AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets 1/16/2020

1 – Production company data breach exposes personal data of Dove ‘real people’ ad participants

A data breach at UK-based Fresh Film Productions, which makes adverts for high-profile companies including Unilever, has exposed sensitive personal data of participants in antiperspirant brand Dove’s ‘real people’ campaign. The company inadvertently exposed the data, which included bank details and passport scans, by leaving a company server hosted online on an unsecured Amazon Web Services S3 bucket. This meant that it could be freely accessed by anyone with an internet connection.


2 – Tinder, Grindr Accused of Illegally Sharing User Data

Popular dating apps like Tinder and Grindr are sharing the personal data of their users to third parties in breach of EU regulations, a Norwegian consumer rights group said Tuesday. A new report by the Norwegian Consumer Council (NCC) details how Grindr, which markets itself as the “world’s largest social networking app for gay, bi, trans and queer people,” shares the GPS data, IP addresses, ages and genders of its users with a multitude of third-party companies to help them improve advert targeting. According to the government-funded non-profit organisation, the sharing of this data implicitly discloses users’ sexual orientations.


3 – NSA’s First Public Vulnerability Disclosure: An Effort to Build Trust

The U.S. National Security Agency (NSA) started a new chapter after discovering and reporting to Microsoft a vulnerability tracked as CVE-2020-0601 and impacting Windows 10 and Windows Server systems. In a phone conference that Bleeping Computer joined, NSA’s Director of Cybersecurity Anne Neuberger said that this is the first time the agency decided to publicly disclose a security vulnerability to a software vendor. “We thought hard about that. When Microsoft asked us, ‘Can we attribute this vulnerability to NSA?’ we gave it a great deal of thought. And then we elected to do so and here is why,” Neuberger explained.


4 – P&N Bank discloses data breach, customer account information, balances exposed

P&N Bank is informing customers of a data breach in which personally identifiable information (PII) and sensitive account information was exposed. On Wednesday, a security researcher going under the Twitter handle @vrNicknack pinged Troy Hunt, the operator of the Have I Been Pwned? search engine, with a notice he had received from the bank. P&N Bank, a division of Police & Nurses Limited and operating in Western Australia, sent the notice which warned of an “information breach” occurring through its customer relationship management (CRM) platform.


5 – Iowa caucuses to use new smartphone app despite cybersecurity fears

Iowa’s Democratic Party will use a smartphone app to calculate the results from the state’s caucuses next month, according to NPR. The move came despite warnings of potential cybersecurity breaches in light of Russia’s election interference in 2016. The caucuses are scheduled to take place Feb. 3 in public buildings and churches throughout the state. The internet-connected app is supposed to help get the results out in a more timely fashion, according to Troy Price, the chairman of the state Democratic Party, allowing caucus leaders to compile the results from participants and submit them to the central party via the app.


6 – Google now treats iPhones as physical security keys

The latest update to Google’s Smart Lock app on iOS means you can now use your iPhone as a physical 2FA security key for logging into Google’s first-party services in Chrome. Once it’s set up, attempting to log in to a Google service on, say, a laptop, will generate a push notification on your nearby iPhone. You’ll then need to unlock your Bluetooth-enabled iPhone and tap a button in Google’s app to authenticate before the login process on your laptop completes. The news was first reported by 9to5Google.


7 – Twitter’s Jack Dorsey on edit button: ‘We’ll probably never do it’

Twitter users have been asking for the option to edit tweets ever since the service launched in 2006, but the company has always prevaricated, saying it’s looking into the problem, or considering it deeply, or a hundred other ways of saying “please stop bothering us about this, please.” Now, Twitter CEO Jack Dorsey has given perhaps the most definitive answer on the question to date. During a video Q&A with Wired, Dorsey was asked if there’ll be an edit button for Twitter in 2020. He replies, with a faint smile: “The answer is no.”


8 – Nemty Ransomware to Start Leaking Non-Paying Victim’s Data

The Nemty Ransomware has outlined plans to create a blog that will be used to publish stolen data for ransomware victims who refuse to pay the ransom. A new tactic started by the Maze Ransomware and now used by Sodinokibi is to steal files from companies before encrypting them. If a victim does not pay the ransom, then the stolen data will be leaked little-by-little until payment has been made or it has all been released. The theory behind this is that companies may be more apt to pay a ransom if it costs less than the possible fines, data breach notification costs, loss of trade and business secrets, tarnishing of brand image, and potential lawsuits for the disclosing of personal data.


9 – Google Chrome’s privacy changes will hit the web later this year

Google’s Chrome team, advancing its web privacy effort, later this year will begin testing the “privacy sandbox” proposals it unveiled in 2019. The Chrome tests, which Google announced Tuesday, are part of an effort to make it harder for publishers, advertisers and data brokers to harvest your personal data without your permission and to track you online. Other browsers, including Apple’s Safari, Brave Software’s Brave, Mozilla’s Firefox and Microsoft’s new Chromium-based Edge, have pushed steadily to cut tracking for the last few years. Google’s privacy sandbox plan came later in the process, but carries enormous importance given that Chrome dominates browser usage, accounting for 64% of web activity, according to analytics firm StatCounter.


10 – UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass

The UK Information Commissioner’s Office has kicked £280m in data breach fines against British Airways and US hotel chain Marriott into the long grass. As spotted by City law firm Mishcon de Reya, the ICO has extended the time before it will fine the two companies what it claimed would be a total of £282m, split between BA’s £183m and Marriott’s £99m. In a statement the UK’s data protection regulator said: “Under Schedule 16 of the Data Protection Act 2018, BA [and Marriott] and the ICO have agreed to an extension of the regulatory process until 31 March 2020. As the regulatory process is ongoing we will not be commenting any further at this time.”
