AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets – June 26, 2018

Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe. Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user’s input. Google says none of the given metrics is capable enough to precisely identify if biometric data entered by a user is an attempt by an attacker to make unauthorized access using any spoofing or impostor attack. In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.

Smartphone batteries can reveal what you typed and read

A group of researchers has demonstrated that smartphone batteries can offer a side-channel attack vector by revealing what users do with their devices through analysis of power consumption. Both snitching and exfiltration were described in this paper (PDF), accepted for July’s Privacy Enhancing Technologies Symposium. Nobody needs to panic yet, because the attack isn’t yet more than a decently-tested theory and it would be hard to execute. But there’s also a real-world implication because the paper shows how a too-free API can help attackers in ways its designers never imagined.

Wish List and Cart Coming to the Windows 10 Microsoft Store

According to screenshots posted to Twitter, Microsoft is currently performing an A/B test of new features for the Microsoft Store. These features include a Wish List, shopping cart, and new navigation layouts. The addition of a Wish List and Cart to the Microsoft Store has been a popular request for some time, and it looks like Microsoft is gearing up to roll these out soon. To access the Wish List, users will be able to click on the Microsoft Store menu and select “My Wish List” as shown in the image below. This will open a screen titled “Wish List” that will contain a list of all the programs that have been added. It is not known at this time whether the wish lists will be publicly shareable so that friends and family can purchase items from the list.

Virtual Reality’s Role In Building The Next Generation Of Jails

Strolling down the hall of the brand new El Centro jail expansion, opened April 2018, Correctional Officer Sergio Romero points out the holding cells near the processing center, the strip search room, and the nursing station. Comprised of 274 beds, the jail is arranged in dormitories instead of the traditional cells, each with a restroom, laundry area, and a 150-foot outdoor exercise space. Every bathroom has modesty panels, so inmates can have some privacy when changing. At this point, I need to clarify that I’m not actually at the jail, but 600 miles away in a conference hall in Sacramento, attending the American Jail Association’s annual conference and jail expo. The jail I’m looking at is a virtual reality construction, used by Vanir Construction Management to aid in the building of the jail. In front of me, officer Romero is encased in an Oculus Rift, his movements in the jail broadcast onto a large screen above his head. It might seem like another industry is jumping on the VR bandwagon, but in this case, it has already proved surprisingly useful.

Supreme Court Says Fourth Amendment Applies to Cell Phone Tracking

The Supreme Court handed down a landmark opinion today in Carpenter v. United States, ruling 5-4 that the Fourth Amendment protects cell phone location information. In an opinion by Chief Justice Roberts, the Court recognized that location information, collected by cell providers like Sprint, AT&T, and Verizon, creates a “detailed chronicle of a person’s physical presence compiled every day, every moment over years.” As a result, police must now get a warrant before obtaining this data.

Bitcoin Hits New 2018 Low Amid Shaken Investor Confidence

Bitcoin dipped as low as $5,787 Sunday afternoon, marking the cryptocurrency’s lowest price so far in 2018. Bitcoin’s low had previously been set at $5,947 on February 6th, according to Coindesk’s price index, in the midst of a sharp dip. But the current bear trend, a slower grind driven by global regulatory scrutiny, allegations of market manipulation, and battered investor sentiment, may prove more sustained — despite a bounce that followed the new low. Sunday’s low marked a more than 70% decline in the value of Bitcoin since December of 2017, when the digital token’s value stopped just short of $20,000.

How to Quickly Identify and Delete iPhone Apps You Don’t Use Anymore

To get to the apps on your phone go into the Settings menu and then select “General” followed by “iPhone Storage.” When you do, your device will list all of the apps you currently have installed on your device with the largest of those listed first. If you scroll down, you’ll see a “Last Used” date below each app that lists the last time you opened it. If it’s been a few months, it might be time to part ways with it.

In private briefings, U.S. government raises concerns over Huawei and ZTE

The U.S. government has been quietly warning technology companies about the security risks posed by doing business with Huawei and ZTE, two Chinese telecommunications firms that are closely linked with China’s government. Sen. Marco Rubio, R-Fla., told CyberScoop Thursday at a national security conference that the government is holding classified briefings to warn private companies of the intelligence concerns. He said the companies that have been briefed are aware of the concerns, but are also “prioritizing market access.”

