AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 5/7/2020

DigiCert hit as hackers wriggle through (patched) holes in buggy config tool

DigiCert, slinger of SSL/TLS certificates, has warned that it too has suffered at the hands of Salty miscreants, as a key used for Signed Certificate Timestamps (SCT) was potentially compromised. The company joins Ghost.org and LineageOS in being the target of ne’er-do-wells, as attackers exploited a disclosed (and patched) vulnerability in the Salt configuration tool over the weekend, spraying exposed infrastructure with cryptocurrency mining software. Salt, which, as we reported, disclosed the bugs (CVE-2020-11651 and CVE-2020-11652) on Friday, is a system that allows a single host server to manage a cluster of other client servers, such as within a database or, in this case, a distributed log system.

Microsoft Just Dealt A Blow To Google Chrome With These New Security Features

Microsoft’s Edge browser is getting increasingly popular as a valid alternative to Google Chrome. Like Chrome, Edge is based on the Chromium browser engine, and it comes with a bunch of pretty cool features to boot. The first change is an update to Microsoft Edge’s “Profiles” feature to make it easier for you to separate work and personal browsing. In a blog, Microsoft announced a feature called “Automatic Profile Switching” to help keep work and personal data separate. Available in Microsoft Edge 83, people who use multiple profiles can check it out by trying to navigate to a site authenticated with a work account while in their personal profile. As a huge number of people work from home during the COVID-19 crisis, Microsoft is about to add some more new features to Edge to make it more secure for those staying away from the office.

Hacker buys old Tesla parts on eBay, finds them full of user data

Tesla infotainment systems are a marvel to behold. Among other things, they display Netflix or YouTube videos, run Spotify, connect to Wi-Fi, and of course store phone numbers of contacts. But those benefits require storing heaps of personal information that an amateur researcher found can reveal owners’ most sensitive data. The researcher, who described himself as a “Tesla tinkerer that’s curious about how things work,” recently gained access to 13 Tesla MCUs (short for media control units) that were removed from electric vehicles during repairs and refurbishments. Each one of the devices stored a trove of sensitive information despite being retired. Examples included phonebooks from connected cell phones, call logs containing hundreds of entries, recent calendar entries, Spotify and Wi-Fi passwords stored in plaintext, locations for home, work, and all places navigated to, and session cookies that allowed access to Netflix and YouTube (and attached Gmail accounts).

The Firefox password manager now tells you when you use leaked passwords

Mozilla has released today Firefox 76 to the Stable desktop channel for Windows, macOS, and Linux. This new release comes with bug fixes, new features, and security patches. The highlight of the Firefox 76 release is a suite of new features added to Firefox’s built-in password manager, also known as Firefox Lockwise (available at about:logins). Starting with Firefox 76, Mozilla says that Lockwise will now begin prompting users to enter their Mac or Windows OS account credentials before revealing any passwords in cleartext. Mozilla said it added this feature at the request of the Firefox community. Firefox users complained that all a malicious threat actor had to do was to wait for the Firefox user to step away from their computer, then quickly access the Firefox built-in password manager to reveal and copy the user’s passwords onto a piece of paper.

Uber Eats’ new sharing feature makes it less painful to send your friends food

Uber Eats is introducing a new feature that lets customers send food to friends, family or coworkers and share details to make it easier to track the deliveries. Uber Eats customers have been able to order and send food to friends before, but in the past it required the sender to track the delivery and provide updates to the receiver. The new feature lets the person receiving the food track the delivery on their phone. As part of the rollout, Uber partnered with Starbucks to encourage U.S. customers to send a treat to friends through its #SendACup campaign that launched Wednesday. The feature is Uber’s latest effort to tap into the growing demand for delivered food during the COVID-19 pandemic, even as it has experienced huge drops in its ride-hailing business.

Facebook’s AI detects gender bias in text

In a technical paper published this week, Facebook researchers describe a framework that decomposes gender bias in text along several dimensions, which they used to annotate data sets and to pre-train and evaluate gender bias classifiers. If the experimental results are any indication, the team’s work might shed light on offensive language in terms of genderedness, and perhaps even control for gender bias in natural language processing (NLP) models. All data sets, annotations, and classifiers will be released publicly, according to the researchers. It’s an open secret that AI systems and the corpora on which they’re trained often reflect gender stereotypes and other biases; indeed, Google recently introduced gender-specific translations in Google Translate chiefly to address gender bias.
