AboutDFIR.com – The Definitive Compendium Project

InfoSec News Nuggets – April 29, 2019

When railroad tracks were first laid across the western U.S., there were eight different gauges all competing to dominate the industry – making a nationwide, unified rail system impossible; it took an act of Congress in 1863 to force the adoption of an industry standard gauge of 4-ft., 8-1⁄2 inches. FedEx CIO Rob Carter believes the same kind of thing needs to happen for blockchain to achieve widespread enterprise adoption. While the promise of blockchain to create a more efficient, secure and open platform for ecommerce can be realized using a proprietary platform, it won't be a global solution for whole industries now hampered by a myriad of technical and regulatory hurdles. Instead, a platform based on open-source software and industry standards will be needed to ensure process transparency and no one entity profits from the technology over others.
2 Amazon Shoppers Can Now Pay with Bitcoin on the Platform

Bitcoin payments are now an option on Amazon, and other ecommerce platforms will accept them by 2020 thanks to a startup, a browser extension and the lightning network, writes Coindesk. Bitcoin processes only 7 transactions per second, while Visa handles about 24,000, but the lightning network is a payment protocol that helps improve the cryptocurrency’s scalability and processing times. It “adds another layer to Bitcoin’s blockchain and enables users to create payment channels between any two parties on that extra layer,” Cointelegraph explains. Moon is a crypto payment startup founded last year that created a browser extension to connect to the crypto-wallet. The interface is currently with 250 beta users and is under review by the Chrome Web Store.
3 Boffins bring home the bacon as AI-powered robo-medic performs heart surgery on pigs

AI-trained autonomous robots have helped surgeons perform heart surgery on live pigs, according to research published in Science Robotics. A team of researchers from Boston Children’s Hospital in the USA, Université de Strasbourg in France, and Taipei Veterans General Hospital in Taiwan has built a robot to perform heart surgery on poorly pigs using machine learning software. They introduced weaknesses into the five porky patients' hearts, then let the robot find and fix them up. The robotic catheter managed to navigate to the right position 79 times out of the 83 trials carried out on five pigs, giving it a success rate of about 95 per cent, according to the results. It’s a tricky procedure considering the heart is still beating.

4 Internet industry freaks out over proposed unlimited price hikes on .org domain names

The internet is about to get a whole lot more expensive. The organization that oversees the domain name system, ICANN, has proposed an end to price caps on one of the internet's most popular extensions – .org – and many in the internet industry are unhappy about it. "Imagine if next year you had to pay 10 times as much to renew your domain name as you paid this year," one seller of domains, Namecheap, has warned in a blog post. It and other registrars have started emailing their customers urging them to oppose the plan – which is out for public comment until this Monday, April 29. Currently, many of the world's biggest internet extensions – .com, .net and .org, among others – are prevented from increasing their prices beyond a certain amount over the course of their contract with ICANN.

5 Half a Billion Compromised iPhones Reminds us Why Apple Never Wanted Third-Party Apps

Just in time for Easter, a cybercrime gang has gifted iPhone users with a new malware attack: 500 million of them and counting. According to reports, the attack exploits an unpatched and obscure vulnerability in Google's Chrome app, available through the native iOS app store. After serving up malvertising, the user is redirected to webpages with miscellaneous motives – scam contests, a malicious payload, solicitation for credit card details, etc. Although it took researchers ten days to discover the new malware, this should have come as no surprise. While popular consciousness insists that the Apple ecosystem is “more secure” than competitors – a prejudice which survives from the earliest days of computing – last November, a similar large-scale attack happened when iPhones were compromised by PayLeak-3PC, which was followed by FourthColor-3PC a few short months later.

6 Walmart experiments with AI to monitor stores in real time

Who’s minding the store? In the not-too-distant future it could be cameras and sensors that can tell almost instantly when bruised bananas need to be swapped for fresh ones and more cash registers need to open before lines get too long. Walmart, which faces fierce competition from Amazon and other online retailers, is experimenting with digitizing its physical stores to manage them more efficiently, keep costs under control and make the shopping experience more pleasant. On Thursday, the retail giant officially opens its Intelligent Retail Lab inside a 50,000-square-foot Neighborhood Market grocery store on Long Island. Thousands of cameras suspended from the ceiling, combined with other technology like sensors on shelves, will monitor the store in real time so workers can quickly replenish products or fix other problems.
7 Partnership on AI: Algorithms aren’t ready to automate pretrial bail hearings

The Partnership on AI released its first-ever research report today, which declares the algorithms now in use unfit to automate the pre-trial bail process, labeling some people as high risk and detaining them while other, low-risk plaintiffs are declared fit for release and sent home. Validity, data sampling bias and bias in statistical predictions were called out as issues in currently available risk assessment tools. Human-computer interface issues and unclear definitions of high risk and low risk were also considered important shortcomings in risk assessment tools. The Partnership on AI is an organization created in 2016 that attempts to join the biggest names in AI, like Amazon, Google, Facebook, and Nvidia, together with Amnesty International, the ACLU, the EFF and Human Rights Watch.

