AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 08/05/2020

US government sites abused to redirect users to porn sites

In an ongoing blackhat SEO campaign tracked by BleepingComputer, scammers are using open redirects found on government websites to send visitors to pornography sites. An open redirect is a URL on a site that forwards the visitor to whatever destination is supplied in a parameter, with no check that the destination belongs to the site. Blackhat SEO scammers use these open redirects to get listings in search engines such as Google that display the title of the destination page while appearing to be hosted on the government site. For about two weeks, scammers have been injecting government open redirect links into search engines (BleepingComputer's report includes a heavily redacted screenshot of such listings). While government system administrators have been playing whack-a-mole and removing open redirects as they find them, new ones keep appearing and being used to inject links to adult sites in search engines.
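To make the mechanism concrete, here is an added example that is not code from the article, from BleepingComputer or from any government site: a redirect handler with the open-redirect flaw next to a hardened version that only forwards to its own origin, plus a small access-log triage that reuses the same check to find redirect hits pointing off-site. The origin `https://www.example.gov`, the `?next=` parameter name and the log lines are all constructed assumptions.

```python
"""
Added example (not from the article or any real site): a vulnerable
open-redirect handler beside a hardened one, plus an access-log triage
that reuses the hardened check to surface abuse of the redirect endpoint.
SITE_ORIGIN, the ?next= parameter and SAMPLE_LOG are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse, urljoin, parse_qs

SITE_ORIGIN = "https://www.example.gov"   # constructed; not a real host


def vulnerable_redirect_target(next_param: str) -> str:
    """The flaw the article describes: whatever arrives in ?next= is used
    verbatim as the Location header, so /redirect?next=https://adult.example/
    sends the visitor off-site while the link itself lives on the .gov host
    (which is exactly what the SEO scammers get search engines to index)."""
    return next_param


def safe_redirect_target(next_param: str, site_origin: str = SITE_ORIGIN) -> str:
    """Allow only destinations on our own origin; anything else falls back to '/'.
    Resolving relative to the site first means '//evil.example' (protocol-
    relative) and 'https://evil.example' both end up with a foreign netloc."""
    # Raw whitespace and backslashes are rejected outright: browsers normalise
    # '/\\evil.example' to '//evil.example', which urljoin would not.
    if not next_param or any(c.isspace() or c == "\\" for c in next_param):
        return "/"
    resolved = urljoin(site_origin + "/", next_param)
    site, dest = urlparse(site_origin), urlparse(resolved)
    # Comparing the full netloc (not just hostname) also rejects the
    # 'https://www.example.gov@evil.example/' userinfo trick; comparing the
    # scheme rejects http downgrades and javascript: / data: pseudo-URLs.
    if dest.scheme != site.scheme or dest.netloc.lower() != site.netloc.lower():
        return "/"
    return resolved


# Constructed access-log lines (common log format, hypothetical traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Aug/2020:10:01:02 +0000] "GET /redirect?next=/reports/2020 HTTP/1.1" 302 0
198.51.100.9 - - [03/Aug/2020:10:01:07 +0000] "GET /redirect?next=https://adult.example/videos HTTP/1.1" 302 0
198.51.100.9 - - [03/Aug/2020:10:01:09 +0000] "GET /redirect?next=//adult.example/more HTTP/1.1" 302 0
203.0.113.7 - - [03/Aug/2020:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')


def flag_offsite_redirects(log_text: str, param: str = "next") -> List[Tuple[str, str]]:
    """Return (client_ip, destination) for every request whose redirect
    parameter would leave the site, i.e. hits the hardened handler refuses.
    Useful for finding which endpoints are being abused before they are fixed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, _status = m.groups()
        for dest in parse_qs(urlparse(path).query).get(param, []):
            if safe_redirect_target(dest) == "/":
                hits.append((ip, dest))
    return hits


if __name__ == "__main__":
    for case in ["/reports/2020", "//adult.example/x", "https://adult.example/",
                 "https://www.example.gov@adult.example/", "javascript:alert(1)"]:
        print(f"{case!r:45} vulnerable -> {vulnerable_redirect_target(case)!r:42} "
              f"hardened -> {safe_redirect_target(case)!r}")
    print(flag_offsite_redirects(SAMPLE_LOG))
```

The hardened version deliberately returns a full URL on the site's own origin rather than echoing the parameter back, so a reviewer can see at a glance that the only hosts a Location header can ever carry are the site's own. An allow-list of partner hosts can be added the same way (compare `dest.netloc` against a set) but should never be built from a prefix or substring match, since `www.example.gov.adult.example` would pass such a check.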


Granting employees admin status is convenient but risky

One of your employees needs access to part of your customer database so he can fulfill an urgent reporting request. You’re busy and this employee is trustworthy, so you grant him administrative status. Simple solution, right? You’ll revoke it later when you’re done with the other 600 critical things you’re working on right now. Right? Not so fast. In reality, freely granting employees admin status is one of the most common mistakes enterprises make. Even if employees don’t have malicious intent — and the vast majority do not — this move still exposes companies to serious risk. An employee with full admin access, for example, can see everything but is also free to make changes to the code and configuration of your applications, thinking they’re just “tweaking” their personal experience. A ton of important information can be accidentally deleted or altered with the click of a button. 


Apple announces remote work until 2021

Apple CEO Tim Cook announced that employees would not be returning to office work until 2021, joining other large tech companies’ plans for a work-from-home future. “We’ve kicked the time period that U.S. employees would come back until early next year. To go beyond that, it would depend on the success with a vaccine, success with therapeutics,” Cook told Bloomberg TV. Neighboring tech giant Google told workers last week they can work from home until July 2021, and Facebook is also significantly increasing remote work. Of all the large tech companies, Twitter has taken the most progressive remote work stance, with CEO Jack Dorsey telling employees they can keep working remotely permanently.


Robocall Legal Advocate Leaks Customer Data

A California company that helps telemarketing firms avoid getting sued for violating a federal law that seeks to curb robocalls has leaked the phone numbers, email addresses and passwords of all its customers, as well as the mobile phone numbers and other data on people who have hired lawyers to go after telemarketers. The Blacklist Alliance provides technologies and services to marketing firms concerned about lawsuits under the Telephone Consumer Protection Act (TCPA), a 1991 law that restricts the making of telemarketing calls through the use of automatic telephone dialing systems and artificial or prerecorded voice messages. The TCPA prohibits contact with consumers — even via text messages — unless the company has “prior express consent” to contact the consumer.


Zello resets all user passwords after data breach

The push-to-talk app Zello has disclosed a data breach that exposed users' email addresses and hashed passwords after it discovered unauthorized activity on its systems. Zello is a mobile service with 140 million users that allows first responders, hospitality services, transportation, and family and friends to communicate via their mobile phones using a push-to-talk app. Zello states that it discovered unauthorized activity on one of its servers on July 8th, 2020. As part of this access, the attacker may have obtained the email addresses and hashed passwords of Zello accounts. While Zello does not explicitly state that a database was accessed, this is most likely how the threat actor reached the customer information.


FCC chair says agency will take public comment on Trump social media petition

The Federal Communications Commission will take public comment for 45 days on a petition filed by the Trump administration seeking new transparency rules in how social media companies moderate content, FCC Chairman Ajit Pai said on Monday. Pai rejected calls from Democrats that he summarily dismiss the petition without public comment. The decision came after President Donald Trump directed the Commerce Department’s National Telecommunications and Information Administration (NTIA) to file the petition after Twitter Inc in May warned readers to fact-check his posts about unsubstantiated claims of fraud in mail-in voting. Pai has said previously he does not see a role for the FCC to regulate websites like Twitter, Facebook Inc or Alphabet Inc’s Google, but said on Monday the FCC “should welcome vigorous debate – not foreclose it. The American people deserve to have a say, and we will give them that chance.”


Morgan Stanley sued for failing to wipe client data from old computer equipment

A pair of lawsuits allege Morgan Stanley compromised sensitive client information — including Social Security, passport and account numbers — by failing to fully wipe decommissioned computer equipment that has since gone missing. The first lawsuit, filed Wednesday in federal court in New York, represents five current and former Morgan Stanley clients who were notified earlier in July about data breaches that occurred as early as 2016. The second lawsuit, filed two days later in the same court, represents two more individuals who also received the notification. The lawsuits are seeking class action status on behalf of affected clients. After closing two data centers in 2016, Morgan Stanley hired a vendor to remove customer data from the equipment, according to the notification sent to plaintiffs. Morgan Stanley subsequently learned that some devices still contained unencrypted data after they left the firm’s possession.
