AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


#InfoSec News Nuggets – 05/22/2019

Pier 400 in Los Angeles is North America’s largest shipping terminal. More than 1,700 trucks pass through, on average per day, even in the middle of the U.S.-China trade war. All that cargo translates into thousands of miles driven within the facility each day, mostly by diesel vehicles, spewing pollutants. For APM Terminals, the part of global shipping company A.P. Moller-Maersk A/S that runs the Los Angeles terminal, the future of cargo handling looks like the future of driving: electric motors replacing gasoline engines, autonomous software replacing human workers. The company says the changes are necessary to meet California rules requiring container terminals to reach zero emissions by 2030 and to keep business from leaving for other coasts.


2 DHS Warns of Data Theft via Chinese-Made Drones

The US Department of Homeland Security warns that Chinese-made drones could be transmitting flight data to their manufacturers and, in doing so, make it accessible to the Chinese government. Data security concerns aren't new when it comes to drones built in China: the US Army banned drones made by DJI in 2017, citing concerns about DJI sharing data with the Chinese government. DJI makes 80% of drones used in the US and Canada, reports CNN, citing industry analysis. Law enforcement agencies and infrastructure firms in the US have adopted and now rely on drones. The Cybersecurity and Infrastructure Security Agency calls the drones "a potential risk to an organization's information," the report states, citing a copy of the alert obtained by CNN. The alert, which does not name any drone maker, says drones "contain components that can compromise your data and share your information on a server accessed beyond the company itself."


3 Millions of Golfers Land in Privacy Hazard After Cloud Misconfig

Millions of golfer records from the Game Golf app, including GPS details from courses played, usernames and passwords, and even Facebook login data, were all exposed for anyone with a web browser to see: a veritable hole-in-one for an attacker looking to build profiles of potential victims for follow-on social-engineering attacks. Security Discovery researcher Bob Diachenko recently ran across an Elasticsearch instance with no authentication configured, so its contents could be read by anyone who pointed a browser at its HTTP API. Further inspection showed that it belongs to Game Golf, a family of apps developed by San Francisco-based Game Your Game Inc. Game Golf comes as a free app, as a paid pro version with coaching tools, and bundled with a wearable. It's a straightforward analyzer for those who like to hit the links, tracking courses played, GPS data for specific shots, various player stats and so on, plus a messaging and community function and an optional "caddy" feature.
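The misconfiguration behind this story is an Elasticsearch HTTP API reachable without credentials. The script below is an added example, not code from the original post or from Security Discovery: it probes a host you are authorized to test, classifies the answer to `GET /` (open, auth required, or not Elasticsearch at all), and, if the cluster is open, lists its indices and document counts so you can see how much data is exposed. It assumes the default port 9200 and the hypothetical target address in `__main__`; the response bodies in the test are constructed.

```python
"""Triage check for an Elasticsearch endpoint that may be reachable without
authentication. Added example, not from the original post or from Security
Discovery. Assumes the target speaks the Elasticsearch HTTP API on port 9200;
the default host below is a hypothetical placeholder."""
import json
import sys
import urllib.error
import urllib.request


def classify(status, body):
    """Classify one response from GET / on a suspected Elasticsearch host.

    status: HTTP status code (int or None); body: response body (str).
    Returns 'open', 'auth-required' or 'not-elasticsearch'.
    """
    if status == 401:
        return "auth-required"          # security enabled, creds demanded
    if status != 200:
        return "not-elasticsearch"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    # An unauthenticated cluster answers GET / with its banner, which carries
    # "cluster_name" and a "version" object; anything else is not ES.
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open"
    return "not-elasticsearch"


def indices_from_cat(body):
    """Parse the text output of GET /_cat/indices?h=index,docs.count into
    a list of (index_name, document_count) tuples."""
    out = []
    for line in body.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            out.append((parts[0], int(parts[1])))
    return out


def fetch(url, timeout=5):
    """GET url and return (status, body). A 401 is returned, not raised;
    a connection failure returns (None, '')."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # subclass of URLError, so first
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return None, ""


def check_host(base_url):
    """Return (verdict, indices); indices is only filled when the cluster is open."""
    status, body = fetch(base_url + "/")
    if status is None:
        return "unreachable", []
    verdict = classify(status, body)
    if verdict != "open":
        return verdict, []
    status, body = fetch(base_url + "/_cat/indices?h=index,docs.count")
    return verdict, indices_from_cat(body) if status == 200 else []


if __name__ == "__main__":
    # Hypothetical target; replace with a host you are authorized to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    verdict, indices = check_host(target)
    print(target, verdict)
    for name, docs in indices:
        print(f"  {name}: {docs} documents")
```

An "open" verdict with non-trivial document counts is the situation described above; the fix on the Elasticsearch side is to enable authentication and to bind the node to a private interface rather than 0.0.0.0 before it ever touches a public address.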


4 Cyber Command's latest VirusTotal upload has been linked to an active attack

The malware sample that U.S. Cyber Command uploaded to VirusTotal last week is still involved in active attacks, multiple security researchers tell CyberScoop. Researchers from Kaspersky Lab and from ZoneAlarm, the consumer security brand of Check Point Software Technologies, tell CyberScoop they have linked the malware to APT28, the same hacking group that breached the Democratic National Committee during the 2016 election cycle. A variant of the malware is being used in ongoing attacks, hitting targets as recently as this month. The targets include Central Asian nations, as well as diplomatic and foreign affairs organizations, Kaspersky Lab's principal security researcher Kurt Baumgartner tells CyberScoop.


5 Brave browser concerned that Client Hints could be abused for tracking

The people at the privacy-focused browser Brave have criticised an industry proposal they say would make it easier for websites to identify a browser using a passive, cookie-less technique called fingerprinting. Called HTTP Client Hints, the proposal provides a standard way for a web server to ask a browser for information about itself. It comes from the Internet Engineering Task Force (IETF). This organization works with industry members to create voluntary standards for internet protocols, and it has a lot of power: it standardized TCP and HTTP, two of the internet's foundational protocols. HTTP already offers a technique called proactive negotiation, in which the browser describes itself to the server through headers such as Accept and User-Agent. That description is sent on every request, though, whether or not the server wants it, which the IETF considers wasteful. Client Hints makes things easier for the server. It defines a new response header, Accept-CH, that a server can send whenever it likes, naming the properties it wants to know about, such as the browser's display width and height in pixels, the amount of memory the device has, and its colour depth; the browser then attaches those values as headers on its subsequent requests. Brave's concern is that each value the browser volunteers is one more bit a tracker can fold into a fingerprint without ever setting a cookie.
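To make the exchange concrete, here is a small model of both sides of it, written as an added example for this post; it is not code from Brave, from the IETF draft, or from the original article. The server opts in with `Accept-CH`, the browser either honours the request (the default behaviour the proposal assumes) or refuses it (the Brave position), and a `fingerprint` function shows what a tracker gains from the volunteered headers. The hint names follow the draft; the device values and the browser name are constructed for illustration.

```python
"""Model of the HTTP Client Hints exchange: server opt-in, browser reply,
and what a tracker does with the result. Added example, not code from Brave,
the IETF draft or the original post. Device values are constructed."""
import hashlib

# Constructed sample device, keyed by hint name as it appears in Accept-CH.
DEVICE = {"DPR": "2", "Viewport-Width": "1280", "Device-Memory": "8"}


def server_response(hints):
    """Server side: a response whose Accept-CH header asks for the given hints."""
    return {"Accept-CH": ", ".join(hints), "Content-Type": "text/html"}


def parse_accept_ch(header):
    """Split an Accept-CH field value into hint names (comma-separated list)."""
    return [h.strip() for h in header.split(",") if h.strip()]


def client_request(response_headers, honour_hints=True):
    """Browser side: headers for the next request to the same origin.

    With honour_hints=True the browser adds every requested hint it knows.
    With honour_hints=False (a Brave-style refusal) nothing beyond the
    User-Agent is sent, whatever the server asked for.
    """
    headers = {"User-Agent": "ExampleBrowser/1.0"}   # constructed name
    if not honour_hints:
        return headers
    for name in parse_accept_ch(response_headers.get("Accept-CH", "")):
        # HTTP header names are case-insensitive; match accordingly.
        key = next((k for k in DEVICE if k.lower() == name.lower()), None)
        if key is not None:
            headers[key] = DEVICE[key]
    return headers


def fingerprint(request_headers):
    """Tracker side: fold every header value the browser volunteered into one
    stable identifier. No cookie is involved; the more hints, the more
    distinguishable the browser."""
    parts = [f"{k.lower()}={request_headers[k]}" for k in sorted(request_headers)]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


if __name__ == "__main__":
    resp = server_response(["DPR", "Viewport-Width", "Device-Memory"])
    for honour in (True, False):
        req = client_request(resp, honour_hints=honour)
        print("honour hints:", honour, "->", req, "fingerprint:", fingerprint(req))
```

The identifier is stable across requests from the same device and changes with every extra hint the browser hands over; a browser that declines the hints collapses back to the much larger crowd that shares only its User-Agent string.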

6 Bug-hunter reveals another 'make me admin' Windows 10 zero-day – and vows: 'There's more where that came from'

A bug-hunter who previously disclosed Windows security flaws has publicly revealed another zero-day vulnerability in Microsoft's latest operating systems. The discovered hole can be exploited by malware and rogue logged-in users to gain system-level privileges on Windows 10 and recent Server releases, allowing them to gain full control of the machine. No patch exists for this bug, details and exploit code for which were shared online on Tuesday for anyone to use and abuse. The flaw was uncovered, and revealed on Microsoft-owned GitHub, funnily enough, by a pseudonymous netizen going by the handle SandboxEscaper. She has previously dropped Windows zero-days that can be exploited to delete or tamper with operating system components, elevate local privileges, and so on.


7 G Suite'n'sour: Google resets passwords after storing some unhashed creds for months, years

Google admitted Tuesday that its paid-for G Suite of cloudy apps aimed at businesses had stored some user passwords in a recoverable form rather than hashed, albeit on encrypted storage. Administrators of accounts affected by the security blunder were warned via email that, in certain circumstances, passwords had not been hashed. Hashing is standard industry practice: a one-way function turns each password into a digest that can be checked at login but cannot be turned back into the password, so a copy of the stored values does not hand out working credentials. Google was at pains to stress that only the enterprise, non-consumer version of G Suite was affected, that there were no signs of misuse of the passwords, and that the passwords were encrypted at rest on disk; we note that encryption is reversible by anyone holding the key, which is precisely why salted hashing, not encryption, is the standard for stored passwords.
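The difference between "encrypted at rest" and "hashed" is easiest to see in code. The block below is an added example for this post, not Google's code and not from the original article: it stores a password with salted PBKDF2-HMAC-SHA256 from the Python standard library and verifies it in constant time, then stores the same password under a reversible toy stream cipher and shows that anyone holding the key gets the password back verbatim. The iteration count, the key and the toy cipher are constructed for illustration; the cipher is not for production use.

```python
"""Hashing versus encrypting stored passwords. Added example, not Google's
code or from the original post. PBKDF2 parameters and the toy cipher are
constructed for illustration; the cipher is not for production use."""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption for the example; tune to your hardware


def hash_password(password, salt=None):
    """One-way storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    The result can be recomputed and compared, never reversed."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# The contrast: "encrypted at rest". Whoever holds KEY (an admin, a backup,
# a leaked config file) can recover every password exactly as typed.
KEY = os.urandom(32)   # constructed key for the example


def xor_stream(key, nonce, data):
    """Toy stream cipher: SHA-256 counter keystream XORed over the data.
    Illustration of reversibility only; do not use for real data."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_password(password, key=KEY):
    """Reversible storage: nonce || ciphertext."""
    nonce = os.urandom(12)
    return nonce + xor_stream(key, nonce, password.encode())


def recover_encrypted_password(blob, key=KEY):
    """This function exists for encrypted storage; there is no counterpart
    for hash_password, which is the whole point of hashing."""
    return xor_stream(key, blob[:12], blob[12:]).decode()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored hash:", record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    blob = encrypt_password("correct horse battery staple")
    print("recovered from encrypted store:", recover_encrypted_password(blob))
```

Two details worth keeping when adapting this: the salt is generated per password, so two users with the same password get different digests, and the iteration count is stored with the digest so it can be raised later without invalidating existing records.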
