AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 4/1/2020

Spotify is bringing its kids app to the US, Canada, and France

Spotify’s expanding the rollout of its kids app, just as more kids are at home with nothing to do. The company announced that it’s bringing Spotify Kids to the US, Canada, and France today. The ad-free iOS / Android app is only available to Spotify Premium Family subscribers and features content appropriate for kids ages three and older. Spotify first launched the app in Ireland in October, and since then, it’s made multiple product adjustments, although the app is still considered to be in beta.


Virgin Media Facing Huge Compensation Bill Over Data Breach

Virgin Media could be liable to pay up to £4.5bn in compensation following the company’s data breach, in which the details of 900,000 customers were freely available online for hackers to exploit for 10 months. This has left the victims vulnerable to scams including phishing emails, account takeovers and identity theft, with the resulting compensation claims for financial and emotional distress suffered expected to be around £5000 per claimant.


HackerOne cuts ties with mobile voting firm Voatz after it clashed with researchers

HackerOne, a company that pairs ethical hackers with organizations to fix software flaws, has kicked mobile voting vendor Voatz off its platform, citing the vendor’s hostile interactions with security researchers. It’s the first time in its eight-year existence that HackerOne, which works with companies from AT&T to Uber, has expelled an organization from its bug-bounty-hosting platform, a HackerOne spokesperson said. The decision comes after Voatz assailed the motives of MIT researchers who found flaws in the company’s voting app.


Phishing Attack Says You’re Exposed to Coronavirus, Spreads Malware

A new phishing campaign has been spotted that pretends to be from a local hospital telling the recipient that they have been exposed to the Coronavirus and that they need to be tested. With the Coronavirus pandemic affecting all corners of the world, we continue to see phishing actors try to take advantage of the fear and anxiety it is provoking to scare people into opening malicious email attachments. In a new low, a threat actor is pretending to be from a local hospital telling the recipient that they have been in contact with a colleague, friend, or family member who has tested positive for the COVID-19 virus.


Google Advises Against Disabling Sites During the Pandemic

Google warns businesses against disabling their websites during the COVID-19 pandemic and, instead, recommends limiting their functionality to avoid being penalized in Google Search results. The guidance published by Google Webmaster Trends Analyst John Mueller answers questions from businesses who might want to pause their online business and reduce the impact in Google Search. “These recommendations are applicable to any business with an online presence, but particularly for those who have paused the selling of their products or services online,” Mueller explained.


DeepMind’s Agent57 beats humans at 57 classic Atari games

In a preprint paper published this week by DeepMind, Google parent company Alphabet’s U.K.-based research division, a team of scientists describe Agent57, which they say is the first system that outperforms humans on all 57 Atari games in the Arcade Learning Environment data set. Assuming the claim holds water, Agent57 could lay the groundwork for more capable AI decision-making models than have been previously released. This could be a boon for enterprises looking to boost productivity through workplace automation; imagine AI that automatically completes not only mundane, repetitive tasks like data entry, but which reasons about its environment.


Court: Violating a site’s terms of service isn’t criminal hacking

A federal court in Washington, DC, has ruled that violating a website’s terms of service isn’t a crime under the Computer Fraud and Abuse Act, America’s primary anti-hacking law. The lawsuit was initiated by a group of academics and journalists with the support of the American Civil Liberties Union. The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have terms of service prohibiting users from supplying fake information, and the researchers worried that their research could expose them to criminal liability under the CFAA, which makes it a crime to “access a computer without authorization or exceed authorized access.”


FCC will require phone carriers to authenticate calls by June 2021

The FCC announced today that all carriers and phone companies must adopt the STIR/SHAKEN protocol by June 30th, 2021. The regulatory requirement is designed to combat robocalls, specifically those that try to hide their phone numbers, by allowing carriers to authenticate caller IDs. The agency says the widespread adoption of STIR/SHAKEN will reduce the effectiveness of illegal spoofing, help law enforcement agencies identify bad actors and, most importantly, allow carriers to identify spammers before they ever call your phone.


Data from 5.2M Marriott Loyalty Program Members Hit by Breach

Marriott International has notified some 5.2 million guests that their personal information could have been accessed in the breach of an internal application used to help provide guest services. According to the company, the breach was active from mid-January until the end of February of this year. The information involved in the leak is part of the data kept on guests as part of Marriott’s Bonvoy loyalty program. The affected information includes contact details (such as name, mailing address, email address, and phone number), loyalty account information (including account number and points balance, but not passwords), additional personal details (such as company, gender, and birthday day and month), partnerships and affiliations (including linked airline loyalty programs and numbers), and preferences (for example, stay/room preferences and language preference). Marriott noted that no account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers were part of the breached data.


Epic Games floats $1m bounty to ID source of ‘commercial smear’ claiming Houseparty chat app has been hacked

Group video chat app Houseparty has offered a $1m bounty to identify what it claims is an organised campaign to falsely depict it as a hackers’ backdoor. Announced at 4am UTC on the firm’s Twitter account, the million-dollar bounty is being offered to “the first individual to provide proof of such a campaign,” with Epic Games, the firm behind Houseparty, alleging this effort is “a paid commercial smear… to harm Houseparty.” The app has exploded in popularity since most of the world entered coronavirus lockdown as a replacement for interacting within venues such as pubs, coffee shops and restaurants. Most people use it to livestream themselves drunkenly trying out filters that turn their fizzogs into cartoon dogs and so on.


Facebook launches a global version of its Community Help feature in response to the COVID-19 pandemic

Facebook first launched its Community Help feature in 2017, to give users a way to offer assistance, search for and receive help in the wake of a crisis. The feature has since been used to connect Facebook users after man-made, accidental, and natural disasters, like terrorist attacks or weather events, for example. Today, Facebook is expanding Community Help as part of its COVID-19 efforts. The new COVID-19 Community Help hub will allow people to request or offer help to those impacted by the coronavirus outbreak as well as donate to nonprofit fundraisers. This is the first time Facebook has launched Community Help on a global scale. It’s also the first time it’s been used for a health pandemic.
