AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – 06/17/2019

1 Yubico Replacing YubiKey FIPS Devices Due to Security Issue

Yubico is in the process of replacing YubiKey FIPS (Federal Information Processing Standards) security keys following the discovery of a potentially serious cryptography-related issue that can cause RSA keys and ECDSA signatures generated on these devices to have reduced strength. In a security advisory published on Thursday, the company informed customers that the issue impacts YubiKey FIPS series devices running versions 4.4.2 and 4.4.4 of the firmware (version 4.4.3 does not exist), including Nano FIPS, C FIPS and C Nano FIPS devices. No other Yubico products appear to be impacted.


2 Amazon is sued for storing unauthorized child recordings

Two lawsuits have been filed against Amazon for storing children’s recordings made through its smart speakers, according to personal data protection experts. The plaintiffs allege that the company does not have users’ consent to create voice recordings that could track a child’s activity across the services enabled for the Alexa voice assistant, which would allow the company to build detailed profiles of children. The lawsuits, filed in Los Angeles and Seattle, state that two children used Alexa for Internet searches, playing music and videos, and other interactions; the plaintiffs say they never gave the company consent to build a profile of the children. For its part, the company says it stores the information only when the user explicitly consents, and that parents can delete any voice recording Alexa has stored.


3 Congress Gives 'Hack Back' Legislation Another Try

Rep. Tom Graves, R-Ga., is today reintroducing a bill that would let businesses monitor for, locate, and potentially target cyberattackers. This isn't the first time Graves has attempted to make "hacking back" legal, CyberScoop reports. The practice had previously been found to violate the Computer Fraud and Abuse Act (CFAA), which prohibits computer access without authorization. So why try again? Graves, who says businesses are already targeting intruders, points to a lack of rules around the practice. If the bipartisan bill is passed, he hopes businesses will share intelligence on cyberattacks with the government. The bill does not currently enforce this. While the US Cyber Command has recently been given the go-ahead for more offensive cyber operations, there are myriad reasons security experts think "hacking back" is a bad idea.


4 USPS Must Better Manage Its Cyber Funds

Though the U.S. Postal Service’s investment strategies have strengthened its cybersecurity practice, the agency must produce a solid operational cyber budget to adequately steer the program and fund annual expenses, according to the Office of Inspector General’s Semiannual Report to Congress released this week. In 2015, the agency approved millions in investments for Cybersecurity Decision Analysis Reports I and II. The total approved investment amounts are not publicly available but the OIG said it comprises “a capital investment, deployment investment expenses, and first-year operating expenses.” Though the Postal Service uses the DAR process to “approve, fund, and monitor” operating expenses for cybersecurity investments, the OIG said daily operational expenses necessary to support cyber efforts should be managed differently.


5 Study finds that a GPS outage would cost $1 billion per day

Since becoming fully operational in 1995, Global Positioning System technology has become widely adopted in the United States and abroad. The concept of satellite-based navigation has become so essential that other world powers, including China, Russia, the European Union, India, and Japan, have all started building their own regional or global systems. Now, one of the most comprehensive studies on the subject has assessed the value of this GPS technology to the US economy and examined what effect a 30-day outage would have—whether it's due to a severe space weather event or "nefarious activity by a bad actor." The study was sponsored by the US government's National Institute of Standards and Technology and performed by a North Carolina-based research organization named RTI International.


6 Mysterious Iranian group is hacking into DNA sequencers

Web-based DNA sequencer applications are under attack from a mysterious hacker group using a still-unpatched zero-day to take control of targeted devices. The attacks started two days ago, on June 12, and are still ongoing, according to Ankit Anubhav, a security researcher with NewSky Security, who shared his findings with ZDNet. Anubhav says the group, which operates from an Iran-based IP address, has been scanning the internet for dnaLIMS, a web-based application installed by companies and research institutes to handle DNA sequencing operations. The researcher told ZDNet the hacker is exploiting CVE-2017-6526, a vulnerability in dnaLIMS that has not been patched to this day, even though the vendor was notified back in 2017.


7 A widely used infusion pump can be remotely hijacked

An infusion pump widely used in hospitals and medical facilities has critical security flaws that allow it to be remotely hijacked and controlled, according to security researchers. Researchers at healthcare security firm CyberMDX found two vulnerabilities in the Alaris Gateway Workstation, developed by medical device maker Becton Dickinson. Infusion pumps are one of the most common bits of kit in a hospital. These devices control the dispensing of intravenous fluids and medications, like painkillers or insulin. They’re often hooked up to a central monitoring station so medical staff can check on multiple patients at the same time. But the researchers found that an attacker could install malicious firmware on a pump’s onboard computer, which powers, monitors and controls the infusion pumps. The pumps run on Windows CE, commonly used in pocket PCs before smartphones.


8 New Android Trojan Leads Users to Scam Sites via Notifications

A new Android Trojan that uses web push notifications to redirect users to scam and fraudulent sites has been discovered by security researchers on Google's Play Store. Multiple fake apps of well-known brands that distributed the malware dubbed Android.FakeApp.174 got removed in early June after researchers from Doctor Web reported them to Google. While the apps were only installed by a little over 1000 users, the malware operators could publish other similar apps at any time on the Play Store and might also be switching to more aggressive attack methods such as redirecting victims to malicious payloads, launching phishing attacks targeting bank customers, or spreading fake news.


