AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets 12/14/2023

CVS, Rite Aid, Walgreens hand out medical records to cops without warrants 

All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation. The revelation raises grave medical privacy concerns, particularly in a post-Dobbs era in which many states are working to criminalize reproductive health care. Even if people in states with restrictive laws cross state lines for care, pharmacists in massive chains, such as CVS, can access records across borders. 


Apple now requires a judge’s consent to hand over push notification data 

Apple (AAPL.O) has said it now requires a judge’s order to hand over information about its customers’ push notifications to law enforcement, putting the iPhone maker’s policy in line with rival Google and raising the hurdle officials must clear to get app data about users. The new policy was not formally announced but appeared sometime over the past few days on Apple’s publicly available law enforcement guidelines. It follows the revelation from Oregon Senator Ron Wyden that officials were requesting such data from Apple as well as from Google, the unit of Alphabet (GOOGL.O) that makes the operating system for Android phones.


Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. Now The Train Company Is Threatening Them 

In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it.  


New Underground Market Comes Online Just in Time for the Holidays

Threat actors have opened a new underground market known as OLVX Marketplace (olvx[.]cc) that is gaining notoriety just in time for the holidays. This new marketplace claims to sell all the tools necessary to commit online fraud, manipulate the very savviest of online shoppers, and make this time of year much less merry and bright. OLVX follows a trend ZeroFox Intelligence has observed relating to multiple underground marketplaces now operating on the clear web, whereas in the past, most would only operate on the deep or dark web (DDW). 


Microsoft Disrupts Cybercrime Service That Created 750 Million Fraudulent Accounts 

Microsoft on Wednesday announced the disruption of Storm-1152, a cybercrime-as-a-service (CaaS) ecosystem that created 750 million fraudulent Microsoft accounts in support of phishing, identity theft, and other schemes. The CaaS is believed to have made millions of dollars in illicit revenue by creating fraudulent accounts for other cybercrime groups to use in phishing, spam, ransomware, distributed denial-of-service (DDoS), and other types of attacks. 


NIST issues guidance on a mathematical approach to data privacy 

The National Institute of Standards and Technology launched new draft guidance earlier this week focused on clarifying how organizations can adopt differential privacy — a mathematical algorithm broadly used to quantify how much privacy risk is posed to individuals from a given dataset — as part of their security infrastructure. As NIST’s guidance notes, differential privacy can be leveraged as a scheme to evaluate an organization’s digital privacy posture through a framework that identifies the factors contributing to potential breaches in data security.
