AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 10/10/2019

Twitter says user data meant for security purposes may have been used for advertising

Twitter said on Tuesday email addresses and phone numbers uploaded by users to meet its security requirements may have been ‘inadvertently’ used for advertising purposes. The micro-blogging site said the issue was rectified as of Sept. 17, without disclosing how many users were impacted. “This was an error and we apologize,” the company said in a blog post. Social media companies, including Twitter and Facebook, have faced heat from users and regulators globally on how their platforms handle user data.


MIT-IBM developed a faster way to train video recognition AI

Machine learning has given computers the ability to do things like identify faces and read medical scans. But when it’s tasked with interpreting videos and real-world events, the models that make machine learning possible become large and cumbersome. A team from the MIT-IBM Watson Lab believe they have a solution. They’ve come up with a method that reduces the size of video-recognition models, speeds up training and could improve performance on mobile devices.


Should Schools Teach Cybersecurity?

With an increased teacher and student reliance on internet accessibility, the need to deliver cybersecurity skills to schoolchildren is more significant than ever. Worryingly, schools aren’t being aggressive enough in forcing through a change that will see the topic be delivered as a core lesson. So, whether it will be a module as part of IT or a standalone subject altogether remains unclear. But delivering this knowledge and skillset could well lead to increased interest in the subject as a whole and could lead to them being inspired to take up a career in it.


China attacks Apple for allowing Hong Kong crowdsourced police activity app

Apple’s decision to greenlight an app called HKmaps, which is being used by pro-democracy protestors in Hong Kong to crowdsource information about street closures and police presence, is attracting the ire of the Chinese government. An article in Chinese state mouthpiece, China Daily, attacks the iPhone maker for reversing an earlier decision not to allow the app to be listed on the iOS App Store, claiming the app is “allowing the rioters in Hong Kong to go on violent acts” (via The Guardian).


C is for Credit Card: MageCart Hits Volusion E-Commerce Sites

Hackers compromised the infrastructure of the Volusion cloud-based e-commerce platform to inject customer checkout pages with malicious JavaScript code that steals payment card data. The attackers added code for dynamic injection of the card-data-stealing script to a JavaScript file that is part of the Volusion e-commerce software. Thousands of websites are likely loading the attackers’ script and sending payment information to their server. Some may have been compromised as early as September 12.


AIG says its cyber insurance plans don’t cover criminal acts; wants lawsuit tossed

Insurance giant AIG argued to a New York federal court on Monday that it is not responsible to cover nearly $6 million in losses incurred by a client that was victimized by suspected Chinese hackers. The company asked a court in the Southern District of New York to dismiss a lawsuit filed in August by SS&C Technologies, a $6 billion financial technology company, which alleged that AIG violated its contract by failing to cover losses from fraud. Hackers fleeced SS&C out of $5.9 million in 2016 by emailing company employees from spoofed email addresses, and requesting monetary transfers. AIG says its policy stipulates that the insurer will not cover losses stemming from criminal activity.


FBI violated Americans’ privacy by abusing access to NSA surveillance data, court rules

The Federal Bureau of Investigation made tens of thousands of unauthorized searches related to US citizens between 2017 and 2018, a court ruled. The agency violated both the law that authorized the surveillance program they used and the Fourth Amendment of the US Constitution. The ruling was made in October 2018 by the Foreign Intelligence Surveillance Court (FISC), a secret government court responsible for reviewing and authorizing searches of foreign individuals inside and outside the US. It was just made public today.


PAL Airlines investigating data breach involving customer, employee information

A St. John’s-based airline is investigating a data breach it says may have exposed employees’ and customers’ personal information. PAL Airlines says the “data security incident” appears to be limited to one email account containing information collected for the company’s employee pass travel program. Exposed data may include names, dates of birth and credit card information. PAL Airlines says it will work with the Federal Privacy Commissioner in its investigation.


Class-Action Lawsuit Filed Against CafePress Following Data Breach

Leading online gift shop CafePress is the target of a proposed national class-action lawsuit in the United States after allegedly failing to update its security software and taking months to inform customers of a data breach. The retailer was heavily criticized earlier this year for its poor cybersecurity and incident response after it emerged that 23 million customers had their personal data stolen in a breach that is thought to have occurred in February 2019.


Researcher Adds $100,000 Worth of Credit to Voi E-Scooter App

A Swedish security enthusiast was able to take advantage of some weaknesses in the Voi scooter mobile app to get $100,000 worth of free rides. Voi is a Scandinavian micro-mobility startup that offers electric scooter riding services in partnership with cities and local communities. The company has raised over $80 million over three investment rounds since its launch in August 2018. Voi boasts having at least three million riders in 34 cities in 10 countries including Sweden, France, Germany, Spain, Portugal, Denmark, and Norway. One year after its launch, Voi reached 10 million rides.


Senator proposes mandatory labeling for products with mics, cameras

The bill, dubbed the Protecting Privacy in our Homes Act, would mandate a new kind of labeling on goods that include Internet-connected microphones or cameras. The proposed law does not define what kind of labels would need to be appended but rather would order the Federal Trade Commission to put in place specific regulations “under which each covered manufacturer shall be required to include on the packaging of each covered device manufactured by the covered manufacturer a notice that a camera or microphone is a component of the covered device.”
