AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – 07/11/2019

July 11, 2019

1 Bank voice authentication can be hacked via deepfake audio

An investigation conducted by IT security audit specialists from cybersecurity firm Symantec has detected at least three cases of financial fraud involving the use of fake audio generated by artificial intelligence software, a practice known as deepfake, frequently used on adult content sites. This kind of software can be trained using a considerable amount of audio records; in this case, the records corresponded to bank executives who never imagined that this kind of unsecured information could be used for a cyberattack. Hugh Thompson, IT security audit specialist in charge of this investigation, says threat actors could have used any voice records at their disposal, including company-owned audiovisual material, bankers’ media statements, conferences, voice notes, among other resources to build a victim’s voice model. “To work as expected, the voice record created with artificial intelligence must be almost perfect”, he says.


2 Bug in Anesthesia Machines Allows Changing Gas Mix Levels

A vulnerability in the firmware of some anesthesia machines used in hospitals could be abused to change normal functionality up to the point of adjusting the level of inhalational substances. The flaw affects GE Aestiva and GE Aespire anesthesia systems, models 7100 and 7900, from GE Healthcare (part of General Electric Company) and permits sending them commands over the local network. A threat actor would need to be on the same network as the vulnerable machines and there is no need for special privileges. If the system is connected to a terminal server, knowing the IP address of the targets is not necessary.


3 Apple aims privacy billboard at Google’s controversial smart-city

Apple has a new billboard and a far more specific target. This time, the company has erected a privacy billboard at the site of a developing “smart city” called Quayside. Some are calling the neighborhood, on Toronto’s eastern waterfront, a privacy dystopia in the making. It’s going to be sensor-thick, and it’s tangled up with the uber data-collecting Google: the developer is Sidewalk Labs, which is a subsidiary of Google’s parent company, Alphabet. Apple’s new billboard, positioned outside Sidewalk Toronto headquarters, again depicts an iPhone. The tagline: “We’re in the business of staying out of yours.” The vision for Quayside is that of a smart city built “from the internet up”. As the Atlantic reported last November, sensor-collected data will be used “to disrupt everything:” traffic congestion, healthcare, housing, zoning regulations, and greenhouse-gas emissions.


4 Facebook and Twitter have not been invited to White House social media summit

The White House has not extended invitations to Facebook and Twitter to attend its social media summit on Thursday, people familiar with the matter said. The people, who spoke to CNN Business on the condition of anonymity, suggested it was not surprising. They said they believe the summit would amount to a right-wing grievance session and was not aimed at seriously discussing some of the issues facing large technology companies. A spokesperson for the White House declined to comment. The White House announced the summit in June, describing it as an event to bring together "digital leaders for a robust conversation on the opportunities and challenges of today's online environment."


5 Philadelphia Federal Credit Union confirms security breach

Joe Goldberg met outside of the Philadelphia Federal Credit Union at Stanwood Street and Roosevelt Boulevard Monday. He says his account was hacked. "I bought Phillies tickets yesterday and afterwards I thought let me check my balance and see what I got left," said Goldberg. He says there wasn't much. In fact, if he had written just one more check out of his account it likely would have bounced. Goldberg said, "It was $90, which was way wrong you know." He's just one victim. Maggie Fulmer is another. "We noticed all these withdraws were taken out," she said. They're just two of many victims with the credit union that had their accounts hacked over the weekend. Monday morning customers say once they realized something was wrong they came rushing down to their branch at Stanwood Street and Roosevelt Boulevard.


6 Raspberry Pi admits to faulty USB-C design on the Pi 4

The Raspberry Pi 4 was announced two weeks ago as a major new upgrade to the line of cheap single-board hobbyist computers. The Pi 4 featured a faster CPU, options for up to 4GB of RAM, and a new, modern USB-C port for power delivery. The Pi 4 was the Raspberry Pi Foundation's first ever USB-C device, and, well, they screwed it up. As detailed by Tyler Ward, the Raspberry Pi 4 has a non-compliant USB-C charging port and doesn't work with as many chargers as it should. Thanks to the open nature of Raspberry Pi (even the schematics are online!), Ward was able to discover that Raspberry Pi just didn't design its USB-C port correctly. Two "CC" pins on a USB-C port are supposed to each get their own 5.1K ohms resistor, but Raspberry Pi came up with its own circuit design that allows them to share a single resistor. This is not a compliant design and breaks compatibility with some of the more powerful USB-C chargers out there.


