AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets – May 2, 2019

Instagram announced at its F8 developer conference today that it’ll start testing a new feature later this week that’ll hide users’ public like counts on videos and photos. The test will only be in Canada, and likes will be hidden in the Feed, permalinked pages, and on profiles. Instagram says it wants followers to “focus on the photos and videos you share, not how many likes they get.” Only the person who owns the account will be able to see how many likes their content received. We thought a feature like this might be in the works. Code hunter Jane Wong published screenshots of this test earlier this month, and at the time, Instagram said it hadn’t tested the feature. Now, we can see it was prepping for the test to run after F8. A spokesperson at the time said, “We’re not testing this at the moment, but exploring ways to reduce pressure on Instagram is something we’re always thinking about.”


2 Nine men arrested in United States for stealing millions through business email compromise and romance scams

Nine men have been arrested in the United States in connection with a string of scams that allegedly netted them a cool US $3.5 million. The men, who were arrested in New York, Florida, and Texas, are said to have stolen a fortune through a mixture of business email compromise (BEC) attacks and digital romance scams. According to a press release on the Department of Justice website, the men were involved in a “Russian oil scam” which tricked victims via email into an investment via an up-front wire transfer. Finally, lonely-hearted individuals were targeted with waves of intimate text messages and emails purporting to come from a woman interested in forming a romantic relationship.


3 Researchers Compromise Netflix Content in Widevine DRM Hack

A bug in the popular anti-piracy framework allows a side-channel attack on premium content. Researchers have used a proof-of-concept (PoC) side-channel attack to download an unencrypted raw file for Netflix’ Stranger Things, in a format that’s ready to distribute out to any buyer on the internet. This pirate’s booty is the result of breaking open the widely deployed digital rights management (DRM) framework known as Widevine, the DRM engine behind Netflix, Hulu and Amazon Prime, among others. By way of background, Widevine is an encryption method developed by Google but offered royalty-free to content creators and streaming services.


4 Local Credit Union Sues Fiserv Over 'Amateurish Security Lapses'

Fiserv, the leading bank core processor with 37% of the U.S. marketshare in 2018, is being sued by one of its own customers, the Bessemer System Federal Credit Union. Court documents filed in a Mercer County, Pennsylvania court on April 26, 2019 show Bessemer claiming that, "Despite Fiserv's claimed expertise, Fiserv has misreported Bessemer's account records and information, while being plagued with security vulnerabilities that affect the privacy of thousands of Bessemer's members." It adds, "Bessemer's member information has been subject to several instances of critical security vulnerabilities while in Fiserv's custody — each based on baffling and amateurish security lapses."


5 Facebook cares about privacy, for realsies, Zuckerberg swears

“I know that we don’t exactly have the strongest reputation on privacy right now, to put it lightly,” said Mark Zuckerberg from the F8 2019 stage. He was attempting levity, but the joke didn’t land, because it was true but not funny. However, the new and improved Facebook — the company and the site and the associated apps under the Facebook umbrella — are now all about privacy. Zuckerberg swears. The opening few minutes from Zuckerberg’s keynote on the F8 stage were essentially a rehash of his March blog post in which he espoused his “privacy-focused vision for social networking.”


6 Marine Commandant: You Can Have Purple Hair in Our New Cyber Force

The Marine Corps is creating a new cyber unit, the top officer said Monday, and you won't need to meet those strict Devil Dog hair regulations to join. The service will stand up a new cyber auxiliary, Commandant Gen. Robert Neller said at the Future Security Forum 2019 in Washington. "If anybody wants to join, you can sign up. You can have purple hair, too, but no EGA,” he said, referring to the Marines’ famous eagle, globe and anchor insignia. Since Neller said the members of the Marine Corps' new Cyber Auxiliary division won't earn the coveted symbol new Marines get after completing boot camp or earning their commission, this program is likely to be strictly for civilians or veterans.


7 Tesla sued by family of man killed in Autopilot-related crash

Tesla is being sued by the family of Wei “Walter” Huang, a software engineer who died when his Model X with Autopilot engaged crashed into a highway safety barrier in March 2018. In the complaint, the family claims that Huang’s Model X lacked safety features, such as an automatic emergency braking system. Such features are available on much less expensive vehicles from other carmakers as well as on more recent Model Xs, Huang’s family said. The Model X does come with automatic emergency braking, according to the owner’s manual. According to Bloomberg: The family also alleges that Tesla knew, or should have known, “that the Tesla Model X was likely to cause injury to its occupants by leaving travel lanes and striking fixed objects when used in a reasonably foreseeable manner.” The carmaker should have issued a recall or provided a warning “in light of the risk of harm,” the family said in the complaint.


