AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 05/14/2021

1 – I Mailed an AirTag and Tracked Its Progress

I live near Stratford-upon-Avon, in the United Kingdom, and I sent the AirTag to a friend south of London. I mailed this AirTag on Friday afternoon, and, with first-class postage, I expected the envelope to be delivered the next day. The AirTag weighs a mere 11g, so I taped one to a card, then put it in a small bubble envelope for protection. I dropped it in the mailbox in my village, just down the road from my home. I made sure to open the Find My app on my iPhone when I was next to the mailbox; it showed the correct location. Mail is picked up around 5 pm, and a bit later than that, I checked the Find My app on my iPad. At 5:28, I found that my AirTag had reached the local sorting station. This means that someone, either the mailman who picked up the mail and delivered it to the sorting station, or another employee at the sorting station, had an iPhone, which spotted the AirTag. Apple touts their network of nearly a billion devices capable of spotting AirTags, and if there are that many, it should be easy to track this envelope across the country.


2 – Police Doxxed After Ransom Dispute

Cyber-criminals appear to have leaked online data belonging to the Metropolitan Police Department of the District of Columbia after the law enforcement agency allegedly failed to comply with a ransom demand. In April, ransomware gang Babuk claimed to have stolen more than 250GB of data from the MPD. Data posted by the gang to back up their claim appeared to contain MPD reports, mug shots, internal memos, and personal information belonging to some suspects who had been placed under arrest. MPD said on April 26 that it was “aware of unauthorized access on our server” and was working to determine what data may have been compromised. Vice reported that on Tuesday, Babuk started publishing what it claims are MPD files online after ransom negotiations broke down. Babuk claims that an amount of money allegedly offered by MPD to secure the files the gang claims to have stolen was too low.


3 – Verizon DBIR 2021: “Winners” No Surprise, But All-round Vigilance Essential

Verizon’s annual Data Breach Investigations Report (DBIR) is launched today and as always provides valuable insight into the cybersecurity challenges faced by organizations. We all know that 2020 was a year like no other. Phishing and ransomware were the most “successful” of the threats, up 11% and 6% respectively. However, the rapid innovations that many organizations made in 2020 did not always address information risk and security upfront, leading to further opportunities for compromise by malicious threats. Omdia’s annual ICT Enterprise Insights survey, last undertaken in mid-2020, found that the transformation of customer experience is the leading technological impact of COVID-19, with 34% describing it as “significantly more important”, and a further 42% as “more important” (n=4,961). This is because innovation must continue and many organizations have evolved and even changed the way they do business, with customers at the heart of that business (public and private sector alike).


4 – Colonial Pipeline Reportedly Paid Hackers $5 Million for Decryption Key That Wasn’t Very Useful

About a week ago, Colonial Pipeline apparently paid the ransomware group DarkSide approximately $5 million in exchange for a data decryption key that didn’t really decrypt that much data. An investigation from Bloomberg found that, despite earlier reports suggesting the company had no intention of paying the cybercriminals, Colonial actually did just that “within hours of the attack,” using an untraceable cryptocurrency. In exchange for that fat stack of cash, Colonial received a decryption tool that was so slow that the company had to rely on its own back-ups to continue restoring service, the news outlet reports. New York Times reporter Nicole Perlroth later stated that the ransom was paid using 75 Bitcoin. Gizmodo sent multiple emails to Colonial representatives for comment and will update this story when we hear back.


5 – Exploiting custom protocol handlers for cross-browser tracking in Tor, Safari, Chrome and Firefox

In this article we introduce a scheme flooding vulnerability, explain how the exploit works across four major desktop browsers and show why it’s a threat to anonymous browsing. In our research into anti-fraud techniques, we have discovered a vulnerability that allows websites to identify users reliably across different desktop browsers and link their identities together. The desktop versions of Tor Browser, Safari, Chrome, and Firefox are all affected. We will be referring to this vulnerability as scheme flooding, as it uses custom URL schemes as an attack vector. The vulnerability uses information about installed apps on your computer in order to assign you a permanent unique identifier even if you switch browsers, use incognito mode, or use a VPN.