7 Using Autonomous Vehicles for Delivering Groceries

Ask any executive from Amazon, Walmart, Kroger, Albertsons or executives from other grocery retailers what the Holy Grail of last-mile delivery for groceries is, and odds are high the answers will be the same: groceries being delivered by an autonomous vehicle. Intuitively, many individuals will immediately understand that the value to grocery retailers is that delivering groceries by an autonomous vehicle (which requires no driver) is cheaper, much cheaper. What most individuals don’t know is that delivering groceries and other products in an autonomous vehicle creates one of the biggest challenges in logistics—something I call ‘the longest yard.’


8 Microsoft is Shutting Down their Classic Internet Games Service

It has been a good run, but Microsoft has finally decided to shut down the services powering their classic multiplayer Microsoft Internet Games. After almost 20 years of entertainment, Windows users will no longer be able to fire up Internet Spades, Backgammon, or Checkers and get a quick game with someone on the other side of the world. Even today, if you fire up Internet Spades on Windows 7, you will quickly get into a game with four players ready to win some tricks. While you were never able to say whatever you wanted, Microsoft created a list of questions, answers, and statements that you could send to your live opponents to make things more interactive.


9 A massive international email scam netted $3 million worth of top-secret US military equipment

A crew of international con artists allegedly convinced a US defense contractor to send them millions of dollars worth of sensitive military gear they weren’t even supposed to know existed, according to court documents obtained by Quartz. Some of the items shipped to the fraudsters are not known to the public and are reportedly so top-secret, “even a photograph [is] considered controlled.” The “highly sensitive communications interception equipment” was valued at $3.2 million, and requires a license to export out of the country. The manufacturer is named in legal filings only as “Company B,” based in Maryland. Members of the ring posed as a Navy contracting officer named “Daniel Drunz” to acquire the restricted technology.


10 Former IT Administrator Sentenced to More than 2 Years in Prison for Hacking into His Ex-Employer’s Computers, Deleting Their Files

An Arizona man has been sentenced to 27 months in federal prison for breaking federal computer intrusion laws governing the deletion of electronic files after he hacked into computer systems operated by his former employer, an Irvine-based company, and then deleted its website and marketing materials in retaliation for being stripped of some of his job duties. Nikishna Polequaptewa, 37, of Avondale, Arizona, was sentenced on Monday afternoon by United States District Judge Cormac J. Carney, who also ordered him to pay $53,305 in restitution to his former employer. Polequaptewa, who was a Garden Grove resident during the criminal conduct, was indicted by a federal grand jury in 2016. After a five-day trial in November 2018, a jury found him guilty of one felony count of unauthorized impairment of the integrity and availability of data, programs, systems, and information.


11 AT&T will automatically block fraud calls for new customers

AT&T is making quick use of FCC rules explicitly allowing carriers to block robocalls by default. The network will start automatically blocking fraud calls (and issuing suspected spam call alerts) for new phone customers as a matter of course, at no extra charge. You'll have to opt out if you don't want the company to screen calls this way. Existing customers, meanwhile, will see the feature automatically reach their accounts in the "coming months." If you like the capabilities, you can turn it on right now either by downloading the AT&T Call Protect app or enabling it through your myAT&T account settings.


12 Man gets caught with unassembled 3D printed gun at airport

It turns out, it’s not OK to bring gun parts onto a plane, even if they aren't assembled and 3D-printed. A man from Kansas learned this the hard way at LaGuardia Airport on July 3. He was reportedly stopped by a TSA officer when he tried to pass the pieces in his bag through the airport security X-ray machines. The pieces were discovered in the man’s roller bag, Fox 5 reports. The components were reportedly disassembled at the time, although that didn’t make it OK to bring on a plane. While the man was eventually allowed to fly, he was not allowed to bring the gun body and trigger with him on the plane.


13 FCC kills part of San Francisco’s broadband-competition law

The Federal Communications Commission today voted to preempt part of a San Francisco ordinance that promotes broadband competition in apartment buildings and other multi-tenant structures. But it's not clear exactly what effect the preemption will have, because San Francisco says the FCC's Republican majority has misinterpreted what the law does. FCC Chairman Ajit Pai's plan partially overturns San Francisco's Article 52, which lets Internet service providers use the existing wiring inside multi-unit buildings even if another ISP already serves the building. The FCC said it's preempting the law "to the extent it requires the sharing of in-use wiring." But Pai's proposal admits the FCC doesn't know whether the San Francisco law actually requires sharing of in-use wiring, which makes it difficult to understand whether the FCC preemption will change anything in practice.


14 Navy holds AI and cybersecurity contest with $150,000 in cash prizes

The Navy launched a competition this week for finding machine learning and artificial intelligence solutions for real-world cybersecurity challenges. The challenge — dubbed the Artificial Intelligence Applications to Autonomous Cybersecurity Challenge (AI ATAC) — offers a $100,000 first-place award and a $50,000 second-place award. It is open to all citizens and permanent residents, be they defense contractors, researchers, students or just technology-curious private citizens. The contest is sponsored by Naval Information Warfare Systems Command (NAVWAR) and Program Executive Office for Command, Control, Communications, Computers and Intelligence (PEO C4I). It’s a way to lower barriers for the private industry to work with the military.


