AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – February 19, 2019

Academics Confirm Major Predictive Policing Algorithm is Fundamentally Flawed

Last week, Motherboard published an investigation which revealed that law enforcement agencies around the country are using PredPol—a predictive policing software that once cited the controversial, unproven “broken windows” policing theory as a part of its best practices. In a 2014 presentation to police departments obtained by Motherboard, the company says that the software is “based on nearly seven years of detailed academic research into the causes of crime pattern formation … the mathematics looks complicated—and it is complicated for normal mortal humans—but the behaviors upon which the math is based are very understandable.” But academics Motherboard spoke to say that the mathematical theory that is used to power PredPol is flawed, and that its algorithm—at least as pitched to police—is far too simplistic to actually predict crime.


Lawmakers probe TSA's pipeline cyber role

Responsibility for oversight of 2.7 million miles of U.S. pipeline infrastructure falls to the Transportation Security Administration, but an oversight report from December 2018 found that TSA needs to get a better handle on this role. According to Government Accountability Office, the agency hasn't maintained needed staffing levels in its pipeline security operations or kept its risk assessment methodology up to date. China has the ability to launch disruptive cyberattacks on U.S. critical infrastructure including gas pipelines, according to a recent public intelligence assessment. That possibility has lawmakers concerned. At a Feb. 14 Senate hearing, Sen. Martin Heinrich (D-N.M.) asked Neil Chatterjee, chairman of the Federal Energy Regulatory Committee, if TSA was the right agency to oversee gas pipeline security.


Researchers create 'malicious' writing AI

A team of researchers who have built an artificially-intelligent writer say they are withholding the technology as it might be used for "malicious" purposes. OpenAI, based in San Francisco, is a research institute backed by Silicon Valley luminaries including Elon Musk and Peter Thiel. It shared some new research on using machine learning to create a system capable of producing natural language, but in doing so the team expressed concern the tool could be used to mass-produce convincing fake news. Which, to put it another way, is of course also an admission that what its system puts out there is unreliable, made-up rubbish. Still, when it works well, the results are impressively realistic in tone.


Chrome to patch loophole that allows sites to block Incognito mode users

Future versions of Chrome will fix a loophole that lets websites detect and block users who attempt to access them using the browser’s Incognito mode, reports 9to5Google. As well as not storing any local records of your browsing history, Chrome’s Incognito mode stops websites from being able to track you using cookies. However, because so much of the web’s ad revenue relies on this tracking data, some sites, such as The Boston Globe and MIT Technology Review, prevent you from reading their articles if you visit them using this mode. Most sites do this by trying to use the “FileSystem” API, which is disabled while using Incognito mode because it allows permanent files to be created. However, recent commits to Chromium’s source code, which were first spotted by 9to5Google, show that the browser will soon trick websites into believing its FileSystem API is always operational.

Data-spewing Spectre chip flaws can't be killed by software alone

Google security researchers have analyzed the impact of the data-leaking Spectre vulnerabilities afflicting today's processor cores, and concluded software alone cannot prevent exploitation. The Chocolate Factory brainiacs – Ross Mcilroy, Jaroslav Sevcik, Tobias Tebbi, Ben L. Titzer, Toon Verwaest – show that they can construct what's dubbed a universal gadget to exploit the spectre gang of speculative-execution flaws present in various CPU families, allowing attacker-supplied code running in a thread to read all memory in the same address space. This means, for example, a malicious webpage's JavaScript code executing in a web browser thread can potentially snoop on another webpage's JavaScript running in another thread, and steal secret data from that other page.


Brokerage Firms Warned by FINRA Regulator of New Phishing Attack

The Financial Industry Regulatory Authority (FINRA) has issued an information notice to brokerage firms regarding an ongoing phishing attack which currently targets member firms with malicious spam e-mails. FINRA is a not-for-profit organization which regulates exchange markets and member brokerage firms, and it is authorized by the US Congress to defend America’s investors by always ensuring that the broker-dealer industry functions equitably and honestly. The phishing attack warning comes after a number of brokerage firms have already received suspicious-looking e-mails camouflaged to appear as if sent from a legitimate credit union entity.


Wendy's to pay $50M to settle lawsuit from data breach

Wendy's Co. will pay $50 million to settle a class-action lawsuit from a data breach that hit hundreds of its franchisees. The Dublin-based company on Wednesday announced the pending agreement with financial institutions, which had alleged Wendy's failed to safeguard customer credit card information and failed to provide notice that customer information had been compromised. Wendy's said it will pay $27.5 million of the settlement costs, with the rest covered by insurance. The settlement would release Wendy's, as well as its franchisees, from all claims.


Legislation Would Stiffen Penalties for Ransomware Attacks

Using ransomware to hold computers hostage would draw stiffer penalties under legislation — prompted in part by attacks on Maryland hospitals over the past few years — state lawmakers are considering. The legislation, which would enforce tougher penalties for those convicted of ransomware crimes, was spurred by attacks like those on the University of Maryland Medical System in 2018 and on the Salisbury Police Department in January. Hospitals and health care centers remain one of the most vulnerable industries to ransomware attacks, which could lead to disruptions of critical information systems, loss of data and even patient fatalities.


US Facebook Fine Over Privacy Could Be in Billions

A US investigation into privacy violations by Facebook could result in a record fine running to billions of dollars, media reports said Friday. The Federal Trade Commission is negotiating the terms of the penalty stemming from its investigation into whether Facebook violated a 2011 settlement with the regulator on protecting user data, the Washington Post and New York Times said, citing unnamed sources. The FTC reopened its investigation following revelations last year that personal data from tens of millions of Facebook users was hijacked by the political consultancy Cambridge Analytica as it worked on Donald Trump's presidential campaign. The 2011 court-approved agreement required Facebook to notify users when it shares data with third parties and bars the social network from deceptive practices. According to the Times, the penalty for violating the agreement could be some $41,000 per violation, and the FTC may potentially levy that amount for each individual affected.


