AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets 2/27/2020

1 – FCA admits data breach

The Financial Conduct Authority has admitted it had revealed the confidential details of consumers on its website in a data breach last year. In a statement published today (February 25) the regulator said it had referred itself to the Information Commissioner’s Office over the incident, which occurred in November 2019. In response to a Freedom of Information request the FCA mistakenly published on its website the details of individuals who had made a complaint to the regulator between January 2018 and July 2019. In some instances these confidential details included names, addresses, telephone numbers and also the nature of the complaint. 


2 – 80,000 Passengers Affected By Transavia Data Breach

Dutch low-cost airline Transavia yesterday (Monday) admitted that as many as 80,000 Transavia passengers’ data was released following a cyber-attack. The five-year-old data was apparently being stored in an email inbox and contained passengers’ full names, their date of birth, luggage reservations, and whether or not they required assistance at the airport, such as a wheelchair. The data that was released concerned any passengers that flew with the KLM subsidiary between January 21st and January 31st, 2015. Not affected by the breach were any passengers who flew to Egypt, the Canary Islands or Lapland in Finland.


3 – Smart speakers mistakenly eavesdrop up to 19 times a day

That smart home speaker isn’t listening to everything you say, according to new research – but it is listening a lot more than it should. Researchers have found some speakers activating by mistake up to 19 times each day. Virtual assistants like Siri and Alexa are programmed not to listen to your conversation constantly. Instead, they listen for a ‘wake phrase’. When they hear it, it’s their cue to listen to what you subsequently say, which could be an instruction or a request. Google Assistant responds to “OK Google”, Apple’s Siri perks up when you say “Hey Siri” and Microsoft’s Cortana pricks up its digital ears when you say “Hey Cortana”. The problem is that just like humans, virtual assistants often mishear things. Siri might think that “Seriously” sounds enough like its wake word to start listening to what you’re saying, but that’s just one of a range of sounds that might trigger it. That’s why it’s been reported recording everything from sex to criminal deals.


4 – KidsGuard stalkerware leaks data on secretly surveilled victims

“KidsGuard?” What an inappropriate name. It should be called KidsStalk-N-Dox, given that the makers of this consumer-grade stalkerware left a server open and unprotected, regurgitating the private data it slurped up from thousands of victims’ devices after a parent or other surveillance-happy person stealthily installed it. The spyware app’s unprotected Alibaba cloud storage bucket was found by Till Kottmann. He’s a developer who reverse-engineers apps to see how they tick (or leak, in this case). Kottmann shared a copy of the Android version of KidsGuard with TechCrunch, which first reported on the data breach on Thursday. Kottmann’s findings amount to “Goodness, Grandma, what enormous bites you take out of victims’ privacy with those big, keyloggy teeth of yours.”


5 – Pentagon Adopts New Ethical Principles for Using AI in War

The Pentagon is adopting new ethical principles as it prepares to accelerate its use of artificial intelligence technology on the battlefield. The new principles call for people to “exercise appropriate levels of judgment and care” when deploying and using AI systems, such as those that scan aerial imagery to look for targets. They also say decisions made by automated systems should be “traceable” and “governable,” which means “there has to be a way to disengage or deactivate” them if they are demonstrating unintended behavior, said Air Force Lt. Gen. Jack Shanahan, director of the Pentagon’s Joint Artificial Intelligence Center.


6 – PayPal accounts abused en-masse for unauthorized payments

Hackers have found a bug in PayPal’s Google Pay integration and are now using it to carry out unauthorized transactions via PayPal accounts. Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. Victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York. Most of the victims appear to be German users.


7 – Credit Card Skimmer Running on 13 Sites, Despite Notification

The tally of shopping websites infected by MageCart Group 12 with JavaScript that steals payment card info is seeing a sharp increase. Nearly 40 new victims have been discovered. Some of them were compromised as early as September 30, 2019, allowing attackers to collect payment card info for more than four months. MageCart is a generic name for attackers that inject into web shops a script that steals the payment details customers provide on checkout pages, essentially a skimmer in software form. Group 12 refers to just one of the threat actors involved in this business. They are not overly sophisticated but adjust tactics as researchers document their modus operandi.


8 – Mexico’s economy ministry hit by cyber attack

Mexico’s economy ministry detected a cyber attack on some of its servers on Sunday but did not consider sensitive information to have been compromised, and beefed up safety measures, it said in a statement. It was the second high-profile cyber attack on the Mexican government after hackers demanded $5 million in bitcoin from national oil company Pemex last November, forcing it to shut down computers nationwide. Providers have been asked to temporarily isolate networks and servers, the ministry said on Monday, adding that the processing of some forms would be temporarily suspended to protect their legal status.


9 – Facebook would have to pay $3.50 per month to U.S. users for sharing contact info

German Facebook users would want the social media platform to pay them about $8 per month for sharing their contact information, while U.S. users would only seek $3.50, according to a study of how people in various countries value their private information. The study by U.S.-based think tank the Technology Policy Institute (TPI) is the first that attempts to quantify the value of online privacy and data. It assessed how much privacy is worth in six countries by looking at the habits of people in the United States, Germany, Mexico, Brazil, Colombia and Argentina. It addresses growing concern about how companies from technology platforms to retailers have been collecting and monetizing personal data. U.S. regulators have imposed hefty fines on Facebook Inc and Alphabet-owned Google’s YouTube unit for privacy violations.


10 – Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info

A vulnerability in some popular WiFi chips present in client devices, routers, and access points can be leveraged to partially decrypt user communication and expose data in wireless network packets. The flaw received the name Kr00k and was identified in components from Broadcom and Cypress, which are integrated into mobile phones, tablets, laptops, and IoT gadgets. By current conservative estimates, over one billion devices are affected. Researchers at security company ESET, who found the vulnerability, explain that exploitation leads unpatched devices to “use an all-zero encryption key to encrypt part of the user’s communication.”