8 South Carolina capital website had a security flaw that exposed passwords

One bad search on the government website for South Carolina's capital city could've exposed an entire database. The city of Columbia site had a security flaw in its search tool, according to independent security researcher Arif Khan. The flaw let anyone view passwords for the website's database and email protocol servers, creating a massive potential for abuse, Khan said on Thursday. The vulnerability made it possible for someone to "pull sensitive data out of the Columbia city government's database," Khan said. With access to the email protocol servers, an attacker could've also created spoof emails that looked like they'd come from the city government.
9 Malicious lifestyle apps found on Google Play, 30 million installs recorded

A total of 50 malicious apps have managed to bypass Google's security checks and land on the Google Play store, leading to millions of installs on Android devices. It was only last week that researchers from Check Point uncovered a total of six apps laden with the PreAMo ad fraud malware on Google Play which had been installed 90 million times. Now, the cybersecurity team from Avast has found a further 50 apps relating to lifestyle services which masquerade as legitimate software but are actually adware, and these malicious apps have been downloaded a total of 30 million times. On Tuesday, Avast published a report on the discovery, in which the apps are linked to each other through third-party libraries that "bypass the background service restrictions present in newer Android versions."

10 Russian-speaking hackers are using email to attack US retailers and others

Cyber attackers have found an inventive new way to rip off retailers and others, a digital security firm says. Researchers at security vendor CyberInt Technologies Ltd. say their investigation has connected a single group of hackers—known as TA505—to a range of attacks against retailers and financial institutions around the world. The hackers conduct their attacks by using legitimate remote-access software and innocent-looking files attached to “spear-phishing” emails. Unlike ordinary phishing—which refers to any attempt to trick victims into sharing sensitive information with online attackers—spear-phishing attackers tailor their emails to address specific targets.

11 Twitter shuts down 5,000 pro-Trump bots retweeting anti-Mueller report invective

Twitter has suspended over 5,000 accounts tied to a network amplifying a message denouncing the report by Special Counsel Robert Mueller as a "RussiaGate hoax." According to a researcher, the accounts—most of which had only posted three or four times in the past—were connected to other accounts previously used to post pro-Saudi messages. In response to an inquiry by Ars, a Twitter spokeswoman said, "We suspended a network of accounts and others associated with it for engaging in platform manipulation—a violation of the Twitter Rules." An investigation into the network is still ongoing, the spokeswoman said, but no determination has yet been made about who was behind the campaign. "In cases such as this, attribution is difficult," the spokeswoman noted. "If we do have reasonable evidence to support state-backed activity, we will disclose the accounts as part of our information operations archive."
12 Vulnerable Confluence Servers Get Infected with Ransomware, Trojans

A critical Atlassian Confluence Server vulnerability is being remotely exploited by attackers to compromise both Linux and Windows servers, allowing them to drop GandCrab ransomware and the Dofloo (aka AES.DDoS, Mr. Black) Trojan. The CVE-2019-3396 server-side template injection vulnerability is present in the Widget Connector in vulnerable versions and it allows "remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection" according to NVD. Trend Micro security researcher Augusto Remillano II says that Atlassian patched the software flaw on March 20 and advised users to update their installation to a fixed version of Atlassian Confluence Server and Data Center.

13 This Nonprofit Wants to Offer Political Campaigns Free Help With Cybersecurity

The FEC is now considering a proposal that might help fix the issue. It would allow campaigns to access free IT services to secure their operations and strengthen the integrity of the country’s election system. The only catch is that a decision in favor of the proposal risks leaving a gaping loophole in campaign finance laws that could provide corporations with yet another way to unduly influence elected officials. On Thursday, the FEC will again consider a request to allow a nonprofit to offer free and low-cost cybersecurity support to campaigns in the form of software, hardware, tech boot camps, and information-sharing systems. Defending Digital Campaigns, the nonprofit spinoff of a Harvard cybersecurity project founded by Hillary Clinton’s 2016 campaign manager, Robby Mook, and Mitt Romney’s 2012 campaign manager, Matt Rhoades, submitted the proposal in September. The FEC last discussed the proposal during an open meeting on April 11, and a ruling is likely coming soon. (Defending Digital Campaigns did not respond to Slate’s interview requests.)
14 Air Force Academy ethics instructor arrested for luring child on the internet

