AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 9/4/2019

Over 47,000 Supermicro servers are exposing BMC ports on the internet

More than 47,000 workstations and servers running on Supermicro motherboards are currently open to attack because administrators have left an internal component exposed on the internet. These systems are affected by a new set of vulnerabilities named USBAnywhere in the baseboard management controller (BMC) firmware of Supermicro motherboards. Patches are available to fix the USBAnywhere vulnerabilities, but Supermicro and security experts recommend restricting access to BMC management interfaces from the internet, as a precaution and industry best practice.

XKCD forum goes offline after discovery of data leak affecting 562K members

XKCD forum, the bulletin board associated with the popular webcomic XKCD, has been taken offline after personal information of more than 562,000 members was exposed online. According to security researcher Troy Hunt, the breach occurred two months ago (on July 1, 2019). The compromised data has been added to breach alerting site Have I Been Pwned (HIBP). “We’ve been alerted that portions of the PHPBB user table from our forums showed up in a leaked data collection,” XKCD said in a notice. “It is likely that it was gathered up in some automated scan taking advantage of a vulnerability in the forum software.”

Data Leak Impacts Millions of Yves Rocher Cosmetics Company Customers

Cosmetics giant Yves Rocher is warning that a giant data leak exposed the personal data of millions of its customers and reams of sensitive internal company information to the public. The data exposure stems from a database left unprotected by a third-party consultant to the firm. Researchers with vpnMentor on Monday said that they discovered an unprotected Elasticsearch server owned by Aliznet, which provides consulting services to large firms including IBM, Salesforce, Sephora and Louboutin. The server contained data about international cosmetics and beauty brand Yves Rocher, one of Aliznet’s clients, and exposed the full personally identifiable information of millions of Yves Rocher customers.

Google says a fix for that obnoxious Calendar spam issue is on the way

Google says it’s hard at work resolving an issue that allows malicious third parties to hijack your Google Calendar with unremovable spam invites. As noted by Engadget this morning, Google posted to its Calendar Help forums yesterday to say that it’s aware of the issue and “working diligently” to fix it. “We’re aware of the spam occurring in Calendar and are working diligently to resolve this issue. We’ll post updates to this thread as they become available,” the post reads.

Data breach compromises students’ personal information in dozens of CNY school districts

Up to a dozen school districts in Central New York, including North Syracuse and Fayetteville-Manlius, have been affected by a Pearson data breach. Pearson is a London-based firm that’s one of the largest publishers of print and digital textbooks. Their software monitors kids’ reading and writing scores all the way into high school. A spokesperson explained they’re informing all schools impacted by the breach and leaving it to those schools to inform their communities. The company claims only names, addresses and dates of birth were compromised.

BEC overtakes ransomware and data breaches in cyber-insurance claims

Business email compromise (BEC) has overtaken ransomware and data breaches as the main reason companies filed a cyber-insurance claim in the EMEA (Europe, the Middle East, and Asia) region last year, said insurance giant AIG. According to statistics published in July, AIG said that BEC-related insurance filings accounted for nearly a quarter (23%) of all cyber-insurance claims the company received in 2018.

Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran

For years, an enduring mystery has surrounded the Stuxnet virus attack that targeted Iran’s nuclear program: How did the U.S. and Israel get their malware onto computer systems at the highly secured uranium-enrichment plant? The first-of-its-kind virus, designed to sabotage Iran’s nuclear program, effectively launched the era of digital warfare and was unleashed sometime in 2007, after Iran began installing its first batch of centrifuges at a controversial enrichment plant near the village of Natanz. The courier behind that intrusion, whose existence and role have not been previously reported, was an inside mole recruited by Dutch intelligence agents at the behest of the CIA and the Israeli intelligence agency, the Mossad, according to sources who spoke with Yahoo News.

Phishers are Angling for Your Cloud Providers

Many companies are now outsourcing their marketing efforts to cloud-based Customer Relationship Management (CRM) providers. But when accounts at those CRM providers get hacked or phished, the results can be damaging for both the client’s brand and their customers. Here’s a look at a recent CRM-based phishing campaign that targeted customers of Fortune 500 construction equipment vendor United Rentals.

FBI asks Google for help finding criminals

The Verge reports that FBI agents issued the search and advertising giant with a warrant in November 2018, seeking its help with a bank robbery the month before. The robbery took place at 9:02am on 13 October 2018 at the Great Midwest Bank in Hartland, Wisconsin. Two robbers entered the building, one of them waving a handgun and forcing staff to the floor. He filled a plastic bag with cash and demanded the key to the vault. He took three drawers of cash from the vault, and then both robbers left the building by the back door. The whole thing took just seven minutes. Investigators, hitting a brick wall, turned to Google.

Tesla Malfunction Locks Out Owners Who Depended on App for Entry, Forces Them to Scramble for ‘Keys’

The Next Web reported that a number of people tweeted out their frustrations on Monday when they were “locked out” of their cars due to phone app issues. Downdetector, a tracker for users to report technical difficulties with web-based services, also showed that many users were having trouble with Tesla’s app. A Tesla spokesperson confirmed to Gizmodo that Tesla’s app was temporarily unavailable on Monday but full functionality was soon restored. Tweets suggest the app was down for around three hours, if not longer.

QR codes need security revamp, says creator

Museums use them to bring their paintings to life. Restaurants put them on tables to help customers pay their bills quickly. Tesco even deployed them in subway stations to help create virtual stores. QR codes have been around since 1994, but their creator is worried. They need a security update, he says. Engineer Masahiro Hara dreamed up the matrix-style barcode design for use in Japanese automobile manufacturing, but, as many technologies do, it took off as people began using it in ways he hadn’t imagined. His employer, Denso, made the design available for free. Now, people plaster QR codes on everything from posters to login confirmation screens.

YouTube reportedly to be fined up to $200m over COPPA investigation

Google has reportedly agreed to pay between $150 million and $200 million to resolve the FTC’s investigation into YouTube and its allegedly illegal tracking and targeting of kids who use the video streaming service. In June, people familiar with the matter told news outlets that the Federal Trade Commission (FTC) was nearing the end of an investigation into YouTube’s alleged failure to protect the kids who use the Google-owned service. That was followed by letters sent to the FTC about the matter from children’s privacy law co-author Senator Edward Markey and two consumer privacy groups. They urged the FTC to do whatever it takes to figure out if YouTube has violated the law protecting children and, if so, to make it shape up and stop.

‘Deepfake’ app causes fraud and privacy fears in China

An artificial-intelligence app that allows users to insert their faces in place of those of film and TV characters has caused controversy in China. Zao has sparked privacy fears and suggestions it could be used to defeat systems using facial recognition. It appeared in China on 29 August and has proven wildly popular. But it has led to its developer, Momo, apologising for its end-user agreement, which stripped users of the rights to their images. And as the app went viral, Zao’s owners aired fears that users were devouring its expensively purchased server capacity.