AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – June 15, 2018

New Tesla update like being taught to drive by your dad

An update to Tesla’s Autopilot software earlier this month has caused headaches for drivers of its electric cars – with one user alleging he was almost driven off the road by the robotic assistant. The patch, 2018.21.9, contained a number of tweaks to address safety concerns with the Autopilot software, which Tesla trumpeted as the first step on the path to fully self-driving cars. Users, unfortunately, have often bought into the dream a little too wholeheartedly and failed to read the small print. Drivers should keep their hands on the wheel and eyes on the road – because Autopilot isn’t an actual autopilot. It’s more of a jumped-up cruise control at this stage. Due in part to some high-profile incidents caused by users relying a little heavily on their electronic buddy-under-the-hood, the new software now nags drivers every 30 seconds to keep their hands on the wheel.

Apple confirms that it will seal up law enforcement’s favorite iPhone cracking method

A new version of iOS will block a controversial loophole that law enforcement agencies have leveraged in order to crack into locked iPhones. In an upcoming version of iOS (likely iOS 12), Apple will include a feature known as USB Restricted Mode, which limits access to a locked iPhone through its USB port. The feature previously appeared in the iOS 11.3 beta, making its way into the iOS 12 beta; now the company has confirmed the security patch will make it into a final iOS release. With USB Restricted Mode, an iPhone’s Lightning port will lock one hour after the phone is locked. In that mode, which will be the default, only charging will be possible through the port after the initial one hour period has expired. “We’re constantly strengthening the security protections in every Apple product to help customers defend against hackers, identity thieves and intrusions into their personal data,” Apple told TechCrunch in an emailed statement.

The Best Security Podcasts in 2018

Summer’s here and that means one thing – there’s more time to relax and maybe learn something new. Podcasts are one of the best ways to be informed and entertained, so we compiled below a list of the best cybersecurity podcasts we’ve listened to so far. From the latest cybersecurity news to the best privacy tips, we tried to cover all areas.

Bitcoin’s rise might be linked to price manipulation, study indicates

The rise of cryptocurrency prices last year, including bitcoin, ethereum, and altcoins, could have been largely caused by price manipulation, according to a paper published today by researchers at the University of Texas at Austin. The paper, co-authored by a finance professor who is known for catching fraud in financial markets, reveals several distinct patterns in trading that suggest several people or a person at the major cryptocurrency exchange Bitfinex inflated virtual coin prices.

Malicious Docker containers earn cryptomining criminals $90K

Seventeen malicious Docker containers earned cryptomining criminals $90,000 in 30 days in what could be a harbinger of things to come. The figure may seem tame compared to some of the larger paydays that cryptojackers have earned. But, researchers at Kromtech Security Center warn containers are shaping up to be the next ripe target for these types of criminals. Kromtech said the malicious Docker images (17 in total) were pulled down from the Docker Hub image repository. Researchers can’t say for sure how many times the rogue containers were used by Docker Hub users, but Kromtech estimates that the 17 images were downloaded collectively 5 million times during the year they were available.

Windows security: Here’s why we don’t fix some bugs right away, Microsoft reveals

The document outlines the criteria the Microsoft Security Response Center uses to decide whether a reported vulnerability gets fixed swiftly, usually in a Patch Tuesday security update, or left for a later version update. Microsoft said in a blogpost the document is intended to offer researchers “better clarity around the security features, boundaries and mitigations which exist in Windows and the servicing commitments which come with them.” The criteria revolve around two key questions: “Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?”; and, “Does the severity of the vulnerability meet the bar for servicing?”

Snap will let other apps use its features, but not your data

Snap’s recent app redesign may have slowed its growth, but that hasn’t stopped the company from trying to entice people to use Snapchat in new ways. Its latest move is designed to keep you using Snapchat even when you’re not in the Snapchat app. Snap just announced a platform for third-party app developers, called Snap Kit, that lets other apps use Snapchat features, including stickers and Bitmoji. It also turns Snap into an authentication tool app makers can embed in their own apps to let people easily log in, similar to the way many apps let you use your Facebook username and password to gain entry.

Man Presumed Dead After Tragic Mount Everest Cryptocurrency Stunt

A Sherpa man who helped lead a team up Mount Everest as part of an ASKfm cryptocurrency publicity stunt is presumed dead. In an effort to promote its initial coin offering, the social media platform ASKfm sponsored four “crypto enthusiasts” on their climb of Mount Everest, so they could bury $50,000 worth of the company’s cryptocurrency, ASKT, at the peak. The team made it to the top on May 14. A promotional video encourages others to scale the mountain in search of the crypto wallet. The conceit of the stunt, according to a promotional blog post, was that the company is racing to take its cryptocurrency “to the moon”, an apparent reference to dogecoin, a meme-inspired cryptocurrency that was started as a joke in 2013. Everest is the closest they could get to the moon, on foot at least. But this bad metaphor for crypto’s success has been marred by a tragic death.

U.S. Senators ask Amazon how Alexa improperly sent a voice recording

U.S. Senators Jeff Flake (R-AZ) and Chris Coons (D-DE) have sent a letter to Amazon demanding answers following an incident last month in which a woman in Portland, Oregon, who declined to share her full name, told CBS News affiliate KIRO-TV that a recording of a conversation she had was sent to a person in her phone contact list without her knowledge or consent. The letter (PDF), addressed to CEO Jeff Bezos, asks a series of questions, including what efforts Amazon has made to anonymize data, whether Echo speakers are permitted to record background conversations in order to listen for the “Alexa” wake word, and all the ways Amazon “uses, stores, and retains consumer information” such as voice data.

Intel Discloses Yet Another Side Channel Vulnerability

Intel has disclosed another speculative execution side-channel vulnerability affecting many of its modern microprocessors that gives attackers a way to steal data, including cryptographic secrets, from computers running the flawed chips. The problem exists in the way the microprocessors handle a technique called Lazy FP state restore for saving and restoring an application’s floating-point state. As Intel describes it, system software running on Intel Core-based microprocessors may use the Lazy FP state restore technique to delay restoring an application’s state in memory until it is actually needed. Microsoft Windows, for instance, enables Lazy restore by default and does not allow the feature to be disabled.

Privacy.com Offers Virtual Payment Cards To Keep Your Digital Cash Secure

It uses the same security standards as banks (which is give or take these days) and lets you create a virtual debit card which you can use to purchase all the weird stuff you like to purchase online. You can set a spend limit (as if we have that kind of personal responsibility) or even set the card to be a one-time use card. So what this all means is that if a merchant is breached (like, I dunno, Target), the only thing that is exposed to scammers is a set of scrambled numbers that has nothing to do with your actual bank account. You can also use any name and any billing address for further security.

Woman sues bosses over fingerprint clock-in tech

A former employee at a nursing home is alleging the company and its equipment provider violated the US state of Illinois’ biometric privacy laws with a fingerprint-scanning time clock system. Judge Matthew Kennelly, of the northern Illinois district court, has agreed to hear the claims of Cynthia Dixon against Smith Senior Living and its equipment provider Kronos Inc. Dixon is suing for damages after what she claims is an invasion of privacy. Dixon claimed the violations as part of a larger negligence and pay violations claim against Smith, her former employer. The complaint includes the allegation that the clock-in system Smith used, a fingerprint scanning system from Kronos, collected, transmitted, and stored her prints without prior permission, a violation of the state’s Biometric Information Privacy Act (BIPA).
