Our website may use cookies to improve and personalize your experience and to display advertisements (if any). Our website may also include cookies from third parties like Google Adsense or Google Analytics. By using the website, you consent to the use of cookies. We’ve updated our Privacy Policy. Please click on the button to check our Privacy Policy.

AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets – 07/26/2019

1 Equipment Benefits Administrator Reports Data Breach

A Michigan-based administrator for durable medical equipment benefits is the latest business associate to report a large health data breach affecting patients as well as healthcare providers. In a July 12 statement, Madison Heights, Michigan-based Northwood Inc. says that on May 6 it discovered "suspicious activity" involving an employee email account. "Working together with a leading computer forensics expert, our investigation determined that an unauthorized individual or individuals accessed the email account between May 3, 2019 and May 6, 2019," the statement says. "Because Northwood was unable to determine which email messages in the account may have been opened or viewed by the unauthorized actor, we reviewed the contents of the entire email account to identify what personal information was stored within it."

 

2 Facebook Fixing Messenger Kids App Flaw

Facebook is fixing a design flaw in its Messenger Kids app that allowed children under the age of 13 to enter into group chats with adults without their parents' permission. The social media company has notified "thousands" of parents this week that it's working on correcting the issue, a spokesperson says. The Facebook Messenger Kids app was launched in 2017 with the purpose of ensuring child safety. It allows children between the ages of 6 and 12 to chat only with users who have been approved by their parents. A bug in the app's group chat feature, however, blurred the privacy filters applied to one-on-one chats and allowed children to be part of groups and chat with its members who might not be approved by their parents, according to The Verge, which first reported on the issue Monday.

 

3 DEF CON Invites Kids to Crack Campaign Finance Portals

A new challenge at this year's DEF CON will let kid hackers take aim at simulated election campaign financial disclosure portals and use their findings to stage disinformation campaigns. DEF CON's Voting Village and AI Village have teamed up with r00tz Asylum, a nonprofit dedicated to educating kids about white-hat hacking, to teach budding infosec enthusiasts ages 8–16 about digital threats to democracy. Like the Voting Village, which lets adults explore flaws in election infrastructure, r00tz Asylum gives kids a chance to poke holes in election security.

 

4 Tax Professionals Warned by IRS to Create Data Security Plans

The Internal Revenue Service (IRS) issued a joint news release with the US tax industry and state tax agencies to remind professional tax preparers that they are required by federal law to have a data security plan. A data security plan should allow tax professionals to have appropriate safeguards in place to protect the sensitive taxpayer information they work with on a daily basis from data theft attacks. "Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers," said IRS Commissioner Chuck Rettig. "Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business."

 

5 Listen to this AI chat up a frustrated telemarketer for 15 minutes

Telemarketers are the bane of our existence. With the rise of robocalls and automated bots meant to call hundreds of numbers per hour, The Jolly Roger Telephone Company — a nod to the traditional skull and crossbones — is fighting fire with fire, using automation to keep these scammers on the line in an attempt to waste as much of their time as possible. In its latest example, a vacation scammer attempts to secure an upfront payment from a customer by warning of expiring “vacation credits” with a travel agent they’ve never contacted. Unfortunately for the telemarketer, she’s talking to a lifelike bot meant to waste her time. The bot, named “Ox-Gut McGee,” uses IBM’s Watson AI to process speech from the telemarketers.

 

6 Researchers propose ways to measure and encourage energy-efficient AI

Conventional AI development pipelines require processing power — and lots of it. It’s estimated that the computational baseline for AI research has been doubling every few months, resulting in a 300,000 times increase from 2012 to 2018. While that’s contributed to breakthroughs like highly dextrous robots and skilled poker-playing algorithms, the environmental costs have been enormous. One recent study found that a single model creates a carbon dioxide footprint of 284 tons during training, equivalent to five times the lifetime emissions of an average car. That’s why scientists at the Allen Institute for AI, Carnegie Mellon University, and the University of Washington advocate ramping up research in green AI, or AI that’s environmentally friendly and “inclusive.”

