AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

#InfoSec News Nuggets – 06/10/2019

A “smart city” project in Canada has hit yet another snag, as mounting delays and privacy concerns threaten the controversial development along Toronto’s eastern waterfront. The 12-acre Quayside project, a partnership between Google’s Sidewalk Labs and the city of Toronto, has come under increasing scrutiny amid concerns over privacy and data harvesting. This week, the US venture capitalist Roger McNamee warned that technology companies such as Google cannot be trusted to safely manage the data they collect on residents. “The smart city project on the Toronto waterfront is the most highly evolved version to date of … surveillance capitalism”, he wrote to the city council, suggesting Google will use “algorithms to nudge human behavior” in ways to “favor its business”.


2 ‘Messy’ Password Problem Isn’t Getting Better

The security world is facing a major issue that has led to widespread breaches, data exposure, and more – and it all stems from millions of insecure passwords used for everything from enterprise PCs to internet of things (IoT) devices. Poor password hygiene – including reusing passwords or picking easy-to-guess passwords – is greatly exacerbating many of the major issues that plague the cybersecurity landscape, said Troy Hunt, creator of Have I Been Pwned?, who spoke Thursday at the Infosecurity Europe conference. Ultimately, “it all comes down to passwords,” said Hunt. “We see this over and over again with all sorts of security challenges that we come across.”


3 YouTube bans kids’ live-streaming without an adult present

In yet another step to scrape pedophiles off the bottom of its shoe, YouTube announced on Monday that it’s banning youngsters from live-streaming without adult supervision and that it’s limiting recommendations of videos that depict “minors in risky situations.” In Monday’s announcement, YouTube said that it had updated its live-streaming policy to disallow “younger minors” from live-streaming unless there’s clearly an adult nearby. Channels that don’t comply could lose their ability to live stream. The platform also launched new classifiers to find and remove the now-violative content. From the blog post: Responsibility is our number one priority, and chief among our areas of focus is protecting minors and families. With this update, we’ll be able to better identify videos that may put minors at risk and apply our protections […] across even more videos.


4 Microsoft Warns Against Bypassing Office 365 Spam Filters

Microsoft urges both administrators and users not to bypass the built-in Microsoft Office 365 spam filters in a support document published today, which also provides guidelines for cases when this can't be avoided. Office 365 admins and users should avoid enabling Allow or Block lists in the Spam Filter policies and skipping Transport Rules scanning, according to Microsoft. Additionally, toggling on Safe and Blocked senders is also not recommended for Outlook or Outlook on the Web users and admins. "We recommend that you do not use these features because they may override the verdict that is set by Office 365 spam filters," says Redmond.


5 Minnesota joins nationwide election security 'academy'

Minnesota is joining a six-month election security “policy academy” as part of a nationwide effort to safeguard state voting systems in the aftermath of Russian hacking attempts during the 2016 presidential election. The National Governors Association picked Minnesota and five other states to work on response plans for attacks on voting systems and to boost communication among state agencies charged with protecting election integrity. “Minnesotans understand that voting is the cornerstone of our democracy, and that risking the integrity of our elections is not an option,” Gov. Tim Walz said Thursday in a statement. “That’s why I’m committed to finding security solutions for any existing and future threats to our elections.”


6 Watchdog: Current pipeline security plans weak on cybersecurity, coordination

The Transportation Security Administration's plans for pipeline security aren't keeping up with rising threats in cyberspace, according to the Government Accountability Office. An audit released June 5 found that the agency, which has primary responsibility for monitoring and securing the nation's 2.7 million miles of gas and oil pipelines, hasn't updated in years two plans that formally outline how agencies and other stakeholders should respond to security incidents. TSA last issued its Pipeline Security and Incident Recovery Protocol Plan, which outlines roles and responsibilities for federal agencies and the private sector in the wake of a pipeline security incident, in 2010.


7 Fortune 500 company leaked 264GB in client, payment data

A veteran Fortune 500 company has plugged a data leak which exposed 264GB in client and business data to the public. Tech Data, an IT infrastructure company with over 45 years in the business and $37.2 billion in sales for the 2019 fiscal year, was the source of the leak, vpnMentor researchers Noam Rotem and Ran Locar said in a blog post on Thursday. According to the team, a log management server was leaking system-wide information. After discovering the server through vpnMentor's web mapping project, the company took a sample of the leaked information, which was "a serious leak as far as we could see." "With a simple search of the exposed database, our researchers were able to find the payment information, PII, and full company and account details for end-users and managed service providers (MSPs) — including for a criminal defense attorney, a utilities service provider, and more," vpnMentor says.


