AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets – 07/15/2019

1 Self-driving shuttle crashed in Las Vegas because manual controls were locked away

The National Transportation Safety Board (NTSB) has wrapped up a more than year-long investigation into a low-speed crash between a self-driving shuttle and a delivery truck in Las Vegas on November 8th, 2017. The agency determined two main probable causes for the accident: the truck driver’s assumption that the shuttle would move to avoid him, and that the safety operator inside the shuttle didn’t have direct access to the manual override controls. That the truck driver was somewhat to blame jibes with the immediate descriptions of the crash, which happened on the shuttle’s first day of operation. On that day, a Las Vegas government official described the truck grazing the stopped shuttle as it backed into an alley, which is ultimately what the NTSB found in its investigation.


2 Leveraging Artificial Intelligence to Proactively Detect, Track and Minimize Data Loss Threats

This article outlines at a high level how artificial intelligence (AI) can help organizations proactively detect data breaches in their earliest stages in order to prevent them from escalating into major events. Machine learning is used to curate and extract meaningful information from the immense amount of data on the Deep Dark Web (DDW) by reducing and optimizing the search space. In this way, analysts can more easily identify risk markers for data losses. Sophisticated data visualization tools take this information, i.e., the exposure of PII or loss of other sensitive data, to create a timeline of events on the DDW leading up to a data security breach that can subsequently be used as the basis for an early warning system.


3 Amazon continues work on mobile home robot as it preps new high-end Echo, says report

Amazon is still working on a mobile home robot, according to a report from Bloomberg’s Mark Gurman. It’s also planning to add a high-end Echo to its lineup of Alexa devices. We first heard about Amazon’s plans to build a wheeled home robot in April last year. The project is reportedly codenamed “Vesta” (after the Roman goddess of the hearth), and rumors suggest it’s a sort of “mobile Alexa” that’s able to follow users around their homes. Today’s report doesn’t add significantly to this picture, but it seems Amazon is still keen to build the mobile device. It was apparently slated to launch this year but wasn’t ready for mass-production. Engineers have reportedly been pulled from other projects to work on Vesta, and Gurman reports that prototypes are “waist-high and navigate with the help of an array of computer-vision cameras.” They can also be summoned using voice commands.


4 Donald Trump blasts Facebook’s Libra, demands strict regulation

Donald Trump is not a fan of Libra, Facebook's proposed cryptocurrency, the president made clear in a series of tweets on Thursday evening. "Facebook Libra’s 'virtual currency' will have little standing or dependability," Trump tweeted. "If Facebook and other companies want to become a bank, they must seek a new banking charter and become subject to all banking regulations, just like other banks." Trump is the latest—and most high-profile—public official to raise doubts about Facebook's cryptocurrency plans. On Wednesday, Federal Reserve chairman Jerome Powell warned that "Libra raises many serious concerns regarding privacy, money laundering, consumer protection and financial stability."


5 'Robot umpires' debut in independent Atlantic League

"Robot umpires" have arrived. The independent Atlantic League became the first American professional baseball league to let a computer call balls and strikes Wednesday night at its All-Star Game. Plate umpire Brian deBrauwere wore an earpiece connected to an iPhone in his pocket and relayed the call upon receiving it from a TrackMan computer system that uses Doppler radar. He crouched in his normal position behind the catcher and signaled balls and strikes. "Until we can trust this system 100 percent, I still have to go back there with the intention of getting a pitch correct because if the system fails, it doesn't pick a pitch up or if it registers a pitch that's a foot-and-a-half off the plate as a strike, I have to be prepared to correct that," deBrauwere said before the game. It didn't appear deBrauwere had any delay receiving the calls at first but players noticed a big difference.


6 U.S. to hold hearing on French tax investigation Aug. 19

The U.S. Trade Representative’s (USTR) Office will hold a hearing on Aug 19 in its probe of France’s new planned tax on big technology companies, calling the proposal “unreasonable.” President Donald Trump on Wednesday ordered an investigation into the tax, which could lead to the United States imposing new tariffs or other trade restrictions. USTR said in a public notice the levy was an “unreasonable tax policy.” The plan departs from tax norms because of “extraterritoriality; taxing revenue not income; and a purpose of penalizing particular technology companies for their commercial success,” it said.


7 Fake CS: GO, PUBG, Rust Cheats Push Password-Stealing Trojan

Some users of online team-based shooters, battle royale, or survival games commonly use game hacking or cheats to give themselves an advantage over their opponents. Unfortunately, in many cases these cheats do nothing but compromise the user's own data as installing them infects a computer with password and information stealing Trojans. Such is the case with a malicious campaign discovered by security researcher .sS.! where a YouTube user named Pirate Hack is creating videos that offer free aimbot, wall hack tools, and cheats for popular games such as CS GO, PUBG, and Rust. These videos will demonstrate supposed game hacks and then include a mega.nz download link in the description where a user can download the tool for free.


8 Troll lawyer uploads porn to Pirate Bay, extorts downloaders to settle ‘copyright’ claims

If you use torrent software and search engines to download copyrighted content illegally, you may run the risk of being warned by ISPs or legal representatives that further infractions could lead to prosecution — especially if you do so without the use of VPNs or IP masking. However, it is not every day that you come across a case when an attorney deliberately uploads copyrighted, adult material for torrent users to download in order to extort them for money. In an interesting case of legal professionals abusing their knowledge of the IP system to conduct fraud, an attorney in Florida has found himself behind bars after being involved in a "multi-million dollar fraud scheme," the US Department of Justice (DoJ) said on Tuesday.


