
AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 10/18/2021

7-Eleven breached customer privacy by collecting facial imagery without consent

In Australia, the country’s information commissioner has found that 7-Eleven breached customers’ privacy by collecting their sensitive biometric information without adequate notice or consent. From June 2020 to August 2021, 7-Eleven conducted surveys that required customers to fill out information on tablets with built-in cameras. These tablets, which were installed in 700 stores, captured customers’ facial images at two points during the survey-taking process: when the individual first engaged with the tablet, and after they completed the survey. After becoming aware of this activity in July last year, the Office of the Australian Information Commissioner (OAIC) commenced an investigation into 7-Eleven’s survey.

Missouri Threatens to Sue a Reporter Who Flagged a Security Flaw

Missouri Governor Mike Parson on Thursday threatened to prosecute and seek civil damages from a St. Louis Post-Dispatch journalist who identified a security flaw that exposed the Social Security numbers of teachers and other school employees, claiming that the journalist is a “hacker” and that the newspaper’s reporting was nothing more than a “political vendetta” and “an attempt to embarrass the state and sell headlines for their news outlet.” The Republican governor also vowed to hold the Post-Dispatch “accountable” for the supposed crime of helping the state find and fix a security vulnerability that could have harmed teachers. The issue was discovered in a website maintained by the state’s Department of Elementary and Secondary Education (DESE). Despite Governor Parson’s surprising description of a security report that normally wouldn’t be particularly controversial, it appears that the Post-Dispatch handled the problem in a way that prevented harm to school employees while encouraging the state to close what one security professor called a “mind-boggling” vulnerability.

Facebook hits back at claims its AI has minimal success in fighting hate speech

Facebook integrity VP Guy Rosen has shut down claims that the AI technology it uses to fight hate speech is having little impact, saying it’s “not true”. Instead, he claimed the prevalence of hate speech on Facebook has been down by almost 50% in the last three quarters. “We don’t want to see hate on our platform, nor do our users or advertisers, and we are transparent about our work to remove it,” Rosen wrote in a blog post. “What these documents demonstrate is that our integrity work is a multi-year journey. While we will never be perfect, our teams continually work to develop our systems, identify issues and build solutions.” Rosen’s post was in response to a Wall Street Journal article that reported, based on leaked internal documents, the social media giant’s AI technology created to remove offensive content such as hate speech and violent images has had little success.


US Treasury said it tied $5.2 billion in BTC transactions to ransomware payments

The financial crimes investigation unit of the US Treasury Department, also known as FinCEN, said today it identified approximately $5.2 billion in outgoing Bitcoin transactions potentially tied to ransomware payments. FinCEN officials said the figure was compiled by analyzing 2,184 Suspicious Activity Reports (SARs) filed by US financial institutions over the last decade, between January 1, 2011, and June 30, 2021. While the initial SAR reports highlighted $1.56 billion in suspicious activity, a subsequent FinCEN investigation of the top 10 most common ransomware variants exposed additional transactions, amounting to around $5.2 billion from these groups alone. But while the FinCEN report included some historical data on past ransomware attacks, most of the organization’s investigation focused on the first half of 2021 and the analysis of recent trends.

Accenture confirms data breach after August ransomware attack

Global IT consultancy giant Accenture confirmed that LockBit ransomware operators stole data from its systems during an attack that hit the company’s systems in August 2021. This was revealed in the company’s financial report for the fourth quarter and full fiscal year, which ended on August 31, 2021. “In the past, we have experienced, and in the future, we may again experience, data security incidents resulting from unauthorized access to our and our service providers’ systems and unauthorized acquisition of our data and our clients’ data including: inadvertent disclosure, misconfiguration of systems, phishing ransomware or malware attacks,” Accenture said. “During the fourth quarter of fiscal 2021, we identified irregular activity in one of our environments, which included the extraction of proprietary information by a third party, some of which was made available to the public by the third party.


Windows 10, iOS 15, Ubuntu, Chrome fall at China’s Tianfu hacking contest

Chinese security researchers took home $1.88 million after hacking some of the world’s most popular software at the Tianfu Cup, the country’s largest and most prestigious hacking competition. The contest, which took place over the weekend of October 16 and 17 in the city of Chengdu, was won by researchers from Chinese security firm Kunlun Lab, who took home $654,500, a third of the total purse. The competition, now in its fourth edition, used the now-classic rules established by the Pwn2Own hacking contest. In July, organizers announced a series of targets, and participants had three to four months to prepare exploits that they would execute on devices provided by the organizers on the contest’s stage. Researchers had three 5-minute attempts to run their exploits, and they could register to hack multiple devices if they wished to increase their winnings.