AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets – March 20, 2019

1 Home DNA kit company now lets users opt out of FBI data sharing

FamilyTreeDNA emailed users last week to let them know that they can now opt out of DNA matching used to help police identify the remains of deceased people or track down violent criminals. It now calls that type of investigative DNA research Law Enforcement Matching (LEM). The gene-matching company also set up a separate process for police to upload genetic files to the database. Police-uploaded files may now be used only to identify a dead person or the perpetrator of a homicide or sexual assault.


2 Google Open Sources Sandboxed API

It’s not uncommon for applications to be affected by memory corruption or other types of vulnerabilities that can be exploited for remote code execution and other purposes. Running the code that processes untrusted input inside a sandbox restricts it to only the resources it actually needs, which mitigates the impact of a flaw: an exploit is contained in the restricted environment and cannot reach other software components, files or the network. While sandboxing can be highly useful, Google says it is often not easy to implement. That is why the internet giant has decided to open source its Sandboxed API, which should make it easier to sandbox C and C++ libraries. The company has also open sourced its core sandboxing project, Sandbox2, which can be used on its own to secure Linux processes.
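The containment the paragraph describes can be shown in a few dozen lines on Linux. The following is an added example written for this post, not code from Google's Sandboxed API or Sandbox2: it forks the untrusted parser into a child process and installs a seccomp-bpf filter that allows only read, write, exit and exit_group, so any other system call kills the child. The parser, its "PWN" trigger string and the /etc/passwd read it attempts are constructed stand-ins for a compromised library; the filter also omits the architecture check a production filter needs, which is noted in the code.

```c
/* Added example (not Sandboxed API / Sandbox2 code): fork + seccomp-bpf
 * to contain an untrusted parser. Linux only; assumes glibc or musl. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* pre-4.14 headers: falls back to KILL */
#endif

/* Allow only the syscalls the parser legitimately needs; kill on anything else.
 * Caveat (simplification for this example): a production filter must also load
 * and check seccomp_data.arch so syscall numbers are not misread for another ABI. */
static int install_filter(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read,       3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write,      2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit,       0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* NO_NEW_PRIVS lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Constructed stand-in for a vulnerable library. On the hypothetical trigger
 * "PWN" it behaves like compromised code trying to read a file it should
 * never touch. A direct syscall is used so libc wrappers (open -> openat)
 * do not matter for the demonstration. */
static size_t untrusted_parse(const char *input) {
    if (strstr(input, "PWN") != NULL) {
        syscall(SYS_openat, AT_FDCWD, "/etc/passwd", O_RDONLY);
    }
    return strlen(input); /* the honest work: "parse" = count bytes */
}

/* Run the parser in a filtered child. Returns 0 if the child finished
 * cleanly, 1 if seccomp killed it (escape attempt contained), -1 on error.
 * A real design would return parse results to the parent over a pipe/RPC. */
int run_sandboxed(const char *input) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        (void)untrusted_parse(input);
        _exit(0); /* exit_group is on the allow list */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return -1;
}

int main(void) {
    printf("benign input  -> %d (0 = completed)\n", run_sandboxed("hello"));
    printf("hostile input -> %d (1 = killed by seccomp)\n", run_sandboxed("hello PWN"));
    return 0;
}
```

The filter is the whole policy here; Sandbox2 layers namespaces, resource limits and a supervised IPC channel on top of the same seccomp mechanism, which is why the paragraph calls rolling your own "not easy".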


3 Education and Science Giant Elsevier Left Users’ Passwords Exposed Online

Elsevier, the company behind scientific journals such as The Lancet, left a server open to the public internet, exposing user email addresses and passwords. The impacted users include people from universities and educational institutions from across the world. It’s not entirely clear how long the server was exposed or how many accounts were impacted, but it provided a rolling list of passwords as well as password reset links when a user requested to change their login credentials. “Most users are .edu [educational institute] accounts, either students or teachers,” Mossab Hussein, chief security officer at cybersecurity company SpiderSilk who found the issue, told Motherboard in an online chat. “They could be using the same password for their emails, iCloud, etc.”


4 MySpace loses 12 years worth of photos, songs & video files

The once prominent social network MySpace last made headlines in 2016, when it suffered a massive data breach in which the personal data of 427 million users, including emails and passwords, was stolen and leaked online. Now it has been revealed that MySpace has lost another trove of user data, this time because of a server migration project rather than a breach. A banner on the site’s homepage announces that audio, video and photos uploaded more than three years ago may no longer be available. In a tweet, former Kickstarter CTO Andy Baio said that “Myspace accidentally lost all the music uploaded from its first 12 years in a server migration, losing over 50 million songs from 14 million artists.”


5 AI identifies which primates could be carrying the Zika virus

Zika, a species of the genus flavivirus spread mostly by mosquitoes, is associated with mild symptoms in most adults, but with more severe complications in pregnant women and young children. It’s linked to microcephaly, a birth defect in which the brain doesn’t develop properly, which in rare cases can cause paralysis and death. Mosquitoes aren’t the only animals that harbor Zika; primates do as well. With that in mind, and in an effort to predict the disease’s spread, researchers at IBM and the Cary Institute of Ecosystem Studies used machine learning techniques to develop models that isolate likely carriers. They explain their work in a paper published in the journal Epidemics.


6 Why Metro is trying to hack into its own railcars

Metro plans to hack its own new 7000 Series railcars over the next few months to figure out whether missing cybersecurity requirements in the contract left Metro data exposed or riders at risk. The “penetration testing” will be completed by the end of August, according to management’s response to Metro’s Office of Inspector General. The last of the 748 new railcars are due to be delivered within the next year. “While it is too late to affect the procurement, we will be able to leverage this test to identify any severe cybersecurity vulnerabilities in those cars and begin the process of remediation,” the management response said. Such “white hat” hacking is a common cyber defense tool, and it’s extremely important now because Metro had no specific cybersecurity requirements in place for contracts beyond some vague references, Inspector General Geoff Cherrington said.


7 Round 4: Hacker returns and puts 26Mil user records for sale on the Dark Web

A hacker who has put up for sale over 840 million user records in the past month has returned with a fourth round of hacked data that he's selling on a dark web marketplace. This time, the hacker has put up for sale the data of six companies, totaling 26.42 million user records, for which he's asking 1.2431 bitcoin ($4,940). The hacker goes by Gnosticplayers, and since February 11 he has put up for sale data from 32 companies in three rounds [stories on Round 1, Round 2, and Round 3] on Dream Market, a dark web marketplace. Today, the hacker published a new batch of files from six new companies, namely game dev platform GameSalad, Brazilian book store Estante Virtual, online task manager and scheduling apps Coubic and LifeBear, Indonesian e-commerce giant Bukalapak, and Indonesian student career site YouthManual.


8 Desperate to get through to executives, some cybersecurity vendors are resorting to lies and blackmail

The cybersecurity vendor marketplace is growing so crowded that some companies have been resorting to extreme tactics to get security executives on the phone to pitch their products, including lying about security emergencies and threatening to expose insignificant breaches to the media. The aggressive tactics come as the cybersecurity market expands dramatically, with a “long tail” of thousands of vendors with niche specialties. These sales tactics can make it harder for overworked cybersecurity execs to find and stop real threats. They can also result in overhyped publicity about breaches and hacks that are actually minor, which confuses customers and consumers.