AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 9/11/2019

Toyota Parts Supplier Hit By $37 Million Email Scam

The Toyota Boshoku Corporation, a major supplier of Toyota auto parts, reported some distressing news this week. Fraudsters fleeced the company via an email scam to the tune of about ¥4 billion (JPY). That works out to just over $37 million at today’s exchange rate. On August 14th, attackers managed to convince someone with financial authority to change the account information on an electronic funds transfer. Both Toyota Boshoku Corporation and its subsidiary have been in contact with law enforcement officials, and an investigation is under way.


Monster.com job applicants info exposed on unprotected server

Personal details from resumes and CVs of job seekers were exposed after a server belonging to a recruitment company that was a customer of Monster.com and others was left unprotected. Monster.com, which learned of the breach in August, did not initially alert potential victims to the exposure, contending that notification responsibility lay with the recruitment company that “owned” the data. Information exposed included work history, phone numbers, email addresses and home addresses on resumes submitted between 2014 and 2017.


Oklahoma pension fund reports $4.2 million cyber theft

Officials with the pension system for retired Oklahoma Highway Patrol troopers and other state law enforcement officers say the FBI is investigating after computer hackers stole $4.2 million in funds. A notice posted on the Oklahoma Law Enforcement Retirement System website on Friday said no pension benefits of any members are at risk.


Cyber-security incident at US power grid entity linked to unpatched firewalls

A cyber-security incident that impacted a US power grid entity earlier this year was not as dangerous as initially thought, the North American Electric Reliability Corporation (NERC) said last week. In a report highlighting the “lessons learned” from a past incident, NERC said hackers repeatedly caused firewalls to reboot for about ten hours, on March 5, 2019. The incident impacted firewalls deployed at multiple power generation sites operated by a “low-impact” operator and did not cause any disruption in the electric power supply.


Private Instagram posts and stories can be shared publicly using just a web browser

Instagram has a security flaw in the way it handles posts on accounts that have been set to private, BuzzFeed reported today. The report illustrates how a series of mouse clicks on any web browser can expose the persistent URL of private posts and stories cached on Facebook servers. Anyone can use a web browser, like Google Chrome, to inspect the source code on a web page using the “Inspect Elements” tool. By tabbing over to the “Img” section of the Network header, you’re able to find the URL of any Instagram image you’ve clicked on, be it a disappearing story or a photo posted to a user’s feed. That URL can then be shared and the photo viewed by anyone, including people who do not follow the private account in question.


Web scraping doesn’t violate anti-hacking law, appeals court rules

Scraping a public website without the approval of the website’s owner isn’t a violation of the Computer Fraud and Abuse Act, an appeals court ruled on Monday. The ruling comes in a legal battle that pits Microsoft-owned LinkedIn against a small data-analytics company called hiQ Labs. HiQ scrapes data from the public profiles of LinkedIn users, then uses the data to help companies better understand their own workforces. After tolerating hiQ’s scraping activities for several years, LinkedIn sent the company a cease-and-desist letter in 2017 demanding that hiQ stop harvesting data from LinkedIn profiles. Among other things, LinkedIn argued that hiQ was violating the Computer Fraud and Abuse Act, America’s main anti-hacking law.


European police arrest Dark Web counterfeit currency traders

Europol has announced the arrest of members of one of Europe’s most prolific counterfeit currency networks. Believed to be the second-largest known counterfeit currency ring operating in the web’s underbelly, the network has now been dismantled following the arrest of five individuals suspected of being involved in the creation of fake currency, Europol said on Monday. The Portuguese Judicial Police (Polícia Judiciária) arrested the suspects, who have not been named. Each, however, is accused of counterfeiting and organized crime.


Boy Scouts’ information exposed during brief data breach

Boy Scouts nationwide sell popcorn to raise funds for activities like camping trips — just like Girl Scouts sell cookies. To facilitate the sales process, Boy Scouts of America uses a third-party fundraising organization called Trails End. Last week, Trails End said it notified Boy Scouts of America and local councils of “a data incident” that a web developer noticed. Certain information — including children’s full names, dates of birth, email addresses, phone numbers, parent names, favorite product and affiliation (council, district, unit) — was visible through a search.


Data breach may affect 50,000 Australian university students using ‘Get’ app

The personal details of an estimated 50,000 students involved in university clubs and societies around Australia may have been exposed online, in the second breach of its kind for the company holding the data. Get, previously known as Qnect, is an app built for university societies and clubs to facilitate payments for events and merchandise. The app operates in four countries, with 159,000 active student users and 453 clubs using it. A user on Reddit reported over the weekend that after looking up their own club they were able to get access to other users’ data, including name, email, date of birth, Facebook ID and phone numbers, through the company’s search function API.


Secret Service Investigates Breach at U.S. Govt IT Contractor

The U.S. Secret Service is investigating a breach at a Virginia-based government technology contractor that saw access to several of its systems put up for sale in the cybercrime underground, KrebsOnSecurity has learned. The contractor claims the access being auctioned off was to old test systems that do not have direct connections to its government partner networks. In mid-August, a member of a popular Russian-language cybercrime forum offered to sell access to the internal network of a U.S. government IT contractor that does business with more than 20 federal agencies, including several branches of the military. The seller bragged that he had access to email correspondence and credentials needed to view databases of the client agencies, and set the opening price at six bitcoins (~USD $60,000).


UNICEF data leak reveals personal info of 8,000 online learners

The United Nations children’s agency, UNICEF, has inadvertently leaked personal information belonging to thousands of users of its online learning portal Agora. The website offers free training courses to UNICEF staff and members of the public on issues such as child rights, humanitarian action, research, and data. On Aug. 26, an email containing personal details of 8,253 users enrolled in courses on immunization went out to nearly 20,000 Agora users.


Google to run DNS-over-HTTPS (DoH) experiment in Chrome

Google has announced plans to officially test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users’ browsing histories by recording and looking at their unencrypted DNS data.
