AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets – April 26, 2019

A US judge gave the cops permission to force people's fingers onto seized iPhones to see who could unlock them, a newly unsealed search warrant has revealed. Specifically, Judge Judith Dein, of the federal district court of Massachusetts, gave agents from the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) the right to press Robert Brito-Pina's fingers on any iPhone found in his apartment in Boston. The bloke was suspected of trafficking guns, hence the application for a search warrant. In fact, anyone nabbed at the property would be forced to use their fingers to unlock any cellphones seized at the home, according to the court filing.

2 Coming to store shelves: cameras that guess your age and sex

Eyeing that can of soda in the supermarket cooler? Or maybe you’re craving a pint of ice cream? A camera could be watching you. But it’s not there to see if you’re stealing. These cameras want to get to know you and what you’re buying. It’s a new technology being trotted out to retailers, where cameras try to guess your age, gender or mood as you walk by. The intent is to use the information to show you targeted real-time ads on in-store video screens. Companies are pitching retailers to bring the technology into their physical stores as a way to better compete with online rivals like Amazon that are already armed with troves of information on their customers and their buying habits.

3 AdventHealth Tampa Utilizing Virtual Reality to Treat Epilepsy Patients

Doctors at AdventHealth Tampa are getting a glimpse of new virtual reality tools that they'll soon use to treat patients with conditions characterized by seizures, such as epilepsy. “When I first saw the virtual reality, they called me over and said 'look at this!'" said Dr. Nancy Rodgers-Neame, Medical Director for Epilepsy at AdventHealth Tampa. "I was like, 'wow this is amazing.'" Rodgers-Neame said AdventHealth is the only hospital contracted to use this particular technology. Doctors will be able to show patients a 3-D image of their brain and pinpoint where seizures are coming from. Right now, they’re only able to show patients charts with waves demonstrating their brain activity.

4 Google Sensorvault Database Draws Congressional Scrutiny

Google is facing questions from Congress about Sensorvault, its database that stores the geolocation data of millions of Android users, which has sometimes been shared with police as part of criminal investigations. In a letter to Google CEO Sundar Pichai, the Democratic and Republican leaders of the House Energy and Commerce Committee have posed 10 questions about Sensorvault and what information Google has collected about users over the past decade. The committee's leaders want to know what Google does with all this data, who can access it and whether consumers are protected in cases of mistaken identification that may result from police investigations. Because Google uses geolocation data to sell targeted advertising to consumers, Sensorvault is also raising questions about privacy and the personal information that companies collect.

5 Apple edges closer to cursory code review for all Mac apps

Apple will soon make a code review mandatory for all applications distributed outside its own Mac App Store by new developers, a first step towards requiring all Mac software to pass similar reviews. The Cupertino, Calif. company argued that the process, which it calls "notarization," would build a more secure macOS environment. "We're working with developers to create a safer Mac user experience through a process where all software, whether distributed on the [Mac] App Store or outside of it, is signed or notarized by Apple," the company stated in an April 10 message on its developer portal.

6 Amazon's Alexa Team Can Access Users' Home Addresses

An Amazon.com Inc. team auditing Alexa users’ commands has access to location data and can, in some cases, easily find a customer’s home address, according to five employees familiar with the program. The team, spread across three continents, transcribes, annotates and analyzes a portion of the voice recordings picked up by Alexa. The program, whose existence Bloomberg revealed earlier this month, was set up to help Amazon’s digital voice assistant get better at understanding and responding to commands. Team members with access to Alexa users’ geographic coordinates can easily type them into third-party mapping software and find home residences, according to the employees, who signed nondisclosure agreements barring them from speaking publicly about the program.

7 Court Allows Company to Surreptitiously Monitor Former Employee’s Social Media Account

A federal court of appeals recently found that there was nothing wrong with a company monitoring a departed employee’s Facebook account and using that information to pursue a trade secrets claim against four former employees. In Scherer Design Group, LLC v. Ahead Engineering LLC, the employer accessed former employee Daniel Hernandez’s account by using software that allowed the company to access Hernandez’s deleted browser history and his password-protected social media without detection, and additional software that allowed the employer to monitor Hernandez’s Facebook activity even after he had left the company. After gaining access to Hernandez’s Facebook account, the company reviewed his Facebook messages daily for two months and obtained information to support claims of trade secret misappropriation, improper interference with the company’s customers and breach of the four former employees’ duty of loyalty while employed at the company.

