AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 12/28/2021

Amazon Alexa slammed for giving lethal challenge to 10-year-old girl

An Amazon Echo owner was left shocked after Alexa proposed a dangerous challenge to her ten-year-old daughter. AI-powered virtual assistants like Alexa, which power smart devices and speakers such as the Echo, Echo Dot, and Amazon Tap, come with a plethora of capabilities. These include letting users play simple verbal games or request “challenges” on demand. When sitting idle, such as during the holidays, it wouldn’t be unusual for an Amazon Echo owner to ask Alexa, “tell me a challenge to do.” Typically, such a spoken request has the AI prompting the user with a quiz question or a similar brainstorming activity. But that wasn’t the case for Kristin Livdahl’s ten-year-old girl, who was given a rather lethal challenge: “The challenge is simple,” said Alexa. “Plug in a phone charger about halfway into a wall outlet, then touch a penny to the exposed prongs.”

Logistics giant D.W. Morgan exposed 100 GB worth of clients’ data, including Fortune 500 Clients

The Website Planet security team discovered an Amazon S3 bucket owned by logistics giant D.W. Morgan that was left unsecured online. The S3 bucket contained more than 100 GB of sensitive data relating to shipments and the company’s clients, including some Fortune 500 companies such as Cisco and Ericsson. The researchers discovered the open AWS S3 bucket on November 12th, 2021, and notified the company the same day. On November 16th, 2021, D.W. Morgan secured the S3 bucket. According to researchers, the database contained more than 100 GB worth of data with 2.5 million files detailing financial, shipment, transportation, personal and sensitive records belonging to D.W. Morgan’s employees and clients worldwide. These included Global 500 company Ericsson and Fortune 500 company Cisco.
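
The exposure above is the classic "anyone can read this bucket" misconfiguration. As an added example (not code from Website Planet or D.W. Morgan), the following Python audits the two places S3 can grant public read access, the bucket policy and the bucket ACL, and flags grants to everyone. The policy and ACL documents are in the shapes the S3 API returns; the two sample buckets (`example-shipments`, the `shipping-app` role, the owner ID) are constructed for this example.

```python
"""Flag S3 bucket policies and ACL grants that expose objects to anyone.

Added illustration, not code from the D.W. Morgan report or Website Planet.
Inputs are policy/ACL documents in the JSON shapes the S3 API returns;
the sample documents below are constructed for this example.
"""
import json

# Public grantees in S3 ACLs: AllUsers = anonymous, AuthenticatedUsers = any AWS account.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when Principal is "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return Sids (or indexes) of Allow statements granting read access to everyone.

    A Condition narrows the grant, so conditioned statements are reported
    with a marker for manual review rather than treated as definitely public.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        if stmt.get("Condition"):
            label += " (conditioned; review manually)"
        findings.append(label)
    return findings


def public_acl_grants(acl):
    """Return (grantee URI, permission) pairs for grants to the public groups."""
    hits = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_URIS:
            hits.append((uri, grant.get("Permission")))
    return hits


def audit_bucket(policy, acl):
    """Combine both checks; empty lists mean no public read grant was found."""
    return {
        "policy": public_policy_statements(policy),
        "acl": public_acl_grants(acl),
    }


# Constructed sample: a bucket whose policy lets anyone fetch any object.
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::example-shipments/*"
  }]
}""")
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                        "Permission": "READ"}]}

# Constructed sample: the same bucket locked to one application role, owner-only ACL.
LOCKED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/shipping-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-shipments/*"
    }]
}
LOCKED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                          "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    print("open bucket:  ", audit_bucket(OPEN_POLICY, OPEN_ACL))
    print("locked bucket:", audit_bucket(LOCKED_POLICY, LOCKED_ACL))
```

Against a live account the documents would come from boto3's `get_bucket_policy` and `get_bucket_acl`; the audit itself is the same. The durable control is S3 Block Public Access at the account level, which refuses such policies and ACLs outright so a check like this becomes a backstop rather than the only line of defence.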

More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild

A team of academics said it found more than 1,200 phishing toolkits deployed in the wild that are capable of intercepting two-factor authentication (2FA) security codes and allowing cybercriminals to bypass them. Also known as MitM (Man-in-the-Middle) phishing toolkits, these tools have become extremely popular in the cybercrime underworld in recent years after major tech companies started making 2FA a default security feature for their users. The direct result was that threat actors who managed to trick a user into entering credentials on a phishing site found the stolen credentials useless, since they couldn’t get past the 2FA step. To counter this new trend in account security protections, threat actors have, since at least 2017, adopted tools that bypass 2FA by stealing a user’s authentication cookies: files created inside a web browser once the user has logged into an account after completing the 2FA process.
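
Because the stolen artefact is a session cookie minted after 2FA, the login itself looks legitimate and the tell is in how the session is used afterwards. As an added example (not code from the article or the study it summarises), the following Python runs a simple detection over authentication logs: it records the client that completed a 2FA-backed login and flags any later use of the same session ID from a different IP address or user agent within a short window. The log format and the sample lines are constructed for this example; real web servers and identity providers log these fields under other names.

```python
"""Flag sessions that were minted after 2FA and then reused from a different client.

Added example, not from the article or the academic study it summarises.
The log format below is constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample log: alice completes 2FA from one browser, and her
# session cookie is then presented from another IP and browser minutes later.
SAMPLE_LOG = """\
2021-12-27T10:00:05Z login user=alice sid=s1 ip=203.0.113.10 ua=Firefox/95 mfa=ok
2021-12-27T10:00:40Z request user=alice sid=s1 ip=203.0.113.10 ua=Firefox/95
2021-12-27T10:03:12Z request user=alice sid=s1 ip=198.51.100.77 ua=Chrome/96
2021-12-27T10:05:00Z login user=bob sid=s2 ip=192.0.2.8 ua=Safari/15 mfa=ok
2021-12-27T10:06:00Z request user=bob sid=s2 ip=192.0.2.8 ua=Safari/15
"""


def parse_line(line):
    """Parse 'timestamp event k=v k=v ...' into a dict with a datetime 'ts'."""
    ts_str, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = event
    return rec


def find_reused_sessions(log_text, window=timedelta(minutes=30)):
    """Return (sid, user, new_ip, new_ua) for each request that presents a
    session ID from a different IP or user agent than the 2FA-backed login
    that created it, within `window` of that login."""
    origin = {}   # sid -> login record that completed 2FA
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sid"]
        if rec["event"] == "login" and rec.get("mfa") == "ok":
            origin[sid] = rec
            continue
        base = origin.get(sid)
        if base is None or rec["ts"] - base["ts"] > window:
            continue
        if rec["ip"] != base["ip"] or rec["ua"] != base["ua"]:
            alerts.append((sid, rec["user"], rec["ip"], rec["ua"]))
    return alerts


if __name__ == "__main__":
    for alert in find_reused_sessions(SAMPLE_LOG):
        print("session reused from a new client:", alert)
```

An IP change alone is a weak signal (mobile networks and VPNs change addresses all the time), so in practice this is a triage input, typically weighted by ASN or geography changes and combined with a user-agent change as above. The fix that removes the class of attack is phishing-resistant MFA such as FIDO2/WebAuthn, whose assertions are bound to the legitimate site's origin and cannot be relayed through a proxy page.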

Privacy-focused search engine DuckDuckGo grew by 46% in 2021

The privacy-focused search engine DuckDuckGo continues to grow rapidly, with the company now averaging over 100 million daily search queries and growing by almost 47% in 2021. Unlike other search engines, DuckDuckGo says they do not track your searches or your behavior on other sites. Instead of building user profiles used to display interest-based ads, DuckDuckGo search pages display contextual advertisements based on the searched keywords. This means that if you search on DuckDuckGo for a television, that search query will not be used to display television ads at every other site you visit. Furthermore, to build their search index, the search engine uses the DuckDuckBot spider to crawl sites and receive data from partners, such as Wikipedia and Bing. However, they do not build their index using data from Google.

Russia fines Google $98 million over ‘banned content’

A Russian court levied a 7.2 billion rouble ($98 million) fine against Google on Friday for what it claims are repeated failures by the company to delete content the country has deemed illegal. Though Russia has tagged numerous tech companies throughout the year with fines for not following its increasingly restrictive internet content rules, Friday’s judgement marks the first time that the court has imposed fines based on a company’s annual revenue. Additionally, the Russian court fined Meta (and its subsidiary, Instagram) 2 billion roubles ($27.15 million) for similar offenses. Per Reuters, Meta is accused of failing to remove around 2,000 banned items while Google had reportedly failed to take down 2,600 bits of illicit content. Those include posts promoting drug use or dangerous behaviors, instructions for making improvised weapons and explosives, as well as anything regarding what and who it designates as extremists or terrorists. Or the spreading of “gay propaganda,” apparently.
