AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – April 15, 2019

If you’ve ever had a voicemail appear out of nowhere, there’s a good chance Stratics Networks was involved. The Toronto-based company is the self-proclaimed inventor of “ringless voicemails,” providing its customers a way of auto-dialing a list of phone numbers and dropping voicemails without leaving a missed call. The system uses a backdoor voicemail number typically reserved by the carrier to leave a voicemail directly in a person’s mailbox. The company once claimed it can process up to 10,000 ringless voicemails per minute — if you pay for it. But the company left its back-end storage server open without a password, exposing thousands of outgoing and incoming recordings.
New research from Binghamton University, State University of New York, could make it easier to track and process suspicious activity in surveillance footage. Traditional surveillance cameras do not always detect suspicious activities or objects in a timely manner. To combat this issue, Binghamton University associate professor of electrical and computer engineering Yu Chen and his team developed a hybrid lightweight tracking algorithm known as Kerman (Kernelized Kalman filter). The research uses single board computers (SBCs) mounted on surveillance cameras to process videos and extract features that focus on enhanced detection of people, tracking their movement and recognizing behaviors for increased surveillance coverage.
A bipartisan bill introduced on Monday would require the Homeland Security Department to fund efforts by state and local governments to boost their cyber defenses. The Cyber Resiliency Act would create a federal grant program to support cybersecurity upgrades for governments that often lack the resources to fund their own endeavors. It would also mandate states that participate in the program work to improve recruitment and retention in their cyber workforce. “As cyberattacks increase in frequency and gravity, we must ensure that our nation—from our local governments on up—is adequately prepared to protect public safety and combat cyber threats,” said Sen. Mark Warner, D-Va., who cosponsored the bill with Sen. Cory Gardner, R-Colo. “Nearly 70 percent of states have reported that they lack adequate funding to develop sufficient cybersecurity. This bill will aim to mitigate that need by providing grants to state and local jurisdictions so that they are better prepared to take on these emerging challenges.”
A new Senate bill seeks to end those barrages of misleading prompts that say "turn on notifications" when they mean "give us all your everything." The Deceptive Experiences To Online Users Reduction (DETOUR) Act was introduced Tuesday by senators Deb Fischer (R-NE) and Mark R. Warner (D-VA). It could be included in a national data privacy bill being drafted by the Senate Commerce Committee, according to Sen. Warner in a CNBC interview (via Reuters). The bill takes aim at some of the sneakier tactics social media companies use to coerce people into handing over their personal information. It would also prohibit the companies from choosing groups of people for behavioral experiments without first obtaining informed consent. Online platforms that have over 100 million active users per month would also be prohibited from designing addictive games for children under the age of 13.
It’s just like the old saying: When you can’t hire them, offer to pay their student loan debt. Microsoft, Mastercard and Workday announced this week they’ve teamed with 11 federal government agencies as part of a Cybersecurity Talent Initiative meant to fill hundreds of thousands of open cybersecurity jobs. Graduating college students can apply for a two-year placement in a security role at the FBI, CIA or another agency. At the end of that two years they’ll be eligible for a position at one of those three companies, which will pay up to $75,000 of their student loan debt as part of their deal. The Cybersecurity Talent Initiative appears to be unique in the way it offers student loan assistance, but it’s hardly the only corporate effort meant to enhance an enterprise’s security posture.
A 3-year-old boy locked his father out of his iPad for more than 48 years by repeatedly entering the wrong passcode. The lockout is a security feature of Apple devices: each time the wrong passcode is entered, the device disables itself for a growing interval. Six wrong entries give a 1-minute lockout, seven give 5 minutes, eight give 15 minutes and nine give 1 hour, and the lockout time keeps growing with each further wrong entry. Evan Osnos tweeted a cry for help, letting the world know of the situation his toddler had put him in, reported Fox5. His tweet showed the locked iPad’s screen with the message “iPad is disabled, try again in 25,536,442 minutes.” 25,536,442 minutes is more than 48 years, so Osnos could get his iPad unlocked in 2067. The only remaining option is the “forgot your passcode” route, which restores the device and erases all of its current data.
Roughly 25% of the phishing emails found in a batch of 55 million analyzed emails were marked as clean by Office 365 Exchange Online Protection (EOP) and reached users’ inboxes, while another 5.3% were whitelisted by admin configurations instead of being blocked. The remaining 69.7% were blocked by Office 365 EOP, with 49% marked as spam and 20.7% tagged as "phishing." Overall, Avanan’s 2019 Global Phish Report found that 1 out of every 99 emails is part of a phishing attack that uses malicious attachments or links as the attack vector, a notable figure given that phishing is seen as a more serious security threat than malware.
OpenAI, the nonprofit research organization co-founded by Elon Musk, can claim a world first: its artificial intelligence system trained to play the complex strategy game Dota 2 has bested a world champion e-sports team today. The competition was held in San Francisco and dubbed the OpenAI Five Finals, ending the organization’s public demonstrations of its Dota-playing technology on a high note. The competition saw five top Dota 2 pros on team OG, which won the $25 million International Dota 2 tournament last year, face off in a best-of-three contest against the OpenAI Five bots, all trained using the same deep reinforcement learning techniques and controlled simultaneously by a single system. The performance is by far the highest-quality demonstration of OpenAI Five’s capabilities to date; the system had lost two games to less capable e-sports teams last August. According to Greg Brockman, OpenAI’s chief technology officer, OpenAI Five improves by playing against itself in an accelerated virtual environment.
Two security researchers disclosed details today about a group of vulnerabilities collectively referred to as Dragonblood that affect the Wi-Fi Alliance’s recently launched WPA3 Wi-Fi security and authentication standard. If exploited, the vulnerabilities would allow an attacker within range of a victim’s network to recover the Wi-Fi password and infiltrate the target’s network. In total, five vulnerabilities make up the Dragonblood set: a denial of service attack, two downgrade attacks, and two side-channel information leaks. While the denial of service attack is of limited importance, as it only crashes WPA3-compatible access points, the other four can be used to recover user passwords.
Significant changes to the Massachusetts data breach notification law take effect on April 11, 2019. You can view the amendment here. If you haven’t looked at your written information security plan, or WISP, in a while, now’s the time to dust it off. If you still haven’t gotten around to implementing one as required by 201 CMR 17 back in 2010, now’s the time to get going. The revisions to Chapter 93H require more detailed notifications to both the Massachusetts AG and the Office of Consumer Affairs and Business Regulation (OCABR) and to the affected individuals. They also require that entities experiencing a security breach provide credit monitoring to individuals if the breach includes the loss of a Social Security number.
Using cryptography and virtual drop boxes, Julian Assange’s WikiLeaks created a revolutionary new model for media to lure massive digitized leaks from whistleblowers, exposing everything from US military secrets to wealthy tax-dodgers’ illicit offshore accounts. Assange’s arrest in London Thursday on a US extradition request to face charges of computer crimes could spell the end of 13-year-old WikiLeaks. But his legacy will live long in the world’s media. News outlets and journalists everywhere can now offer to potential sources encrypted apps and secure virtual mailboxes to receive secrets that were once divulged by discreet whispers, furtive phone calls and unmarked manila envelopes. Skilled at hacking and cryptography — and motivated by a deep distrust of traditional institutions — Australia-born Assange took a cypherpunk’s libertarian streak to the challenge of government secrecy.
The lawyer for former CIA employee Joshua Schulte is unhappy that the spy agency is allowed to review communications with her client before she receives them and has accused the agency of trying to intimidate her. Schulte’s lawyer, Sabrina Shroff, appeared in a New York court on Wednesday and argued that the CIA was abusing attorney-client privilege as well as threatening her with future legal repercussions for receiving confidential material. "The CIA essentially has threatened us,” Shroff told the judge. Asked whether the spy agency was also listening in on her confidential conversations with her client, she responded: "We don’t know." The CIA believes that Schulte was behind a massive leak of material from the spy agency that outlined how it is able to install spy software on laptops and phones. But it has been unable to prove the assertion.
Authorities were investigating Saturday the online posting by a hacker group of the personal information of hundreds of federal agents and police officers apparently stolen from websites affiliated with alumni of the FBI’s National Academy. The Associated Press counted at least 1,400 unique records of employees of the FBI, Secret Service, Capitol Police, U.S. Park Police and other federal agencies as well as police and sheriffs’ deputies in North Carolina and Florida. The records included home addresses and phone numbers, emails and employers’ names. The FBI National Academy Associates said in a statement that the information, posted late Thursday, appears to come from the websites of three local chapters of the nonprofit, which claims nearly 17,000 members nationwide and in 174 countries.
Social networks Facebook and Instagram, as well as messaging service WhatsApp, were unavailable on Sunday for more than three hours, users said. The website Down Detector reported that thousands of people globally had complained about the Facebook-owned trio being down from 11.30 BST onwards. Facebook users were presented with the message: "Something went wrong." At 14:50, the site said it had resolved the issue after some users "experienced trouble connecting" to the apps. A spokesman for the company added: "We’re sorry for any inconvenience." Facebook did not comment on the cause of the problem, or say how many users had been affected.
A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin exposes WordPress websites to attack. The flaw could be exploited by attackers to update arbitrary options on vulnerable installations. Early this week, the plugin was removed from the WordPress.org repository. It has been estimated that the plugin is installed on over 30,000 websites. Experts at security firm Wordfence observed a high volume of attempts to exploit the vulnerability after a security researcher publicly disclosed a proof of concept (POC) this week for a set of two software vulnerabilities affecting the plugin. “On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin,” reads the blog post published by Wordfence.
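The item above does not describe the plugin’s actual code, and the example below is not taken from it. It is an added, generic illustration of why “update arbitrary options” in a WordPress plugin amounts to privilege escalation, showing the pattern in its weak form beside a hardened one. The hook names, action names, option names and parameter names are hypothetical; the WordPress API calls (add_action, update_option, check_ajax_referer, current_user_can, wp_send_json_error, wp_send_json_success, sanitize_key, sanitize_text_field, wp_unslash) are real core functions.

```php
<?php
// Added example, not code from the Yellow Pencil plugin. Hook, action and
// option names below are hypothetical ("yp_demo_*").

// WEAK PATTERN: an early hook reachable by any visitor, gated only by a
// request parameter the attacker controls, writing whichever option name the
// request supplies. No authentication, no authorisation, no CSRF token.
add_action( 'init', 'yp_demo_weak_handler' );
function yp_demo_weak_handler() {
    if ( isset( $_GET['yp_demo_save'] ) ) {
        // Any unauthenticated request reaches this line. An attacker can set
        // e.g. users_can_register=1 and default_role=administrator, then
        // register an admin account, which is the classic escalation route.
        update_option( sanitize_key( $_POST['name'] ), wp_unslash( $_POST['value'] ) );
        wp_die();
    }
}

// HARDENED PATTERN: three independent checks, each of which would have
// stopped the attack on its own.
add_action( 'wp_ajax_yp_demo_save', 'yp_demo_hardened_handler' ); // logged-in users only
function yp_demo_hardened_handler() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    check_ajax_referer( 'yp_demo_save', 'nonce' );

    // 2. Authorisation: a nonce proves intent, not permission. Only users who
    //    may change site settings get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list: the plugin writes only its own options, never a
    //    caller-chosen name such as default_role or siteurl.
    $allowed = array( 'yp_demo_accent_color', 'yp_demo_font_size' );
    $name    = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, grep for update_option calls and trace backwards: the write is only as safe as the weakest of the three gates in front of it. A capability check with no nonce still permits CSRF against a logged-in admin; a nonce with no capability check lets any subscriber with a valid token through; and neither matters if the option name itself comes from the request.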
Oculus, Facebook’s virtual reality subsidiary, has fessed up to what might be the weirdest ever data leak. OK, so it might not actually be a data leak at all, even though messages that weren’t supposed to be released seem to have got out. And even if it is a data breach, it’s kind of cool – did we say that aloud, or just think it? – and may end up making the affected devices more sought after, and worth more money on online auction sites, than vanilla ones. At any rate, if we were a Data Privacy Officer – a job that we suspect might be thin on opportunities for fun, games and humour – we’d be cracking a smile at this one, if not breaking into laughter, instead of reaching for our breach report forms. The leaked messages are, literally and physically, printed characters that ended up hidden inside “tens of thousands” of new Oculus motion controllers.