AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 10/15/2020

DuckDuckGo, EFF, and others just launched privacy settings for the whole internet

A group of tech companies, publishers, and activist groups including the Electronic Frontier Foundation, Mozilla, and DuckDuckGo are backing a new standard to let internet users set their privacy settings for the entire web. “Before today, if you want to exercise your privacy rights, you have to go from website to website and change all your settings,” says Gabriel Weinberg, CEO of DuckDuckGo, the privacy-focused search engine. That new standard, called Global Privacy Control, lets users set a single setting in their browsers or through browser extensions telling each website that they visit not to sell or share their data. It’s already backed by some publishers including The New York Times, The Washington Post, and the Financial Times, as well as companies including Automattic, which operates blogging platforms wordpress.com and Tumblr.

Creepy covert camera “feature” found in popular smartwatch for kids

If you nearly didn’t read this article because you thought the headline sounded like a story you could take for granted, as you would if you saw an article called “Dinosaurs Still Extinct” or “Sun to Rise in East”... then be aware that we nearly didn’t write it for the same reason. Bugs and vulnerabilities in built-down-to-a-price devices made for kids are, very sadly, not a new or even an unusual problem. However, according to the Norwegian cybersecurity researchers who analysed the XPLORA 4 watch described below, the company that sells it claims to have close to half a million users, and annual revenues approaching $10,000,000. So it seems that writing up smartwatch security blunders is still important, because these devices are steady sellers despite their erratic cybersecurity history.

Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info

Bookseller Barnes and Noble’s computer network fell over this week, and its IT staff are having to restore servers from backups. The effects of the collapse were first felt on Sunday, with owners of B&N’s Nook tablets discovering they were unable to download their purchased e-books to their gadgets nor buy new ones. That is to say, if they had bought an e-book and hadn’t downloaded it to their device before B&N’s cloud imploded, they would be unable to open and read the digital tome. The bookseller’s Android and Windows 10 apps were similarly affected. It soon became clear the problem was quite serious when some cash registers in Barnes and Noble’s physical stores also briefly stopped working.

Mac chips have another major security flaw

After revealing that it has found a way to take over the security chip in modern Macs, the T2 exploit team has now demonstrated that it can do so without user intervention by using a modified USB-C cable. Members of the ad-hoc team go by the name Team t8012, which is a reference to Apple’s own internal name for the T2 security chip that the company has been incorporating into all of its devices since 2018. In addition to showing off its new USB-C Debug Probe, which is now available for preorder, the T2 team has also released a video demonstrating exactly how it is able to take over Apple’s Mac computers. In the video, a team member is seen plugging a USB-C cable into a Mac and running checkra1n on it.

Zoom Announces Rollout of End-to-End Encryption

Zoom, the videoconferencing service that has practically become a household name since the pandemic took hold, has announced the rollout of end-to-end encryption (E2EE), beginning next week. According to the company, this is the first of a four-phase deployment, available to both free and paid users. Zoom first announced its E2EE plans in May. That and the subsequent announcement of two-factor authentication availability for all users followed early reports of security issues after use of the service grew dramatically in the first few weeks of the pandemic. Zoom notes that communications are already encrypted: this rollout changes where the encryption keys are stored for each videoconference.

U.S. regulator: Twitter’s lax security enabled ‘simple’ celebrity account hack by Florida teen

Twitter suffered from cybersecurity shortfalls that enabled a “simple” hack attributed to a Florida teenager to take over the accounts of several of the world’s most famous people in July, according to a report released on Wednesday. The report by New York’s Department of Financial Services recommended that the largest social media companies be deemed systemically important, like some banks following the 2008 financial crisis, with a dedicated regulator monitoring their ability to combat cyberattacks and election interference. “That Twitter was vulnerable to an unsophisticated attack shows that self-regulation is not the answer,” said Linda Lacewell, the financial services superintendent. Twitter said it cooperated with the review and was increasing security for its teams and platform. The company has acknowledged that some employees were duped into sharing account credentials prior to the hack.