AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 4/15/2020

Amazon stops accepting new online grocery customers amid surging demand

Amazon will begin to put new grocery delivery customers on a wait-list and curtail shopping hours at some Whole Foods stores to prioritize orders from existing customers buying food online during the coronavirus outbreak, the company said on Sunday. Many shoppers recently seeking to purchase groceries from the Seattle-based ​e-commerce company found they could not place orders due to a lack of available delivery slots. Amazon said it would have to relegate all new online grocery customers to a wait-list starting Monday while working on adding capacity each week.


Apple Maps will soon direct you to your nearest coronavirus testing center

One of the key directives from the World Health Organization (WHO) to contain the coronavirus spread has been to perform more tests. But it might not be easy for people to know where’s the nearest test center. Apple is hoping to help with that by pinpointing the location of test centers nearest you in its Maps app. As was first spotted by 9to5Mac, Apple introduced a portal for hospitals, labs, and clinics over the weekend to register themselves as COVID-19 testing centers. The company will verify these locations, and show them on Apple Maps. The app will also show if the test location has a drive-through facility or requires you to pre-book an appointment.


Credentials of 4 Million Quidd Users Found on Dark Web

A data set containing 3,954,416 Quidd user credentials was found on a prominent dark web hacking forum, Risk Based Security reports. Backed by Sequoia and headquartered in Brooklyn, Quidd offers an application for trading digital collectibles, and claims to have issued over 2.1 billion assets. The data discovered on the dark web, RBS security researchers say, is not up for sale, but access to it is not restricted. The data was initially posted on the underground forum on March 12, self-attributed to a threat actor called “Protag.” The data was quickly removed, but another individual posted it again, on March 29, and it has remained available ever since, the researchers say. Within the data, email addresses, usernames, and bcrypt hashed passwords were identified.


Apple Responds to Senators Questioning Privacy of Covid-19 Tools

Apple Inc. responded to Democratic Senators who sent a letter to Chief Executive Officer Tim Cook with questions related to the privacy of the iPhone maker’s Covid-19 screening tools. In a letter dated Friday, Apple said the tools “were built to protect the privacy and security of users’ data.” The company also answered questions related to data sharing, agreements with government agencies, and the accessibility of the tools. The letter refers to screening tools launched in March that help users determine if they should quarantine or seek medical help, not Apple and Google’s new partnership for contact tracing.


Zoom will let paying customers pick which data center their calls are routed from

Zoom will let paying customers pick which data centers calls can be routed through starting April 18th, the company announced in a blog post today. The changes come after a report from the University of Toronto’s Citizen Lab found that Zoom generated encryption keys for some calls from servers in China, even if none of the people on the call were physically located in the country. Zoom says paying customers will be able to “opt in or out of a specific data center region,” though you won’t be able to opt out of your default region. Zoom currently groups its data centers into these regions: Australia, Canada, China, Europe, India, Japan/Hong Kong, Latin America, and the US.


Hackers file fake tax returns in scheme to steal IRS refunds

It may be open season for coronavirus scammers, but tax frauds aren’t letting up, either. Attackers tried obtaining large tax refunds by posing as clients of Weber and Company, the California-based accounting firm revealed last week. The scammers apparently accessed clients’ personal data — including, perhaps, Social Security numbers and bank account information — and used that to file fraudulent returns, Weber and Company said in a notification to California’s attorney general. The IRS and the FBI are investigating the matter, the company said.


TikTok users beware: Hackers could swap your videos with their own

Mobile app developers Tommy Mysk and Talal Haj Bakry just published a blog article entitled “TikTok vulnerability enables hackers to show users fake videos“. As far as we can see, they’re right. (We replicated their results with a slightly older Android version of TikTok from a few days ago, 15.5.44; their tests included the very latest builds on Android and iOS, numbered 15.7.4 and 15.5.6 respectively.) We used a similar approach to Mysk and Haj Bakry to look at the network traffic produced by TikTok – we installed the tPacketCapture app on Android and then ran the TikTok app for a while to flip through a few popular videos.


Coronavirus means no new emoji in 2021

The Unicode Consortium announced last week that it was pushing the release of Unicode 14 back by six months. Now instead of a new batch of emoji coming out in 2021, we won’t see the new ones until 2022. The reason is — you guessed it — COVID-19. Specifically, the Consortium is delaying the release of Unicode Standard Version 14.0, which would include a new batch of emoji characters. Mark Davis, President of the Consortium, said in a statement that attempting to adhere to the original schedule would put a strain on the Consortium’s volunteers.

Related Posts