AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets – March 25, 2019

1 Don't have a heart attack but your implanted defibrillator can be hacked over the air

Medical gear maker Medtronic is once again at the center of a hacker panic storm. This time, a number of its heart defibrillators, implanted in patients' chests, can, in certain circumstances, be wirelessly hijacked and reprogrammed, perhaps to lethal effect. On Thursday, the US government's Dept of Homeland Security issued an alert over two CVE-listed vulnerabilities in Medtronic's wireless communications system Conexus, which is used by some of its heart defibrillators and their control units. Conexus exchanges data between implanted devices and their control units over the air using radio waves, with a range of roughly 25 feet without any signal boosting.

2 Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing a series of security failures in which employees built applications that logged unencrypted password data for Facebook users and stored it in plain text on internal company servers. That’s according to a senior Facebook employee who is familiar with the investigation and who spoke on condition of anonymity because they were not authorized to speak to the press.

3 D.C. Attorney General Calls for Expanding Data Breach Notice Law

The District of Columbia’s top lawyer has unveiled a proposal that would expand the city’s data breach notification law and give the attorney general’s office greater enforcement power. D.C. Attorney General Karl Racine (D) announced the Security Breach Protection Amendment Act March 21. It would regulate companies that faced “major data breaches that have put tens of millions of consumers, and hundreds of thousands of District residents, at risk of identity theft and other types of fraud.” Racine’s proposal comes as a growing number of states and territories are pushing for local privacy laws. California’s comprehensive privacy law will take effect January 2020, and states such as Washington and New York are looking to pass their own privacy standards.

4 Oregon reveals data breach affected hundreds in welfare, children’s programs

The Oregon agency that runs the state’s foster care and welfare programs announced on Thursday afternoon that the personal information of more than 350 people in those programs might have been compromised, after a Jan. 28 data breach. An unidentified attacker gained access to the state’s records after nine employees at the Department of Human Services opened so-called “phishing” emails and clicked on a link that allowed the outside party to gain access to their state email accounts, according to a state press release. The state did not say specifically how many Oregonians might be affected. It did say the breach involved their protected health information. Examples of the types of information that might have been compromised include first and last names, addresses, dates of birth, Social Security numbers and case numbers.

5 Vietnam’s premier hacking group ramps up targeting of global car companies

A Vietnamese hacking group has been aggressively targeting multinational automotive companies in an apparent bid to support the country’s domestic auto industry, researchers who closely track the group told CyberScoop. Since February, the group known as APT32 sent malicious lures to between five and 10 organizations in the automotive sector, according to Nick Carr, senior manager at cybersecurity company FireEye. FireEye “assesses with moderate confidence” that APT32’s latest activity is in support of “the Vietnamese government’s stated domestic vehicle and auto part manufacturing goals,” Carr said. It is unclear how successful the operation has been. Carr declined to say whether the lures led to compromises of the automotive organizations’ networks. What is clear is that FireEye mobilized resources in response to the threat.

6 Researchers built an ‘online lie detector’

In last month's issue of the journal Computers in Human Behavior, Florida State University and Stanford researchers proposed a system that uses automated algorithms to separate truths and lies, what they refer to as the first step toward "an online polygraph system—or a prototype detection system for computer-mediated deception when face-to-face interaction is not available." They say that in a series of experiments, they were able to train a machine learning model to separate liars and truth-tellers by watching a one-on-one conversation between two people typing online, while using only the content and speed of their typing—and none of the other physical clues that polygraph machines claim can sort lies from truth.

7 Instagram to block anti-vaccine hashtags amid misinformation crackdown

Instagram said Thursday it plans to block a slew of anti-vaccine hashtags amid an ongoing crackdown on medical misinformation on the platform. The company, which is owned by Facebook, shared its plans after media outlets inquired about anti-vaccine misinformation continuing to spread on the social media giant's platforms. Facebook three weeks ago unveiled plans to combat anti-vaccine content, including a pledge that it would no longer promote anti-vaccine posts on Instagram's search and "explore" features.

8 NIST pushes new encryption protocols for quantum, connected devices

The National Institute of Standards and Technology is inching closer to developing two new encryption standards designed to protect the federal government from new and emerging cybersecurity threats. Many experts believe the advanced computing capabilities of quantum computers will render most traditional encryption protocols used today obsolete. While true quantum computing is still decades away, the federal government is already preparing contingencies for how to defend its current IT assets and equipment from the threat.

9 FEMA mistakes put 2.3 million victims of hurricanes, wildfires at risk of ID theft, government watchdog says

FEMA improperly shared the personal data of some 2.3 million victims from four major 2017 disasters, a government watchdog report concluded. The agency's misstep has put the survivors of Hurricanes Harvey, Irma and Maria and the California wildfires "at increased risk of identity theft and fraud," according to the report from John V. Kelly, acting Inspector General for the Homeland Security Department. FEMA is a division of Homeland Security. The breach occurred because proper safeguards were not taken for disaster victims who participated in FEMA's program to provide transitional shelter to survivors left homeless, often placing them in hotels and other temporary lodging arrangements, the report said.

10 Congressmen urge FBI to investigate bots targeting veterans with fake news

Four congressmen urged the FBI on Tuesday to investigate “foreign entities” believed to be targeting servicemembers and veterans online with false information. Reps. Gil Cisneros, D-Calif., Don Bacon, R-Neb., Ted Lieu, D-Calif., and Greg Steube, R-Fla., wrote to FBI Director Christopher Wray, asking for an investigation into “suspicious” social media accounts that could be impersonating veterans service organizations. “Online influence and psychological operations against trusted civilian community leaders like our nation’s veterans are novel threats that demand law enforcement attention,” they wrote.

11 Thousands of Reddit users are trying to delete Google from their lives, but they're finding it impossible because Google is everywhere

Thousands of Reddit users have joined r/deGoogle, a community dedicated to surviving on the internet without Google. The goal is to try and avoid handing any personal information over to Google, and involves avoiding services like Google search, YouTube, Gmail, and Google Docs. The exercise shows how Google has come to dominate almost every aspect of how we use the internet. A privacy expert warned that the more people rely on Google, the more it can lock people into an ecosystem that sucks up data.