Restaurant chain PDQ says customers’ credit card info was hacked

In a statement posted to the company’s website, the chain disclosed that it had been targeted and that the breach lasted nearly a year, from May 19, 2017 to April 20, 2018. “We have been the target of a cyber-attack,” said the online statement, which has a June 2018 date. “An unauthorized person (hacker) exploited part of our computer related system and accessed and or acquired personal information from some of our customers.” According to the company’s website, it has at least 10 restaurants in the Triangle, including locations in North Raleigh, Wake Forest, Cary, Durham and Fayetteville. The company also has a location at PNC Arena in Raleigh, but officials said that location along with two others in Tampa, Florida were not affected by the cyber hack.


Organizations typically consider two figures when attempting to calculate the cost of a ransomware attack: the ransom demand and the cost of recovering data. But more goes into restoring a system than those two factors, judging from the recovery efforts organizations mounted following recent ransomware attacks. Temporary staff increases, consulting services and lost business productivity and revenue are a few of the other considerations that security executives need to keep in mind. To help determine the true cost of a ransomware attack, we reviewed a few to find out how much was spent on getting networks back online and what other expenses businesses incurred as a result of the attack.

White House picks new chief to oversee cyber-weapons group

The White House has a new leader of a largely secretive government group that decides whether software and hardware vulnerabilities should be withheld from the public to help the government conduct cyber operations. Grant Schneider, the federal chief information security officer and senior director at the National Security Council, was named head of the Vulnerabilities Equities Process (VEP) board. The group determines if the government should withhold so-called zero day flaws, which are previously undiscovered security bugs that have not yet been patched. The government uses the board to decide which flaws it can use to conduct surveillance — or to disclose to the public.

Not hackers, but exes are remotely controlling smart devices as a form of domestic abuse

Citing interviews with abuse victims, lawyers, shelters, and emergency responders, The New York Times explained how smart devices are being used by abusers to exert power, “being used as a means for harassment, monitoring, revenge and control.” The report also said most smart home abuse victims are women, as it is men who install the devices and have the corresponding apps on their phones. Ruth Patrick, who runs a domestic violence program in Silicon Valley, told The New York Times that some clients were actually put on psychiatric holds – their mental health evaluated – after abuse involving connected home devices.

Apple pushes back on hacker’s iPhone passcode bypass report

Despite several requests for comment, Apple spokesperson Michele Wyman said Saturday: “The recent report about a passcode bypass on iPhone was in error, and a result of incorrect testing.” Apple did not say why it disputed Hickey’s findings, which he reported to the company Friday, before tweeting. We reported Friday on Hickey’s findings, which claimed to be able to send all combinations of a user’s possible passcode in one go, by enumerating each code from 0000 to 9999, and concatenating the results in one string with no spaces. He explained that because this doesn’t give the software any breaks, the keyboard input routine takes priority over the device’s data-erasing feature. But Hickey tweeted later, saying that not all tested passcodes are sent to the device’s secure enclave, which protects the device from brute-force attacks.

Switch-hacking trolls reportedly loading pornographic profile pictures

Nintendo only lets users choose from a limited number of preset profile pictures (or custom-made Miis) for their online avatar on the Switch network. So at least one Reddit user was quite surprised to see pornographic profile pictures showing up on the user-placed balloons in Super Mario Odyssey’s online “Balloon World” mode. “The picture was changed several times over the course of my time patrolling, each picture being pornographic content,” Redditor ewaison writes, including links to (censored) screenshots of the offending profile pictures in their post. “There are multiple [sic] of these balloons all being made by the same user. This is obviously intentional, and made to upset children.” The reported imagery seems to trace its source back to the recent leak of an internal Switch developer menu online.


The DNS rebinding flaw reported in Google Home and Chromecast devices earlier this week is about to get a patch — but the same type of flaws have come to light for other top-name consumer Internet of Things devices, from Roku and Sonos. Fortunately, Roku has already started deploying its update, while Sonos said it will issue a patch in July. If exploited, the devices are open to attacker hijacks, thanks to two common IoT issues: One, many IoT devices don’t require authentication for connections received on a local network; and two, locally, HTTP is often used to configure or control embedded devices.

8 Security Tips for a Hassle-Free Summer Vacation

It’s easy to let your security guard down when you’re away on vacation. Worries about credit cards, online bank accounts, and sensitive medical information getting into the wrong hands tend to fall by the wayside. Hackers know that, too. Lurking in the ether, they’re waiting for you to make a misstep. “We don’t want to discourage travel, but people need to understand that when you travel, your security is at a higher risk than normal,” says Daniel Eliot, director of small business programs at the National Cyber Security Alliance. What’s a traveler to do? Eliot, along with T. Frank Downs, director of SME cybersecurity practices at ISACA, offer eight security tips that corporate users and home office workers can use to stay safe this summer.
