
AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – March 14, 2019

1 A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates

A major operational error by GoDaddy, Apple, and Google has resulted in the issuance of at least 1 million browser-trusted digital certificates that don’t comply with binding industry mandates. The number of non-compliant certificates may be double that number, and other browser-trusted authorities are also likely to be affected. The snafu is the result of the companies' misconfiguration of the open source EJBCA software package that many browser-trusted authorities use to generate certificates that secure websites, encrypt email, and digitally sign code. By default, EJBCA generated certificates with 64-bit serial numbers, in keeping, it seemed, with an industry mandate that serial numbers contain 64 bits of output from a secure pseudo-random number generator. Upon further scrutiny, engineers discovered that one of the 64 bits must be a fixed value to ensure the serial number is a positive integer. As a result, the EJBCA default produced a serial number with 63 bits of entropy.
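The arithmetic behind the 63-bit result, as an added example (this is not EJBCA code; the function names and sample serials are constructed for illustration). A DER integer is two's complement, so a positive serial confined to 8 octets has its top bit fixed at 0; the sketch shows the encoding, a generator that leaves room for at least 64 random bits, and a width check over an issuer's serials.

```python
import secrets

def der_integer_content(n: int) -> bytes:
    """Minimal DER INTEGER content octets for a positive serial number."""
    if n <= 0:
        raise ValueError("serial numbers must be positive")
    # DER integers are two's complement: the top bit of the first octet is the
    # sign bit, so a positive value needs it to be 0 (a 0x00 octet is prepended
    # when the value's own top bit would otherwise be 1).
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def max_random_bits(octets: int) -> int:
    """Upper bound on random bits in a positive serial encoded in `octets` octets."""
    return octets * 8 - 1

def new_serial(octets: int = 16) -> int:
    """Positive serial from the OS CSPRNG; 16 octets carries 127 random bits."""
    if not 9 <= octets <= 20:  # 8 octets tops out at 63 bits; RFC 5280 caps at 20
        raise ValueError("serial length must be 9..20 octets")
    while True:
        n = secrets.randbits(max_random_bits(octets))
        if n:  # zero is not a valid serial
            return n

def audit_issuer(serials_hex):
    """Report the widest serial seen for one issuer.

    Necessary condition only: width shows how many random bits could fit,
    not that the bits actually came from a CSPRNG.
    """
    widest = max(int(s.replace(":", ""), 16).bit_length() for s in serials_hex)
    return {"max_bits": widest, "octets": widest // 8 + 1,
            "can_hold_64_random_bits": widest >= 64}

# Constructed sample serials (not taken from any real certificate).
ISSUER_A = ["3f:9a:12:7c:55:e0:01:bb", "7e:01:22:33:44:55:66:77",
            "05:ab:cd:ef:01:23:45:67"]            # 8-octet serials
ISSUER_B = ["4b:1d:90:6e:a2:37:c8:05:f1:6a:3c:99:0b:e4:72:d8",
            "12:00:5e:77:a9:c3:41:0f:88:d2:6b:39:f0:17:ac:e5"]  # 16-octet serials

if __name__ == "__main__":
    print("8-octet ceiling:", max_random_bits(8), "bits")
    print("issuer A:", audit_issuer(ISSUER_A))
    print("issuer B:", audit_issuer(ISSUER_B))
    print("fresh serial:", der_integer_content(new_serial()).hex())
```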

 

2 Chrome Adds Pro-Privacy Search Engine Options As Google Faces Antitrust Scrutiny

Here’s a change in Google’s Chrome browser that’s raising eyebrows: In 60 global markets, Chrome now includes the option of using pro-privacy competitor search engine DuckDuckGo. The change, first spotted by TechCrunch, is written into Chromium 73, the recently released version of the Chromium engine that is the open source foundation of the Chrome browser as well as several other browsers. It was initially a quiet addition with no announcement, but the change has received a ton of attention in the hours after it went live. A Google spokesperson explained that “starting Chrome M73, we have updated the list of default search engines available in Chrome settings. The new list is based on popularity of search engines in different locales, determined using publicly available data.”

 

3 Facebook Data Deals Are Under Criminal Investigation

Facebook is under criminal investigation for massive data deals between the social media giant and many of the world’s biggest technology firms, according to a Wednesday evening report in the New York Times. Facebook confirmed the investigations in a statement. “We are cooperating with investigators and take those probes seriously,” a Facebook spokesman told the Times on Wednesday. “We’ve provided public testimony, answered questions and pledged that we will continue to do so.” The exact focus of the investigation, however, remains unknown. Facebook did not respond to questions about the focus or nature of the investigation.

 

4 Cover the PIN Pad While Using a Drive-Up ATM

Skimming scams are everywhere, but according to Krebs on Security, there’s another component to them that’s easy to prevent—scammers recording your PIN number. “Very often the most clever component of your typical ATM skimming attack is the hidden pinhole camera used to record customers entering their PIN,” writes Krebs. “These little video bandits can be hidden 100 different ways, but they’re frequently disguised as ATM security features — such as an extra PIN pad privacy cover, or an all-in-one skimmer over the green flashing card acceptance slot at the ATM.” Krebs writes that this is particularly common at drive-up ATMs, and people who use them can become easy prey for scammers. One simple solution: Cover the PIN pad with your hand, bag or something else, just as you would at a walk-up ATM.

 

5 Man arrested for showing up at YouTube and threatening violence over deleted account

A man was arrested this past Sunday after showing up to Google’s Mountain View, Calif. headquarters and threatening violence over his belief that YouTube had deleted his account and the single video he had posted to it, BuzzFeed News reported today. Unfortunately for the man, 33-year-old Kyle Long, it was actually his wife who deleted the account. She then told him it was likely Google’s doing because she feared how he might react. Not only that, but Long had driven all the way from Maine, more than 3,300 miles, on his mission. Long’s video was apparently some type of get-rich-quick guide, a video his father, Kevin Long, characterized as “rambling” and “bizarre.”

 

6 'Yelp for conservatives' MAGA app leaks users data

A new mobile app described as the "Yelp for conservatives" is leaking user records and business reviews, according to a French security researcher. The app, named "63red Safe," features a motto of "keeping conservatives safe" and was launched over the weekend on the Apple and Google mobile app stores. The app describes itself as a service where users can read or write "reviews of local restaurant and businesses from a conservative perspective, helping insure[sic] you're safe when you shop and eat!" In media interviews, Scott Wallace, the app's creator, said he built the app after a series of incidents where conservatives were forced to leave or take MAGA gear off to eat at restaurants or enter various businesses across the US.

 

7 Washington Privacy Act Passes State Senate

On March 6, the Washington state Senate voted 46-1 to approve the Washington Privacy Act (WPA or the Act), otherwise known as SB 5376.  If the bill passes the House, the bill would become the second comprehensive state privacy legislation behind the California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020.  The bill would provide consumer rights, impose obligations on businesses collecting and selling personal information, and create an office of privacy and data protection to interface with state agencies on data privacy and data protection policy matters.  The bill draws from the CCPA and the European Union’s General Data Protection Regulation (GDPR).

 

8 Woman breaks pi world record

The value of the number pi has been calculated to a new world record length of 31 trillion digits, far past the previous record of 22 trillion. Emma Haruka Iwao, a Google employee, found the new digits with the help of Google's cloud computing service. Pi is the number you get when you divide any circle's circumference by its diameter. The first few digits – 3.142 – are the most commonly known but the number is infinitely long. Extending the known sequence of digits in pi is very difficult because the number follows no set pattern. Pi is used in engineering, physics, supercomputing and space exploration – because its value can be used in calculations for waves, circles and cylinders.
