AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 2/7/2020

1 – No expectation of privacy in an IP address, Alberta judge rules

Police in Alberta don’t need a court order to get an external IP address from a service provider in trying to identify an internet user, according to a recent Calgary judicial ruling. The decision is a first in Canadian privacy law. The precedent applies for now only in Alberta but it will be cited in other courts across the country and could be persuasive if the facts in other cases are similar. If upheld in other provinces or by the Supreme Court, organizations across the country — including social media platforms, content providers and websites — may have to turn over IP addresses without court orders. The pre-trial hearing involved the way Calgary police tracked down and charged a man with 33 counts of possessing and using other people’s credit cards and personal identification to fraudulently buy goods with virtual gift cards.


2 – Researchers Find ‘Anonymized’ Data Is Even Less Anonymous Than We Thought

Dasha Metropolitansky and Kian Attari, two students at the Harvard John A. Paulson School of Engineering and Applied Sciences, recently built a tool, for a class paper they’ve yet to publish, that combs through vast troves of consumer datasets exposed in breaches. “The program takes in a list of personally identifiable information, such as a list of emails or usernames, and searches across the leaks for all the credential data it can find for each person,” Attari said in a press release. They told Motherboard their tool analyzed thousands of datasets from data scandals ranging from the 2015 hack of Experian, to the hacks and breaches that have plagued services from MyHeritage to porn websites. Despite many of these datasets containing “anonymized” data, the students say that identifying actual users wasn’t all that difficult.


3 – Bug hunter finds cryptocurrency-mining botnet on DOD network

A security researcher hunting for bug bounties discovered last month that a cryptocurrency-mining botnet had found a home and burrowed inside a web server operated by the US Department of Defense (DOD). The issue was discovered and reported via the DOD’s official bug bounty program by Indian security researcher Nitesh Surana. Initially, the bug report was filed in relation to a misconfigured Jenkins automation server running on an Amazon Web Services (AWS) server associated with a DOD domain. Surana discovered that anyone could access the Jenkins server without login credentials.


4 – ZeroHedge banned from Twitter over coronavirus bioweapon claims

ZeroHedge has been permanently suspended from Twitter following a complaint stemming from an article that suggested a Chinese scientist was linked to the creation of the new coronavirus strain as a bioweapon. The financial markets news website was the subject of a recent Buzzfeed report which examined the article — still online at the time of writing — which connected a Wuhan-based scientist to the virus. ZeroHedge claimed, without evidence, that the scientist was involved in the development of the “weaponized” coronavirus strain. 


5 – Weak encryption means putting our military at risk

Last month, a brigade of U.S. soldiers deployed to the Middle East received instructions from their superiors to use two commercial encrypted messaging applications, Signal and Wickr, on their government-issued cell phones. These leadership cues trickled down from the Department of Defense’s (DoD) position that strong encryption is critical to national security. While U.S. Attorney General William Barr continues to push for a broad mandate for backdoors for law enforcement, those on the front lines of protecting America have notably decided on a different approach. Simply put, weakening encryption means putting our military service members at risk.


6 – High-Tech Printing May Help Eliminate Painful Shots

Painful hypodermic needles may not be needed in the future to give shots, inject drugs and get blood samples. With 4D printing, Rutgers engineers have created tiny needles that mimic parasites that attach to skin and could replace hypodermic needles, according to a study in the journal Advanced Functional Materials. While 3D printing builds objects layer by layer, 4D goes further with smart materials that are programmed to change shape after printing. Time is the fourth dimension that allows materials to morph into new shapes.


7 – Cybereason Uncovers Malware Distributed via Bitbucket Repositories

Cybereason, a provider of endpoint protection software, today disclosed that it discovered a malware campaign that has been leveraging Bitbucket repositories from Atlassian to launch cyberattacks. Assaf Dahan, senior director for threat research at Cybereason, said the repositories have been taken offline since first being discovered last month by Atlassian. However, Dahan noted this is only the latest example of public software repositories such as Google Drive or GitHub that are trusted by many individuals being employed to distribute malware. Cybercriminals are employing these repositories because it’s unlikely they will get blacklisted, he said.


