AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 10/22/2019

1 – Open AWS buckets expose more than 200K CVs at two online recruitment firms

Unsecured AWS servers belonging to two online recruitment firms – U.S.-based Authentic Jobs and Sonic Jobs in the U.K. – have exposed more than 250,000 CVs of job candidates.


2 – The US nuclear forces’ Dr. Strangelove-era messaging system finally got rid of its floppy disks

In 2014, “60 Minutes” made famous the 8-inch floppy disks used by one antiquated Air Force computer system that, in a crisis, could receive an order from the president to launch nuclear missiles from silos across the United States. But no more. At long last, that system, the Strategic Automated Command and Control System or SACCS, has dumped the floppy disk, moving to a “highly-secure solid state digital storage solution” this past June, said Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron.


3 – 500+ Million UC Browser Android Users Exposed to MiTM Attacks. Again.

The highly popular UC Browser and UC Browser Mini Android apps, with a total of over 600 million Play Store installs, exposed their users to man-in-the-middle (MiTM) attacks by downloading an Android Package Kit (APK) from a third-party server over unprotected channels. Doing this is in direct violation of Google’s app store rules: Android apps “distributed via Google Play may not modify, replace, or update itself using any method other than Google Play’s update mechanism,” and, “likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play,” as Google states in the Play Store’s Privacy, Security, and Deception rules.


4 – US senator introduces privacy bill that would jail CEOs for user privacy violations

Sen. Ron Wyden (D-OR) announced today a new bill that introduces sweeping privacy protections for Americans’ private information. Named the Mind Your Own Business Act (MYOBA), the bill includes clauses that will give Americans “an easy, one-click way to stop companies from selling or sharing their personal information” and grants consumers the right to see how companies use and share their data. In addition, the bill goes one step further than any other user privacy legislation around the world by also introducing prison times for executives at companies that misuse user data and then lie about it to the government.


5 – European Airport Systems Infected With Monero-Mining Malware

More than 50% of all computing systems at a European international airport were recently found to be infected with a Monero cryptominer linked to the Anti-CoinMiner campaign Zscaler spotted during August 2018. The cryptojacking attack was discovered by Cyberbit’s Endpoint Detection and Response team while deploying their security solution whose behavioral engine subsequently detected suspicious activity on some airport systems. “The malware may have been used for months prior to the installation of Cyberbit EDR, although all workstations were equipped with an industry-standard antivirus,” said Cyberbit.


6 – Senate panel finds consumer agency accidentally disclosed personal data of thousands

The Senate Commerce Committee on Thursday issued a report that found the Consumer Product Safety Commission (CPSC) failed to properly handle the data of thousands of consumers, leading to an accidental data breach earlier this year. The report recommended that the CPSC, which is in charge of ensuring that consumer products do not harm Americans, take steps to improve its handling of personal data after the CPSC clearinghouse made “improper disclosures” between December 2017 and March 2019 to 29 entities.


7 – Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m

Zappos users who had their data stolen in a 2012 data breach will receive only a meager 10% discount to use on the Zappos online store, as part of a proposed class-action lawsuit settlement. Their lawyers, on the other hand, are set to receive $1,620,000 in attorneys’ fees and other legal costs, according to a preliminary settlement filed last month. The settlement marks yet another case where data breach victims walk away with nothing following devastating data breaches — such as the Yahoo settlement (where user cash compensation was maxed at $358.80) and the Equifax settlement (where user cash compensation was maxed at $125, and possibly lower).


8 – Elon Musk tweets using SpaceX’s Starlink satellite internet

SpaceX CEO Elon Musk used an internet connection provided by his company’s Starlink constellation of broadband satellites early Tuesday morning. Musk used the network formed by the Starlink satellites already in orbit to send a simple tweet, declaring that he’d done just that. Starlink is SpaceX’s ambitious project to launch and operate its own network of broadband satellites, which will then provide broadband connectivity on a global level, including to areas which did not previously have reliable access to a high-speed internet connection.