AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – March 1, 2019

1 U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms

The U.S. military blocked Internet access to an infamous Russian entity seeking to sow discord among Americans during the 2018 midterms, several U.S. officials said, a warning that the Kremlin’s operations against the United States are not cost-free. The strike on the Internet Research Agency in St. Petersburg, a company underwritten by an oligarch close to President Vladimir Putin, was part of the first offensive cyber-campaign against Russia designed to thwart attempts to interfere with a U.S. election, the officials said. “They basically took the IRA offline,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss classified information. “They shut them down.”


2 Topps.com Sports Collectible Site Exposes Payment Info in MageCart Attack

Last week, the sports trading card and collectible company Topps issued a data breach notification stating that it was affected by an attack, which possibly exposed the payment and address information of its customers. This type of attack is called a MageCart attack, which is when attackers hack a site to inject a malicious script into a site's checkout or cart pages. When a visitor enters their payment and address information, this script will copy the submitted data and send it to a remote server for the attackers to collect. According to the data breach notification, on December 26th, 2018, Topps became aware of an unauthorized third-party that had hacked their site. Upon further investigation, it was discovered that these intruders added a malicious script that was active from November 19, 2018 to January 9, 2019.


3 DARPA wants robots that humans will trust

With robots expected to be an increasingly common presence on the battlefield, DARPA launched an ambitious program: is it possible for robots to quickly earn the trust of humans? Officially the “Competency-Aware Machine Learning,” DARPA’s stated aim is to “develop machine learning systems that continuously assess their own performance in time-critical, dynamic situations and communicate that information to human team-members in an easily understood format.” Or, in plain language, DARPA wants a way for robots to figure out how they’re doing, quickly, and then let people know by talking to them.


4 Senator Seeks Input on Health Care Cyber Strategy

Sen. Mark Warner, D-Va., is on a mission to strengthen the cybersecurity posture of the nation’s health care sector and is starting by soliciting feedback from the sector itself. The senator sent a letter to 12 health care organizations, including hospital and insurance associations and the cybersecurity information sharing and analysis organizations, or ISAOs, that cover the medical industry. “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector,” Warner wrote. “In the coming weeks I plan to seek broad input from leading public and private health care entities. I am reaching out to you to start that dialogue.”


5 Senate demands Google CEO answer for hidden Nest microphone

The microphone's existence became apparent after Google announced earlier this month it was bringing its Assistant software to the Nest Secure. The Assistant, which lets people check flight information or turn off the lights in their houses, relies heavily on voice commands — and a microphone — when it's on devices without screens. At the time, Google said it was an "error" that the microphone was omitted from the product specs. The company also said the mic has never been activated. But that hasn't satisfied committee members, who wrote a letter to Pichai demanding more information.


6 Ring Doorbell Flaw Opens Door to Spying

A serious flaw in the popular Ring smart doorbell could allow an attacker on a shared WiFi network to spy on families’ video and audio footage, according to researchers. Ring Doorbell is a popular home security device acquired by Amazon. Researchers with BullGuard discovered a way to launch a man-in-the-middle hack against the smart doorbell app, enabling arbitrary surveillance and even the injection of counterfeit video traffic. “The attack scenarios possible are far too numerous to list, but for example imagine capturing an Amazon delivery and then streaming this feed,” said Or Cyngiser, cyber security researcher with Dojo by BullGuard, in a Wednesday post. “It would make for a particularly easy burglary.”


7 Web hacker 'Alfabeto Virtual' thrown in the clink for 3 months

A US judge this week sentenced website hacker Billy Anderson to three months behind bars, refusing his lawyer's request not to put him in jail, in order to "send a message" to others. Anderson, 42, of Torrance, California, targeted thousands of websites under the hacker name AlfabetoVirtual, and boasted about his efforts on a hacking forum. But it was when he brought down the website of New York City's comptroller for nearly two days in 2015, leaving his pseudonym on the site, and broke into another belonging to military academy West Point the following year, that the authorities chased him down.


8 Facebook will introduce 'clear history' tool this year

Facebook Inc will introduce a tool allowing users to clear their browsing history this year, which will affect the company’s ability to target advertisements, Chief Financial Officer David Wehner told an investment conference on Tuesday. Facebook announced plans for a “Clear History” product last year, but technical challenges have delayed its implementation.


9 Coinhive In-Browser Cryptomining Service Shuts Down on March 8

The Coinhive cryptomining service, which was designed to offer web developers a JavaScript-based Monero miner, announced that it will discontinue its services on March 8, 2019. For developers, Coinhive is a JavaScript library designed to be loaded within a web app, allowing the website owner to use the CPU resources available on visitors' computers to mine for Monero (XMR). Among the reasons behind the service's shutdown, Coinhive mentions the last Monero hard fork, which led to a 50% decrease in hash rate, and the YoY depreciation of the XMR cryptocoin.
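Both the MageCart item above (a script injected into checkout pages) and the Coinhive item (a mining library loaded into a web app) come down to a page serving a script its owner never approved. The following defender-side check is an added example, not code from the original post or from any of the companies mentioned: it parses a page's script tags and flags any external source whose host is not on an allowlist, and any inline script whose SHA-256 is not in a known-good baseline (the same idea as a CSP script hash). The HTML, hostnames and baseline are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None  # _buf holds an open inline body
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def find_unexpected_scripts(html, allowed_hosts, known_inline_hashes):
    """Return (kind, detail) pairs for scripts not covered by the baseline."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:  # relative src (no host) is first-party
            findings.append(("external", src))
    for body in p.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:   # same idea as a CSP script hash
            findings.append(("inline", digest))
    return findings

# Constructed sample: a checkout page with two scripts the baseline never approved.
SAMPLE_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/js/cart.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
<script src="https://static.skimmer-host.example/jquery.min.js"></script>
<script src="https://miner-host.example/lib/miner.min.js"></script>
</head><body></body></html>"""
ALLOWED_HOSTS = {"cdn.shop.example"}
KNOWN_INLINE = {hashlib.sha256(b'window.shopConfig = {currency: "USD"};').hexdigest()}

def audit_sample():
    return find_unexpected_scripts(SAMPLE_HTML, ALLOWED_HOSTS, KNOWN_INLINE)
```

Run `audit_sample()` periodically against a fetched copy of each checkout page; a new finding is the signal to compare the live page against the deployed source.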


10 U.S. consumer regulator forms task force to monitor big tech

The Federal Trade Commission, under pressure to keep closer tabs on big tech companies such as Alphabet’s Google and Facebook, said on Tuesday it would create a task force to monitor the sector and investigate anticompetitive conduct. The FTC’s Bureau of Competition will put some 17 staff attorneys on the task force, which will consult on tech-related merger reviews, investigations and reviews of consummated tech deals. “It makes sense for us to closely examine technology markets to ensure consumers benefit from free and fair competition,” FTC Chairman Joe Simons said in a statement.


11 The Defense Department is also looking to build out its recruitment staff, officials told Congress

The government’s lengthy security clearance process is making it harder for the Defense Department to hire top tech and cyber talent, Pentagon officials told Congress on Tuesday. They also said the department has yet to take full advantage of the Cyber Excepted Service program, a special authority meant to make it easier to bring IT specialists into the workforce. As the Pentagon ramps up investment in artificial intelligence, cloud services and other emerging tech, its appetite for digital expertise is growing. But scant resources and surplus bureaucracy are hampering recruitment efforts, officials said, and the talent gap isn’t spread evenly across the enterprise.


12 Police bust their own radio shop manager for dodgy software updates

The manager in charge of Winnipeg’s police radios was arrested last Thursday for allegedly using fraudulent licenses to update the encrypted Motorola radios that police use to keep their conversations private, CBC News reports. According to court documents, an employee tipped authorities off about the alleged actions of Ed Richardson, who was the manager of the radio shop for the City of Winnipeg. The radio shop is in charge of repairing and maintaining radios used by the Winnipeg Police Service and Winnipeg Fire Paramedic Service. Richardson allegedly got his hands on millions of dollars’ worth of illegal licenses for the radios, which require frequent updates. Each of those software updates should have cost the city $94, but the informant said that Richardson didn’t like paying those fees to Motorola.


13 Predictive Modeling Could Help Fight Neighborhood Crime

"In any given neighborhood, there can be hundreds or even thousands of lines of sight that have to be analyzed while taking into account the surrounding architectural and landscape features that can obstruct an observer's viewpoint," Amiri said. "Our model is unique in that we can place a point anywhere we want and see in realistic three dimensions how visible that location is from its surroundings." Amiri used her model to analyze five years of data on the location of burglaries in Spokane to determine if there was a correlation between the visibility of entryways and the likelihood of them being broken into.


14 TikTok: Record fine for video sharing app over children's data

Short-form video sharing app TikTok has been handed the largest ever fine for a US case involving children's data privacy. The company has agreed to pay $5.7m (£4.3m) and implement new measures to handle users who say they are under 13. The Federal Trade Commission (FTC) said the Musical.ly app, which was later acquired and incorporated into TikTok, knowingly hosted content published by underage users. It has ordered TikTok to delete the data. Additionally, as of Wednesday, TikTok users in the US will be required to verify their age when they open the app.


15 A researcher made an elite hacking tool out of the info in the Vault 7 leak

Ronaldson, using Assassin as the model for his own intelligence-gathering tool, studied the leaked CIA documents and consulted with industry friends about how to make his own cyber-espionage weapon. Next week, nearly 16 months after he began the process, Ronaldson plans to unveil Overwatch Offensive during a presentation at the 2019 RSA Conference in San Francisco. Red teams probe corporate security defenses for vulnerabilities, getting paid to detect and report holes real-world adversaries could use for their own gain.


16 Dow Jones’ watchlist of 2.4 million high-risk individuals has leaked

A watchlist of risky individuals and corporate entities owned by Dow Jones has been exposed, after a company with access to the database left it on a server without a password. Bob Diachenko, an independent security researcher, found the Amazon Web Services-hosted Elasticsearch database exposing more than 2.4 million records of individuals or business entities. The data, since secured, is the financial giant’s Watchlist database, which companies use as part of their risk and compliance efforts. Other financial companies, like Thomson Reuters, have their own databases of high-risk clients, politically exposed persons and terrorists — but have also been exposed over the years through separate security lapses.


17 Georgia House OKs Touchscreen Voting Machines Amid Opposition

New voting machines that print paper ballots would soon be installed statewide in Georgia, according to a bill approved by the state House on Tuesday. The House voted 101-72 on a bill to replace the state’s 27,000 electronic voting machines with a $150 million voting system that uses touchscreens, printers and optical scanners. The legislation now advances to the state Senate. Voters would pick their candidates on touchscreens, which are attached to printers that would print ballots for voters to review for accuracy. Then they’d insert their ballots into separate scanning machines for tabulation.


18 YouTube disables comments on videos with kids after reports of predatory behavior

YouTube will shut off comments on videos featuring “younger minors and videos with older minors at risk of attracting predatory behavior,” according to a statement from the company. It’s an effort to stamp out predatory behavior from viewers that included salacious notes in the comments section of videos featuring underage kids. Last week, TechCrunch confirmed reports which first arose on Reddit about the existence of a soft-core pedophile ring that was communicating via YouTube’s comments section and disseminating videos of minors by gaming the company’s search algorithms.


19 The Volvo Polestar 2 is the first Google Android car

Volvo's newest brand, Polestar, took the wraps off the Polestar 2 yesterday, the company's all-electric Tesla Model 3 fighter. Polestar has done some interesting rethinking of how a car should work (The car starts via a chair-mounted pressure switch! It has a crazy ownership subscription plan!). And one of the more wide-ranging features is in the infotainment system: this is the first car with Android Auto built in. Previously, we've seen a smartphone app from Google called "Android Auto" that, like Apple's CarPlay, runs on your smartphone and uses the car display as an external monitor. This project with Polestar is a full-blown operating system instead of a single app, and it is built into the car's hardware instead of running on your smartphone. It doesn't really have a name yet. Volvo was just calling it "Android," and Google in the past has referred to it as both "Android Automotive" and "Android Auto built-in."


20 Get Ready for Foldable Smartphones, Because They're About To Be Everywhere

For a peek at the cutting-edge smartphones you can expect to see (and even buy) later this year, look no further than Mobile World Congress, the annual Super Bowl of the handset world. And one clear trend from this year’s MWC, which wraps up Feb. 28, is the rise of “foldable” smartphones. With the appearance of a regular handset but the ability to open up to become more tablet-like, foldable smartphones are looking like the next big thing in gadgetdom. But will they be a bona-fide hit with consumers, or quickly relegated to the proverbial junk drawer of tech history?
