AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 11/14/2022

NSA urges orgs to use memory-safe programming languages

The US National Security Agency (NSA) has released guidance encouraging organizations to shift from languages such as C and C++ to memory-safe alternatives, namely C#, Rust, Go, Java, Ruby or Swift. “NSA recommends that organizations use memory safe languages when possible and bolster protection through code-hardening defenses such as compiler options, tool options, and operating system configurations,” advised the agency. The agency’s main concern is that malicious cyber actors exploit vulnerabilities in poorly managed memory, which occur more frequently in languages that leave memory allocation and bounds handling to the programmer. The NSA gives the examples of a threat actor gaining a foothold on a system through a buffer overflow or by abusing software memory allocation issues.
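The class of bug the NSA guidance targets is easiest to see in C itself. The snippet below is an added illustration, not code from the NSA document or from any project it names: it places a classic unbounded `strcpy` into a fixed-size buffer next to a bounds-checked replacement that refuses input that would not fit. The buffer size and the input strings are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a 16-byte field holding a NUL-terminated name. */
#define NAME_LEN 16

/* Unsafe pattern: strcpy copies until it finds a NUL in the input and
 * never consults the destination size.  Any input of NAME_LEN bytes or
 * more writes past the end of name[] (a stack or heap buffer overflow,
 * undefined behaviour, and the classic memory-safety bug the NSA cites). */
struct greeting_unsafe {
    char name[NAME_LEN];
};

void set_name_unsafe(struct greeting_unsafe *g, const char *input)
{
    strcpy(g->name, input); /* no length check at all */
}

/* Hardened pattern: the caller passes the destination capacity, the input
 * length is measured only up to that capacity, and an input that would
 * not fit (including its terminating NUL) is rejected without touching
 * the destination.  Returns true on success, false on rejection. */
bool set_name_checked(char *dst, size_t dst_len, const char *input)
{
    if (dst == NULL || input == NULL || dst_len == 0)
        return false;

    /* Measure at most dst_len bytes so an unterminated input cannot
     * make us read arbitrarily far either. */
    size_t n = 0;
    while (n < dst_len && input[n] != '\0')
        n++;

    if (n >= dst_len) /* no room for the NUL terminator: would overflow */
        return false;

    memcpy(dst, input, n);
    dst[n] = '\0';
    return true;
}

/* Stand-alone demonstration.  Build with the hardening flags the guidance
 * refers to, e.g.:
 *   gcc -O2 -Wall -Wextra -D_FORTIFY_SOURCE=2 -fstack-protector-strong demo.c
 * _FORTIFY_SOURCE makes some fixed-size strcpy calls fail at compile time
 * or abort at run time; the checked function needs neither to be safe. */
int main(void)
{
    char buf[NAME_LEN];

    if (set_name_checked(buf, sizeof buf, "alice"))
        printf("accepted: %s\n", buf);

    if (!set_name_checked(buf, sizeof buf, "this-name-is-far-too-long-for-the-field"))
        printf("rejected oversize input, buffer still holds: %s\n", buf);

    /* set_name_unsafe(&g, oversize) would corrupt adjacent memory; it is
     * deliberately not called here. */
    return 0;
}
```

The checked variant is what a memory-safe language does for you implicitly: every write is bounds-checked against the real size of the destination. In C that discipline has to be carried by hand in every call site, which is why the guidance pairs the language recommendation with compiler and platform hardening for code that cannot be rewritten.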

 

New research gives users another reason to hate unwanted ads

New research released this week reveals the process used by third party advertisers to target online users can be viewed or manipulated by online adversaries using only their target’s email address. A four-person team of researchers from the Georgia Institute of Technology, University of Illinois Chicago (UIC), and New York University (NYU) presented their findings Wednesday at the ACM Conference on Computer and Communications Security (CCS), a premier security venue. Today, much of the advertising that appears online is specifically tailored to individuals based on their browsing history, location, and a variety of other factors that have been collected by third party advertising networks.

 

Twitter quietly drops $8 paid verification; “tricking people not OK,” Musk says

When a wave of imposter accounts began using the verified checkmarks from Twitter’s Blue paid subscription service to post misleading tweets while pretending to be some of the world’s biggest brands, it created so much chaos that Elon Musk seemingly had no choice but to revoke the paid checkmarks entirely. “Basically, tricking people is not OK,” Musk tweeted, as some users began reporting that the option to pay $7.99 for a Twitter Blue subscription had disappeared, while others who had been verified previously found that their “Official” blue checkmarks had been reinstated. Reuters reported that Twitter announced today that it had reinstated the “Official” badges on some accounts, but because Twitter has no communications department (according to The Verge), it’s difficult to verify if paid verification is actually gone for good or just temporarily disabled.

 

Apple Sued for Allegedly Deceiving Users With Privacy Settings After Gizmodo Story

Apple is facing a class action lawsuit for allegedly harvesting iPhone user data even when the company’s own privacy settings promise not to. The suit, filed Thursday in California federal court, comes days after Gizmodo exclusively reported on research into how multiple iPhone apps send Apple analytics data, regardless of whether the iPhone Analytics privacy setting is turned on or off. The problem was spotted by two independent researchers at the software company Mysk, who found that the Apple App Store sends the company exhaustive information about nearly everything a user does in the app, despite a privacy setting, iPhone Analytics, which claims to “disable the sharing of Device Analytics altogether” when switched off. Gizmodo asked the researchers to run additional tests on other iPhone apps, including Apple Music, Apple TV, Books, and Stocks. The researchers found that the problem persists across most of Apple’s suite of built-in iPhone apps.

 

FIFA World Cup apps stoke data privacy concerns

The FIFA World Cup begins in just one week, and as soccer (read: football) fans gear up to cheer on their home countries, privacy experts are calling out the sporting event for threatening the data security of its participants. Two apps are required to attend the festivities: Ehteraz, a COVID-19 tracking system, and Hayya, an app used to allow fans entrance to stadium grounds, schedule viewing, and free public transportation. Several digital security agencies have alerted users to privacy concerns across both apps, first reported last month, after analyzing the apps’ access permissions. Used countrywide before the games, Ehteraz asks users to allow remote access to pictures and videos, make unprompted calls, and read or modify device data. Hayya permissions include full network access and unrestricted access to personal data. Both track users’ locations.

 

GitHub launches channel to ease vulnerability disclosure process for open source software

GitHub, the largest open source software development community in the world, has launched a communication channel on the platform to make it more straightforward for security researchers to report vulnerabilities to projects’ maintainers. Vulnerability reporting has always been complicated. While researchers often feel responsible for informing users of bugs that could be exploited, many projects publish no clear instructions on how to contact their maintainers. Additionally, many open source projects are managed and supported by small cadres of volunteers who update or fix problematic code in their spare time. The feature, announced Wednesday at GitHub Universe 2022, a global developer event for cloud, security, community, and AI, allows researchers to report bugs to maintainers directly and privately.
