AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – February 18, 2019

Researchers are raking the Lenovo Watch X over the security coals in a report that blasts the device for shipping with a half dozen “disturbing” privacy and security vulnerabilities. The budget ($50) smartwatch was introduced in June 2018 and was initially praised for its design, features and affordability. But in the months following the launch, the Lenovo Watch X has been hearing an earful from usability, and now security, critics. In a report released by Checkmarx on Tuesday, security researcher David Sopas outlined a swath of failings and concluded the watch’s vulnerabilities were “a violation of [his] privacy” because the device sends location data to an “unknown server” in China.


Boston and NY share high-tech losses as GE and Amazon bail on same day

Boston and New York have been sporting rivals for decades, constantly fighting over bragging rights across all four major sports, but today the two cities had something in common neither was probably hoping for. Both had major tech companies back out of massive deals on the same day. It turns out, however, that the two cities lost the deals for entirely different reasons. For NY, Amazon wasn’t pleased with the political greeting it received and decided the city wasn’t going to be friendly enough for its liking. In the Boston case, it was entirely an economic decision, as GE’s fortunes have changed considerably since it made its plans in 2016.


Electric scooters can be hijacked remotely – no password required

Security researchers have demonstrated that it’s possible to remotely hijack control of popular electric scooters, forcing them to dangerously brake suddenly or accelerate. Researchers at Zimperium say it took mere hours to uncover the security hole in the Xiaomi M365 scooters used by urban commuters around the world. Security researcher Rani Idan discovered that it was possible to target any Xiaomi M365 scooter passing within 100 metres (328 feet), forcing it to unexpectedly accelerate or brake – without any physical access to the scooter required. In a brief but effective video, the hoodie-wearing researcher demonstrates how easy it is to remotely stall a scooter as its perplexed owner attempts to cross a road.


The great Equifax mystery: 17 months later, the stolen data has never been found, and experts are starting to suspect a spy scheme

CNBC talked to eight experts, including data "hunters" who scour the dark web for stolen information, senior cybersecurity managers, top executives at financial institutions, senior intelligence officials who played a part in the investigation and consultants who helped support it. All of them agreed that a breach happened, and that personal information from 143 million people was stolen. But none of them knows where the data is now. It's never appeared on any of the hundreds of underground websites selling stolen information. Security experts haven't seen the data used in any of the ways they'd expect in a theft like this — not for impersonating victims, not for accessing other websites, nothing. But as the investigations continue, a consensus is starting to emerge to explain why the data has disappeared from sight. Most experts familiar with the case now believe that the thieves were working for a foreign government and are using the information not for financial gain, but to try to identify and recruit spies.


Mozilla will use AI coding assistant to preemptively catch Firefox bugs

Mozilla will start using Clever-Commit, an AI coding assistant developed by Ubisoft, to make the Firefox code-writing process more efficient and to prevent the introduction of bugs in the code. “By combining data from the bug tracking system and the version control system (aka changes in the code base), Clever-Commit uses artificial intelligence to detect patterns of programming mistakes based on the history of the development of the software. This allows us to address bugs at a stage when fixing a bug is a lot cheaper and less time-consuming, than upon release,” Sylvestre Ledru, Mozilla’s Firefox release manager, explained.


Facebook Taps User Data to Defend Workers From Threats

Facebook gathers intelligence from its platform to identify people who threaten the firm or its workers, the social network said Thursday in response to media reports of the security tactic. CNBC reported that it interviewed more than a dozen former Facebook security employees, some of whom questioned the ethics of what was portrayed as an unclearly defined practice at the leading social network. Facebook spokesman Anthony Harrison told AFP that the company's physical security team exists to keep workers safe and that strict processes are in place to protect people's privacy. "Any suggestion our on-site physical security team has overstepped is absolutely false," Harrison said.


620 Million Online Accounts Data Stolen from 16 Hacked websites – Available in Dark Web for Sale

A shocking new report revealed that data from almost 620 million online accounts, taken from 20 well-known websites, is currently being sold by hackers on the dark web for less than $20,000 in Bitcoin. The data for sale contains account holder names, email addresses, and passwords. The passwords are hashed, and some records also include other information such as location, personal details, and social media authentication tokens. Stolen data from the following websites is combined into these 620 million online accounts, and The Register confirmed that all of this data was completely legitimate.


Coffee Meets Bagel Dating App Discloses Data Breach on Valentine's Day

As a Valentine's Day gift to all its users, online dating app Coffee Meets Bagel disclosed a data breach that exposed users' email addresses and names. This data breach was discovered as part of a compilation of leaked credentials that was being sold on criminal marketplaces. According to the data breach notification, Coffee Meets Bagel became aware of the breach on February 11th 2019 after a report from The Register stated the data was being sold as part of a larger compilation of leaked credentials. In a data breach notification email sent today, which is provided in its entirety below, the company said the data consisted of 6 million Coffee Meets Bagel user names and email addresses. The dating company states that the breach did not disclose any user passwords or financial information, as that information is never stored by the app.


