime was roughly three times more common among respondents using one or more online services that had been breached by attackers. 60% of respondents belonging to this group – called “The Walking Breached” in the report – experienced cybercrime in the 12 months leading up to the survey, compared to just 22% of other respondents.


Clubhouse, the invite-only audio app, explained

The audio chat app Clubhouse is built for two types of people: the talkers and the listeners. Tesla founder Elon Musk is a talker. So is Facebook’s Mark Zuckerberg. Robinhood’s Vlad Tenev is a talker, as are many other influential Silicon Valley figures, like investors Ben Horowitz and Marc Andreessen, who have staked millions of dollars into Clubhouse’s success. A regular user can be a talker too, although there’s no promise anyone (besides a few friends) will show up and stick around. As a listener, though, the app offers a smorgasbord of chatrooms on virtually any topic you can think of: foreign language practice, wealth management, Instagram marketing tips, therapy, a 24/7 lo-fi music streaming service. Toggling between public rooms on the homepage is simple: A listener can quietly drop, already muted, into rows of audience members and tune into the unfolding conversation.
