AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets – April 22, 2019

A security flaw in a Shopify API endpoint has been discovered by a researcher which can be exploited to leak the revenue and traffic data of thousands of stores. Application security engineer and bug bounty hunter Ayoub Fathi disclosed his findings in a Medium blog post this week. Shopify, which accounts for over 800,000 merchants in more than 175 countries, set up a new API over the past year which gained Fathi's interest. This API was meant to be used to internally fetch sales data for graph presentations, but the system was found to be leaking the revenue data of two unnamed Shopify stores, one of which had been removed from the platform.


2 Google Pulls Selfie App With Over 50 Million Downloads for Secretly Clicking Ads

Six apps have reportedly been removed from the Google Play Store after a Buzzfeed investigation found that they were involved in ad fraud. The apps, which were all tied to Chinese app developer DU Group, were fraudulently clicking on ads and didn’t disclose to users that they were sending their data to China. The DU Group apps collectively had over 90 million downloads. This includes the massively popular Selfie Camera app, which has over 50 million downloads. Researchers reportedly found that this app had code that not just clicked on ads to generate revenue without the user’s consent, but could do so without the app running. This is a huge battery suck and an egregious violation of Google’s Play Policy. When contacted by Gizmodo, a spokesperson for Google confirmed that the 6 apps have been suspended from Google Play for policy violations, including ad fraud.


3 Emotionally intelligent AI will respond to how you feel

Artificial intelligence offers us an opportunity to amplify service and the integration of technology in everyday lives many times over. But until very recently, there remained a significant barrier in how sophisticated the technology could be. Without a complete understanding of emotion in voice and how AI can capture and measure it, inanimate assistants (voice assistants, smart cars, robots and all AI with speech recognition capabilities) would continue to lack key components of a personality. This barrier makes it difficult for an AI assistant to fully understand and engage with a human operator the same way a human assistant would. This is starting to change. Rapid advances in technology are enabling engineers to program these voice assistants with a better understanding of the emotions in someone’s voice and the behaviors associated with those emotions. The better we understand these nuances, the more agile and emotionally intelligent our AI systems will become.


4 Amazon is now making its delivery drivers take selfies

Amazon is now making its delivery drivers take selfies, it confirmed to The Verge, in a bid to reduce fraud. Using facial recognition, the company will verify drivers’ identities to make sure they are who they say they are. The new requirements appeared on the Amazon Flex app to drivers, notifying them that they needed to take a selfie before continuing work. Of course, Amazon warns drivers to “not take a selfie while driving.” By asking drivers to take selfies, Amazon could be preventing multiple people from sharing the same account. These efforts could screen out anyone who is technically unauthorized from delivering packages, such as criminals who are attempting to use Amazon Flex as an excuse to lurk in front of people’s homes. In the past, Amazon has also had a problem with dishonest drivers who steal packages, and it has even used fake packages to lure out thieves. The selfie requirement likely won’t help with these efforts, however: after all, a thief can be exactly who they say they are and pass the selfie test.


5 Stop what you’re doing, and gaze upon this PC made out of pasta

Everybody loves pasta. It’s a cheap source of calories, it’s easy to cook, and it comes in lots of cute shapes like bow ties. It’s so great that, perhaps a little unfairly, it’s become a little pigeonholed as just being a food. Now, thanks to a new pasta-based PC build spotted by Motherboard, those days are finally coming to an end. The build is courtesy of YouTuber Laplanet Arts, who embarked on the project after his wife joked about making a PC out of pasta… so that’s exactly what he did. The machine is based on the hardware from an old Asus Transformer convertible tablet, which he stripped out of its old chassis and built into a new case made entirely out of lasagna and rigatoni.


6 Acting SecDef Shanahan on the Mueller report: US has ‘tremendous capability’ to counter Russian hackers

The Russians are not the only game in town when it comes to cyberwarfare, Acting Defense Secretary Patrick Shanahan said on Thursday amid revelations in the Mueller report about how Russian intelligence officers interfered with the 2016 presidential election. Released on Thursday, a redacted copy of the report details how the GRU – Russian military intelligence – broke into government, company, and personal computers to steal a treasure trove of information that was used to smear Hillary Clinton. But the U.S. government is not helpless against Russian hackers, said Shanahan, who has not read the Mueller report. "The Russians present a risk," Shanahan told reporters on Thursday. "My job is to manage the risk. We have tremendous capability at Cyber Command and the NSA."


7 Source code of Iranian cyber-espionage tools leaked on Telegram

In an incident reminiscent of the Shadow Brokers leak that exposed the NSA's hacking tools, someone has now published similar hacking tools belonging to one of Iran's elite cyber-espionage units, known as APT34, OilRig, or HelixKitten. The hacking tools are nowhere near as sophisticated as the NSA tools leaked in 2017, but they are dangerous nevertheless. The tools have been leaked since mid-March on a Telegram channel by an individual using the Lab Dookhtegan pseudonym. Besides hacking tools, Dookhtegan also published what appears to be data from some of APT34's hacked victims, mostly comprising username and password combinations that appear to have been collected through phishing pages.


8 Security researcher MalwareTech pleads guilty

Marcus "MalwareTech" Hutchins, the British security researcher known for stopping the WannaCry ransomware outbreak, has pleaded guilty today to writing malware in the years prior to his prodigious career as a malware researcher. "I regret these actions and accept full responsibility for my mistakes," Hutchins wrote in a statement posted on his website. "Having grown up, I've since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks."


9 Some internet outages predicted for the coming month as '768k Day' approaches

An internet milestone known as "768k Day" is getting closer and some network administrators are shaking in their boots fearing downtime caused by outdated network equipment. The fear is justified, and many companies have taken precautions to update old routers, but some cascading failures are still predicted. The term 768k Day comes from the original mother of all internet outages known as 512k Day. 512k Day happened on August 12, 2014, when hundreds of ISPs from all over the world went down, causing billions of dollars in damages due to lost trade and fees caused by a lack of internet connectivity or packet loss. The original 512k Day took place because routers ran out of memory for storing the global BGP routing table, a file that holds the IPv4 addresses of all known internet-connected networks. Most network administrators followed documentation provided at the time and set the new upper limit at 768,000, aka 768k. 768k Day is estimated to happen within the next month.
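The practical defence against a repeat of 512k Day is to know, before the global table grows past it, how close a router's IPv4 prefix count sits to the slot limit it has been configured with. The script below is an added example, not code from the original post or from any vendor: it parses a constructed "network entries" summary line (loosely modelled on a BGP summary, not captured from a real device), compares the count to an assumed slot limit, and reports ok/warning/critical/exceeded so a monitoring job can alert well before the limit is hit. The 90% and 97% thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample output, loosely modelled on a BGP summary line;
# not captured from any real device.
SAMPLE_SUMMARY = """\
BGP router identifier 192.0.2.1, local AS number 64496
BGP table version is 1234567, main routing table version 1234567
761234 network entries using 121797440 bytes of memory
"""

NETWORK_ENTRIES_RE = re.compile(r"^(\d+) network entries", re.MULTILINE)


def parse_network_entries(summary_text):
    """Return the number of IPv4 network entries reported in the summary.

    Raises ValueError if the expected line is missing, so a monitoring job
    fails loudly instead of silently reporting zero routes.
    """
    match = NETWORK_ENTRIES_RE.search(summary_text)
    if match is None:
        raise ValueError("no 'network entries' line found in summary output")
    return int(match.group(1))


def headroom(entries, limit, warn=0.90, crit=0.97):
    """Compare a prefix count against the configured routing-table slot limit.

    `limit` is the number of IPv4 prefix slots the router has allocated
    (for example the 768,000 figure many operators chose after 512k Day).
    The warn/crit fractions are assumed values for this example.
    Returns a dict with the free slots, the fraction used and a status of
    'ok', 'warning', 'critical' or 'exceeded'.
    """
    if limit <= 0:
        raise ValueError("limit must be positive")
    used = entries / limit
    if entries >= limit:
        status = "exceeded"
    elif used >= crit:
        status = "critical"
    elif used >= warn:
        status = "warning"
    else:
        status = "ok"
    return {
        "entries": entries,
        "limit": limit,
        "free_slots": max(limit - entries, 0),
        "used_fraction": round(used, 4),
        "status": status,
    }


def check(summary_text, limit=768_000):
    """Parse the summary text and evaluate it against the slot limit."""
    return headroom(parse_network_entries(summary_text), limit)


if __name__ == "__main__":
    # Show the same table against the old 512k limit, the common 768k
    # limit, and a raised 1M allocation.
    for slot_limit in (512_000, 768_000, 1_000_000):
        result = check(SAMPLE_SUMMARY, limit=slot_limit)
        print(f"limit={slot_limit:>9,}  status={result['status']:<9} "
              f"free={result['free_slots']:,}")
```

Run against the constructed sample, the same 761,234-entry table is already over a 512k allocation, sits in the critical band against 768k, and is comfortably within a 1,000,000-slot allocation, which is the point of the reallocation work the article describes: the fix is capacity planning and monitoring, not waiting for the table to overflow.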


10 Facebook urged to tackle spread of fake profiles used by US police

The Electronic Frontier Foundation (EFF) has called on Facebook to address the proliferation of undercover law enforcement accounts on the social networking site following a Guardian report that revealed a secret network of accounts operated by US Immigration and Customs Enforcement (Ice). EFF, a digital civil liberties not-for-profit, said law enforcement agencies are able to create fake accounts to spy on users, despite Facebook’s policy which prohibits all users, including government agencies, from making them. “Facebook’s practice of taking down these individual accounts when they learn about them from the press (or from EFF) is insufficient to deter what we believe is a much larger iceberg beneath the surface,” wrote EFF’s senior investigative researcher, Dave Maass, in a blogpost. “We often only discover the existence of law enforcement fake profiles months, if not years, after an investigation has concluded.”
