AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


#InfoSec News Nuggets – 05/30/2019

The news and social media aggregator Flipboard disclosed on Tuesday that it suffered a breach in which unauthorized users had access to some databases storing user information. Hackers had access to the company's systems between June 2, 2018, and March 23, 2019, and again on April 21-22, 2019. On April 23, internal staff noticed suspicious activity in the company's infrastructure. “We recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials,” reads the incident notice published by Flipboard. “In response to this discovery, we immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.”


2 Huawei files motion to challenge sweeping US ban, calling it ‘not normal’

Huawei this morning began the process of challenging the Trump administration’s sweeping ban. The Chinese hardware giant has filed a motion for summary judgement that calls into question the constitutionality of the section of the National Defense Authorization Act used to halt imports. The company’s Chief Legal Officer cited Huawei’s usual array of arguments against the U.S. government. “Politicians in the U.S. are using the strength of an entire nation to come after a private company,” Song Liuping said in a prepared statement. “This is not normal. Almost never seen in history.” Huawei, of course, has long been scrutinized by the U.S. over alleged ties to the Chinese government and the resulting security concerns about its mobile devices and networking equipment, including 5G infrastructure. The company has also been dinged for alleged violations of U.S. sanctions with countries like Iran.



Forensic analysts have been able to identify some digital characteristics they can use to detect meddling, but these indicators don't always paint a reliable picture of whatever digital manipulations a photo has undergone. And many common types of "post-processing," like file compression for uploading and sharing photos online, strip away these clues anyway. But what if that tamper-resistant seal originated from the camera itself? The NYU team demonstrates that you could adapt the signal processors inside—whether it's a fancy DSLR or a regular smartphone camera—so they essentially place watermarks in each photo's code. The researchers propose training a neural network to power the photo development process that happens inside cameras, so as the sensors are interpreting the light hitting the lens and turning it into a high quality image, the neural network is also trained to mark the file with indelible indicators that can be checked later, if needed, by forensic analysts.


4 US Senate passes anti-robocalling bill

A portal has been partially opened that may, just maybe, eventually, lead the country out of its robocaller misery. The endangered species known as a bipartisan bill sailed through the US Senate on Thursday. The bill, designed to fight illegal robocalling, passed with an overwhelming 97-1 vote, and now it’s headed to the House of Representatives. From there, it’s on to the desk of President Trump. Senators John Thune and Ed Markey introduced the bill, which is titled the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, or the TRACED Act, in January. Markey told reporters that robocalls are driving people nuts on both sides of the aisle: “There are no red robocalls, there are no blue robocalls. There are only robocalls that drive every family in America crazy every single day.” If the bill makes it through the House and is signed into law, it will empower the Federal Communications Commission (FCC) to inflict hefty new fines – as much as $10,000 per call – for illegal robocalls. The legislation would also increase the statute of limitations for bringing such cases, thereby giving FCC regulators more time to track down offenders.


5 Tech-Support Scammers Cheat Elder of $136,000, Risk Decades in Jail

Three individuals have been arrested on charges related to running tech support scams for several years. The victims were mostly elderly people who stated they were tricked into paying for fake computer repair services. Allegedly pretending to be affiliated with major tech companies, Gunjit Malhotra, Gurjet Singh, and Jas Pal accessed victims' computers and caused them to malfunction in order to convince them that repairs were required. This scam was allegedly conducted for about seven years, between 2013 and 2019, and used multiple companies to charge for the fake computer services, making in excess of $1.3 million. The charges for all three perpetrators are mail fraud, with a maximum sentence of 20 years of jail time, and conspiracy to access a computer for fraudulent purposes, with a minimum sentence of two years in prison. Singh is also charged with aggravated identity theft, carrying a minimum sentence of two years.


6 Chinese database exposes 42.5 million records compiled from multiple dating apps

Tens of millions of records about users of different dating apps have been discovered in a single database that doesn’t include any password protection, according to new research findings. The records discovered by researcher Jeremiah Fowler mostly were about American users, based on accessible IP addresses and geolocation information. A sampling of 10,000 users revealed that 8,063 were from the U.S., 356 were from the U.K., 219 from Canada and 151 from Australia and other random English-speaking countries, he said in an email to CyberScoop. Other data included age, location and account names — a roadmap Fowler followed to identify users across multiple other platforms and dating apps to verify they were real. About 42.5 million records were exposed, Fowler said. Dating logs made up 38.3 million records, while 3.87 million consisted of “geonames,” Fowler said. He did not reveal the location of the database, which uses the Elastic format.



A new incident involving large technology companies and the privacy of their users has been reported. According to website security specialists, Apple faces a class-action lawsuit for the illegal and intentional disclosure of iTunes users’ information to third parties. The plaintiffs claim that Apple has been sharing iTunes user data without their express consent; this information could include data such as user name, age, location details, and history of musical preferences on the platform. The lawsuit was filed by three U.S. citizens. The lawsuit claims that Apple sells a set of data belonging to a thousand people for about $130 USD. “A company could request a list of information from all single women, older than 70 years, with university studies and minimum income of $80k USD per year that listen to country music on iTunes, for example,” the lawsuit states.