15 Apple is silently removing Zoom’s web server software from Macs

After all of the drama over Zoom’s use of a hidden web server on Macs, Apple itself has decided to step in, TechCrunch reports. It is issuing a silent update — meaning your Mac will get it without any interaction on your part — to remove the web server, which was designed to save Safari users an extra click, from any Mac that has Zoom’s software installed. Although Zoom itself issued an emergency patch yesterday to remove that web server, apparently Apple is concerned that enough users won’t update or are unaware of the controversy in the first place that it’s issuing its own patch. It makes perfect sense not only because many users may not open Zoom for some time, but also because many of them had uninstalled the app.


16 What the US needs to counter ‘unprecedented’ Chinese influence in South America

As China continues to expand its global footprint, the Pentagon’s top official for South America is sounding a clear alarm: China’s influence in the region has reached “unprecedented levels of influence and leverage,” which will require a whole of government approach from the U.S. to counter. Adm. Craig Faller, the head of U.S. Southern Command, told the Senate Armed Services Committee’s Emerging Threats subcommittee that China is only going to increase its efforts to live “inside our own neighborhood seeking to displace the United States as the partner of choice and weaken the commitment of our partners to the rule of law and democracy.” “Strong partnerships — enabled by engagements and presence, intelligence and information exchanges, and education and training — are our primary bulwark against the influence of malign actors in the hemisphere and are bolstered by our work together on military professionalism,” Faller said.


17 T-Mobile says it can’t be sued by users because of forced-arbitration clause

T-Mobile US is trying to force customers into arbitration in order to avoid a class-action lawsuit that accuses the phone carrier of violating federal law by selling its customers' real-time location data to third parties. T-Mobile yesterday filed a motion to compel arbitration in US District Court in Maryland, saying that customers agreed to terms and conditions that require disputes to be handled in arbitration instead of courts. The two plaintiffs named in the lawsuit did not opt out of the arbitration agreement, T-Mobile wrote. "As T-Mobile customers, each Plaintiff accepted T-Mobile's Terms and Conditions ('T&Cs')," T-Mobile wrote in a memorandum of law. "In so doing, they agreed to arbitrate on an individual basis any dispute related to T-Mobile's services and to waive their right to participate in a class action unless they timely opted out of the arbitration procedure outlined in the T&Cs. Neither Plaintiff elected to opt out. Accordingly, Plaintiffs have brought their grievances to the wrong forum and their claims should be dismissed in favor of arbitration."


18 Former Tesla employee admits uploading Autopilot source code to his iCloud

Guangzhi Cao, a former engineer at Tesla, admitted in a court filing this week that he uploaded zip files containing Autopilot source code to his personal iCloud account in late 2018 while still working for the company. Tesla sued Cao earlier this year for allegedly stealing trade secrets related to Autopilot and bringing them to Chinese EV startup Xiaopeng Motors, also known as Xmotors or XPeng, which is backed by tech giant Alibaba. Cao denied stealing sensitive information from the automaker in the same filing. His legal team argued he “made extensive efforts to delete and/or remove any such Tesla files prior to his separation from Tesla.” Cao is now the “head of perception” at XPeng, where he is “[d]eveloping and delivering autonomous driving technologies for production cars,” according to his LinkedIn profile.


19 ‘Robot umpires’ make independent league baseball debut

Four months after being announced, so-called “robotic umpires” have made their debut in baseball’s Atlantic League. The addition is one of several tweaks currently being piloted in the independent league in an attempt to update some fundamentals of America’s pastime. The system utilizes TrackMan radar to determine whether a pitch is a ball or strike, a Doppler-based system that’s already in use at 30 Major League Baseball Stadiums and many more minor league parks. Information from the system is relayed to a human umpire via an iPhone and earpiece. The system isn’t replacing home plate umpires entirely, and for now the human ump is required to monitor pitches as a kind of fail-safe.


20 Google Translate’s camera feature now detects and translates a whopping 88 languages

As someone who’s writing this from a foreign country, I know it’s often insanely hard for foreigners to navigate a town when every sign is written in a different language. At times like this, Google Translate app’s instant camera translate feature becomes really handy. Now, Google has updated it with faster on-device translation, support for 60 more languages, and automatic language detection. Earlier, you had to select the source language and the language you wanted to translate the text in manually. With the new update, you can point the camera to a sign, and the Translate app will automatically detect the language. To use that feature, you have to select “Detect language” as the source language. Google has also refreshed the interface and placed instant, scan, and import features at the bottom for easier access.