9 Academics steal data from air-gapped systems via a keyboard's LEDs

The Caps Lock, Num Lock, and Scroll Lock LEDs on a keyboard can be used to exfiltrate data from a secure air-gapped system, academics from an Israeli university have proved. The attack, which they named CTRL-ALT-LED, is nothing that regular users should worry about but is a danger for highly secure environments such as government networks that store top-secret documents or enterprise networks dedicated to storing non-public proprietary information. The attack requires some prerequisites, such as the malicious actor finding a way to infect an air-gapped system with malware beforehand. CTRL-ALT-LED is only an exfiltration method. But once these prerequisites are met, the malware running on a system can make the LEDs of a USB-connected keyboard blink at rapid speeds, using a custom transmission protocol and modulation scheme to encode the transmitted data. A nearby attacker can record these tiny light flickers, which they can decode at a later point, using the same modulation scheme used to encode it.


10 Why Cyber Command’s latest warning is a win for the government's information sharing efforts

When U.S. Cyber Command warned last week that a hacking group was using a Microsoft Outlook vulnerability previously leveraged by an Iran-linked malware campaign, it appeared to be signaling just how much the military knows about those operations. But the alert was significant in other ways: behind-the-scenes details uncovered by CyberScoop show that it is an example of how the U.S. government has built up its use of the information-sharing platform VirusTotal so the private sector gets more information sooner. Along with Cyber Command’s warning, which also was shared in a tweet, the Department of Homeland Security (DHS) released its own private warning to industry, CyberScoop has learned. The department’s traffic light protocol (TLP) alert covered the same threat that Cyber Command would eventually post to VirusTotal.


11 US mayors group adopts resolution not to pay any more ransoms to hackers

The US Conference of Mayors unanimously adopted yesterday a resolution not to pay any more ransom demands to hackers following ransomware infections. "Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit," the adopted resolution reads. "The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm," it said. "NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach."


12 Apple restores banned parental control app OurPact to the App Store

Apple has reversed course on its ban of parental control app OurPact, allowing the ousted software to return to the App Store in its original form and without any limitations or restrictions. The move marks an end to a months-long dispute between Apple and a variety of parental control companies affected by Apple’s restrictions. The fact that Apple removed or prevented updates to many of these apps (including OurPact) raised eyebrows because it allegedly stemmed from a sudden change in policy that reclassified the apps as unsafe, due to the technology they relied on for managing kids’ devices. The issue was that these apps were using a suite of tools called MDM, or multi-device management, designed for management of hardware in IT and school environments. It was still allowed on the App Store in a variety of enterprise-level apps after Apple’s rule change, despite using the exact same technology and seemingly putting their users at the same purported risk.


13 Facial Recognition Tech Is Growing Stronger, Thanks to Your Face

Dozens of databases of people’s faces are being compiled without their knowledge by companies and researchers, with many of the images then being shared around the world, in what has become a vast ecosystem fueling the spread of facial recognition technology. The databases are pulled together with images from social networks, photo websites, dating services like OkCupid and cameras placed in restaurants and on college quads. While there is no precise count of the data sets, privacy activists have pinpointed repositories that were built by Microsoft, Stanford University and others, with one holding over 10 million images while another had more than two million.


14 Waymo has now driven 10 billion autonomous miles in simulation

Alphabet’s Waymo autonomous driving company announced a new milestone at TechCrunch Sessions: Mobility on Wednesday: 10 billion miles driven in simulation. This is a significant achievement for the company, because all those simulated miles on the road for its self-driving software add up to considerable training experience. Waymo also probably has the most experience when it comes to actual, physical road miles driven — the company is always quick to point out that it’s been doing this far longer than just about anyone else working in autonomous driving, thanks to its head start as Google’s self-driving car moonshot project.


15 Privacy and Mobile Device Apps

Applications (apps) on your smartphone or other mobile devices can be convenient tools to access the news, get directions, pick up a ride share, or play games. But these tools can also put your privacy at risk. When you download an app, it may ask for permission to access personal information—such as email contacts, calendar inputs, call logs, and location data—from your device. Apps may gather this information for legitimate purposes—for example, a ride-share app will need your location data in order to pick you up. However, you should be aware that app developers will have access to this information and may share it with third parties, such as companies who develop targeted ads based on your location and interests.


16 Visa's vision for the future of payments is password-free

Visa believes the payment industry can move away from passwords in the next five years thanks to advancements in authentication and anti-fraud technologies that are already making "static" cardholder verification (CVM) methods such as signature and PINs optional. With the ability of financial institutions and merchants to share 10 times more data with each other than ever before, and the growing sophistication of artificial intelligence (AI) that is making fraud detection faster and more accurate, Visa head of product Axel Boye-Moller believes that as this ecosystem evolves to be more secure, and AI and biometrics capabilities further mature, there is a future where legacy verification methods are eventually eliminated.


17 Facebook, Google, Amazon, Apple will be under fire on Capitol Hill this week

Silicon Valley will have a big presence in Washington, D.C., this week as big tech companies get ready for the spotlight, with several high-profile Congressional hearings scheduled for this week. On Tuesday, July 16, alone, lawmakers will hold the first hearing on Libra (Facebook’s cryptocurrency offering), four big tech companies will go before a House antitrust panel, and a Senate Judiciary subcommittee will hold a hearing looking at Google. This comes as tech giants are under increasing scrutiny from lawmakers in both parties — over data privacy, antitrust issues, and accusations of partisan censorship. On Friday, the Wall Street Journal reported the FTC agreed to a $5 billion settlement with Facebook (FB) over its privacy missteps.