AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 11/03/2020

Twitter explains how it will handle misleading tweets about the US election results

Twitter recently updated its policies in advance of the U.S. elections to include specific rules that detailed how it would handle tweets making claims about election results before they were official. Today, the company offered more information about how it plans to prioritize the enforcement of its rules and how it will label any tweets that fall under the new guidelines. In September, Twitter said it would either remove or attach a warning label to any premature claims of victory, with a focus on tweets that incite “unlawful conduct to prevent a peaceful transfer of power or orderly succession,” the company had explained. This morning, Twitter added that it will prioritize labeling tweets about the presidential election and any other “highly contested races” where there may be significant issues with misleading information.

 

Google reCAPTCHA service under the microscope: Questions raised over privacy promises, cookie use

Six years ago, Google revised its reCAPTCHA service, designed to filter out bots, scrapers, and other automated web browsing, and allow humans through to websites. The v2 update in 2014 added an iframe or HTML Inline Frame, which is a way of embedding one web page in another. Then there was the v3 update in 2018, which added machine learning to the mix, to reduce the need for interaction with bot detection challenges. reCAPTCHA makes it possible for the internet giant to challenge netizens to prove they are real people, by completing picture puzzles and the like, while providing plumbing to potentially funnel information about folks into its advertising business. Google insists it doesn’t use reCAPTCHA data for personalized adverts, and says as much in the reCAPTCHA terms of service.

 

Gold seller JM Bullion hacked to steal customers’ credit cards

Precious metal online retailer JM Bullion has disclosed a data breach after their site was hacked to include malicious scripts that stole customers’ credit card information. JM Bullion is an online retailer of gold, silver, copper, platinum, and palladium products, including coins and bullion. According to a ‘Notice of Data Security Incident’ sent to customers, JM Bullion’s web site was hacked in the middle of February 2020, when a malicious script was added to the site. The malicious scripts were present on the site between February 18th, 2020, and July 17th, 2020, and caused any submitted payment information to be sent to a remote server under the attacker’s control.

 

Google discloses ‘high’ severity security flaw in GitHub

The vulnerability has been classified as a “high” severity issue by Google Project Zero. We’ll spare you the nitty-gritty technical details – and you’re free to view them in detail here if you want – but the meat of the matter is that workflow commands in GitHub Actions are extremely vulnerable to injection attacks. For those unaware, workflow commands act as a communication channel between executed actions and the Action Runner. The big problem with this feature is that it is highly vulnerable to injection attacks. As the runner process parses every line printed to STDOUT looking for workflow commands, every Github action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed. I’ve spent some time looking at popular Github repositories and almost any project with somewhat complex Github actions is vulnerable to this bug class.

 

Russian Cybercriminal Sentenced to Prison for Role in $100 Million Botnet Conspiracy

A Russian national was sentenced Oct. 30 to eight years in prison for his role in operating a sophisticated scheme to steal and traffic sensitive personal and financial information in the online criminal underground that resulted in an estimated loss of over $100 million.

Aleksandr Brovko, 36, formerly of the Czech Republic, pleaded guilty in February to conspiracy to commit bank and wire fraud. According to court documents, Brovko was an active member of several elite, online forums designed for Russian-speaking cybercriminals to gather and exchange their criminal tools and services.“For over a decade, Brovko participated in a scheme to gain access to Americans’ personal and financial information, causing more than $100 million in intended loss,” said Acting Assistant Attorney General Brian C. Rabbitt of the Justice Department’s Criminal Division.  “This prosecution and the sentence imposed show the department’s commitment to work with our international and state counterparts to bring cybercriminals to justice no matter where they are located.”

 

Related Posts