AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


#InfoSec News Nuggets – 05/27/2019

When sickle cell disease patients experiencing a pain crisis show up at the emergency department hoping for relief, they’re often treated with a heavy dose of opioids and other medications. But St. Jude Children’s Research Hospital is trying something new. To enhance the effect of medication, cut the amount of opioids used in treatment and lower the chances a patient is admitted, the Memphis, Tenn., hospital is experimenting with virtual reality to see if it can reduce pain. As part of an ongoing clinical trial, half of the sickle cell patients who visit the ED during an acute pain crisis receive the standard care; the other half receive standard care plus 15 minutes in a virtual reality headset that allows patients to travel through an underwater world firing bubbles at turtles, whales and dolphins that swim by. “The virtual reality engages pathways in the brain that would otherwise be occupied to translate pain."

 

2 Snapchat Employees Abused Data Access to Spy on Users

Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned. Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story).

 

3 Maker of US border's license-plate scanning tech ransacked by hacker, blueprints and files dumped online

The maker of vehicle license plate readers used extensively by the US government and cities to identify and track citizens and immigrants has been hacked. Its internal files were pilfered, and are presently being offered for free on the dark web to download. Tennessee-based Perceptics prides itself as "the sole provider of stationary LPRs [license plate readers] installed at all land border crossing lanes for POV [privately owned vehicle] traffic in the United States, Canada, and for the most critical lanes in Mexico." In fact, Perceptics recently announced, in a pact with Unisys Federal Systems, it had landed "a key contract by US Customs and Border Protection to replace existing LPR technology, and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol check point lanes in Texas, New Mexico, Arizona, and California."

 

4 Comcast wants to track your bedroom and bathroom habits

Not content with bringing TV, broadband and phone services to your home, Comcast is now developing a healthcare device that will use sensors to monitor your vitals and habits – including some that take place behind closed doors. Unlike most health monitoring devices, which track blood pressure, heart rate and activity level, Comcast's device will use sensors to monitor whether you're spending more time in bed than normal, and whether you're making more trips than usual to the bathroom. That might sound intrusive, but frequent bathroom breaks can be a sign of digestive or prostate problems that are much easier to treat if caught early.

 

5 Why telcos 'handed over' people's GPS coords to a bounty hunter: He just had to ask nicely

A bounty hunter was able to get the live location of a number of different individuals from American cellphone networks through a single phone call, it is claimed. Matthew Marre was charged [PDF] last month with allegedly obtaining "confidential phone record information … by making false and fraudulent statements and representations." It is claimed he called a hotline run by various mobile networks, and asked for the GPS location of specific cellphones – all of which belonged to people that were wanted for skipping bail. The ruse was apparently extremely successful, according to Colorado federal court documents that have subsequently been restricted from public view. The paperwork, submitted by prosecutors, alleged that, last year, he successfully persuaded T-Mobile USA to hand over location data for six phone numbers, and as a result he collared three people who were using the numbers.

 

6 Cisco vulnerability fix for thrangrycat carries risks

Depending on contract terms, Cisco is prepared to cover the replacement costs if its fix for the thrangrycat vulnerability in 150 varieties of switches and routers leaves the hardware unusable. The flaw, reported last week by security firm Red Balloon Security, could let a hacker mount an attack remotely and commandeer the affected hardware, which also includes some firewalls and communication devices. Fixing the hardware requires much more than a software update. Instead, someone has to physically reprogram a semiconductor component called the Field Programmable Gate Array (FPGA). Because of the sensitivity of the FPGA, there is a risk of doing irreparable harm when patching the Cisco vulnerability.

 

7 Carders Prefer Audio Skimmers over Less Efficient Flash Skimmers

Although web skimming attacks are rampant these days, the underground market for physical card skimming devices is thriving and changing at the rate of technological advancements. Card skimming is when cybercriminals add their own spying equipment to an automated teller machine (ATM) or point-of-sale system (PoS) to copy the information they process from credit or debit cards. Known as "real/offline carding," this technique is ancient and has been giving headaches to both banks and the customers that got their cards copied.

 

8 EPA Cybersecurity Weaknesses Are Going Untracked and Unpatched

The Environmental Protection Agency has a detailed process for dealing with new cybersecurity weaknesses: develop a plan to remediate with clear goals and milestones, then attack the problem. The only issue: Those plans aren’t being logged, managed or tracked, according to the agency inspector general. The agency created an automated tool for logging vulnerabilities that will take time to remediate and track progress through official plans of action and milestones. According to an inspector general report released Tuesday, many of those plans were never entered into the system, meaning they were never tracked and, in some cases, the vulnerabilities were never patched.