8 Social Media Platforms Increasingly Popular With Cybercriminals

Fraud is one of the major challenges posed by the digital revolution and a new white paper by RSA Security suggests that social media is the perfect place for it to thrive. The U.S. information security company (which is part of the Dell family) released their annual “Current State of Cybercrime Report” for 2019, alerting readers to the growing trend of cybercriminals relying on social media platforms to commit fraud as well as securely communicate with each other about coordinating and automating their attacks. According to RSA, social media fraud attacks have increased by 43% over the last year alone and cybercriminals are constantly finding new ways to exploit these platforms.


9 Russian Citizen Indicted For $1.5 Million Cyber Tax Fraud Scheme

Earlier today in federal court in Brooklyn, an indictment was returned charging Anton Bogdanov, a citizen of Russia, with wire fraud conspiracy, aggravated identity theft and computer intrusion in connection with a scheme in which he and others used stolen personal information to file federal tax returns and fraudulently obtain more than $1.5 million in tax refunds from the Internal Revenue Service. Bogdanov was arrested on Phuket, Thailand, on November 28, 2018 pursuant to a provisional arrest request. He was extradited to the United States in March 2019. Bogdanov will be arraigned at a later date. “As alleged in the indictment, Bogdanov and his co-conspirators combined sophisticated computer hacking and identity theft with old-fashioned fraud to steal more than $1.5 million from the U.S. Treasury,” stated United States Attorney Donoghue. “This Office, together with our law enforcement partners, will use all our available resources to target and bring cybercriminals to justice, wherever they are.”


10 After account hacks, Twitch streamers take security into their own hands

Twitch has an account hacking problem. After the breach of popular browser game Town of Salem in January, some 7.8 million stolen passwords quickly became the weakest link not only for the game but gamers’ other accounts. The passwords were stored using a long-deprecated scrambling algorithm, making them easily cracked. It didn’t take long for security researcher and gamer Matthew Jakubowski to see the aftermath. In the weeks following, the main subreddit for Amazon-owned game streaming site Twitch — of which Jakubowski is a moderator — was flooded with complaints about account hijacks. One after the other, users said their accounts had been hacked. Many of the hijacked accounts had used their Town of Salem password for their Twitch account.


11 New Documents Reveal DHS Asserting Broad, Unconstitutional Authority to Search Travelers’ Phones and Laptops

The Electronic Frontier Foundation (EFF) and the ACLU today asked a federal court to rule without trial that the Department of Homeland Security violates the First and Fourth Amendments by searching travelers’ smartphones and laptops at airports and other U.S. ports of entry without a warrant. The request for summary judgment comes after the groups obtained documents and deposition testimony revealing that U.S. Customs and Border Protection and U.S. Immigration and Customs Enforcement authorize border officials to search travelers’ phones and laptops for general law enforcement purposes, and consider requests from other government agencies when deciding whether to conduct such warrantless searches.


12 A ‘Cyber Event’ Disrupted the Power Grid in California and Wyoming, But Don’t Panic Just Yet

On March 5, between 9 a.m. and 7 p.m. in some parts of California, Utah, and Wyoming, a “cyber event” caused the interruption of energy grid operations, according to a Department of Energy report first uncovered by E&E News. The report is cryptic at best, and the Department of Energy has not responded to a request by Motherboard for more information about the incident. A “cyber event,” according to infrastructure hacking experts, could be anything from hackers messing with the grid remotely, to a much less dramatic hardware or software bug. It’s also unclear which utility company suffered the incident, as the report does not specify. Patrick Miller, a critical infrastructure security expert, explained to Motherboard that utility companies have to report cyberattacks in an OE-417 Electric Emergency and Disturbance Report, a document put together by the Department of Energy to track energy incidents and emergencies. Miller said that the fact that the company reported the incident in an OE-417 means “it had to actually disrupt operations.”



As the Senate prepares to hold another hearing on potentially creating a comprehensive privacy framework, experts are urging legislators to go the extra step and create a standalone agency to enforce existing privacy regulations as well as any future laws. Various congressional committees have been convening hearings on privacy regulations, data breaches, and the possibility of building a privacy framework for several months now, without any tangible results. The mishmash of state data breach laws and industry specific privacy regulations can be difficult for enterprises to wade through, and privacy advocates and security experts have been urging Congress for many years to pass federal legislation, but it hasn’t happened. On Wednesday, the Senate Committee on Commerce, Science and Transportation will hold a hearing on the need for a federal privacy framework, with testimony from the American Civil Liberties Union, the Future of Privacy Forum, and the data protection commissioner from the Republic of Ireland.