Capt. Paul Sikkema, who is a philosophy professor teaching ethics at the Air Force Academy, has been arrested and charged with luring a child on the internet, a Class 4 felony. According to an arrest affidavit filed in Colorado’s 18th Judicial District, Sikkema is accused of chatting with an officer — who he believed to be a 14-year-old girl — online, via text message and over the phone in January. Sikkema allegedly made multiple lewd comments propositioning her sexually, the document said. Sikkema earned his commission after graduating from the academy in 2012, and was named an outstanding graduate that year.
15 Gunpoint domain hijack turns out to have been a family affair

You might recall the epic, violent domain transfer #FAIL that involved pistol-whipping, tasering, and demanding, at gunpoint, the transfer of “doitforstate.com” – a site devoted to content concerned with the beer-guzzling and butt-ogling of college students. The domain-demanding burglar, Sherman Hopkins, Jr., of Cedar Rapids, Iowa – who got shot multiple times in the chest when the rightful owner of doitforstate.com managed to wrestle Hopkins’ gun away from him – was sentenced to maximum prison time of 20 years last year. But it turns out that the entrepreneurial yearning to possess the doitforstate.com site did not originate with Hopkins. In fact, Hopkins was hired by his cousin, who last week was convicted for planning the armed home invasion and hiring Hopkins to do it.
16 Google hasn’t updated Android distribution data in 6 months

The Android developer website hosts a distribution dashboard that details the adoption of Google’s mobile operating system versions. With over 2 billion active Android devices out there, this is useful information that Google updates on a monthly cadence. But Google stopped updating the page last year — today marks the six-month mark. We’ve reached out to Google multiple times in the past half a year. In January, Google told us that the dashboard was undergoing site maintenance and that we’d hear back when it’s fixed. In April, the company declined to comment. This data is particularly useful to anyone who needs to make decisions regarding Android. It’s incredibly valuable to know how widely (or narrowly) an Android version — or more importantly, an API level — has been adopted.
17 A new bill would force companies to check their algorithms for bias

US lawmakers have introduced a bill that would require large companies to audit machine learning-powered systems — like facial recognition or ad targeting algorithms — for bias. The Algorithmic Accountability Act is sponsored by Senators Cory Booker (D-NJ) and Ron Wyden (D-OR), with a House equivalent sponsored by Rep. Yvette Clarke (D-NY). If passed, it would ask the Federal Trade Commission to create rules for evaluating “highly sensitive” automated systems. Companies would have to assess whether the algorithms powering these tools are biased or discriminatory, as well as whether they pose a privacy or security risk to consumers.
18 Fort Bragg cut power for thousands to test ‘real-world reactions’ to a cyber-attack

Fort Bragg in North Carolina says the Army post had a “blackout” for more than 12 hours overnight Wednesday as part of a cyber-attack military exercise that came as a complete surprise to its tens of thousands of residents. The fort, which the Army says is the world’s largest military post, says it cut off the electricity “to identify shortcomings in our infrastructure, operations and security.” “Fort Bragg has to train for any possible threats to the installation in order to remain mission capable,” said a post on Fort Bragg’s Facebook page just after 11 a.m. “This exercise was not announced in order to replicate likely real-world reactions by everyone directly associated with the installation. In today’s world, cyber-attacks are very likely. This exercise is exactly what we needed to do to identify our vulnerabilities and work to improve our security and deployment posture.”
19 United Airlines says it’s now covering those surprise seatback webcams

United Airlines has begun physically covering built-in webcams on in-flight entertainment devices following privacy concerns, according to a report from BuzzFeed. The screens, enterprise-grade tablets provided to United by the aviation equipment division of Panasonic, are said to come with built-in webcams by default, with Panasonic executives claiming the cameras could one day provide improved entertainment features like seat-to-seat video calling and even gaming. United claims it did not specially order its screens with webcams. “As with many other airlines, some of our premium seats have in-flight entertainment systems that came with cameras installed by the manufacturer. All cameras have since been covered, which were never activated and that we have no plans to use in the future,” a United spokesperson told BuzzFeed. The report states the airline will continue to cover the webcams in all future installations of its premium seating options, which come with the Panasonic screens already built into the seatback.
20 COPPA: A few tips to keep your child safe online

Online games and websites for kids are everywhere these days – to the point where it’s commonplace to see toddlers playing with them, too. And while the internet often offers a positive way for children to explore and learn, privacy concerns are lurking. To help protect children’s privacy, the FTC enforces the Children’s Online Privacy Protection Act (COPPA), which requires websites and online services to obtain consent from parents before collecting personal information from kids younger than 13.