AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 11/13/2019

1 – Microsoft says it will follow California’s digital privacy law

Microsoft is taking a step toward guarding customer privacy that will impact the bottom line. The company said in a blog post on Monday that it would honor California’s privacy law throughout the United States, according to Reuters. The law, called the California Consumer Privacy Act or CCPA, goes into effect on Jan. 1. It is a strict set of rules meant to protect consumers and their data. “Under CCPA, companies must be transparent about data collection and use, and provide people with the option to prevent their personal information from being sold. Exactly what will be required under CCPA to accomplish these goals is still developing,” Julie Brill, Microsoft’s chief privacy officer, wrote in the blog. “Microsoft will continue to monitor those changes, and make the adjustments needed to provide effective transparency and control under CCPA to all people in the U.S.”


2 – Pemex Faces Payment Problems After Cyber Attack Shut System

A ransomware attack that hit Mexico’s Petroleos Mexicanos is disrupting the company’s billing systems, according to people familiar with the situation. Pemex is relying on manual billing that could affect payment of personnel and suppliers and hinder supply chain operations, the people said, asking not to be identified because they aren’t authorized to speak to the press. Invoices for fuel to be delivered from Pemex’s storage terminals to gasoline stations were being done manually on Tuesday. At the company’s refining arm, some employees couldn’t access emails or the internet on Tuesday and computers were operating more slowly. If the situation isn’t resolved by Wednesday, it could affect Pemex’s ability to pay personnel and some suppliers, one of the people said.


3 – Payment security backslides for second straight year, says Verizon

Payment security has deteriorated for the second consecutive year in the Americas as only 1 in 5 companies meet compliance requirements, according to a Verizon report. Verizon’s 2019 Payment Security Report found that full compliance with the Payment Card Industry Data Security Standard (PCI DSS) fell to 36.7% globally, down from 52.5% in 2018. PCI DSS was launched by Visa in 2004 and organizations were supposed to be in compliance within 5 years. Compliance improved gradually from 2010 to 2016 and then started to decline. The lack of payment compliance raises a lot of security issues. 


4 – Google’s secret cache of medical data includes names and full details of millions – whistleblower

A whistleblower who works in Project Nightingale, the secret transfer of the personal medical data of up to 50 million Americans from one of the largest healthcare providers in the US to Google, has expressed anger to the Guardian that patients are being kept in the dark about the massive deal. The anonymous whistleblower has posted a video on the social media platform Daily Motion that contains a document dump of hundreds of images of confidential files relating to Project Nightingale.


5 – New 5G flaws can track phone locations and spoof emergency alerts

5G is faster and more secure than 4G. But new research shows it also has vulnerabilities that could put phone users at risk. Security researchers at Purdue University and the University of Iowa have found close to a dozen vulnerabilities, which they say can be used to track a victim’s real-time location, spoof emergency alerts that can trigger panic or silently disconnect a 5G-connected phone from the network altogether.


6 – Facebook says a bug caused its iPhone app’s inadvertent camera access

Facebook has faced a barrage of concern over an apparent bug that resulted in the social media giant’s iPhone app exposing the camera as users scroll through their feed. A tweet over the weekend blew up after Joshua Maddux tweeted a screen recording of the Facebook app on his iPhone. He noticed that the camera would appear behind the Facebook app as he scrolled through his social media feed. Several users had already spotted the bug earlier in the month. One person called it “a little worrying.”


7 – Federal Court Rules Suspicionless Searches of Travelers’ Phones and Laptops Unconstitutional

In a major victory for privacy rights at the border, a federal court in Boston ruled today that suspicionless searches of travelers’ electronic devices by federal agents at airports and other U.S. ports of entry are unconstitutional. The ruling came in a lawsuit, Alasaad v. McAleenan, filed by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF), and ACLU of Massachusetts, on behalf of 11 travelers whose smartphones and laptops were searched without individualized suspicion at U.S. ports of entry.


8 – Hackers Breach ZoneAlarm’s Forum Site — Outdated vBulletin to Blame

ZoneAlarm, an internet security software company owned by Israeli cybersecurity firm Check Point Technologies, has suffered a data breach exposing data of its discussion forum users, the company confirmed to The Hacker News. With nearly 100 million downloads, ZoneAlarm offers antivirus software, firewall, and additional virus protection solutions to home PC users, small businesses, and mobile phones worldwide. Though neither ZoneAlarm nor its parent company Check Point has yet publicly disclosed the security incident, the company quietly sent an alert via email to all affected users over this weekend, The Hacker News learned.


9 – Intel Failed to Fix a Hackable Chip Flaw Despite a Year of Warnings

Over the past two years, attacks like Spectre, Meltdown, and variants on those techniques—all capable of tricking a broad range of processors into coughing up sensitive data—have shown how hard it can be to secure a chip. But it’s one thing for a company like Intel to scramble to fix a vulnerability, and a very different one when it fails to act on one of those flaws for more than a year. Today researchers at Vrije Universiteit in Amsterdam, KU Leuven in Belgium, the German Helmholtz Center for Information Security, and the Graz University of Technology in Austria revealed new versions of a hacking technique that takes advantage of a deep-seated vulnerability in Intel chips. 


10 – UK Info Commish quietly urged court to swat away 100k Morrisons data breach sueball

The UK’s Information Commissioner urged the Court of Appeal to side with Morrisons in the supermarket’s battle to avoid liability for the theft and leaking of nearly 100,000 employees’ payroll details – despite her not having read the employees’ legal arguments. A letter (PDF) sent to the Court of Appeal in May 2018 on behalf of the watchdog’s leader, Elizabeth Denham, urged senior judges to side with Morrisons and rule the supermarket wasn’t responsible for the criminal actions of disgruntled auditor Andrew Skelton.