AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 2/14/2020

1 – Apple joins Microsoft, Samsung, Intel in FIDO security alliance

Apple has now joined the FIDO (“Fast Identity Online”) Alliance, several years after competitors including Microsoft, Samsung, Intel and Google. FIDO promotes stronger authentication for users, specifically replacing passwords with authentication technology such as biometric sensors and hardware security keys. In the FIDO model a fingerprint, face scan or PIN only unlocks a per-site key pair held on the user’s device; the server verifies a signature and never receives the biometric itself. FIDO was formed in July 2012 by a small group of companies including PayPal and Lenovo. Its open specifications cover authenticators ranging from fingerprint and iris scanners to hardware security keys. Microsoft became a member in December 2013, while Samsung joined in April 2014, at the same time announcing its implementation of the FIDO specifications in the Galaxy S5. Apple has not commented on joining the alliance now, nor on why it remained outside it for eight years. However, Apple has famously popularized FIDO-like biometric systems such as Touch ID and Face ID.


2 – Google says EU antitrust regulators holding back innovation

Google defended its business model on Wednesday, saying that making innovative products, rather than helping rivals, was at its core, as it sought to overturn a 2.4-billion-euro ($2.6 billion) EU antitrust fine at Europe’s second-highest court. The legal fight comes as European Competition Commissioner Margrethe Vestager gears up to take on U.S. tech giants and Chinese companies with legislation in the coming months, on top of ongoing antitrust investigations. “Competition law does not require Google to hold back innovation or compromise its quality to accommodate rivals. Otherwise, competition would be restricted and innovation would be stifled,” the company’s lawyer Thomas Graf told a panel of five judges on the first day of a three-day hearing at the General Court.


3 – Facebook suspends dating feature after DPC raids Dublin offices

Facebook has suspended its plans to roll out a new dating feature across the EU to coincide with St Valentine’s Day after the data protection watchdog raided its offices in Dublin. Facebook Ireland first informed the Data Protection Commission (DPC) on February 3 of its plans to roll out the feature within the fortnight. Facebook Dating, which is already available in the US, allows Facebook users over the age of 18 to create a dating profile separate from their main page. According to the social network giant: “It takes the work out of creating a dating profile and gives you a more authentic look at who someone is. People are suggested based on your preferences, interests and other things you do on Facebook.” However, the feature sparked concern at the office of the Data Protection Commissioner, the Irish supervisory authority for the General Data Protection Regulation (GDPR).


4 – MIT researchers find vulnerabilities in Voatz mobile voting app

Researchers at the Massachusetts Institute of Technology said Thursday they’ve found security flaws in Voatz, the mobile app that since 2018 has been used to collect ballots from overseas voters in several states. According to a new technical paper, the researchers found bugs that could be exploited to “alter, stop, or expose how an individual user has voted.” The researchers also found that Voatz’s reliance on a third-party vendor to authenticate the identity of its users raises potential privacy issues that could compromise the anonymity of ballots, which Voatz has previously said its technology ensures.


5 – White House Claims Huawei Equipment Has Backdoor for Spying

The Chinese company Huawei can secretly tap into communications through the networking equipment it sells globally, a U.S. official charged as the White House stepped up efforts to persuade allies to ban the gear from next-generation cellular networks. The U.S. national security adviser, Robert O’Brien, made the statement at an Atlantic Council forum on Tuesday evening after The Wall Street Journal quoted him as saying Huawei can “access sensitive and personal information” in systems it sells and maintains globally. O’Brien did not provide any evidence to support the claim. U.S. officials have long argued that Huawei is duty-bound by Chinese law to spy on behalf of the country’s ruling Communist Party. Huawei denies that claim and issued a statement Wednesday saying the company “has never and will never covertly access telecom networks, nor do we have the capability to do so.”


6 – US Bank Slammed for “Vague and Deceptive” Breach Disclosure

American bank Fifth Third has come under fire for sending customers a cryptic breach disclosure letter judged to be “vague and deceptive” by a consumer group. Fifth Third wrote to customers after discovering that at least two of its employees had stolen customer information and provided it to a third party. Data exposed included names, Social Security numbers, addresses, phone numbers, dates of birth, mothers’ maiden names, driver’s license information, and account numbers. The thefts began in the summer of 2018, and those responsible have since been terminated by the company. Although it has not been confirmed that the employees behind this inside job later sold the stolen data on the dark web, it is reasonable to assume they stood to profit in some way from their high-risk actions.


7 – WordPress Cookie Consent Plugin Fixes Critical Flaw for 700K Users

Critical bugs found in the WordPress GDPR Cookie Consent plugin allow potential attackers to delete and change content and inject malicious JavaScript code, because privileged plugin actions were reachable without adequate access controls. The GDPR Cookie Consent plugin is designed to let site admins display customizable header or footer cookie banners to show their website’s EU Cookie Law (GDPR) compliance. The plugin, maintained by WebToffee, is among the top 100 most popular plugins in the WordPress plugins repository and is used by more than 700,000 sites according to the active installations count on its WordPress library entry.


8 – Rental cars can be remotely started, tracked, and more after customers return them

In October, Ars chronicled the story of a man who was able to remotely start, stop, lock, unlock, and track a Ford Explorer he had rented and returned five months earlier. Now, something almost identical has happened again to the same Enterprise Rent-A-Car customer. Four days after returning a Ford Mustang, the FordPass app installed on the phone of Masamba Sinclair continues to give him control of the car. As last time, Sinclair could track the car’s location at any given moment. He could start and stop the engine and lock and unlock its doors. Enterprise only removed Sinclair’s access to the car on Wednesday, more than three hours after I informed the rental agency of the error.


9 – Gaza group strikes targets in Palestinian territories in new cyberattack wave

A new cyberspying campaign has been detected in the Middle East targeting victims in the Palestinian territories. An investigation into the attacks, conducted by the Cybereason Nocturnus team and made public on Thursday, suggests that one of the Gaza Cybergang groups, also known as MoleRATs, is potentially responsible. Kaspersky tracks Gaza Cybergang as three separate factions: MoleRATs, a group linked to Desert Falcons, and Operation Parliament. MoleRATs is an Arabic-speaking, politically motivated collective that has been in operation since 2012. Kaspersky says that MoleRATs is the least sophisticated of the three, and while the trio uses different styles of attack, all of them use common tools and commands after the initial infection.


10 – Mozilla issues final warning to websites using TLS 1.0

Sometime this March, the Firefox, Chrome, Safari and Edge browsers will start throwing up warnings when users visit websites that only support Transport Layer Security (TLS) versions 1.0 or 1.1. The phase-out was announced in October 2018 as a joint plan of the four browser vendors, and the implications for any holdout sites are stark: enable the later TLS 1.2 or, ideally, 1.3, or face having no traffic. According to the latest Mozilla reminder, visitors using Firefox will see a ‘Secure Connection Failed’ page carrying the error code SSL_ERROR_UNSUPPORTED_VERSION. Initially it will be possible to override the block, but only for so long; sooner rather than later, Mozilla says, that override will disappear too.
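A practical way to find the holdout sites before the browsers do is to look at what servers actually negotiate. The following is an added example (not code from the original post, Mozilla, or any browser vendor) that parses a captured TLS ServerHello and reports the negotiated version, honouring the TLS 1.3 supported_versions extension, which is the detail naive checks get wrong because a 1.3 server still writes 0x0303 in the legacy_version field. The ServerHello byte strings are constructed inline for the example, not captured from a real server, and the cipher suite values are only there to make the messages well formed.

```python
"""Classify captured TLS ServerHello records by the version the server really chose.

Added example; the sample records below are constructed here, not captured traffic.
"""
import struct
from typing import Dict, Optional, Tuple

TLS_VERSION_NAMES = {
    b"\x03\x00": "SSL 3.0",
    b"\x03\x01": "TLS 1.0",
    b"\x03\x02": "TLS 1.1",
    b"\x03\x03": "TLS 1.2",
    b"\x03\x04": "TLS 1.3",
}
# Versions the March 2020 browser change refuses to talk to.
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446, section 4.2.1


def build_server_hello(legacy_version: bytes, cipher_suite: bytes,
                       selected_version: Optional[bytes] = None) -> bytes:
    """Build a minimal, syntactically valid ServerHello record (constructed sample data).

    A TLS 1.3 server writes 0x0303 into legacy_version and carries the real
    version in a supported_versions extension; pre-1.3 servers omit that extension.
    """
    body = legacy_version + bytes(32)            # legacy_version + random (zeroed here)
    body += b"\x00"                              # empty legacy_session_id
    body += cipher_suite + b"\x00"               # cipher_suite + null compression
    if selected_version is not None:
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 2) + selected_version
        body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = server_hello
    return b"\x16" + legacy_version + struct.pack(">H", len(handshake)) + handshake


def negotiated_version(record: bytes) -> str:
    """Return the version the server actually selected from one ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = body[0:2]               # legacy_version (authoritative only pre-1.3)
    pos = 2 + 32                      # skip legacy_version and random
    pos += 1 + body[pos]              # skip legacy_session_id
    pos += 2 + 1                      # skip cipher_suite and compression_method
    if pos + 2 <= len(body):          # extensions block is optional before TLS 1.3
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_data_len == 2:
                version = body[pos:pos + 2]   # overrides legacy_version
            pos += ext_data_len
    return TLS_VERSION_NAMES.get(version, f"unknown 0x{version.hex()}")


def will_browsers_reject(record: bytes) -> bool:
    """True when the negotiated version is one the browsers now refuse."""
    return negotiated_version(record) in DEPRECATED


# Constructed samples: a legacy server, a TLS 1.2 server and a TLS 1.3 server.
SAMPLES: Dict[str, bytes] = {
    "legacy-1.0": build_server_hello(b"\x03\x01", b"\x00\x2f"),               # TLS_RSA_WITH_AES_128_CBC_SHA
    "modern-1.2": build_server_hello(b"\x03\x03", b"\xc0\x2f"),               # ECDHE-RSA-AES128-GCM-SHA256
    "modern-1.3": build_server_hello(b"\x03\x03", b"\x13\x01", b"\x03\x04"),  # TLS_AES_128_GCM_SHA256
}


def triage(samples: Dict[str, bytes]) -> Dict[str, Tuple[str, bool]]:
    """Map each sample name to (negotiated version, will the browsers block it)."""
    return {name: (negotiated_version(rec), will_browsers_reject(rec))
            for name, rec in samples.items()}


if __name__ == "__main__":
    for name, (ver, rejected) in triage(SAMPLES).items():
        print(f"{name:12} negotiated {ver:8} -> {'BLOCKED' if rejected else 'ok'}")
```

Against a live host the equivalent check is `openssl s_client -connect host:443 -tls1_1` (a handshake failure is the result you want to see), with one caveat: recent OpenSSL builds refuse TLS 1.0 and 1.1 at their default security level, so a failure there can reflect the client’s own policy rather than the server’s configuration, which is why reading the server’s ServerHello from a capture is the more reliable verdict.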
