AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets – March 28, 2019

1 Lexus, Toyota, Ford and Porsche panned for 'poor' keyless car security

Keyless car security systems in Lexus, Toyota, Ford and Porsche cars have been labelled ‘poor’ following a test by experts at Thatcham Research. And security on the Suzuki Jimny was found to be so bad that Thatcham labelled it "unacceptable". The poor security of the vehicles leaves them vulnerable to relay attacks, whereby thieves use wireless devices to activate cars' remote central locking keys, opening vehicles' doors and enabling them to drive off. Thatcham's latest research is the result of tests on eleven new cars conducted as the company launches a new rating system intended to provide better guidance on their security. Traditionally, it has focused on security systems rather than cars.

 

2 Opera brings back free VPN service to its Android browser

Opera announced on Wednesday that it’s added its free Virtual Private Network (VPN) service to its Android browser app …again. The Norwegian browser maker offered a stand-alone, built-in VPN service before it was sold to a Chinese consortium, but it stopped working after the sale. Now, it’s back: the latest, VPN-bearing, mobile browser version – Opera for Android 51 – is available now in the Google Play store or on Opera.com. The company hasn’t given any hints about whether it’s planning to bring the VPN to its iOS browser. The VPN is free, unlike private VPN services for which you have to pay additional fees, Opera stressed. It’s also easy: users don’t have to sign in every time they want to use it; all you have to do is hit a switch.

 

3 FTC tells ISPs to disclose exactly what information they collect on users and what it’s for

The Federal Trade Commission, in what could be considered a prelude to new regulatory action, has issued an order to several major internet service providers requiring them to share every detail of their data collection practices. The information could expose patterns of abuse or otherwise troubling data use against which the FTC — or states — may want to take action. The letters requesting info (detailed below) went to Comcast, Google, T-Mobile and both the fixed and wireless sub-companies of Verizon and AT&T. These “represent a range of large and small ISPs, as well as fixed and mobile Internet providers,” an FTC spokesperson said. I’m not sure which is meant to be the small one, but welcome any information the agency can extract from any of them.

 

4 FEMA Defends Actions Following Data Release Affecting 2.3 Million Disaster Victims

On Friday night, FEMA Press Secretary Lizzie Litzow released a statement saying that the agency had identified the data breach “in coordination” with the IG. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” she said: “To date, FEMA has found no indicators to suggest survivor data has been compromised. FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with [DHS] cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”

 

5 Massive Airport Computer Outage Led to Bad Morning for American, JetBlue, Alaska Airlines Flyers

Even TSA pre-check couldn’t help flyers avoid massive lines and delays at airports across the U.S. Tuesday morning due to a major—albeit temporary—computer outage impacting JetBlue, American, and Alaska Airlines that left passengers and gate attendants alike unable to check into flights and access online information. Sabre, a Texas-based tech company that provides support to the aforementioned airlines, took responsibility and apologized for the since-resolved technological glitch in an early afternoon tweet, noting it “experienced a system issue that impacted some customers.” Although the company didn’t specify the cause of the malfunction, or how long it lasted, some airlines began fielding customers’ concerned tweets about being unable to access the companies’ websites beginning around 9 a.m. ET.

 

6 Most Famous Dark Web Marketplace that Sells Hacking tools & Malware about to Shut Down Next Month

The largest and most notorious dark web marketplace, Dream Market, announced that it is scheduled to shut down its operations on April 30, 2019. Dream Market has been around for six years; it was the largest marketplace on the dark web that deals with illegal drugs, taxonomic chemicals, stolen documentation, hacking tools, malware, ransomware and more. Threat actors recently listed sales of SSL/TLS certificates in Dream Market, Wall Street Market, BlockBooth and Nightmare Market. Also, in the case of the hacker who stole 620 million user data from 16 popular websites, further investigation suggests the data appears to have been purchased from the infamous Dream Market. Threat actors who registered with dark markets reported that they received the following message from Dream Market: “This market is shutting down on 04/30/2019 and is transferring its services to a partner company, onion address.”

 

7 U.S. pushes Chinese owner of Grindr to divest the dating app

Chinese gaming company Beijing Kunlun Tech Co is seeking to sell Grindr, the popular gay dating app it has owned since 2016, after a U.S. government national security panel raised concerns about its ownership, according to people familiar with the matter. The Committee on Foreign Investment in the United States (CFIUS) has informed Kunlun that its ownership of West Hollywood, California-based Grindr constitutes a national security risk, the two sources said. CFIUS’ specific concerns and whether any attempt was made to mitigate them could not be learned. The United States has been increasingly scrutinizing app developers over the safety of personal data they handle, especially if some of it involves U.S. military or intelligence personnel.

 

8 U.S. Federal Reserve System Exposed to Increased Risk of Unauthorized Access

Federal Reserve Bank (FRB) systems are exposed to an increased risk of unauthorized access because of security weaknesses found in the U.S. Treasury Department's computing systems, according to a management report issued by the U.S. Government Accountability Office (GAO). GAO used "an independent public accounting (IPA) firm, under contract, to assist with information system testing, including follow-up on the status of FRBs’ corrective actions to address control deficiencies contained in our prior years’ reports that were not remediated as of September 30, 2017." As part of its audit for the fiscal year that ended on September 30, 2018, GAO performed an extensive review of all computing system controls over key financial systems maintained and operated by FRBs connected to the Schedule of Federal Debt.

