AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 10/23/2019

1 – Vatican’s wearable rosary gets fix for app flaw allowing easy hacks

The road to internet-connected salvation is paved with cybersecurity issues. The Vatican discovered that Thursday, after a security researcher disclosed a severe vulnerability with the “Click to Pray” eRosary app. On Wednesday, the Vatican announced its $110 wearable rosary, an internet of things device that syncs with an app from the Pope’s Worldwide Prayer Network. One advantage of IoT devices is that they open up a new way for people to interact with resources. With the eRosary, the Vatican said, people can get different prayers every day, as well as reminders on when to pray. 


2 – India government, Facebook spar over decryption laws at top court

India’s government asked Facebook Inc on Tuesday to help it decrypt private messages on its network, citing national security requirements in a court hearing on privacy rights on social media platforms. India’s Attorney General K.K. Venugopal told the Supreme Court that it was the responsibility of social media companies to share data wherever there was a threat to national security. “A terrorist cannot claim privacy,” Venugopal said. “For Facebook and WhatsApp to say they cannot decrypt is not acceptable.”


3 – Avast says hackers breached internal network through compromised VPN profile

Czech cyber-security software maker Avast disclosed today a security breach that impacted its internal network. In a statement published today, the company said it believed the attack’s purpose was to insert malware into the CCleaner software, similar to the infamous CCleaner 2017 incident. Avast said the breach occurred because the attacker compromised an employee’s VPN credentials, gaining access to an account that was not protected using a multi-factor authentication solution.


4 – Mercedes-Benz app glitch exposed car owners’ information to other users

Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information. TechCrunch spoke to two customers who said the Mercedes-Benz connected car app was pulling in information from other accounts and not their own, allowing them to see other car owners’ names, recent activity, phone numbers, and more. The apparent security lapse happened late Friday, before the app went offline “due to site maintenance” a few hours later.


5 – Misuse of Alphabet’s Virus Scanner is Exposing Sensitive Files

Companies are misusing Alphabet Inc.’s virus scanner and similar products, and are unwittingly leaking data ranging from factory blueprints to intellectual property online, Israeli cybersecurity company Otorio Ltd. said. The firm said it discovered thousands of unprotected files from companies in the pharmaceutical, industrial, automotive and food industries as part of a project to research the malware logged by VirusTotal, which is owned by Alphabet’s cybersecurity subsidiary Chronicle. Otorio didn’t find any documents uploaded to VirusTotal that had been used in a cyber attack.


6 – Hackers steal secret crypto keys for NordVPN. Here’s what we know so far

Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base. A log of the commands used in the attack suggests that the hackers had root access, meaning they had almost unfettered control over the server and could read or modify just about any data stored on it. One of three private keys leaked was used to secure a digital certificate that provided HTTPS encryption for nordvpn.com. The key wasn’t set to expire until October 2018, some seven months after the March 2018 breach. Attackers could have used the compromised certificate to impersonate the nordvpn.com website or mount man-in-the-middle attacks on people visiting the real one. Details of the breach have been circulating online since at least May 2018.


7 – 47 attorneys general are investigating Facebook for antitrust violations

“After continued bipartisan conversations with attorneys general from around the country, today I am announcing that we have vastly expanded the list of states, districts, and territories investigating Facebook for potential antitrust violations,” James said in a statement. “Our investigation now has the support of 47 attorneys general from around the nation, who are all concerned that Facebook may have put consumer data at risk, reduced the quality of consumers’ choices, and increased the price of advertising. As we continue our investigation, we will use every investigative tool at our disposal to determine whether Facebook’s actions stifled competition and put users at risk.”


8 – Firefox 70 arrives with social tracking blocked by default, privacy report, and performance gains on macOS

Mozilla today launched Firefox 70 for Windows, Mac, Linux, Android, and iOS. Firefox 70 includes social tracking protection, a Privacy Protections report, new Lockwise features, and performance improvements on Windows and macOS. Firefox 70 for desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play and the iOS version is on Apple’s App Store. According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider.


9 – Malicious Apps on Alexa or Google Home Can Spy or Steal Passwords

Google and Amazon smart speakers can be leveraged to record user conversations or to phish for passwords through malicious voice apps, security researchers warn. Unless the two companies take measures to improve the review process and the restrictions for apps integrating with their smart devices, malicious developers could exploit the weakness to capture audio from users. Called ‘skills’ for Amazon Alexa and ‘actions’ for Google Home, voice apps for these smart speakers are activated using a phrase (the ‘invocation name’) designated by the developer to start the app, which is typically the name of the app.


10 – U.S. Government, Military Personnel Data Leaked By Autoclerk

A leaky database owned by reservations management system Autoclerk has exposed the personal data and travel information for thousands of users – including U.S. government and military personnel. Autoclerk, which was acquired by the Best Western Hotel and Resorts Group in August, provides reservation management software for hotels, accommodation providers, travel agencies and more. Researchers with vpnMentor on Monday said that they discovered an Elasticsearch database, owned by Autoclerk, exposed online that contained over 100,000 booking reservations for travelers.


11 – Major German manufacturer still down a week after getting hit by ransomware

Pilz, one of the world’s largest producers of automation tools, has been down for more than a week after suffering a ransomware infection. “Since Sunday, October 13, 2019, all servers and PC workstations, including the company’s communication, have been affected worldwide,” the Germany-based company wrote on its website. “As a precaution, the company has removed all computer systems from the network and blocked access to the corporate network.”
