AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets 1/29/2020

1 – Watch out Google. You’ve got competition. Verizon has a new ‘privacy-focused’ search engine

Verizon has slung out a new, privacy-focused search engine in an effort to win over customers who prefer not to have their browsing habits tracked by ad-slingers and the like. Verizon said the new search engine, named One Search, won’t share users’ personal information with advertisers, or store their search history. A new “Advanced Privacy Mode” will encrypt search terms and URLs against third-party tracking. The decision to make a privacy-focused search engine is apparently in line with Verizon’s “commitment to trust and transparency” and the way the company has led the industry “over the last couple decades.”


2 – Amazon engineer calls for Ring to be ‘shut down immediately’ over privacy concerns

“The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society,” Max Eliaser, an Amazon software-development engineer, said in a post published on Medium on Sunday. “The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back.” Eliaser’s comments are striking because Ring is owned by Amazon, whose corporate employees rarely speak out against the company. (Amazon bars employees from speaking about the company without prior approval.) Amazon and Ring did not immediately respond to requests for comment.


3 – Wawa Breach May Have Compromised More Than 30 Million Payment Cards

In late December 2019, fuel and convenience store chain Wawa Inc. said a nine-month-long breach of its payment card processing systems may have led to the theft of card data from customers who visited any of its 850 locations nationwide. Now, fraud experts say the first batch of card data stolen from Wawa customers is being sold at one of the underground’s most popular crime shops, which claims to have 30 million records to peddle from a new nationwide breach. On the evening of Monday, Jan. 27, a popular fraud bazaar known as Joker’s Stash began selling card data from “a new huge nationwide breach” that purportedly includes more than 30 million card accounts issued by thousands of financial institutions across 40+ U.S. states.


4 – LabCorp data breach exposes information of 7.7 million consumers

A day after Quest Diagnostics announced 12 million patients were affected by a data breach, another medical testing company says its patients’ data was also compromised. In a filing with the U.S. Securities and Exchange Commission on Tuesday, LabCorp said “approximately 7.7 million consumers” are affected by a breach at third-party collections firm American Medical Collection Agency, also known as AMCA. According to the SEC document, the breach happened between Aug. 1, 2018, and March 30, 2019. Information that could have been exposed includes names, addresses, dates of birth and balance information.


5 – A Christian-friendly payment processor spilled 6 million online transaction records

A little-known payment processor, which announces itself as a Christian-friendly company that “does not process credit card transactions for morally objectionable businesses,” left online a database that contained years of payment transactions from its customers. The database contained 6.7 million records dating back to 2013, and was updated daily. But the database was not protected with a password, which allowed anyone to look inside. Security researcher Anurag Sen found the database. Newsdio identified its owner as Cornerstone Payment Systems, which provides payment processing to ministries, nonprofit organizations and other morally aligned companies in the U.S., including churches, religious radio personalities and pro-life groups.


6 – Apple iOS 13.3.1 Released With Fix for Location Tracking

Apple has released iOS 13.3.1 with numerous bug fixes, including a new setting that allows you to disable the constant location checks being performed by the iPhone 11’s U1 chip. In December 2019, Brian Krebs reported that even with location services disabled for all system services and applications, the new iPhone 11 would still occasionally check for a user’s location. In a statement to TechCrunch, Apple stated that this is caused by the new U1 ultra-wideband (UWB) chip, which needs to be turned off in certain locations due to international regulatory requirements. Because of this, iOS will use Location Services to determine if the phone is in a prohibited location, and if it is, will disable ultra-wideband.


7 – What ‘Have I been Pwned?’ taught DHS’s internal cyber chief about passwords

A website that informs users if their email address has been swept up in a data breach isn’t just popular with vigilant business owners or private security sleuths. The man charged with protecting the Department of Homeland Security’s systems from hackers also maintains an account on the “Have I been Pwned?” website, and it regularly reminds him of the risks passwords pose. “I get emails from this website on a monthly basis,” DHS CISO Paul Beckman said Tuesday at the Zero Trust Security Summit presented by Duo and produced by FedScoop and CyberScoop. “That’s how often my username and password is getting compromised.” Beckman said he registered both his personal and DHS emails on the website. The good news for him is that he uses a “second factor” — something like an SMS message or an authentication app — to log into his accounts and keep hackers out of them.


8 – The Department of Justice Files Actions to Stop Telecom Carriers Who Facilitated Hundreds of Millions of Fraudulent Robocalls to American Consumers

The Department of Justice filed civil actions for temporary restraining orders today in two landmark cases against five companies and three individuals allegedly responsible for carrying hundreds of millions of fraudulent robocalls to American consumers, the Department of Justice announced. The Department of Justice alleges that the companies were warned numerous times that they were carrying fraudulent robocalls — including government- and business-imposter calls — and yet continued to carry those calls and facilitate foreign-based fraud schemes targeting Americans. The calls, most of which originated in India, led to massive financial losses to elderly and vulnerable victims across the nation.


9 – SEC Publishes Cybersecurity Practices of Financial Industry

The US Securities and Exchange Commission (SEC) has published a 10-page document detailing cybersecurity practices observed to be in use in the financial industry. The observations were gathered by the SEC’s Office of Compliance Inspections and Examinations (OCIE) and are based on thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges, and other SEC registrants. OCIE issued the examination observations yesterday on the SEC website with the hope of providing firms with guidelines for how to strengthen their cybersecurity.


10 – Travelex says UK money transfer and wire services back online after hack

Travelex’s UK international money transfer service and wire offering is fully operational again, it said on Tuesday, almost a month after a crippling ransomware attack forced staff to use pen and paper to calculate foreign currency exchanges. The cyber attack forced the company to take all its systems offline, causing chaos for New Year holidaymakers and business travellers seeking online currency services. It is more than a week since the company, owned by Finablr, said that the first of its customer-facing systems in Britain was up and running again and a phased global restoration of systems “firmly underway”.