8 – Ford’s biking jacket shows emoji to everyone behind you

While the number of traffic accident fatalities in the US is thankfully decreasing, there were more cyclist and pedestrian deaths on the roads in 2018, the most recent year for which NHTSA data is available. There were 51 more cyclist deaths that year than in 2017, a rise of 6.3 percent. A recent European Transport Safety Council report, meanwhile, determined that 19,450 cyclists died on EU roads between 2010 and 2018. To bolster road safety, Ford came up with a way to help cyclists communicate: a jacket that displays emoji. The prototype has an LED display on the rear that’s linked to a wireless remote attached to the handlebars. A cyclist might use it to display turn signals or a hazard symbol. They could also indicate their general mood: happy, sad or somewhere in between.


9 – Brazilian firm exposes personal details of thousands of soccer fans

Tens of thousands of Brazilian soccer fans have been exposed as a publicly-accessible cloud storage bucket leaked several gigabytes of data with sensitive information stretching back several years. The leaky S3 bucket, investigated exclusively by ZDNet in partnership with Brazilian cybersecurity news website The Hack, was owned by Futebol Card, an online ticketing company that also provides member and loyalty program management systems to a number of major soccer clubs. Personal data belonging to supporters of a number of Brazilian organizations was involved in the incident, but the vast majority of the individuals exposed are fans of São Paulo-based soccer team Palmeiras, one of the country’s most popular and successful Brazilian clubs, with around 18 million supporters nationwide.


10 – Academics steal data from air-gapped systems using screen brightness variations

Academics from Israel have detailed and demoed a new method for stealing data from air-gapped computers. The method relies on making small tweaks to an LCD screen’s brightness settings. The tweaks are imperceptible to the human eye, but can be detected and extracted from video feeds using algorithmic methods. This article describes this innovative new method of stealing data, but readers should be aware from the start that this attack is not something that regular users should worry about, and that they are highly unlikely to ever encounter it. Named BRIGHTNESS, the attack was designed for air-gapped setups — where computers are kept on a separate network with no internet access.


11 – Salesforce.com and Hanna Andersson Data Breach Lawsuit Among the First to Cite the CCPA

Even though California’s landmark privacy law only took effect on Jan. 1, it is already being cited in data breach lawsuits. Salesforce.com and Hanna Andersson—a children’s clothing company—are facing data breach allegations in one of the first class action lawsuits to directly involve the CCPA. According to the complaint filed in the U.S. District Court for the Northern District of California (Barnes v. Hanna Andersson, LLC, N.D. Cal., No. 20-cv-00812), Salesforce and Hanna Andersson failed to protect user data, safeguard platforms, or provide cybersecurity warnings. These actions violated state laws including the California Consumer Privacy Act, plaintiff Bernadette Barnes claims.


12 – Facebook will let parents see kids’ chat history, peer into inbox

Seven months after a crack formed in the keep-the-kids-safe bubble of Facebook’s Messenger Kids chat app, it’s beefing up the app’s Parent Dashboard with new tools and letting parents read their kids’ chat histories, see the most recent videos and photos they sent or received, and delete any content they find objectionable. On Tuesday, product manager Morgan Brown said in an announcement that on top of the new tools and features for parents to manage their child’s experience in Messenger Kids, the company has also updated the app’s privacy policy to include additional information about its data collection, use, sharing, retention and deletion practices.


13 – Coronavirus outbreak starts to hit tech industry

The outbreak of Coronavirus in China is starting to affect the global technology industry, with reports that shipments of devices, such as graphics cards, are set to drop. That’s according to sources at companies like Asus, Foxconn and Gigabyte, who claim that first quarter shipments of motherboards and graphics cards have dropped by more than anticipated, according to Taiwanese industry newspaper Digitimes. They claim it is due to people in China avoiding public places, such as shops, as far as possible, while delivery and other services have also been affected.