 

7 Microsoft Office 365 Webmail Exposes User's IP Address in Emails

If you use Office 365's webmail interface to prevent email recipients from seeing your local IP address, you are out of luck. When sending email through Office 365, your local IP address will be injected into the message as an extra mail header. Operating a web site and focusing on infosec related topics has made me a paranoid person.  This leads me to send replies to stranger's emails via webmail so I do not expose my local IP address for security and to protect my privacy. It turns out that if you have been using the Office 365 webmail interface to hide your IP address, you are not hiding anything. 

 

8 A computing visionary looks beyond today’s AI

Siegelmann, who holds two appointments, one with the University of Massachusetts at Amherst as professor of computer science, and one as a program manager at the Defense Advanced Research Projects Agency, DARPA, sat down with ZDNet to discuss where neuromorphic computing goes next, and the insights it can bring about artificial intelligence, especially why AI succeeds and fails. 

Today's deep learning form of AI, for all its achievements, has serious shortcomings, in Siegelmann's view. "There are many issues with deep learning," says Siegelmann. "You see the brittleness of it: If it is presented with a new situation, it won't know what to do. Generalization is very thin with deep learning; only when the new data has the same statistical properties as the training and validation data will generalization work."

 

9 In push for chip independence, Apple buys Intel unit for $1 billion

Apple Inc (AAPL.O) took a major step toward supplying its own smartphone chips by purchasing the majority of Intel Corp’s (INTC.O) modem business in a deal valued at $1 billion, the companies said on Thursday. Under the deal, about 2,200 Intel employees will join Apple, along with intellectual property, equipment and leases. Combined with its existing portfolio, Apple will have 17,000 wireless technology patents, ranging from cellular communication standards to modems, making it a more powerful player in global licensing talks that will likely take place between major 5G patent holders such as Huawei Technologies Co Ltd.

 

10 Cryptocurrency loan site YouHodler exposed unencrypted user credit cards and transactions

A cryptocurrency loan startup exposed reams of customer credit cards and user transactions for almost a month — because it forgot to protect the server with a password. Security researchers Noam Rotem and Ran Locar found the database belonging to YouHodler, a lending platform designed for cryptocurrency, which claims to have processed $10 million in loans to more than 3,500 customers. The researchers shared their findings exclusively with TechCrunch, and to verify the authenticity of the data. The researchers also wrote up their findings. Once the researchers reported the leaking data, the company pulled the database offline.

 

11 Equifax Might Owe You $125 for Its Massive Data Breach. Here's How to File a Claim

After the enormous 2017 data breach that revealed the private information of millions of people, credit bureau Equifax plans to pay millions to those affected. The company recently settled to pay up to $700 million in restitution and fines to settle with the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau. $425 million will go to those who were affected by the breach, which exposed social security numbers of nearly 150 million people. The website where those affected can file a claim is now live. To find out if you were one of the people impacted by the breach, Equifax has set up a tool to check.

 

12 Russia targeted election systems in all 50 states, Senate concludes

The U.S. Senate Intelligence Committee has concluded that election systems in all 50 states were targeted by hackers linked to the Russian government, according to a heavily redacted report released today. In 2017, we’d heard 39 states, and the Department of Homeland Security officially admitted that 21 states had been targeted later that year. It was only this April that a joint report from DHS and the FBI indicated that Russian hackers may have tried to probe every single U.S. state’s election infrastructure for flaws. Because the relevant sections of today’s report are mostly blacked out, it’s not clear how sure the Senate Intelligence Committee is that Russia probed every state, or what the evidence might be.

 

13 Neo-Nazi SWATters Target Dozens of Journalists

Nearly three dozen journalists at a broad range of major publications have been targeted by a far-right group that maintains a Deep Web database listing the personal information of people who threaten their views. This group specializes in encouraging others to harass those targeted by their ire, and has claimed responsibility for dozens of bomb threats and “swatting” incidents, where police are tricked into visiting potentially deadly force on the target’s address. At issue is a site called the “Doxbin,” which hosts the names, addresses, phone number and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family.

Related Posts