AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 3/11/2020

1 – Malware Unfazed by Google Chrome’s New Password, Cookie Encryption

Google’s switch to AES-256 encryption for cookies and passwords in the Chrome browser (Chrome 80) had only a minor impact on infostealers. Faced with the threat of having their business disrupted, developers of malware that steals data from web browsers quickly updated their tools to overcome the hurdle, many of them advertising support for the new Chrome in their sales pitches. Even AZORult, abandoned by its original author in 2018, has received code updates from actors who continued the project to make it compatible with Chrome 80.


2 – Talkspace threatened to sue a security researcher over a bug report

A security researcher said he was forced to take down a blog post describing an apparent bug in Talkspace’s website that gave him a year’s subscription for free, after the company rejected his findings and sent him a legal threat. John Jackson said he was able to sign up to Talkspace, a popular therapy app, as if he were an employee of one of the companies whose health insurance plans cover Talkspace’s services. Some of these sign-up links turn up in Google search results even though they aren’t advertised on the company’s website. Jackson said he found little to no evidence that the sign-up page verifies that a user is actually eligible for the free year-long subscription.


3 – Comcast Xfinity published the contact details of 200,000 customers who paid for them to be kept private

Nearly 200,000 customers in the United States, who thought they were paying Comcast Xfinity to keep their information safely out of the public eye, have had their details exposed in the company’s online directory. Customers pay Comcast each month to keep their personal details (names, phone numbers, and addresses) out of public databases. They do this not just because they are privacy-conscious, but also because they may be concerned about their personal safety. So you can well understand why they might feel aggrieved to discover that the company seems to have ignored their instructions and made supposedly “unlisted” contact details available for anyone to access on ecolisting.com, a site it touted as an eco-friendly replacement for old-fashioned paper telephone directories.


4 – Facebook sued by Australian information watchdog over Cambridge Analytica-linked data breach

Australia’s information commissioner is suing Facebook over allegedly breaching the privacy of over 300,000 Australians caught up in the Cambridge Analytica scandal. In a case lodged in the federal court on Monday, the Australian information commissioner Angelene Falk alleged that Facebook committed serious and repeated interferences with privacy in contravention of Australian privacy law, because data collected by Facebook was passed on to the This is Your Digital Life app and used by Cambridge Analytica for political profiling, a purpose for which it was not collected. The data included people’s names, dates of birth, email addresses, city location, friends list, page likes and, for those who had granted the app access to them, Facebook messages.


5 – New US Bill Aims to Protect Researchers who Disclose Govt Backdoors

New legislation has been introduced that would amend the Espionage Act of 1917 so it cannot be used to target journalists, whistleblowers, and security researchers who discover and publish classified government information, including government backdoors. Concerned that the current law is being used for partisan prosecution, U.S. Representative Ro Khanna (D – California) introduced the bill in the House on March 5th, 2020, and U.S. Senator Ron Wyden (D – Oregon) is expected to introduce it in the Senate.


6 – How Oracle made its fortune copying IBM-designed SQL

More than a decade ago, Google re-implemented the Java programming language as part of its new Android mobile operating system. Oracle, the owner of Java, then sued Google for copyright infringement in 2010. Later this month, the Supreme Court will hear oral arguments in this epic copyright case that will have huge implications for the entire software industry—and that could cost Google billions of dollars. Google says it has done nothing wrong. Copyright law specifically excludes “systems” and “methods of operation” from copyright protection. Google argues that the aspects of Java it copied—function names, argument types, and so forth—fit squarely into these exceptions. Google also argues that copyright’s fair use doctrine allows for this kind of copying.


7 – Facebook’s photo transfer tool opens to more users in Europe, LatAm and Africa

Facebook is continuing to open up access to a data porting tool it launched in Ireland in December. The tool lets users of its network transfer photos and videos they have stored on its servers directly to another photo storage service, such as Google Photos, via encrypted transfer. A Facebook spokesman confirmed to TechCrunch that access to the transfer tool is being rolled out today to the UK, the rest of the European Union and additional countries in Latin America and Africa. Late last month Facebook also opened up access to multiple markets in APAC and LatAm, per the spokesman. The tech giant has previously said the tool will be available worldwide in the first half of 2020.


8 – Brussels Airlines sues hacker who flew to New York for free

Brussels Airlines is seeking thousands of euros in compensation from a Flemish hacker who put himself and two friends on a business class flight to New York for free. The airline is requesting up to €20,000 in compensatory damages to make up for the price of the tickets, as well as for airport taxes and other expenses incurred by the hacker’s feat. “The man bought a number of tickets through a special app that was intended for employee-use only,” prosecuting attorney Karel Berteloot told HLN. “[He] cancelled the tickets and obtained a reimbursement but then manipulated the URL of the ticket so that he could still use it. He also managed to arrange three tickets in business class for a flight to New York, worth €6,000 per ticket. The man would better use his talents legally,” Berteloot added.


9 – Chrome extension cons cryptocurrency users out of hardware wallet key

Cryptocurrency security company Ledger has warned users about a rogue Chrome extension that dupes its victims into giving up the keys to their crypto wallets. Cryptocurrency owners need a wallet just like users of regular cash do. Instead of cash, however, crypto wallets hold private keys, which control the blockchain addresses the funds sit at: whoever holds the key can spend the funds. Some people write those keys (or the seed phrase that generates them) down on a piece of paper, while others store them in a file on their computer or in a software application that doubles as a wallet. A hardware wallet is a device dedicated to storing the keys so they never leave it, and such devices are built to be as difficult to extract keys from as possible; an extension that asks the user to type in the seed phrase bypasses that protection entirely.


10 – Polish school hit with GDPR fine for using fingerprints to verify students’ lunch payments

A school in Poland has been fined €4,600 ($5,200) for breaching Europe’s General Data Protection Regulation (GDPR) after it was found to be processing students’ fingerprint data to verify whether they had paid for school lunch. The news comes as biometric data collection programs around the world spark significant privacy concerns. The unidentified school in Gdansk, a city in northern Poland, processed the fingerprints of hundreds of children “without a legal basis,” according to a statement by Jan Nowak, president of Poland’s Personal Data Protection Office (UODO). Nowak added that there were adequate alternative options for managing school meals.