AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 1/3/2020

1 – Apple answers dev concerns that location tracking alerts will upset users

When Apple released iOS 13 towards the end of September 2019 it brought with it a new warning that told users when an app repeatedly accessed their location data in the background. A new Wall Street Journal report (via MacRumors) notes that developers are worried that the alerts will make users doubt their apps. But Apple isn’t concerned. According to the report some developers have expressed concerns that the new alerts pop up every few days, sometimes even after a user has tapped the “Always Allow” option. Developers worry that the repeated alerts will reflect poorly on their apps, potentially causing users to look elsewhere.


2 – Apple’s change of plan: iPhones and iPads will use Imagination chip designs after all

Two years after Apple ditched Imagination, the UK chip designer powering iPhones and iPads, the Cupertino giant has had a change of heart. The two companies have announced that a new deal is on the table, although the exact terms of the agreement have not been disclosed. In a short statement, Imagination said the “multi-year, multi-use license agreement” that started in 2014 and which was ended by the iPhone maker in 2017, will be replaced by “an agreement under which Apple has access to a wider range of Imagination’s intellectual property in exchange for license fees”.


3 – Samsung and LG go head to head with AI-powered fridges that recognize food

Get ready for a smart fridge showdown at CES 2020, because Samsung and LG will both be unveiling fridges with added artificial intelligence capabilities this year. Samsung’s latest edition of its Family Hub refrigerator and LG’s second-generation InstaView ThinQ fridge both tout AI-equipped cameras that can identify food. The idea is that the cameras can scan what’s inside and let users know what items they’re short on, even making meal suggestions based on the ingredients they still have.


4 – Starbucks Devs Leave API Key in GitHub Public Repo

One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users. The severity rating of the vulnerability was set to critical as the key allowed access to a Starbucks JumpCloud API. Vulnerability hunter Vinoth Kumar found the key in a public GitHub repository and disclosed it responsibly through the HackerOne vulnerability coordination and bug bounty platform.


5 – Popular U.S. Restaurant Owner Hit by Credit Card Stealing Malware

Landry’s, a U.S. restaurant chain and property owner, has disclosed that they were infected with point-of-sale (POS) malware that allowed attackers to steal customers’ credit card information. Landry’s owns and operates over 600 restaurants, with 60 well-known brands such as Landry’s Seafood, Chart House, Saltgrass Steak House, Bubba Gump Shrimp Co., Claim Jumper, Morton’s The Steakhouse, McCormick & Schmick’s, Mastro’s Restaurant, Rainforest Cafe, Del Frisco’s Grill, and many more. In a “Notice of Data Breach”, Landry’s has disclosed that an unauthorized user was detected on their systems and, after completing an investigation, it was discovered that POS malware was present on their systems between March 13, 2019, and October 17, 2019. At some locations, the malware may have been installed as early as January 18, 2019.


6 – Remote Command Execution Vulnerability Affects Many D-Link Routers

Proof-of-concept (PoC) exploits were recently made public by researchers for remote command execution and information disclosure vulnerabilities affecting many D-Link routers. Miguel Méndez Zúñiga and Pablo Pollanco of Telefónica Chile recently disclosed the details of the vulnerabilities in a couple of blog posts published on Medium. In addition to technical details and PoC code, they have posted videos showing how each of the flaws can be exploited. According to D-Link, the company first learned of the vulnerabilities in mid-October, but its initial security advisory only listed DIR-859 routers as being affected — this was the model on which the researchers conducted their tests.


7 – US Accounting Firm Moss Adams Discloses Data Breach

One of the largest public accounting firms in the United States, Moss Adams, has suffered a data breach. The firm suffered a security breach that potentially exposed the names and Social Security Numbers of the customers. The firm disclosed the details of the incident in a statement shared on the website of the California Attorney General. As revealed, the firm noticed some unusual activity with one of their employees’ email accounts in October 2019. Investigating the matter revealed that the email account had some personal information of the customers or employees. Thus, they suspect that attackers might have accessed this data.


8 – H2Go Power seeks to power drones with a ‘happy gas’

When you think about hydrogen and flight, the image that comes to mind for most is the Hindenburg airship in flames. But in a lab deep in the basement of Imperial College in London, a young team has built what it believes is the future of air travel. H2Go Power is seeking a patent to store the explosive gas cheaply and safely. Until now, storing hydrogen required ultra-strong and large tanks which could withstand pressures of up to 10,000 pound-force per square inch (psi). That is hundreds of times greater than what you would find in a car tyre.


9 – Firefox will now let you delete your collected data

Firefox browser will now let you delete all data it collects in its upcoming version rolling out on January 7. The company is taking this step to comply with The California Consumer Privacy Act (CCPA), which came into effect on January 1. The new act — akin to Europe’s General Data Protection Regulation (GDPR) — gives a right to people in California to know and control personal data collected by websites. While CCPA will give folks in California more command over their data, Firefox’s new change will roll out to all users of its browser.


10 – New Year’s Eve malware attack strikes Travelex, services still offline

Travelex has been forced offline and into manual mode following a malware attack launched on New Year’s Eve. On Thursday, the London-based currency exchange said a “software virus” compromised its services, prompting the decision to pull all services offline as a “precautionary measure.” “Our investigation to date shows no indication that any personal or customer data has been compromised,” Travelex said in a statement posted on Twitter.
