AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – December 10, 2018

Amazon robot sets off bear repellant, putting 24 workers in hospital

Twenty-four employees at an Amazon warehouse in New Jersey were taken to hospital after a robot accidentally punctured a can of bear repellant. The 255g can containing concentrated capsaicin, a compound in chilli peppers, was punctured by an automated machine after it fell off a shelf, according to local media. The incident happened on Wednesday at a warehouse in Robbinsville, New Jersey, on the outskirts of Trenton.

Arrest of Tech Exec Signals Tougher US Stand on China Tech Firms

The arrest of a top executive of tech giant Huawei at the request of US authorities signals a toughening stand in Washington on dealing with Chinese tech firms amid longstanding concerns over cyberespionage. Meng Wanzhou, Huawei’s chief financial officer, was detained this week in Canada and faces an extradition request from US authorities over an investigation into suspected Iran sanctions violations by the Chinese technology giant. Meng is the daughter of company founder Ren Zhengfei, a former Chinese People’s Liberation Army engineer. China’s embassy in Canada issued a strong protest saying Meng was “not violating any American or Canadian law.”

Safari Browser Is Testing USB Security Keys

If Safari is your browser of choice, you will soon have a new way to secure yourself online. Apple released Safari Technology Preview 71 on Wednesday for users to download, and this latest version of the browser has support for Web Authentication, or “WebAuthn”. This means that instead of relying only on a password, or on a password plus a conventional second factor such as an SMS or app-generated code, users can authenticate with a physical security key, such as a USB token, that signs a challenge bound to the site’s origin. Safari isn’t the first browser to enable this security feature, however.

Unprotected MongoDB Exposes Scraped Profile Data of 66 Million

Information belonging to more than 66 million individuals was discovered in an unprotected database, within anyone’s reach if they knew where to look on the web. The records look like scraped data from LinkedIn profiles. The cache includes personal details that can identify users and could help adversaries create phishing attacks that are more difficult to recognize. The researcher who found the database counted 66,147,856 unique records containing full name, personal or professional email address, the user’s location details, skills, phone number, and employment history. A link to the individual’s LinkedIn profile was also present.

Senator slams Google’s censored search engine work in China

Sen. Warner alluded to Google’s work on Project Dragonfly in China as proof of the country’s “successful efforts to recruit Western companies to their information control efforts.” He also discussed China’s cyber and information bureaucracy and Russia’s efforts at combining cyber warfare, espionage and information operations. He is calling for a “comprehensive cyber doctrine” with buy-in from other countries. Warner’s comments were delivered as part of a greater push for a more organized cybersecurity strategy at the federal level.

BeatStars discloses security breach in Twitter live stream

BeatStars, a marketplace for selling music production beats, has disclosed a security breach today. In a Periscope live stream shared on Twitter, Abe Batshon, BeatStars CEO, revealed that the mysterious cause of the site’s downtime on Monday was unauthorized access to its servers. “Last night we’ve seen very unusual behavior with someone trying to enter into our servers, trying to access the database, trying to run code,” Batshon said during the live stream on Tuesday, December 4.

Flu tracker website developed in time for flu season

Pathologists at Houston Methodist developed a real-time website to track flu cases, just in time to assist physicians, the CDC and patients for the fall 2018 flu season. The up-to-date information on flu.houstonmethodist.org contains flu epidemiology data covering Houston Methodist’s eight-hospital system. In a Nov. 30 journal article in Open Forum Infectious Diseases, the Houston Methodist researchers explained how they began developing the website in 2017 when the greater Houston area experienced a major increase in flu cases. The website actively reported on influenza A, influenza B, respiratory syncytial virus (RSV), and rhinovirus/enterovirus, as well as several other pathogens.

Cybercriminals reporting competitors to Google to spread their own malware

In a move as sneaky as a criminal calling the cops on rival gangs, malware authors have been impersonating Ubisoft, Steam and other large game companies to serve Google DMCA Section 1201 notices that take down their competitors with no route to reinstatement. The cyber gangs claim that rival pirate-game sites distribute digital rights management (DRM) circumvention tools, i.e. software that defeats technologies designed to restrict the use of proprietary hardware and copyrighted works. Normally, when Google receives an ordinary copyright complaint it delists the page but still allows the site’s owner to contest the removal through the counter-notice process defined in Section 512 of the DMCA; when Google receives an anti-circumvention (Section 1201) complaint, however, it removes the accused site and offers no appeal process.

Navy, Marine Corps Forced to Send Sensitive Info by Mail After Army’s Popular Sharing System Shuttered

The abrupt shuttering of an Army-run secure document-sharing service has slowed to a crawl the work of the Navy’s lawyers, doctors, personnel administrators, law enforcement and even the U.S. Naval Academy Band. The Army turned off its Aviation and Missile Research Development and Engineering Center (AMRDEC) Safe Access File Exchange system, called SAFE by users, a month ago because of a potential security risk, Kerensa Crum, an AMRDEC spokesperson, told USNI News. The shutdown was a preventative measure, Crum said, and the Army is not aware of any data breach resulting from the risk. However, without the SAFE system, users from all military branches were sent scrambling to figure out ways to securely share large documents containing sensitive but unclassified information with colleagues, other government agencies, contractors and retirees.

Will Apple’s iPhone replace your password?

Imagine using Face ID on your iPhone alongside a password and Touch ID on your computer in order to access highly secure websites, such as online banks, enterprise intranets and confidential online data services. That’s a possibility as Apple begins testing a new security standard called WebAuthn. Apple has begun beta-testing support for the standard in Safari Technology Preview Release 71, though it does warn this support is an “experimental feature,” so it may go no further than that.
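The two WebAuthn items above describe the user-facing side: a security key or built-in biometric sensor signs a challenge instead of the user typing a password. What makes this phishing-resistant is the relying party’s verification of the data the browser sends back, which binds the signature to the expected origin, the expected challenge and the relying-party ID. The following is an added example, not code from the page, Apple or the WebAuthn spec authors, of those relying-party checks in Python; it assumes a hypothetical relying party `bank.example` at origin `https://bank.example`, constructs stand-in `clientDataJSON` and `authenticatorData` values in place of what a real browser and authenticator would return, and deliberately leaves out the final public-key signature check over the returned bytes.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "bank.example"            # assumed relying-party ID (registrable domain)
ORIGIN = "https://bank.example"   # the only origin this RP accepts assertions from

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified (PIN / biometric)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> bytes:
    """Per-ceremony random challenge; the RP stores it server-side with the session."""
    return os.urandom(32)


def check_client_data(client_data_json: bytes, expected_challenge: bytes,
                      expected_origin: str, expected_type: str = "webauthn.get") -> bytes:
    """Validate type, challenge and origin of clientDataJSON; return its SHA-256.

    The origin field is set by the browser, not by the page, so a credential used
    on a look-alike phishing site carries the attacker's origin and is rejected here.
    """
    data = json.loads(client_data_json)
    if data.get("type") != expected_type:
        raise ValueError("unexpected ceremony type %r" % data.get("type"))
    got_challenge = b64url_decode(data.get("challenge", ""))
    if not hmac.compare_digest(got_challenge, expected_challenge):
        raise ValueError("challenge mismatch (replay or wrong session)")
    if data.get("origin") != expected_origin:
        raise ValueError("origin mismatch: %r" % data.get("origin"))
    return hashlib.sha256(client_data_json).digest()


def check_authenticator_data(auth_data: bytes, rp_id: str, last_sign_count: int,
                             require_uv: bool = False) -> int:
    """Validate the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack("!I", auth_data[33:37])[0]
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but flag not set")
    # A non-increasing counter (when the authenticator supports one) suggests a clone.
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return sign_count


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, last_sign_count: int) -> dict:
    """Run the checks and hand back the bytes whose signature must still be verified."""
    try:
        cd_hash = check_client_data(client_data_json, expected_challenge, ORIGIN)
        count = check_authenticator_data(auth_data, RP_ID, last_sign_count)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    # The authenticator signed authenticatorData || SHA-256(clientDataJSON); checking
    # that signature against the stored credential public key is the remaining step.
    return {"ok": True, "signed_bytes": auth_data + cd_hash, "sign_count": count}


# --- constructed stand-ins for browser / authenticator output (field names per spec) ---
def make_client_data(challenge: bytes, origin: str, ceremony_type: str = "webauthn.get") -> bytes:
    return json.dumps({"type": ceremony_type, "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack("!I", sign_count)


if __name__ == "__main__":
    ch = new_challenge()
    print(verify_assertion(make_client_data(ch, ORIGIN),
                           make_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 7), ch, 6)["ok"])
    print(verify_assertion(make_client_data(ch, "https://bank.example.login-check.test"),
                           make_authenticator_data(RP_ID, FLAG_UP, 7), ch, 6))
```

The origin check is the one that a password cannot give you: a phishing page on another host gets a `clientDataJSON` carrying its own origin, so even a user who presses the key on the wrong site produces an assertion the real relying party refuses.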

Facebook Defends Data Policies On Heels of Incriminating Internal Docs

Facebook has found itself embroiled in yet another data privacy scandal. New internal documents released this week showed the social media giant promoting, and trying to keep secret, the collection of call logs and texts from Android app users. A slew of internal documents were dumped this week by a committee of U.K. lawmakers who are investigating Facebook’s role in fake news. The documents, which include correspondence between the social media giant and Six4Three, creators of the Pikini app, led up to changes Facebook made to its developer platform to shut down abusive apps in 2014 through 2015. The correspondence within the documents that has users up in arms revolves around Facebook’s alleged attempts to cover up changes to its Android policies that would allow its app to collect a record of users’ calls and texts without alerting them.

Oath agrees to pay $5M to settle charges it violated children’s privacy

The penalty is said to be the largest ever issued under COPPA. The New York Times reported the story yesterday, saying the settlement will be announced by the New York attorney general’s office today. At the time of writing the AG’s office could not be reached for comment. We reached out to Oath with a number of questions about this privacy failure. But a spokesman did not engage with any of them directly — emailing a short statement instead, in which it writes: “We are pleased to see this matter resolved and remain wholly committed to protecting children’s privacy online.”

Tesla autopilot saves driver after he fell asleep at wheel on the freeway

At 0300 PT on Friday, the highway patrol pulled alongside a grey Tesla Model S traveling at 70 miles an hour on a freeway down toward Silicon Valley and noticed that the driver, 45-year-old Alexander Samek, appeared to be fast asleep. So the police car pulled behind the Tesla and flashed its lights and siren in an effort to wake him up. He didn’t budge, most likely because he was dead drunk; the police said in a statement he “was placed under arrest for driving under the influence of alcohol.” The officers figured that since the car was following the freeway lanes, rather than the veering and swerving you’d expect if no one was driving, the Tesla’s “driver assist” feature was on, and so did a very smart thing: they maneuvered in front of the car and then gradually slowed down, finally coming to a stop in the lane.

Humble Bundle breach could be first step in wider attack

Sometimes a basic data breach is just the first step in a larger campaign. That appears to be the case with the gaming subscription site Humble Bundle, which began informing its customers of a data breach that may have exposed a person’s subscription status, Malwarebytes reported. While on the outside this appears to be a basic attack, Malwarebytes’ researcher Christopher Boyd thinks there could be more behind it. “More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonus,” Humble Bundle’s customer email stated, adding that no payment card details, billing addresses or passwords were exposed.

Intelligo does constant background checks on your trusted employees

As a former Arby’s sandwich artist I understand the value of a background check. Had I not been investigated back at age 16 no one at the restaurant would have known I was a lapsed Boy Scout and read Stephen King novels. But what would have happened had I taken up a life of petty crime after being hired? No one except Intelligo would know. Run by former lawyer Shlomo Mirvis, Intelligo began as a manual background check service that pivoted to using AI and machine learning to speed up the process. Now Mirvis and his team have added a further twist, allowing for constant background checks over time, ensuring nothing untoward comes up after five months behind the keyboard or meat slicer.

More than 200 companies are calling for a national privacy law

The Business Roundtable’s consumer privacy legislation framework, provided exclusively to The Technology 202, calls on the United States to adopt a national privacy law that would apply the same data collection requirements to all companies regardless of sector, while ramping up Federal Trade Commission staffing and funding to enforce the rule. It calls on companies to give consumers more control of their data and form a national standard for breach notification. “We see a real need to both protect consumers at a time when digital services and the digital economy is so important and expanding, and at the same time, making sure we’re advancing global competitiveness,” Julie Sweet, chief executive of Accenture North America, who chairs the Business Roundtable’s technology committee, tells me.

The CoAP protocol is the next big thing for DDoS attacks

The Constrained Application Protocol (CoAP), specified in RFC 7252, is about to become one of the most abused protocols in terms of DDoS attacks, security researchers have told ZDNet. If readers don’t recognize the name of this protocol, that’s because it is relatively new: the RFC was only published in 2014, and the protocol was largely unused until this year. CoAP was designed as a lightweight machine-to-machine (M2M) protocol that can run on smart devices where memory and computing resources are scarce. In a very simplistic explanation, CoAP is very similar to HTTP, but instead of running on top of TCP it runs on top of UDP, a connectionless transport with no handshake. That last point is what makes it attractive for DDoS: a UDP request with a forged source address is answered straight to the victim, and a short request that elicits a long reply multiplies the attacker’s bandwidth.
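To make the “HTTP over UDP” comparison concrete, here is an added example, not code from the page or from the researchers it cites, that encodes and decodes CoAP messages in the RFC 7252 wire format and measures the request-to-response size ratio of a resource-discovery exchange (a `GET` on `/.well-known/core`, the standard CoAP discovery URI). The discovery response in the block is a constructed CoRE link-format payload standing in for what an exposed device would return; the ratio it yields is therefore illustrative, not a measurement of any real deployment.

```python
import struct

# CoAP message types (RFC 7252 section 3) and the codes used here
CON, NON, ACK, RST = 0, 1, 2, 3
GET = 0x01          # code 0.01
CONTENT = 0x45      # code 2.05
URI_PATH = 11       # option numbers (RFC 7252 section 5.10)
CONTENT_FORMAT = 12
LINK_FORMAT = 40    # Content-Format id for application/link-format (RFC 6690)


def _opt_field(n):
    """Encode an option delta or length as (nibble, extension bytes)."""
    if n < 13:
        return n, b""
    if n < 269:
        return 13, bytes([n - 13])
    return 14, struct.pack("!H", n - 269)


def build_message(msg_type, code, msg_id, token=b"", options=(), payload=b""):
    """Serialize a CoAP message. options: iterable of (number, value bytes)."""
    if len(token) > 8:
        raise ValueError("token may be at most 8 bytes")
    out = bytearray([(1 << 6) | (msg_type << 4) | len(token), code])
    out += struct.pack("!H", msg_id) + token
    prev = 0
    for num, val in sorted(options, key=lambda o: o[0]):   # deltas are relative, so sort
        dn, dext = _opt_field(num - prev)
        ln, lext = _opt_field(len(val))
        out.append((dn << 4) | ln)
        out += dext + lext + val
        prev = num
    if payload:
        out.append(0xFF)          # payload marker
        out += payload
    return bytes(out)


def _decode_field(nibble, buf, pos):
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    raise ValueError("nibble 15 is reserved outside the payload marker")


def parse_message(buf):
    """Parse a CoAP message, rejecting the format errors RFC 7252 calls out."""
    if len(buf) < 4:
        raise ValueError("truncated header")
    if buf[0] >> 6 != 1:
        raise ValueError("unsupported version")
    msg_type, tkl = (buf[0] >> 4) & 3, buf[0] & 0xF
    if tkl > 8:
        raise ValueError("TKL 9..15 is a message format error")
    code, msg_id = buf[1], struct.unpack_from("!H", buf, 2)[0]
    pos = 4
    token = buf[pos:pos + tkl]
    if len(token) != tkl:
        raise ValueError("truncated token")
    pos += tkl
    options, num, payload = [], 0, b""
    while pos < len(buf):
        if buf[pos] == 0xFF:
            payload = buf[pos + 1:]
            if not payload:
                raise ValueError("payload marker followed by empty payload")
            break
        dn, ln = buf[pos] >> 4, buf[pos] & 0xF
        pos += 1
        delta, pos = _decode_field(dn, buf, pos)
        length, pos = _decode_field(ln, buf, pos)
        num += delta
        val = buf[pos:pos + length]
        if len(val) != length:
            raise ValueError("truncated option")
        pos += length
        options.append((num, bytes(val)))
    return {"type": msg_type, "code": code, "msg_id": msg_id,
            "token": bytes(token), "options": options, "payload": bytes(payload)}


def discovery_request(msg_id=0x1234, token=b"\x01"):
    """GET /.well-known/core as a NON message: the request a reflector would see."""
    return build_message(NON, GET, msg_id, token,
                         [(URI_PATH, b".well-known"), (URI_PATH, b"core")])


# Constructed link-format listing standing in for a real device's discovery reply.
SAMPLE_LINKS = (b'</sensors/temp>;rt="temperature-c";if="sensor",'
                b'</sensors/light>;rt="light-lux";if="sensor",'
                b'</firmware>;rt="fw"')


def discovery_response(request, links=SAMPLE_LINKS):
    """Answer a discovery request the way a device would: same ID and token, 2.05 Content."""
    req = parse_message(request)
    return build_message(NON, CONTENT, req["msg_id"], req["token"],
                         [(CONTENT_FORMAT, bytes([LINK_FORMAT]))], links)


def amplification_factor(request, response):
    return len(response) / len(request)


if __name__ == "__main__":
    req = discovery_request()
    resp = discovery_response(req)
    print(len(req), len(resp), round(amplification_factor(req, resp), 2))
```

Two parser decisions matter when this runs against hostile traffic: a token length above 8 and a payload marker with nothing after it are both format errors in RFC 7252, and a tolerant parser that silently accepts them tends to be the one that ends up fuzzed. The factor reported by `amplification_factor` only grows with the size of the device’s resource listing, which is why exposed devices with rich `/.well-known/core` responses are the ones worth finding and firewalling first.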

No Smoking Gun Tying Russia to Spear-Phishing Attack, Microsoft Says

There is not enough evidence to attribute a recent wave of spear-phishing emails impersonating personnel at the United States Department of State to Russian hackers, Microsoft says. The attack, which started on November 14, was previously said to have been the work of Cozy Bear, a Russian threat actor involved in hacking incidents during the 2016 U.S. presidential election. Microsoft, which tracks the adversary as YTTRIUM, begs to differ. “Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM,” the software giant says.