 

9 Lawmakers Want to Ban Warrantless Device Searches at the Border

Lawmakers want to start requiring federal agents to obtain a warrant before searching through Americans’ electronic devices at the border. Sens. Ron Wyden, D-Ore., and Rand Paul, R-Ky., on Wednesday introduced legislation that would increase digital privacy protections for U.S. residents crossing the border and limit the situations in which agents could legally seize their devices. If enacted, the Protecting Data at the Border Act would curb law enforcement’s extensive authority over electronic information at the border. Rep. Ted Lieu, D-Calif., introduced a companion bill in the House.

 

10 Amazon Is Working on a Device That Can Read Human Emotions

The wrist-worn gadget is described as a health and wellness product in internal documents reviewed by Bloomberg. It’s a collaboration between Lab126, the hardware development group behind Amazon’s Fire phone and Echo smart speaker, and the Alexa voice software team. Designed to work with a smartphone app, the device has microphones paired with software that can discern the wearer’s emotional state from the sound of his or her voice, according to the documents and a person familiar with the program. Eventually the technology could be able to advise the wearer how to interact more effectively with others, the documents show.

 

11 Android Users Being Spammed Using Fake Missed Call Alerts

Scammers are abusing the Notifications and Push APIs and Google Chrome on Android devices to push spam alerts customized to look like a missed phone call. The two APIs are used on mobile devices for push notifications – short alerts designed to re-engage the user. The messages can be triggered by a local application or a server, regardless if the app is running or not. "The Notifications API lets us display notifications to the user. It is incredibly powerful and simple to use. Where possible, it uses the same mechanisms a native app would use, giving a completely native look and feel," reads the description for the Notifications API.

 

12 Adding a Recovery Phone Number Blocks 100% of Automated Bot Attacks, Finds Google

Google found that users who add a recovery phone number to their accounts effectively block 100 percent of automated bot attacks by doing so. The tech giant arrived at this finding after teaming up with New York University and the University of California, San Diego to investigate the efficacy of basic account hygiene in preventing account hijacking. It then presented the results of this year-long study on 22 May at The Web Conference. Google researchers Kurt Thomas and Angelika Moscicki explained that Google responds to a suspicious sign-in attempt, such as one from a new location or device, by asking the user to provide additional proof of identity as a means of verifying themselves. They found that those who’ve signed into their phones or who use a recovery phone number in those instances can protect their accounts against all automated bot attacks. The same went for other verification measures such as last sign-in location and security keys, though a secondary email address was effective against just 73 percent of automated bot attempts.

 

13 Shubert Organization Informs Customers of Data Breach

TicketNews has learned that The Shubert Organization – one of the largest operations in theatre both on and beyond Broadway – has suffered a data breach, including customer email addresses, names, and credit card numbers and expiration dates. At this time, it is unclear whether this is a limited-scale breach involving a handful of accounts, or a wider breach that could affect the organization’s foundation or ticketing operations – which includes ownership of Telecharge as well as secondary market operations like Entertainment Benefits Group. An email request for details on the breach sent to a media relations executive for the company Tuesday morning has not yet received a response. Affected customers have been contacted via a letter providing notice of the breach, one of which was forwarded to TicketNews. The letter detailed what Shubert knows regarding the breach, and that it is providing 24 months of credit monitoring services through TransUnion Interactive system. It also included information on “Steps You Can Take to Protect Against Identity Theft and Fraud.”

 

14 First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

The Web site for Fortune 500 real estate title insurance giant First American Financial Corp. [NYSE:FAF] leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified this week by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a Web browser. Santa Ana, Calif.-based First American is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in more than $5.7 billion in 2018.

 

15 U.S. Military to Trawl Through 350 Billion Social Media Messages

The U.S. military plans to analyze 350 billion social-media posts from around the world to help it track how popular movements evolve. A tender for the project, based at the Naval Postgraduate School in Monterey, California, calls for screening messages from at least 200 million users from more than 100 countries in more than 60 languages to better understand “collective expression.” Messages, including user names, will be examined for comments, metadata, location and hometown identifiers. While it’s part of an existing Department of Defense Analysis effort to harness big data for social research, “the scale and global reach of this program is striking,” Antoine Bousquet, a senior lecturer in international relations at Birkbeck, University of London, said by email. The study’s purpose is to look at social-media messages posted publicly between July 2014 and December 2016 on a single platform, according to a solicitation request. No private communications will be included and individual users won’t be identified in the research, according to the Navy.
