AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets – 07/02/2019

Huntington Ingalls, the Navy’s largest shipbuilder, was compromised by a large-scale hacking campaign waged by several organs of the Chinese government, according to a Reuters report. However, the company denied the allegation in a June 27 email to Fifth Domain, saying, “there was no breach of information” from Newport News Shipyard, nor were its systems connected to a foreign server controlled by a Chinese group known as APT10. The sophisticated campaign, dubbed “Cloud Hopper,” targeted Hewlett Packard Enterprise’s cloud and used it to attack many of HPE's customers, the June 26 report stated.


2 Google, U of Chicago hit with lawsuit over patient data sharing

The University of Chicago Medical Center and Google were served with a lawsuit on June 26 that alleges the hospital violated HIPAA by sharing thousands of patients' records with the technology giant without hiding date stamps or physicians' notes, according to The New York Times. Google partnered with the University of Chicago and its medical center in 2017. The goal was to unlock data within patient records and improve predictive analysis. Google has been exploring ways technology can be used to read EHRs and help physicians identify medical conditions. "We believe our health care research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data," a Google spokesperson told NYT. The University of Chicago has denied the allegations of wrongdoing.


3 Mozilla takes swipe at Chrome with 'Track THIS' project

Mozilla this week touted Firefox's anti-ad tracking talents by urging users of other browsers to load 100 tabs to trick those trackers into offering goods and services suitable for someone in the 1%, an end-times devotee and other archetypes. Tagged as "Track THIS," the only-semi-tongue-in-cheek project lets users select from four personas – including "hypebeast," "filthy rich," "doomsday prepper," and "influencer" – for illustrative purposes. Track THIS then opens 100 tabs "to fool trackers into thinking you're someone else." If it works, the browser will start showing online ads for products the trackers' algorithms believe will be attractive to that persona. "It's really just throwing off brands who want to advertise to a very specific type of person," Mozilla wrote in a June 25 post to one of its blogs.


4 Lawyer for alleged LinkedIn hacker wants out, says client is 'not sane'

The attorney for Yevgeniy Nikulin has had enough. Defense counsel Arkady Bukh has asked Judge William Alsup of the Northern District of California to allow him to withdraw as the lawyer for the Russian man accused of stealing more than 100 million usernames and passwords from LinkedIn, Dropbox, and other sites. The court filing in San Francisco on Tuesday marks the end of a chapter in Nikulin’s long and strange story. The alleged scammer arrived in the U.S. more than a year ago after he was arrested in Prague on charges related to stealing some 117 million usernames and passwords. Nikulin since then has refused to cooperate in his defense, and underwent a court-ordered psychiatric evaluation in which he ultimately was determined fit to stand trial.


5 Tesla 3 navigation system fooled with GPS spoofing

Cybersecurity researchers have fooled the Tesla Model 3’s automatic navigation system into rapidly braking and taking a wrong turn on the highway. Israeli firm Regulus Cyber spoofed signals from the Global Navigation Satellite System (GNSS), fooling the Tesla vehicle into thinking it was at the wrong location. The spoofing attack caused the car to decelerate rapidly, and created rapid lane-changing suggestions. It also made the car signal unnecessarily and try to exit the highway at the wrong place, according to the company’s report. The GNSS is a constellation of satellites that beam location information to earthbound receivers. It’s an umbrella term for the variety of regional systems in use, such as the US GPS system, China’s BeiDou, Russia’s GLONASS, and Europe’s Galileo. Spoofing the signals replaces them with false signals to fool receivers. Regulus used this to attack Tesla’s Navigate on Autopilot (NoA) feature.


6 Some insulin pumps vulnerable to cyberattacks, says Health Canada

Health Canada is warning diabetics and health-care providers that some insulin pumps could be susceptible to cyberattacks. The health agency released a statement Saturday that says the affected models distributed between 2010 and 2015 are at risk. The statement says 2,620 Medtronic MiniMed 508 and MiniMed Paradigm pumps have been sold in Canada. Health Canada says there are no concerns with how the devices function, but they are vulnerable to attacks that could affect their operation. The agency says cyberattacks could alter the device’s settings, which could result in an incorrect dose of insulin, but the agency is not aware of any such incidents occurring.