9 Baltimore won't be able to send water bills again this month as ransomware recovery continues

Baltimore residents will not receive water bills again this month, officials said Wednesday. Sheryl Goldstein, a deputy chief of staff for the Young administration, said restoring the water billing system and the city’s ability to produce and mail the bills is a priority as Baltimore’s tech crews work to restore operations disrupted by the May 7 ransomware attack. She said customers can use the last bill they received as an estimate for the current amount due, and send a payment by mail to the water department at 200 N. Holliday St. Any payment should include the customer’s account number. The city’s staff will also accept a payment made in person at the Holliday Street office. The city will not charge late fees or penalties for payments missed while the system is offline.


10 NSA dares students to break the cyber code, and then recruits them

The National Security Agency’s best and brightest cybersecurity experts are putting their skills to the test. No, it’s not by stopping the Chinese or Russians from hacking government systems—though they are doing that too, we think. Rather, it’s by developing a cyber challenge and daring more than 330 schools and 2,600 students to solve it. Kathy Hutson, the senior strategist for industry and academic engagement at the NSA, said the Codebreaker Challenge has become one of the best ways to attract the next generation of talent to the federal government. “We are doing the high touch and personal approach to educate and attract students. Through the Codebreaker Challenges, we are using a non-traditional approach, which also teaches good fundamental skills for NSA as well as the nation,” Hutson said on Ask the CIO.


11 AMCA data breach has now gone over the 20 million mark

A security breach at American Medical Collection Agency (AMCA), a provider of billing services for the US healthcare sector, has now exposed the personal and financial information of over 20 million Americans, possibly more. The exposed data belongs to Americans who paid for laboratory work at various clinical and blood testing labs across the US and used AMCA's billing portal. The breach, first reported by DataBreaches.net, took place after a hacker group compromised AMCA's IT network and stole payment information, which they later put up for sale on carding forums. Exposed data included names, home addresses, phone numbers, dates of birth, Social Security numbers, payment card details, and bank account information.


12 Millions of Venmo transactions scraped in warning over privacy settings

A computer science student has scraped seven million Venmo transactions to prove that users’ public activity can still be easily obtained, a year after a privacy researcher downloaded hundreds of millions of Venmo transactions in a similar feat. Dan Salmon said he scraped the transactions during a cumulative six months to raise awareness and warn users to set their Venmo payments to private. The peer-to-peer mobile payments service faced criticism last year after Hang Do Thi Duc, a former Mozilla fellow, downloaded 207 million transactions. The scraping effort was possible because Venmo payments between users are public by default. The scrapable data inspired several new projects — including a bot that tweeted out every time someone bought drugs.


13 The US Has Allegedly Placed Malware Deep in Russia's Power Grid

The U.S. has deployed “American computer code” into Russian systems operating the nation’s power grid, the New York Times reported on Saturday, as part of the Donald Trump administration’s efforts to “deploy cybertools more aggressively.” According to the Times, which cited “current and former officials” with knowledge of the situation, the Pentagon’s U.S. Cyber Command has moved to act on new authorities and independence granted by the White House and Congress (which themselves build off attacks authorized by Trump’s predecessor, Barack Obama). The government has remained publicly quiet on what specific actions have been taken, the paper wrote, but national security adviser John Bolton said on Tuesday that the U.S. was taking a more aggressive offensive stance in cyberspace “to say to Russia, or anybody else that’s engaged in cyberoperations against us, ‘You will pay a price.’” 


14 Genius said it used morse code to catch Google stealing lyrics

Genius is, well, genius. The company recently accused Google of lifting song lyrics from its site, reports the Wall Street Journal. How did Genius know Google was stealing? In 2016, Genius made a few changes to the punctuation in its song lyrics. Sometimes, it used a straight apostrophe. Other times, a curly one. Genius did this in a very specific sequence because (are you ready for this?) when "the two types of apostrophes were converted to the dots and dashes used in Morse code, they spelled out the words 'Red Handed.'" That's how Google was caught, according to Genius. Google denied stealing any lyrics. Instead, it claimed, the lyrics that show up in the "information panels" that pop up in a Google search are from licensed partners. Genius, however, says it found more than 100 examples of Google taking its content.


15 Is Target still down? After long waits and store closings, nationwide register outage ends

It was a tough afternoon to be at Target. After a two-hour nationwide outage Saturday, Target’s registers are back online in the retailer's 1,849 U.S. stores, spokesman Joe Poulos confirmed to USA TODAY. "The temporary outage earlier today was the result of an internal technology issue that lasted for approximately two hours," Poulos said in a statement. "Our technology team worked quickly to identify and fix the issue, and we apologize for the inconvenience and frustration this caused for our guests." "After an initial but thorough review, we can confirm that this was not a data breach or security-related issue, and no guest information was compromised at any time," Poulos said. 


16 Federal Watchdog Asks Agencies to Please Stop Relying on Credit Rating Firms After Equifax Hack

The Government Accountability Office is warning federal agencies including the U.S. Postal Service, the Social Security Administration, Veterans Affairs, and the Centers for Medicare and Medicaid Services in a report this week that they should stop relying on credit agencies to verify identities after a devastating hack of Equifax in 2017 that compromised the information of around 150 million Americans. Those agencies currently check if an individual is who they say they are by asking users to provide personal information and then cross-check it with credit files provided by one of three major agencies: Equifax, Experian, and TransUnion. Per TechCrunch, the report notes that in 2017, the National Institute of Standards and Technology (NIST) issued guidance that “effectively prohibits agencies from using knowledge-based verification for sensitive applications” due to the possibility that malicious parties could have access to the Equifax data, or that even more such data could be compromised in the future.