Ajit Pai orders phone companies to adopt new anti-robocall tech in 2019

The Federal Communications Commission will consider "regulatory intervention" if major phone companies fail to adopt a new anti-robocall technology this year. FCC Chairman Ajit Pai has been pressuring phone companies to implement the "SHAKEN" and "STIR" robocall-blocking protocols, which perform Caller ID authentication. Most major providers have committed to doing so, but Pai issued a warning to laggards yesterday. "I applaud those companies that have committed to deploy the SHAKEN/STIR framework in 2019," Pai said in his statement yesterday. "This goal should be achievable for every major wireless provider, interconnected VoIP operator, and telephone company—and I expect those lagging behind to make every effort to catch up. If it appears major carriers won't meet the deadline to get this done this year, the FCC will have to consider regulatory intervention."


Could hackers trick voice assistants into committing fraud? Researchers say yes

At the heart of this security issue is the fact that the neural networks powering voice assistants have much better “hearing” than humans do. People can’t identify every single sound in the background noise at a restaurant, for example, but AI systems can. AI speech recognition tools can also process audio frequencies outside the range that people can hear, and many speakers and smartphone microphones pick up those frequencies. These facts give bad actors at least two options for issuing “silent” commands to voice assistants. The first is to bury malicious commands in white noise, as US students at Berkeley and Georgetown did in 2016. The New York Times reported that students were able to play the hidden voice commands in online videos and over loudspeakers to get voice-controlled devices to open websites and to switch to airplane mode.


Emoji are showing up in court cases exponentially, and courts aren’t prepared

Bay Area prosecutors were trying to prove that a man arrested during a prostitution sting was guilty of pimping charges, and among the evidence was a series of Instagram DMs he’d allegedly sent to a woman. One read: “Teamwork make the dream work” with high heels and money bag emoji placed at the end. Prosecutors said the message implied a working relationship between the two of them. The defendant said it could mean he was trying to strike up a romantic relationship. Who was right? Emoji are showing up as evidence in court more frequently with each passing year. Between 2004 and 2019, there was an exponential rise in emoji and emoticon references in US court opinions, with over 30 percent of all cases appearing in 2018, according to Santa Clara University law professor Eric Goldman, who has been tracking all of the references to “emoji” and “emoticon” that show up in US court opinions.


Pressure mounts on Facebook and Google to stop anti-vax conspiracy theories

As a measles outbreak continues to spread in Washington state, Facebook is “exploring additional measures” to fight false anti-vaccine content on the platform, Bloomberg reports. The news comes on the heels of criticism from Representative Adam Schiff, who sent Facebook CEO Mark Zuckerberg a letter about vaccine misinformation on Facebook and Instagram today. In the letter, first reported by Bloomberg’s Sarah Frier, Schiff voiced concerns that both Facebook and Instagram serve up misleading, fear-mongering content about vaccines, which have been shown to be safe, effective, and critical for public health. Schiff also sent a similar letter to Google’s Sundar Pichai about vaccine misinformation on YouTube.


The best new Twitter bot is an endless game of Jeopardy where the winners are good at puns

Web artist Neil Cicierega has created a new bot that’ll forever distract us on Twitter. His new Twitter account, @endlessjeopardy, creates “randomly generated clues” that fellow Twitter users can reply to with an answer. A new clue comes every hour. There’s no correct answer, but whoever’s response receives the most likes will win points. A bot keeps score, and it seems some users already have multiple wins. The bot picks five winners per question, although each receives a different amount of points.


Apple sued over death blamed on faulty iPad battery

In the early morning of February 22, 2017, a fire broke out at the apartment of 64-year-old Bradley Ireland in Parsippany, New Jersey. Sadly, Ireland suffered serious injuries in the fire and died some hours later. The reason why we’re talking about this? According to a lawsuit newly filed by Ireland’s daughter, Julia Ireland Meo, a defective Apple iPad is being blamed for the fire. According to the lawsuit filed against Apple, “the fire and the resulting death… was caused by the defectively designed and/or defectively manufactured subject tablet.” The suit is not specific about how much money Ireland’s family hopes to receive from Apple, but it does ask for compensatory damages, interest, and costs including attorney fees.


Which Wifi Band Should I Use for My Devices?

For those who aren’t as well-versed in the ways of wifi, allow me to take a moment to explain what’s going on. Most modern routers—if they aren’t terrible—operate on two bands: 2.4GHz and 5GHz. In practical terms, that means your router probably asks you to create an SSID and password for two different wireless networks when you initially set it up. (Some routers allow you to use one SSID/password for both, and it’s then up to your devices to decide whether they connect to either 5GHz or 2.4GHz.) I recommend you go the route of having a separate SSID for each band, so you can then allocate your devices based on your needs.


Mozilla Adding a Picture-in-Picture Mode to Firefox

Like Chrome, Mozilla Firefox is adding a Picture-in-Picture Mode that allows users to pop the video out of the web page into a stay-on-top frame that they can watch while using other applications. In a recently updated Mozilla bug post, the Picture-in-Picture feature has been enabled in the Firefox Nightly build. Using this build, you can go to a YouTube video and right-click on it twice to show a menu that contains a "Picture in Picture" option as shown below. When you click on the Picture in Picture option, the video will pop into its own stay-on-top frame, which allows you to continue watching the video even if you switch to a different application.
