AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 2/3/2020

1 – Tinder and Bumble under investigation over underage use, sex offenders, and data handling

Yesterday, the US House Oversight and Reform subcommittee announced an investigation into popular dating apps including Tinder, Grindr, and Bumble for allegedly allowing minors and convicted sex offenders to use their services. In a press release issued yesterday, the Chairman of the subcommittee, Raja Krishnamoorthi, sent letters to Match Group, Inc — the parent company of major dating apps — seeking information related to recent reports that numerous dating apps have failed to effectively screen out underage users, “which creates dangerous and inappropriate situations.” Dating services will have to hand over information on the age of its users, the procedure it takes to verify ages, and any complaints raised by users regarding assault, rape, or use by minors.


2 – Hacker Leaks Alleged Tesla Design Secrets

A hacker has taken to Twitter to share design secrets they allegedly obtained by compromising American automotive and energy company Tesla. Posting on the account @genteelly on Friday night, a hacker who calls themself “Green” said that Tesla was planning to introduce new hardware to their S and X model cars. Modifications that Green claims are in the cards include the introduction of new battery options and a suspension redesign. According to Green, Tesla has added a wireless device charger to its two oldest car models. The charger is allegedly integrated into the center console. Green also claims to have uncovered plans for a new type of charging port.


3 – Social media boosting service exposed thousands of Instagram passwords

A social media boosting startup, which bills itself as a service to increase a user’s Instagram  followers, has exposed thousands of Instagram account passwords. The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.


4 – United Nations Data Breach Started with Microsoft SharePoint Bug

A cyberattack targeting United Nations offices in July 2019 reportedly stemmed from Microsoft SharePoint vulnerability CVE-2019-0604, which was patched early last year and has been under active attack since then. A senior UN IT official estimates some 400GB of data was downloaded. News of the breach comes from a confidential document from the UN Office of Information and Technology. The file was leaked to The New Humanitarian and seen by the AP, which reports 42 servers were compromised and another 25 are considered suspicious. The majority of these servers are at the UN offices in Geneva and Vienna. Attackers were also able to access Active Directories, likely obtaining human resources, insurance systems, databases, and network data.


5 – BOJ warns of cyber-attack vulnerability ahead of Olympic Games

Japan’s financial institutions must guard against cyber-attacks ahead of the 2020 Tokyo Olympic Games, with nearly 40% of banks and other firms experiencing attacks over the past three years, the Bank of Japan said on Friday. The increasing threat of cyber-attacks has prodded the Bank of England and other central banks to take action to ensure that banks, insurers and other financial firms minimize the impact of cyber-attacks or technology outages. In a BOJ survey conducted in September, nearly 40% of respondents said they had experienced cyber-attacks, and more than 10% had suffered disruptions to their business.


6 – China’s Winnti hackers

A Chinese hacking crew which had previously been focusing on industrial and commercial attacks has now involved itself in efforts to suppress protests in Hong Kong. Researchers at security shop ESET say the Winnti Group, a hacking operation believed to be backed by the Chinese government, has begun targeting the networks and accounts of at least five universities in Hong Kong. Active malware infections were found at two of the schools in November of last year and ESET believes three others have since been targeted by the hackers. The aim of these intrusions, ESET believes, is to gather intelligence and disrupt protests by students at those universities, as Hong Kong continues to deal with civil unrest between pro-democracy protesters and the mainland government.


7 – Hacker snoops on art sale and walks away with $3.1m, victims fight each other in court

Hackers intercepted talks between an art dealer and a Dutch museum to scam the museum out of millions, and while they walked away with their ill-begotten proceeds, the victims are now fighting over who is responsible. As reported by Bloomberg, London-based veteran art dealer Simon Dickinson and Rijksmuseum Twenthe were in the midst of negotiations over the acquisition of a valuable painting by John Constable, a 1700 – 1800’s landscape painter from England. In particular, it has been reported that the 1855 painting, “A View of Hampstead Heath: Childs Hill, Harrow in the Distance,” caught the eye of the museum’s director after they visited a European art fair in 2018.


8 – Dallas County attorney agrees to drop charges against men contracted by judicial branch to test courthouse security

Charges have been dropped against two men initially accused of burglary after they were found testing the security of an Iowa courthouse while on contract with the judicial branch. Justin Wynn, 29, of Naples, Florida, and Gary De Mercurio, 43, of Seattle, were charged with third-degree burglary and possession of burglary tools after they tripped the alarm at the Dallas County Courthouse early on the morning of Sept. 11. It was later revealed they also performed physical penetration tests on the Polk County Courthouse and Judicial Building. Wynn’s and De Mercurio’s charges were later reduced to trespassing, a simple misdemeanor; they continued to maintain their innocence and fight the allegations.


9 – Jeff Bezos met FBI investigators in 2019 over alleged Saudi hack

Jeff Bezos met federal investigators in April 2019 after they received information about the alleged hack of the billionaire’s mobile phone by Saudi Arabia, the Guardian has been told. Bezos was interviewed by investigators at a time when the FBI was conducting an investigation into the Israeli technology company NSO Group, according to a person who was present at the meeting. Reuters first reported on Thursday that the FBI was investigating the role of NSO in possible hacks of US residents and companies, citing four people familiar with the inquiry. Reuters also reported that the FBI had met Bezos in connection with the alleged hacking of his phone.


10 – Employers can’t force you to get microchipped, Indiana reps say

You’ve got two choices, employee: a) let us slide a syringe between your thumb and index finger so we can inject a rice-sized microchip into your hand that can be used as a swipe card to open doors, clock in, operate printers or buy junk out of the snack machine, or b) find another job. An improbable scenario? Yes. It doesn’t happen – at least not if employees say no… For now. And the US state of Indiana wants to make sure it stays that way. Last week, the state House of Representatives unanimously passed legislation – House Bill 1143 – stipulating that employers can’t force their employees to have an ID or tracking chip implanted in their bodies as a condition of employment. The bill passed the House 96-0 and is now heading to the Senate for consideration.


11 – Attempts to define international infosec rules of the road bogged down by endless talkshops, warn diplomats

FIC 2020 International progress on state-level so-called cybersecurity “norms” is hopelessly bogged down in an explosion of NGOs and internal United Nations rivalries between two overlapping groups, a French security conference heard this week. Not only are there two overlapping United Nations groups tasked with defining international cybersecurity norms, but even agreed declarations are ignored because nobody notices what the UN comes up with on cybersecurity, diplomats complained. Set in the context of a panel discussion about soft standards for states interacting in cyberspace, the discussion did not build confidence in the idea that countries will sign up to a worldwide set of rules on what is and isn’t acceptable online.


12 – AI-formulated medicine to be tested on humans for the first time

A drug designed entirely by artificial intelligence is about to enter clinical human trials for the first time. The drug, which is intended to treat obsessive-compulsive disorder, was discovered using AI systems from Oxford-based biotech company Exscientia. While it would usually take around four and a half years to get a drug to this stage of development, Exscientia says that by using the AI tools it’s taken less than 12 months. The drug, known as DSP-1181, was created by using algorithms to sift through potential compounds, checking them against a huge database of parameters, including a patient’s genetic factors. Speaking to the BBC, Exscientia chief executive Professor Andrew Hopkins described the trials as a “key milestone in drug discovery” and noted that there are “billions” of decisions needed to find the right molecules for a drug, making their eventual creation a “huge decision.” With AI, however, “the beauty of the algorithm is that they are agnostic, so can be applied to any disease.”


Related Posts