8 IRS’ Outdated App Security Leaves Taxpayers at Risk of Identity Theft, Watchdog Says

The IRS is nearly a year behind on rolling out online security measures meant to prevent identity thieves from improperly accessing taxpayer data, according to an internal watchdog. The agency operates a full suite of web applications where the public can pay taxes, review documents and access numerous tax-related services, but many of the programs lack the latest electronic authentication controls, the Treasury Inspector General for Tax Administration said in a recent report. Identity authentication protocols help guarantee that people logging into the apps are who they claim to be, and if they’re not strong enough, taxpayers risk having their information stolen. “Because these applications collect, process, and store large amounts of taxpayer data, the IRS has become a target of criminals and identity thieves,” TIGTA wrote in the report.

9 GoDaddy takes down 15,000 subdomains used for online scams

Web hosting provider and domain registrar GoDaddy has taken down more than 15,000 subdomains that were being used as part of a spam operation that lured users to web pages selling fake products. Users would typically receive a spam email promoting a product, and if they clicked links in these emails, they'd land on one of these subdomains, hosted on legitimate sites without the legitimate site owners' knowledge. The common theme among all the scammy subdomains was that they all sold products backed by bogus endorsements from celebrities. Celebrity names used in these scams include Stephen Hawking, Jennifer Lopez, Gwen Stefani, Blake Shelton, Wolf Blitzer, the Shark Tank TV show, and others.

10 New York’s attorney general is investigating Facebook after contact-scraping scandal

The New York attorney general’s office has opened an investigation into Facebook after it was discovered earlier this month that the company had collected the email contacts of more than 1.5 million people without their consent. “It is time Facebook is held accountable for how it handles consumers’ personal information,” Attorney General Letitia James said in a statement. “Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data.” Starting in May 2016, Facebook automatically collected users’ contact lists, ultimately collecting data on more than 1.5 million people. That data was then used to improve the social media company’s ad-targeting algorithms and other operations on the platform.

11 China is reportedly using US satellite technologies to bolster its surveillance capabilities

The Chinese government has been using a private company jointly owned by a U.S. investment firm and its Chinese counterpart to expand its surveillance and telecommunications capabilities using American technology, The Wall Street Journal reports. At the center of the Journal’s reporting is a company called Asia Satellite Telecommunications (AsiaSat). It’s a satellite operating company acquired back in 2015 by U.S. private equity firm The Carlyle Group and Chinese private equity firm CITIC Group. Both Carlyle and CITIC are known for their ties to government in their respective home nations. While the U.S. government basically bans American companies from exporting satellite technology to foreign governments like China, there have been no controls put in place on how bandwidth from launched satellites is used once those satellites are in orbit.

12 Microsoft knows password-expiration policies are useless

Microsoft admitted today that password-expiration policies are a pointless security measure. Such requirements are "an ancient and obsolete mitigation of very low value," the company wrote in a blog post on draft security baseline settings for Windows 10 v1903 and Windows Server v1903. Microsoft isn't doing away with its password-expiration policies across the board, but the blog post makes the company's stance clear: expiring passwords does little good. As the blog post explains, if a password is never stolen, there's no need to expire it. And if a password is suspected to be stolen, you would want to act immediately, not wait until the expiration date.

13 '768K Day' Is As Overhyped As Y2K, ISP Says

Some experts have warned that outdated networking equipment could cause significant connectivity headaches for consumers and companies alike as part of what many are calling “768k day,” expected to occur sometime next month. But internet service providers and network engineers contacted by Motherboard say they have a good handle on the problem, and the threat is largely being overhyped. The worry is that we’re about to see a repeat of a major outage that crippled parts of the internet back in August of 2014. Dubbed “512k day," the outage resulted in widespread connectivity and packet loss issues across hundreds of global ISPs, resulting in millions of dollars in lost productivity from industries and consumers being kicked offline.

14 Canada Privacy Watchdog Taking Facebook to Court

Canada’s privacy czar said Thursday that he is taking Facebook to court after finding that lax practices at the social media giant allowed personal information to be used for political purposes. A joint report from privacy commissioner Daniel Therrien and his British Columbia counterpart said major shortcomings were uncovered in Facebook’s procedures. It called for stronger laws to protect Canadians. The commissioners expressed dismay that Facebook had rebuffed their findings and recommendations. Facebook insisted it took the investigation seriously. The company said it offered to enter into a compliance agreement.

15 NSA: That ginormous effort to slurp up Americans' phone records that Snowden exposed? Ehhh, we don't need that no more

The NSA's mass-logging of people's phone calls and text messages, at home and abroad – a surveillance program introduced after the September 11, 2001 terror attacks – is set to end as it's no longer worth the hassle. The blanket spying, which hoovered up the metadata for all calls and texts made by US citizens as well as foreigners around the world, has been widely criticized ever since its existence was revealed by whistleblower Edward Snowden. Now intelligence officials are telling the White House that it's no longer needed, with one whispering this week to the Wall Street Journal that “the candle is not worth the flame." The program was authorized by the controversial Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act, passed in the month after the 9/11 mass-murders by terrorists on American soil.
