AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 06/16/2021

Baby Clothes Giant Carter’s Leaks 410K Customer Records

Baby clothes retailer Carter’s inadvertently exposed the personal data of hundreds of thousands of its customers, dating back years, according to a new disclosure. The issue started with Linc, a vendor the company used to automate online purchases, according to analysts with vpnMentor who first discovered the issue. The Linc system was delivering customers shortened URLs with Carter’s purchase and shipping details without basic security protections. The links contained everything from purchase details to tracking information and more. “Furthermore, by modifying the Linc URLs (to which the shortened URLs were redirecting), it was possible to access backend JSON data, which revealed even more personal information about customers that wasn’t exposed by the confirmation pages, such as: full names, delivery addresses and phone numbers,” the report explained.

 

Notification no-nos: What to avoid when alerting customers of a breach

An important and often mandatory step in the incident response process is notifying your customers and the general public that an attack has transpired. There are important considerations when taking such an action. After all, there are some mistakes you should absolutely never make – missteps that can cost your business its reputation, and get you into hot water with consumers, the hacking community or legal and regulatory authorities. Over the last year, companies such as Facebook, Fatface, Mobikwik, SolarWinds and Ubiquiti have all faced accusations of mishandling certain aspects of their incident notification. SC Media asked experts in the field what they believe are some of the biggest unforced errors you can make when it comes to notification no-nos. Here is a sampling.

 

Identity management is now mostly about security

IDSA released a study based on an online survey of over 500 IT decision makers. The report examines the impact that the pandemic and the increase in remote work had on identity and access management (IAM) in the enterprise, as well as the implementation of identity-focused security strategies. Over the last year, the shift to remote work has led to an increase in the number of identities and an increased focus on identity security, but a decrease in confidence in the ability to secure employee identities. Four out of five participants believe that while identity management used to be just about access, it’s now mostly about security. Accordingly, the majority of organizations have made changes to better align security and identity functions, one of which is increasing CISO ownership of IAM.

 

Critical entities targeted in suspected Chinese cyber spying

A cyberespionage campaign blamed on China was more sweeping than previously known, with suspected state-backed hackers exploiting a device meant to boost internet security to penetrate the computers of critical U.S. entities. The hack of Pulse Connect Secure networking devices came to light in April, but its scope is only now starting to become clear. The Associated Press has learned that the hackers targeted telecommunications giant Verizon and the country’s largest water agency. News broke earlier this month that the New York City subway system, the country’s largest, was also breached. Security researchers say dozens of other high-value entities that have not yet been named were also targeted as part of the breach of Pulse Secure, which is used by many companies and governments for secure remote access to their networks.

 

Menominee Casino Resort temporarily closes after cyberattack

It all started last month when a cyberattack shut down one of the largest oil pipelines in the United States. Now a local casino has fallen victim to hackers. The Menominee Casino Resort confirms it’s experiencing technical difficulties following a cyberattack. A statement from the casino said the issues were caused by an “attempted external attack on our computer systems.” Tribal Legislature Chairman Gunnar Peters told NBC 26 the security breach happened Friday. And casino employees like Caldwell say the past few days have been nerve-wracking. “Our computer system was shut down, so we couldn’t open up the gift shop,” Caldwell said. “We had to shut that down. We had to shut down the hotel.”

 

Apple Is Killing Email Tracking With a Single Popup

A lot of people were bummed when Apple didn’t announce new hardware during the WWDC 2021 Keynote event, more so since the Silicon chips got a lot of limelight and a warm reception last year. However, privacy has always been at the heart of Apple, and the company ensured it stays the major selling point this year as well. When the Keynote started, a good fifty minutes were given to showcasing subtle software upgrades and enhancements in Apple’s stock apps. It felt slow for a while, and many of us might’ve snoozed off. Yet the first mention of “privacy” was enough for everyone to sit up and take notice. Following a tense year marred with criticism over the iOS 14 App Tracking Transparency feature, very few were expecting a major privacy announcement this time.

 

Hackers made Doom run on a $15 Ikea smart lamp

There are very few things out there that have not already been made to run one version of Doom or another — everything from calculators, iPods, inkjet printers, a Porsche 911, a single keyboard key display, the Touch Bar on Apple MacBooks, a McDonald’s cash register, John McAfee’s “unhackable” crypto wallet, the Playdate handheld console, the Commodore 64, and various ATMs. There’s even custom silicon designed to run nothing else but Doom, and a CAPTCHA that is actually fun to complete. Perhaps one of the most impressive attempts yet is that of a team of hackers over at next-hack led by software engineer Nicola Wrachien, who was able to run Doom on the hardware that powers a $15 smart lamp from Ikea.