8 Microsoft pulls open facial recognition dataset after Financial Times investigation

Earlier this week, Microsoft removed a database of more than 10 million faces, intended as a test and training dataset for facial recognition algorithms, according to a report by the Financial Times. Known as MS Celeb, the database contained more than 10 million images of roughly 100,000 people, largely scraped from publicly available online sources. While no individual photo in the dataset was difficult to find, the volume of images and the structured data accompanying them made the dataset extremely useful in training programs to recognize a person’s face across different photos. The takedown came after an earlier Financial Times investigation found that many of the people represented in the dataset were not aware of it and did not consent to having their pictures used. A number of experts speculated that the dataset might encounter legal issues under the General Data Protection Regulation, which imposes significant requirements for the storage and transfer of a subject’s personal data.


9 China to curb some technology exports to U.S.

China is preparing to curb some technology exports to the United States, the chief editor of China’s Global Times newspaper said on Saturday. If enacted, the measures suggest Beijing would retaliate over U.S. restrictions imposed on Shenzhen-based Huawei Technologies Co Ltd due to what Washington said were national security issues. In a tweet, the pro-CCP paper’s editor-in-chief Hu Xijin said that China “is building a management mechanism to protect China’s key technologies.” “This is a major step to improve its system and also a move to counter U.S. crackdown,” he added. “Once taking effect, some technology exports to the U.S. will be subject to the control.”


10 IRS Warns of New Tax Scams

The Internal Revenue Service (IRS) has issued a reminder urging consumers to look out for two new variations of tax-related phone and email scams. The phone scam involves pre-recorded messages threatening to suspend or cancel a victim’s Social Security number, and the email phishing scam involves a fake agency—the “Bureau of Tax Enforcement”—claiming that the victim owes past due taxes. The Cybersecurity and Infrastructure Security Agency (CISA) encourages taxpayers to review the IRS Alert and CISA’s Tip on Avoiding Social Engineering and Phishing Attacks for more information on avoiding tax scams year round. If you believe you have been a victim of a tax-related scam, visit the IRS webpage on Tax Scams – How to Report Them.


11 Facebook plans June 18th cryptocurrency debut

Facebook is finally ready to reveal details about its cryptocurrency codenamed Libra. It’s currently scheduled for a June 18th release of a white paper explaining its cryptocurrency’s basics, according to a source who says multiple investors briefed on the project by Facebook were told that date. Meanwhile, the company’s Head of Financial Services & Payment Partnerships for Northern Europe Laura McCracken told German magazine WirtschaftsWoche’s Sebastian Kirsch that the white paper would debut June 18th, and that the cryptocurrency would indeed be pegged to a basket of currencies rather than a single one like the US dollar to prevent price fluctuations. Facebook declined to comment on any news regarding its cryptocurrency project.


12 Corporations beware: Dark web markets are selling tools targeting your accounts

If a cybercriminal wants to cause trouble for a major corporation, tools for the job are widely available on dark web markets, according to researchers who spent three months analyzing their activity and interacting with sellers. The wares — including malware and leaked credentials — are specifically promoted for breaching companies on the Fortune 500 and the Financial Times Stock Exchange 100 Index, according to Mike McGuire, a senior lecturer in criminology at the University of Surrey, and the security vendor Bromium. Their research includes data collected from Empire Market, The Hub, and the now-shuttered Dream and Wall Street markets, among others.


13 A backdoor in Optergy tech could remotely shut down a smart building ‘with one click’

Homeland Security has given the maximum severity score for a vulnerability in a popular smart building automation system. Optergy’s Proton allows building owners and managers to remotely monitor energy consumption and manage who can access the premises. The box is web-connected, and connects to other devices — like air conditioning and heating — in the building for real-time monitoring through a web interface. CISA, the government’s dedicated cybersecurity unit, said the device had serious vulnerabilities. An advisory said an attacker could gain “full system access” through an “undocumented backdoor script.”


14 The US Army will test a new GPS that’s resistant to jamming this fall

GPS jamming can also be a major liability for US and allied forces, which depend on the system for everything from troop movement to missile and drone guidance. Last fall, the US and NATO allies launched a major joint exercise in Norway called Trident Juncture, to test the joint readiness and training of a large, multinational coalition. Over the course of the exercise, the military noticed that GPS signals were being jammed, which Finland and Norway officials attributed to Russia. In April 2018, US officials said that the Russian military had been jamming the GPS systems for its drones operating in Syria. Members of the 2nd Cavalry Regiment located in Germany will get the devices this fall, and the Army is reportedly looking into developing a new generation of Inertial Navigational Systems that could be used as a back up.


15 No, the CIA will not call off a pedophilia probe into your life in exchange for Bitcoin

Fraudsters are posing as CIA investigators gone rogue in emails to marks, offering to take bribes to drop bogus investigations into the recipients and claims of online pedophilia, according to Kaspersky. The security shop says the scammers are spraying out spam messages in which they pretend to be Uncle Sam's agents conducting a probe into online pedophilia rings, as part of a "large international operation set to arrest more than 2000 individuals in 27 countries." The scare-tactic email claims each recipient has been caught up in the sweep, with investigators having collected the mark's home and work addresses, contact information, and relatives' details. Additionally, the scammers claim to have recorded each recipient's ISP and browsing history, Tor browsing activity, chat logs, and social media activity.