AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – April 12, 2019

1 Android 7.0+ Phones Can Now Double as Google Security Keys

Google this week made it easier for Android users to enable strong 2-factor authentication (2FA) when logging into Google’s various services. The company announced that all phones running Android 7.0 and higher can now be used as Security Keys, an additional authentication layer that helps thwart phishing sites and password theft. As first disclosed by KrebsOnSecurity last summer, Google maintains it has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes.


2 Amazon Workers Are Listening to What You Tell Alexa

Tens of millions of people use smart speakers and their voice software to play games, find music or trawl for trivia. Millions more are reluctant to invite the devices and their powerful microphones into their homes out of concern that someone might be listening. Sometimes, someone is. Amazon.com Inc. employs thousands of people around the world to help improve the Alexa digital assistant powering its line of Echo speakers. The team listens to voice recordings captured in Echo owners’ homes and offices. The recordings are transcribed, annotated and then fed back into the software as part of an effort to eliminate gaps in Alexa’s understanding of human speech and help it better respond to commands.


3 Yahoo could pay $117.5 million to settle data breach

Yahoo is back in the courtroom with a revised settlement proposal meant to make amends for its massive data breaches. If this proposal is approved, the company will pay $117.5 million. Between 2013 and 2016, Yahoo had three separate breaches. The first leaked information from an estimated three billion accounts and is now the largest data breach in history. Yahoo's 2014 breach, which exposed 500 million users, follows close behind. In January, Judge Lucy Koh rejected Yahoo's first settlement proposal. It called for a $50 million payout and two years of free credit monitoring for about 200 million people in the US and Israel. But Koh rejected the initial proposal because it didn't say how much the settlement was worth or how much victims might expect to recover. Now, it's up to Koh to decide if this proposal gets it right.


4 DHS, FBI say election systems in all 50 states were targeted in 2016

A joint intelligence bulletin (JIB) has been issued by the Department of Homeland Security and Federal Bureau of Investigation to state and local authorities regarding Russian hacking activities during the 2016 presidential election. While the bulletin contains no new technical information, it is the first official report to confirm that the Russian reconnaissance and hacking efforts in advance of the election went well beyond the 21 states confirmed in previous reports. As reported by the intelligence newsletter OODA Loop, the JIB stated that, while the FBI and DHS "previously observed suspicious or malicious cyber activity against government networks in 21 states that we assessed was a Russian campaign seeking vulnerabilities and access to election infrastructure," new information obtained by the agencies "indicates that Russian government cyber actors engaged in research on—as well as direct visits to—election websites and networks in the majority of US states."


5 Tens of thousands of cars were left exposed to thieves due to a hardcoded password

The maker of a popular vehicle telematics system has left hardcoded credentials inside its mobile apps, leaving tens of thousands of cars vulnerable to hackers. Security updates that remove the hardcoded credentials have been made available for both the MyCar Android and iOS apps since mid-February, the security researcher who found this issue told ZDNet today. Similarly, the hardcoded credentials were also removed on the server-side to prevent any abuse against users who failed to update their apps. The vulnerability, tracked as CVE-2019-9493, impacts the MyCar telematics system sold by Quebec-based Automobility Distribution. For ZDNet readers unaware of the term, vehicle telematics refers to hardware components that car owners can install in their vehicles to provide 2G/3G-based remote control capabilities over certain car features.
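The MyCar item is a reminder that credentials baked into an app package are readable by anyone who unpacks it, so app reviewers run static checks for them before release. The following is an added example, not code from the ZDNet story, the researcher, or Automobility Distribution: a small heuristic scanner over the kinds of text files that ship inside an Android package (a `strings.xml`, a `.properties` file, and a Kotlin source file). The file contents, paths and secret values are constructed for the example; the key-name patterns are a deliberately simple heuristic and will need tuning for a real code base.

```python
"""Heuristic static check for hardcoded credentials in app resources.

Added example (not code from the original page or from the MyCar app).
Scans text files that ship in an app package for literal secrets:
  - <string name="...">...</string> entries in Android strings.xml
  - key=value lines in .properties files
  - NAME = "literal" assignments in source
  - scheme://user:pass@host credentials embedded in URLs
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Credential-like key names. No word boundaries on purpose, so that
# SERVICE_PASSWORD and db.password both match (a heuristic, so it will
# also flag the occasional false positive such as "secretary").
SECRET_KEY_RE = re.compile(r"(?i)(password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|access[_-]?key)")
XML_STRING_RE = re.compile(r'<string\s+name="([^"]+)"\s*>([^<]*)</string>')
PROP_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.+?)\s*$")
SRC_ASSIGN_RE = re.compile(r'\b([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]{4,})"')
URL_CRED_RE = re.compile(r"[a-z][a-z0-9+.\-]*://([^/\s:@]+):([^/\s@]+)@")

# Values that mean "filled in at build time", not a real secret.
PLACEHOLDERS = {"", "changeme", "todo", "xxx", "your_api_key"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str
    reason: str


def _is_placeholder(value: str) -> bool:
    v = value.strip().strip("\"'").lower()
    return v in PLACEHOLDERS or v.startswith("${") or v.startswith("@string/")


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that carries a literal credential."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = URL_CRED_RE.search(line)
        if m:
            findings.append(Finding(path, lineno, m.group(1), "credentials embedded in URL"))
            continue
        # First pattern that matches the line's shape decides; the others
        # are not tried, so an XML line is never re-read as a source assignment.
        for rx in (XML_STRING_RE, PROP_RE, SRC_ASSIGN_RE):
            m = rx.search(line)
            if m:
                key, value = m.group(1), m.group(2)
                if SECRET_KEY_RE.search(key) and not _is_placeholder(value):
                    findings.append(Finding(path, lineno, key, "literal value for credential-like key"))
                break
    return findings


def scan_package(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} map, as one would build from an unpacked APK."""
    out: list[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample files (not from any real app).
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">TelematicsDemo</string>\n'
        '    <string name="api_password">hunter2</string>\n'
        '    <string name="api_key">${API_KEY}</string>\n'
        "</resources>\n"
    ),
    "assets/app.properties": (
        "server.url=https://svc-admin:Passw0rd@api.example.invalid/v1\n"
        "db.password=changeme\n"
        "push.secret=abc123def456\n"
    ),
    "src/ApiConfig.kt": (
        "object ApiConfig {\n"
        '    const val BASE_URL = "https://api.example.invalid"\n'
        '    const val SERVICE_PASSWORD = "s3cr3t-telematics"   // hardcoded\n'
        '    val sessionToken: String get() = SecureStore.read("session")\n'
        "}\n"
    ),
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.key}: {f.reason}")
```

On the constructed sample the scanner reports four lines: the `api_password` string resource, the URL with embedded credentials, `push.secret`, and the `SERVICE_PASSWORD` constant. The `${API_KEY}` resource, the `changeme` placeholder and the value read from `SecureStore` at runtime are not reported, which is the pattern the fix described above moves toward: the secret is supplied at build or run time rather than shipped in the package.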


6 T-Mobile promises 5G will cover 99% of California homes after Sprint merger

While T-Mobile’s merger with Sprint continues to await final federal regulatory approvals — notably focusing on whether the $26 billion deal will decrease cellular competition — California has negotiated written guarantees that the carriers will dramatically improve their coverage in the state, including 5G coverage for 99% of California households. The only obstacle: California’s Public Utilities Commission (CPUC) must approve the merger, which it previously questioned, to get the benefits. Under the deal negotiated with the California Emerging Technology Fund (spotted by the Sacramento Business Journal), the post-merger “New T-Mobile” is committing to funding at least 10 different California initiatives. The boldest is the promised 99% 5G blanket, a presently immeasurable expense that will be audited by independent third-party testers using high-resolution coverage maps.


7 Two robocallers fined $3m for Google listings scam

Two robocall scammers have been fined over $3 million in a US court for defrauding small businesses. The pair pretended to represent Google and falsely took unwitting business owners’ money in return for the promise of better search results. Judge Cecilia Altonaga fined Dustin Pillonato and Justin Ramsey, owners of Pointbreak Media, LLC and Modern Source Media LLC, $3,367,666.30 for their robocalling campaign. According to a court affidavit filed last May, they used their robocall system to phone small businesses offering Google listing ‘claiming and verification’ services. They said that they were affiliated with Google and warned them that their businesses would be removed from Google search results unless they paid up. It was, in short, a shakedown. As in, ‘nice search ranking you’ve got there. It’d be a shame if something happened to it.’ They went further, though, trying to upsell the victims with extra services like higher rankings on certain keywords. When victims paid up, they got nothing.


8 WikiLeaks' Julian Assange arrested in London; U.S. seeks extradition on hacking charges

The Justice Department revealed Thursday that it has charged Julian Assange with computer hacking hours after the fugitive founder of WikiLeaks was arrested in London on behalf of a U.S. request to extradite him. Assange, the publisher of state secrets that embarrassed governments around the world, was wanted in Britain for skipping bail in 2012, when he was under investigation in Sweden on charges of sexual assault and rape. He spent almost seven years living in the Ecuadorian Embassy in London to avoid extradition to the U.S. Assange is charged with one count of "conspiracy to commit computer intrusion for agreeing to break a password to a classified U.S. government computer," according to the indictment released Thursday by the U.S. Attorney for the Eastern District of Virginia. If convicted, he faces up to five years in prison.


9 This AI-generated sculpture is made from the shredded remains of the computer that designed it

AI art is having a moment. There are record-breaking auctions, artistic controversies, and debates about the nature of creativity. But here’s something new: an AI-generated sculpture made from the ground remains of the computer used to design it. It’s the work of New York artist Ben Snell, and is currently up for sale at London auction house Phillips. It’s perhaps the third significant auction of AI art in recent months, but it’s the first sculpture to go under the hammer. Christie’s sold a printed AI portrait last October while Sotheby’s auctioned a video installation of AI art back in March. Snell’s piece, named Dio, follows the basic methodology of these earlier works. Machine learning algorithms are used to scan and digest a database of historical artworks, and then attempt to reproduce the data they’ve seen, with their output guided by the artist.