 

9 Apple Pay is coming to major US transit systems this year

Apple's Monday press event was chock full of big announcements. The iPhone maker revealed it's now diving into news subscriptions, original video content, and even credit cards. But one major announcement that Apple snuck into its keynote presentation has a huge potential to change millions of people's lives. Apple revealed at its Monday press event that Apple Pay will be supported by the public transit systems in New York City, Portland, and Chicago starting later in 2019. Specific details on how it will work or when each city will get Apple Pay support were scant. The announcement was couched within a larger reveal of Apple's credit card and additional Apple Pay developments, so it wasn't a big priority during the presentation.

 

10 Philadelphia Is Building a $50 Million Esports Stadium

Professional gamers on the East Coast will soon have a stadium to call home. Philadelphia and Comcast announced plans to build a $50 million, 60,000-square-foot stadium dedicated to esports, set to open in 2021. The new stadium will be the home of Fusion, Comcast’s Overwatch League team, as well as a hub for East Coast gaming events. It will seat 3,500 and rest in the city's 47-acre stadium complex, down the street from the home of baseball’s Phillies and football’s Philadelphia Eagles. The message of the location is clear—esports may be new, but it’s quickly becoming just as popular as other, more traditional sports.

 

11 Verizon Set To Offer Free App To Block Robocalls, New Tech To Combat Spam

Verizon is getting ready to offer a free robocall blocking app at the end of this month, as it steps up efforts to combat the growing plague of spam calls. In 2019, pretty much everyone is on a robocaller's speed-dial list. That often means several spam calls per day. Verizon knows this of course. It already offers a paid blocking app for $2.99 a month. But the new freemium (free + premium) strategy means that in addition to the paid app, there will now be a free* version. Verizon expects to have instructions on how you can download and use the free app by the end of this coming week, I was told by Verizon.

 

12 Cybersecurity program launches for high school girls

A national cybersecurity program designed specifically for high school girls has launched, to encourage more females into the industry and reduce the digital skills gap. Girls need to be at least 13 years old and either in grade 9, 10, 11 or 12 to qualify. The program awards winning participants with cash prizes of up to $1,000 and college scholarships of $500. There are three stages to the program: CyberStart Assess, CyberStart Game and CyberStart Compete. The girls-only cybersecurity program Girls Go CyberStart, which has officially launched today, is the result of a partnership between 27 state governors and SANS Institute. It is designed to encourage more young women into the cybersecurity sector and reduce the digital skills gap in America.

 

13 Tech giants back bill that privacy advocates claim is toothless

Washington state is on the road to passing a privacy bill that tech giants think is great and that the American Civil Liberties Union (ACLU) thinks is toothless. Shankar Narayan, director of the Washington ACLU’s Technology and Liberty Project, clashed with the bill’s sponsor, Washington State Senator Reuven Carlyle, on Thursday during a panel discussion that featured privacy and antitrust experts. That panel was hosted by the Seattle media organization Crosscut. As Crosscut reports, Carlyle has said that his proposed bill, which will address how companies collect and share internet users’ data, borrows best practices from the privacy bills we now have: the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). The proposed bill recently cleared the Washington State Senate and is now being considered in the State House.

 

14 Facebook Blocks More Accounts Over Influence Campaigns

Facebook said Tuesday it shut down more than 2,600 fake accounts linked to Iran, Russia, Macedonia and Kosovo and aiming to influence political sentiment in various parts of the world. It was the latest effort by the leading social network to shut down "inauthentic" accounts on Facebook and Instagram seeking to influence politics in the US and elsewhere. Facebook said the accounts blocked in the four countries were not necessarily centrally coordinated but "used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing," said Nathaniel Gleicher, head of cybersecurity policy for the company. "We are constantly working to detect and stop this type of activity because we don't want our services to be used to manipulate people," Gleicher said in a blog post.

 

15 Microsoft exec bans company from pulling any dumb April Fools’ pranks

April 1 has long been a spectacularly annoying day to be alive, with brands falling over themselves to be "funny" and usually revealing themselves to be anything but. This was particularly striking in Google's 2016 mic drop feature on Gmail, where clicking the "mic drop" button sent a recipient a gif of a Despicable Me minion—a vile affront to humanity in and of itself—and then muted and archived the conversation, thus hiding any responses to it. Microsoft, for one, wants no part of this. In a move that can only be welcomed, Microsoft's Chief Marketing Officer Chris Capossela sent a company-wide e-mail (leaked to the Verge) imploring staff to refrain from creating any public-facing April Fools' Day stunts. Capossela writes that according to the company's data, the stunts have "limited positive impact" and can result in "unwanted news cycles."

 

16 Several webpages from Elections Canada and MPs lack basic data protections

Several Elections Canada webpages and personal websites from MPs don't have the basic encryption necessary to stop your information from being hacked as it's sent from point A to point B. Pages to request publications from Elections Canada, as well as the websites of Liberal, Conservative and NDP MPs use an outdated, unprotected chain to carry information you send to them through the network. Liberal Democratic Institutions Minister Karina Gould, Conservative Finance Critic Pierre Poilievre and the NDP's Ruth Ellen Brosseau had this deficiency on the "contact me" form that asks for personal information — like your email, name and address — before sending feedback to your MP. Gould and other Liberal MPs updated their sites after queries from CBC News.