Toyota Prepping 'PASTA' for its GitHub Debut

Carmaker's open source car-hacking tool platform soon will be available to the research community. The lead developer behind Toyota's new cybersecurity testing tool said the carmaker plans to make its so-called PASTA (Portable Automotive Security Testbed) available via GitHub as early as next month or April. Tsuyoshi Toyama, senior researcher at Toyota InfoTechnology Center, told Dark Reading that he and his team are currently working on getting the PASTA specifications ready for availability online, and plan to offer as open-source the platform's specs, CAN (controller area network) ID maps, ECU (engine control unit) program codes, and ECU circuit diagrams for vehicle testing. He says Toyota also hopes to offer PASTA's driving simulator programs as open source, as well.


DHS ‘Doubling Down’ on Election Security Heading Into 2020

Cybersecurity and Infrastructure Security Agency Director Chris Krebs told reporters Thursday that the Homeland Security Department’s election security and countering foreign influence efforts are ramping up, not tapering down as a report Wednesday by The Daily Beast suggested. The report said two task forces set up within CISA—the agency within DHS that responded to Russian meddling in the 2016 election—were now hemorrhaging personnel, and anonymous officials cited in the report expressed fears they might not be replaced in the lead up to the 2020 election. “We are doubling down [on election security] in advance of the 2020 election,” Krebs said. “Despite what some of the reporting might be, election security and countering foreign influence efforts aren’t going anywhere.”


Bad news for WannaCry slayer Marcus Hutchins: Judge rules being young, hungover, and in a strange land doesn't obviate evidence

Marcus Hutchins, the Brit white-hat hacker who halted 2017's WannaCry ransomware outbreak, has failed to stop the American legal system using statements he made while recovering from the effects of holidaying in Las Vegas. Hutchins, aka MalwareTechBlog, faces a criminal trial in the US over allegations he wrote parts of the Kronos online banking trojan in 2014. He denies this. The professional malware researcher was arrested in early August 2017 as he tried to fly home to England from the Def Con hacker conference in Nevada. "Hutchins had spent much of the week partying, which included ingesting various intoxicating substances," federal district judge Joseph Stadtmueller noted this week (PDF) in response to Hutchins' motion to get statements he made thrown out.


Tesla’s new ‘sentry mode’ camera security feels more like a hack than a real feature

Tesla is rolling out a 360-degree surveillance system to some of its cars from today, as the company doubles down on its efforts to protect its premium electric vehicles (EVs) from bumps and break-ins. Dubbed “sentry mode,” the new feature will use all eight on-board cameras to provide a holistic view of everything going on outside. This upgrade comes a few months after Tesla introduced a new dashcam feature with version 9.0 of its software; however, that only captured footage from the front-facing camera — and only when the car was active. With sentry mode, not only are all cameras used, but they are functional when the car is inactive (i.e., parked) and they can initiate a number of security-focused deterrents.


ThisPersonDoesNotExist.com uses AI to generate endless fake faces

The ability of AI to generate fake visuals is not yet mainstream knowledge, but a new website — ThisPersonDoesNotExist.com — offers a quick and persuasive education. The site is the creation of Philip Wang, a software engineer at Uber, and uses research released last year by chip designer Nvidia to create an endless stream of fake portraits. The algorithm behind it is trained on a huge dataset of real images, then uses a type of neural network known as a generative adversarial network (or GAN) to fabricate new examples. “Each time you refresh the site, the network will generate a new facial image from scratch,” wrote Wang in a Facebook post. He added in a statement to Motherboard: “Most people do not understand how good AIs will be at synthesizing images in the future.”


Even years later, Twitter doesn’t delete your direct messages

When does “delete” really mean delete? Not always, or even at all, if you’re Twitter. Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini. Saini found years-old messages in a file from an archive of his data obtained through the website, sent from accounts that were no longer on Twitter. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted by both the sender and the recipient — though the bug wasn’t able to retrieve messages from suspended accounts.


Ransomware Attacks Target MSPs to Mass-Infect Customers

Ransomware distributors have started to target managed service providers (MSPs) in order to mass-infect all of their clients in a single attack. Recent reports indicate that multiple MSPs have been hacked recently, which has led to hundreds, if not thousands, of clients being infected with the GandCrab Ransomware. With the mass distribution of ransomware becoming increasingly difficult through methods such as spam, attackers are coming up with more creative ways to infect their victims. This includes hacking into RDP, teaming up with criminal download monetization companies, renting the services of botnet operators, and now attacking MSPs.


US Air Force Veteran Charged in Iran Hacking Scheme

A former U.S. Air Force counterintelligence agent has been indicted together with four Iranians for coordinating spear-phishing campaigns that sought to compromise the computers of other U.S. intelligence agents. The charges were revealed by the U.S. Department of Justice on Wednesday. The former agent, Monica Elfriede Witt, defected to Iran in 2013, the DOJ says. She also stands accused of revealing the identity of a highly classified U.S. intelligence program and an intelligence officer. Witt has been charged in federal court in Washington with three counts of espionage.