7 2001: Linux is cancer, says Microsoft. 2019: Can we join the official linux-distros mailing list?

Microsoft's transformation into a fully paid-up member of the Linux love-train continued this week as the Windows giant sought to join the exclusive club that is the official linux-distros mailing list. The linux-distros list is used by Linux distributions to privately report, coordinate, and discuss security issues yet to reach the general public; oss-security is there for stuff that is already out in the open or cannot wait for things to bounce around for a few days first. Sasha Levin, who describes himself as a "Linux kernel hacker" at the beast of Redmond, made the application for his employer to join the list, which if approved would allow Microsoft to tap into private behind-the-scenes chatter about vulnerabilities, patches, and ongoing security issues with the open-source kernel and related code. These discussions are crucial for getting an early heads-up, and for coordinating the handling and deployment of fixes before they are made public.


8 Cat flap uses AI to punish pet's killer instincts

A cat flap that automatically bars entry to a pet if it tries to enter with prey in its jaws has been built as a DIY project by an Amazon employee. Ben Hamm used machine-learning software to train a system to recognise when his cat Metric was approaching with a rodent or bird in its mouth. When it detected such an attack, he said, a computer attached to the flap's lock triggered a 15-minute shut-out. Mr Hamm unveiled his invention at an event in Seattle last month. The presentation was subsequently brought to light by tech news site The Verge.


9 Bill Proposes Easing HIPAA Enforcement Action in Some Cases

Bipartisan healthcare legislation that a Senate health committee passed on Wednesday includes a provision that would incentivize healthcare entities to adopt "strong cybersecurity practices" by encouraging federal regulators to consider organizations' security efforts when making HIPAA enforcement decisions. The Health, Education, Labor and Pensions Committee voted 20 to 3 to approve the Lower Health Care Costs Act of 2019, which includes a package of 54 proposals from 65 senators, including 36 Democrats and 29 Republicans. "I hope we can present [this bill] to Majority Leader [Mitch] McConnell, R-Ky., and Minority Leader [Chuck] Schumer, D-N.Y., for the full Senate to consider next month and would expect that other committees will have their own contributions," said Senate health committee chairman Lamar Alexander, R-Tenn., in a statement about the passage of the bill.


10 OnePlus Accidentally Sends Global Push Notification Saying 'Ha Ha Ha Ha Ha' in Chinese

In the early hours of Monday morning, some OnePlus 7 Pro owners may have taken a gander at their phones only to find some cryptic, indecipherable messages. A botched internal test resulted in two global push notifications, with one message reading “hahahahaha” in Chinese and the other a string of gibberish English. Some users were understandably worried their phones had been hacked. Others assumed it was spam, and others still laughed it off. In any case, OnePlus has since clarified with a statement. “The push messages occurred while the OxygenOS team was conducting a software test for the upcoming Android Q system update. Due to an error during the testing process, we accidentally pushed a routine test message to some of our OnePlus 7 Pro OxygenOS users.”


11 The day the e-books stopped working

Consumers who bought ebooks via Microsoft's online store are losing access to their libraries. The service, which launched in 2017, relied on the use of a web browser rather than a dedicated app and failed to build a significant audience. Titles purchased or offered for free will no longer be available. Out-of-pocket users are, however, being offered refunds including a $25 (£20) credit if they made highlights or notes, which will also be lost. Microsoft first warned customers of its move in April after giving up on its ambition of making its Surface computers a popular choice for reading digital novels and textbooks. This marks the third time the company has pulled out of the market.


