AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 12/04/2019

1 – Apple’s tap-and-go Express payments come to London public transport

Paying for daily necessities using your phone might feel like the future, but the reality can sometimes be slower as mobile payments require authentication that can take time to approve. To combat this issue, Apple has brought its Express feature to London, making it far quicker and easier to use Apple Pay on services like the Tube. Apple’s Express Mode can now be used on all Transport for London (TfL) services, including buses, trams and the underground system. Users only need to tap their phone or Apple Watch against the yellow card reader to pay for their journey.


2 – For criminal hackers, Brazilian hotel networks appear to be easy targets

Cybercriminals have gone on a spree in Brazil’s hospitality industry, infecting the networks of hotels and tourism companies with malware that steals credit card data, according to researchers at Kaspersky. All told, the hackers have struck hospitality organizations in eight states across Brazil, and 20 hotels in that country and others around the world, Kaspersky said last week. Active since 2015, the hackers have stepped up their activity this year. They are brazenly selling access to hotel networks they’ve breached to whoever is buying.


3 – The FBI says the photo-editing app that went viral this summer is a ‘significant counterintelligence threat’ because of its ties to Russia

The popular photo-editing platform FaceApp debuted in 2017, but it exploded in popularity this summer as social media influencers flooded feeds with selfies that used the app’s filters to alter their age or gender, usually to hilarious effect. It was even briefly the most popular free app in both the Apple App Store and Google Play. But the Russian-developed app also drew regulatory scrutiny thanks to its data policies: photos added to FaceApp were uploaded to a server for processing before being sent back to the user, but its terms of service did not specify how long the data could be kept.


4 – Smith & Wesson Web Site Hacked to Steal Customer Payment Info

American gun manufacturer Smith & Wesson’s online store has been compromised by attackers who injected a malicious script that attempts to steal customers’ payment information. This type of attack is called Magecart: attackers compromise a web site so that they can inject malicious JavaScript into ecommerce or checkout pages. These scripts then steal payment information submitted by a customer by sending it to a remote site under the attacker’s control. According to Sanguine Security’s Willem de Groot, a Magecart group has been registering domain names named after his company and using his name as the domain contact.


5 – Whole Foods says Fresno store violated customer privacy policies, vows ‘measures’

Instead of high prices at the organic grocery store threatening your pocketbook, the Whole Foods Fig Garden outlet has exposed customers’ sensitive financial information, a social media post by a Fresno man shows. J. Colin Petersen, president of the Fresno-based information technology firm JIT Outsource, recorded a Whole Foods clerk entering a customer’s information, including address, phone number, credit card number and security codes, in plain sight in the middle of a busy pre-Thanksgiving Day store. Local Whole Foods managers declined to comment, referring the Times-Delta/Advance-Register to corporate offices, which released a statement saying the video showed a violation of the company’s customer information privacy policy.


6 – Costco’s Thanksgiving Day Website Crash Cost It Nearly $11M

Here’s one example of where it might have paid to physically line up in the wee, dark hours to score a Black Friday deal. Bulk-discount retail giant Costco got a rude and costly awakening on Thanksgiving Day when its website went down for more than 16 hours, costing the retailer nearly $11 million in lost pre-Black Friday potential sales, according to retail sales aggregator website LovetheSales.com. LovetheSales.com calculated how much Costco might have pulled in over the 16.5 hours its website was down. On a per-minute basis, the company pulls in approximately $11,035 a minute, adding up to nearly $11 million over the two-thirds of Thanksgiving Day that buyers saw “Sorry for the delay” messages on their screens while trying to check out.


7 – Has Huawei’s Darkest Secret Just Been Exposed By This New Surveillance Report?

Just a few days after the devastating leak of the so-called China Cables, a cache of documents exposing the truth of the surveillance regime deployed in Xinjiang to suppress the minority Uighur population, tech giant Huawei has become embroiled in the controversy. Huawei’s technology has been linked to Xinjiang before, but the company has always claimed this is only through third-parties, that Huawei itself is not involved. Not so, says a damaging new report, it is much worse than that.


8 – New Zealand’s gun buyback website ‘a shopping list for criminals’

New Zealand’s high profile gun buyback scheme, enacted by the prime minister, Jacinda Ardern, after the Christchurch mosque attacks, has been thrown into disarray after police admitted that at least one person had been able to access other firearm owners’ personal information online. The error became public on Monday when a gun lobby group said it had spoken to 15 people who were able to access information on a website where firearms owners registered weapons to be relinquished. It included their names, addresses, dates of birth, firearms licence numbers and bank account details, the group said.


9 – Putin signs law making Russian apps mandatory on smartphones, computers

Russian President Vladimir Putin on Monday signed legislation requiring all smartphones, computers and smart TV sets sold in the country to come pre-installed with Russian software. The law, which will come into force on July 1 next year, has been met with resistance by some electronics retailers, who say the legislation was adopted without consulting them. The law has been presented as a way to help Russian IT firms compete with foreign companies and spare consumers from having to download software upon purchasing a new device.


10 – Mozilla removes Avast and AVG extensions from add-on portal over snooping claims

Mozilla today removed four Firefox extensions made by Avast and its subsidiary AVG after receiving credible reports that the extensions were harvesting user data and browsing histories. The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two show warnings when navigating to known malicious or suspicious sites, while the last two are aimed at online shoppers, showing price comparisons, deals, and available coupons.
