AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 08/18/2022

In Post Roe v. Wade Era, Mozilla Labels 18 of 25 Popular Period and Pregnancy Tracking Tech With *Privacy Not Included Warning

Eighteen out of 25 reproductive health apps and wearable devices that Mozilla investigated for privacy and security practices received a *Privacy Not Included warning label. These findings raise concerns in the post-Roe landscape that data could be used by authorities to determine if users are pregnant, seeking abortion information or services, or crossing state lines to obtain an abortion. Mozilla researched ten popular period tracking apps, ten pregnancy tracking apps, and five health and fitness wearable devices that track fertility, including Flo, Glow, Ovia, Period Calendar Period Tracker, and My Calendar Period Tracker.

 

New macOS 12.5.1 and iOS 15.6.1 updates patch “actively exploited” vulnerabilities

Apple has released a trio of operating system updates to patch security vulnerabilities that it says “may have been actively exploited.” The macOS 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 updates are available for download now and should be installed as soon as possible. The three updates all fix the same pair of bugs. One, labeled CVE-2022-32894, is a kernel vulnerability that can allow apps “to execute arbitrary code with kernel privileges. The other, CVE-2022-32893, is a WebKit bug that allows for arbitrary code execution via “maliciously crafted web content.” Both discoveries are attributed to an anonymous security researcher. WebKit is used in the Safari browser as well as in apps like Mail that use Apple’s WebViews to render and display content.

 

TheTruthSpy exposed: This spyware lookup tool says if your Android device was compromised

A TechCrunch investigation in February 2022 revealed that a fleet of consumer-grade spyware apps, including TheTruthSpy, share a common security vulnerability that is exposing the personal data of hundreds of thousands of Android users. Our investigation found victims in virtually every country, with large clusters in the United States, Europe, Brazil, Indonesia and India. But the stealthy nature of the spyware means that most victims will have no idea that their device was compromised unless they know where on their device to look. Then, in June, a source provided TechCrunch with a cache of files dumped from the servers of TheTruthSpy’s internal network. The cache included a list of every Android device that was compromised by any of the spyware apps in TheTruthSpy’s network, including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, GuestSpy and FoneTracker. Other than their names, these apps are almost identical and all communicate with the same server infrastructure.

 

Janet Jackson’s ‘Rhythm Nation’ apparently vibed too hard for some laptops

While it’s normal for friends to judge our music tastes and take away your aux privileges, our devices usually won’t complain about our listening habits (even if we ask them to repeatedly play a song that most humans would find insufferable). However, according to a story shared by Microsoft principal software engineer Raymond Chen on his blog The Old New Thing, some Windows XP-era laptops did end up taking exception to the music video for Janet Jackson’s “Rhythm Nation” because it contained a sound that crashed their hard drives. According to Chen, an unnamed “major computer manufacturer” discovered that some of their computers were crashing when trying to play the song and that playing the song on one laptop could even crash another computer nearby that was just minding its own business. The manufacturer also discovered that the issue cropped up on other companies’ laptops as well.

 

NIST CSF 2.0 Workshop emphasizes global appeal, metrics and assessment

The U.S. National Institute of Standards and Technology (NIST) hosted its first workshop yesterday on the Cybersecurity Framework (CSF) 2.0, an update to the CSF 1.1 released in 2018, which was itself an update to the original CSF released in 2014. Many cybersecurity professionals, and some NIST experts, consider the framework to be the “Rosetta stone” for managing all organizations’ cybersecurity risks. Heading into the workshop, NIST issued a request for information, asking commenters to answer questions about bringing the CSF up-to-speed on some emerging developments that were only partially covered in the first two versions or not referenced at all. Comments submitted to NIST reflected a wide range of considerations, encouraging NIST to make several improvements including a greater emphasis on measurements and metrics related to the CSF, beefing up supply chain security sections, and offering more implementation guidance on how to adopt the framework. Overall, commenters praised the effort as valid and valuable.

 

Software developer cracks Hyundai car security with Google search

A developer says he was able to run his own software on his car infotainment hardware after discovering the vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples. Daniel Feldman, a Minneapolis, Minnesota-based software engineer, wanted to modify the in-vehicle infotainment (IVI) system in his 2021 Hyundai Ioniq SEL. To do so, he would have to figure out how to connect to the device and bypass its security.

Related Posts