12 New ISIS Cyber Campaign Announced as Supporters Share U.S. Agency Vulnerabilities

A group operating under ISIS’ hacking division announced in a Friday statement a new campaign “to destroy your websites, your devices and your data,” while an ISIS supporters’ IT help desk highlighted a Senate report revealing cybersecurity failures and vulnerabilities at several government agencies. At the beginning of the year, the new Caliphate Cyber Shield was announced as “an extension of the United Cyber Caliphate (UCC).” In March, Kim Anh Vo, 20, of Hephzibah, Ga., was arrested on allegations that she joined the UCC in 2016 and disseminated propaganda including “kill lists” with mass quantities of personal identifying information on Americans. In 2018, the UCC threatened to kill gray-hat #OpISIS hackers, including Anonymous hacktivists, who had been waging a lengthy online campaign to take down ISIS social media accounts and websites; the UCC claimed in the threat that “you know very well that your strongest branch has joined us.” Last week’s CCS message distributed in ISIS forums announced “a new phase of our struggle, and of the history of the cyber warfare.”


13 Microsoft Teams Can Be Used to Download and Run Malicious Packages

The update mechanism as currently implemented in the Microsoft Teams desktop app allows downloading and executing arbitrary files on the system. The same issue affects the GitHub, WhatsApp, and UiPath desktop applications, but there it can be used only to download a payload. These applications rely on the open source Squirrel project to manage installation and update routines, which in turn uses the NuGet package manager to create the necessary files. Multiple security researchers discovered that, using the 'update' command of a vulnerable application, it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.'


14 Gay dating app fined $240,000 for leaking nude and private photos

The maker of a gay dating app has been fined $240,000 in New York after the company failed to respond to a vulnerability report and left its customers' private photos available online for over a year. The fine was announced on Friday by the Office of New York Attorney General Letitia James. According to the settlement between the app maker, Online Buddies, Inc., and the New York officials, the company must also "make substantial changes to improve security." New York officials said they started an investigation into the company after several press reports about the data leak in February. At the time, tech news sites like the BBC, Ars Technica, and The Register ran stories about a security researcher who found nude and private photos on an AWS S3 server left exposed online without a password or any other security mechanism.


15 Baltimore approves $10M for ransomware relief, expects $18M in damages

Baltimore officials approved using $10 million in excess revenue to cover ongoing expenses related to a ransomware attack that immobilized several of the city's computer systems in early May. The city’s budget office estimates the total cost of responding to the attack will be $18 million. Threat actors demanded $80,000 in ransom to unlock the systems, but city officials have been advised by law enforcement not to pay. A Baltimore technology official told ABC News the city had initially resisted help from the state after the attack.


16 Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

It might be difficult to fathom how this isn’t already mandatory, but Microsoft Corp. says it will soon force all Cloud Solution Providers (CSPs) that help companies manage their Office365 accounts to use multi-factor authentication. The move comes amid a noticeable uptick in phishing and malware attacks targeting CSP employees and contractors. When an organization buys Office365 licenses from a reseller partner, the partner is granted administrative privileges in order to help the organization set up the tenant and establish the initial administrator account. Microsoft says customers can remove that administrative access if they don’t want or need the partner to have access after the initial setup. But many companies partner with a CSP simply to gain more favorable pricing on software licenses — not necessarily to have someone help manage their Azure/O365 systems. And those entities are more likely to be unaware that just by virtue of that partnership they are giving someone at their CSP (or perhaps even outside contractors working for the CSP) full access to all of their organization’s email and files stored in the cloud.


17 All the countries where someone managed to shut down the entire internet — and why they did it

Taking down an entire country's internet service is easier than you think. It happens hundreds of times each year. Many shutdowns occur at the behest of dictators in corrupt developing countries. But the largest takedowns have been in the US (by hackers) and in India (by the police). Here's a list of all the most recent occasions on which the internet has been removed on a national or regional basis.


18 ‘Deepfake’ revenge porn is now illegal in Virginia

Virginia has expanded a revenge porn law to include “deepfakes,” the fabricated or manipulated videos and images of people made using machine learning that have begun popping up with increasing regularity. The law, which went into effect Monday, now makes it illegal to share nude photos or videos of someone without their permission, whether they’re real or fake. The law also covers photoshopped images or any other kind of fake footage, not just the more advanced, and harder to spot, deepfake imagery and videos.

Virginia has had a revenge porn law on the books since 2014. But it didn’t properly cover fabricated images and videos, an act that has become more common thanks to advances in software.