8 Two weeks after Microsoft warned of Windows RDP worms, a million internet-facing boxes still vulnerable

The critical Windows Remote Desktop flaw that emerged this month may have set the stage for the worst malware attack in years. Rob Graham of Errata Security claimed today he has already found nearly one million unpatched boxes exposed on the internet. Specifically, Graham said he was able to, over the course of a few hours, find some 932,671 public-facing computers still vulnerable to CVE-2019-0708. To do this, he scanned the public internet for machines that had the Windows Remote Desktop network port (3389) open, using his masscan tool, and against those 7,629,102 matching machines, he ran a second script that sniffed out whether each box was running a vulnerable version of the service.


9 Baltimore Says It Will Not Pay Ransom After Cyberattack

The US city of Baltimore, a victim this month of a cyberattack that paralyzed part of its computer network, will not pay a ransom to undo the damage, Mayor Bernard Young said Tuesday. Hackers reportedly had demanded $100,000 in bitcoin, but Young told a news conference "I'm not considering" paying it. "As a matter of fact, we are going to work with other cities, encouraging them not to pay either," he said. Baltimore was the latest big US city, after Atlanta, Georgia and San Antonio, Texas, to be hit with a ransomware attack. Smaller cities like Greenville, North Carolina and Allentown, Pennsylvania also have been targeted.


10 Darknet Fentanyl Dealer Indicted for Selling Deadly Drug for Bitcoin

A darknet drug dealer has been indicted for leveraging bitcoin’s apparent anonymity to sell fentanyl online, announced U.S. Attorney for the Northern District of Texas Erin Nealy Cox. A federal grand jury charged Sean Shaughnessy, 51, with conspiracy to possess with intent to distribute controlled substances, distribution of a controlled substance, distribution of a controlled substance analogue, and eight counts of money laundering. Today, he waived his detention hearing, and will remain in custody until trial. “Darknet dealers often believe that by using bitcoin, they can evade authorities. This prosecution proves that’s not the case,” said U.S. Attorney Nealy Cox. “We will continue to pursue anyone peddling this deadly drug – on the streets or online.”


11 You can soon use a Fitbit to pay for a subway or bus ride in NYC

Fitbit’s contactless payment system, Fitbit Pay, is starting to expand transit payment support in the US. Starting on May 31st, Fitbit users with a Fitbit Pay-capable device can use it to pay for their rides on select buses and trains on the New York City MTA system. Fitbit joins Apple and Google as payment systems that the MTA’s pilot program will accept. The program, called One Metro New York (OMNY), will be available first to buses servicing Staten Island and the 4 / 5 / 6 subway lines between Grand Central in Manhattan and Atlantic Avenue-Barclays Center in Brooklyn. The MTA says it plans to extend support to cover the entire system by 2021. Those without a contactless payment wearable can also use apps on their smartphones to enter.


12 IEEE tells contributors with links to Chinese corp: Don't let the door hit you on Huawei out

Compsci academics are startled by how the US-based IEEE is complying with American sanctions on Huawei. That includes halting peer review by anyone connected to the Chinese company – and banning them from buying IEEE-branded coffee mugs. The New York-headquartered Institute of Electrical and Electronics Engineers, one of the world's leading technological academic bodies, issued a statement on 22 May setting out in detail (PDF) what "Listed Persons" (employees of Huawei and its affiliates) can and cannot do under the IEEE's banner. That has caused academics worldwide to question the institution's independence of US governmental influence. As the preeminent standards-setting body and professional discussion forum for everything from Wi-Fi to phone networking technologies, the IEEE is the place to be when it comes to cutting-edge research.


13 Amazon adds ‘Alexa, delete what I said today’ command

Buried in this morning’s Echo Show 5 announcement are a couple of new security features worth highlighting. In addition to the inclusion of a built-in camera shutter on the new smart display, there is a pair of Echo commands that let users delete voice recordings with an Alexa command. “Alexa, delete what I said today” rolls out to Alexa users starting today. “Alexa, delete what I just said” will be arriving in the U.S. in the coming weeks and other countries where the smart assistant is available in the next month. Amazon has offered the ability to delete recordings via the app for some time now, but this brings the functionality to the front with a simple voice command. The process works similarly to deleting recordings via the app, starting the deletion process immediately. While the company has long contended that it doesn’t actively record conversations and protects records on encrypted servers, the always-on nature of Echo and similar smart home products has raised alarms among security analysts and regular users alike.


14 Google Maps adds ability to see speed limits and speed traps in 40+ countries

Google  Maps is gaining some features previously exclusive to Google’s navigation app, Waze. The company confirmed it’s rolling out the ability for Google Maps users to see speed limits, speed cameras, and mobile speed cameras in over 40 countries worldwide — an expansion of its earlier launch of these features, which were previously limited to select markets. The change was noted earlier by ZDNet and, of course, Reddit. Google confirmed with TechCrunch the full list of supported countries, which now includes: Australia, Brazil, U.S., Canada, U.K., India, Mexico, Russia, Japan, Andorra, Bosnia and Herzegovina, Bulgaria, Croatia, Czechia, Estonia, Finland, Greece, Hungary, Iceland, Israel, Italy, Jordan, Kuwait, Latvia, Lithuania, Malta, Morocco, Namibia, Netherlands, Norway, Oman, Poland, Portugal, Qatar, Romania, Saudi Arabia, Serbia, Slovakia, South Africa, Spain, Sweden, Tunisia, and Zimbabwe.
