InfoSec News Nuggets 6/22/2020

To evade detection, hackers are requiring targets to complete CAPTCHAs CAPTCHAs, those puzzles with muffled sounds or blurred or squiggly letters that websites use to filter out bots (often unsuccessfully), have been annoying end users for more than a decade. Now, the challenge-and-response tests are likely to vex targets in malware attacks. Microsoft recently spotted an attack group distributing a malicious Excel document on a site requiring users to complete a CAPTCHA, most likely in an…
Read More

InfoSec News Nuggets 5/22/2020

COVID-19 contact tracing text message scams There’s no question, contact tracing plays a vital role in helping to stop the spread of COVID-19. But scammers, pretending to be contact tracers and taking advantage of how the process works, are also sending text messages. But theirs are spam text messages that ask you to click a link. Check out the image below. Unlike a legitimate text message from a health department, which only wants to let…
Read More

InfoSec News Nuggets 5/21/2020

REvil Ransomware found buyer for Trump data, now targeting Madonna The REvil ransomware group claims to have buyers ready for documents containing damaging information about US‌ President Donald Trump and is preparing to auction data on international celebrity Madonna. The hackers breached the network of Grubman Shire Meiselas & Sacks (GSMLaw), a law firm representing a huge number of A-list celebrities, stealing everything they considered of value before encrypting the data. After unfruitful negotiations with…
Read More

InfoSec News Nuggets 5/20/2020

Apple details its plan to safely reopen retail stores Apple’s head of retail Deidre O’Brien has posted a letter on the company’s website detailing how it plans to safely restart operations at its retail stores. Apple shut all of its stores outside Greater China in March as COVID-19 spread worldwide; all the Greater China stores reopened that same month, while Apple is still in the process of taking careful steps elsewhere. “Our commitment is to only move…
Read More

InfoSec News Nuggets 4/29/2020

Online auction of record-breaking whisky collection hit by cyber-attack A record-breaking online auction of rare whiskies has been postponed indefinitely after being targeted in a cyber-attack. The sale of Richard Gooding’s “The Perfect Collection” was marketed as “the largest and most unprecedented private whisky collection ever to be offered for public sale”. The first phase of the auction, consisting of more than 1,900 bottles, fetched more than £3.2m earlier this year. The second phase of…
Read More

InfoSec News Nuggets 4/27/2020

The pandemic is bringing us closer to our robot takeout future Robot deliveries remain rare enough that it's easy to dismiss them as curiosities. But that's a mistake. The technology works now. Starship already has hundreds of robots in service delivering food to real customers. Spurred by demand from locked-down customers, that number could soon soar to the thousands and eventually into the millions. With lower costs and no need to tip, robots could make…
Read More

InfoSec News Nuggets 4/22/2020

CFAA latest: Supremes to tackle old chestnut of what 'authorized use' of a computer really means in America If someone is authorized to use a computer – to access a database, for example – is that a blanket authorization, and can they use it so long as they continue to use their existing login? Or does it depend on the circumstances? Can someone’s authorization be dependent on the application's terms of service? The question may…
Read More

InfoSec News Nuggets 4/15/2020

Amazon stops accepting new online grocery customers amid surging demand Amazon will begin to put new grocery delivery customers on a wait-list and curtail shopping hours at some Whole Foods stores to prioritize orders from existing customers buying food online during the coronavirus outbreak, the company said on Sunday. Many shoppers recently seeking to purchase groceries from the Seattle-based ​e-commerce company found they could not place orders due to a lack of available delivery slots. Amazon…
Read More

InfoSec News Nuggets 4/13/2020

Facebook proposes 3D navigation task for training autonomous robots Researchers at Facebook, the Georgia Institute of Technology, and Oregon State University describe in a preprint paper published this week a new task for AI — navigating a 3D environment by listening to natural language directions (e.g., “Go down the hall and turn left at the wooden desk”). They say this could lay the groundwork for robot assistants that follow natural language instructions. The researchers’ task, which they…
Read More

InfoSec News Nuggets 4/10/2020

MIT develops privacy-preserving COVID-19 contact tracing inspired by Apple’s ‘Find My’ feature One of the efforts that’s been proposed to contain the spread of COVID-19 is a contact trace and track program, that would allow health officials to keep better tabs on individuals who have been infected, and alert them to potential spread. Contract tracing has already seemingly proven effective in some parts of the world that have managed to curb the coronavirus spread, but…
Read More

InfoSec News Nuggets 4/7/2020

Microsoft: Emotet Took Down a Network by Overheating All Computers Microsoft says that an Emotet infection was able to take down an organization's entire network by maxing out CPUs on Windows devices and bringing its Internet connection down to a crawl after one employee was tricked to open a phishing email attachment. "After a phishing email delivered Emotet, a polymorphic virus that propagates via network shares and legacy protocols, the virus shut down the organization’s…
Read More

InfoSec News Nuggets 3/31/2020

Leave the pandemic out of your phishing simulations, Cofense says to industry At least one anti-phishing company says it won’t be testing its customers with coronavirus-themed emails, out of concerns that it’s not socially responsible to play into fears around the current pandemic. Cofense says it has removed all COVID-19-themed spearphishing templates from its repository of attacks, and the Virginia-based company is recommending other organizations join it in a pledge to avoid using the global health crisis as fodder. Like other…
Read More

InfoSec News Nuggets 3/30/2020

Rare BadUSB attack detected in the wild against US hospitality provider A US hospitality provider has recently been the target of an incredibly rare BadUSB attack, ZDNet has learned from cyber-security firm Trustwave. The attack happened after the company received an envelope containing a fake BestBuy gift card, along with a USB thumb drive. The receiving company was told to plug the USB thumb drive into a computer to access a list of items the…
Read More

InfoSec News Nuggets 3/16/2020

1 - US is preparing to ban foreign-made drones from government use The Trump administration is preparing an executive order to ban federal departments and agencies from buying or using foreign-made drones, citing a risk to national security, TechCrunch has learned. The draft order, which was drafted in the past few weeks and seen by TechCrunch, would effectively ban both foreign-made drones or drones made with foreign components out of fear that sensitive data collected…
Read More

InfoSec News Nuggets 3/2/2020

1 - DNC warns campaigns about cybersecurity after attempted scam An online “impersonator” of a Democratic National Committee (DNC) staffer tried to contact presidential campaigns, including Sen. Bernie Sanders’s (I-Vt.) campaign, the committee said in a statement to the candidates Wednesday. Bob Lord, the DNC’s chief security officer, wrote in an email to the campaigns obtained by The Hill that “adversaries will often try to impersonate real people on a campaign." He added that the “adversaries”…
Read More

InfoSec News Nuggets 1/29/2020

1 - Watch out Google. You've got competition. Verizon has a new 'privacy-focused' search engine Verizon has slung out a new, privacy-focused search engine in an effort to win over customers who prefer not to have their browsing habits tracked by ad-slingers and the like. Verizon said the new search engine, named One Search, won't share user's personal information with advertisers, or store their search history. A new "Advanced Privacy Mode" will encrypt search terms…
Read More

InfoSec News Nuggets 1/14/2020

1 - Australia Bushfire Donors Affected by Credit Card Skimming Attack Attackers have compromised a website collecting donations for the victims of the Australia bushfires and injected a malicious script that steals the payment information of the donors. This type of attack is called Magecart and involves hackers compromising a web site and injecting malicious JavaScript into eCommerce or checkout pages. These scripts will then steal any credit cards or payment information that is submitted and send it off…
Read More

InfoSec News Nuggets 1/9/2020

1 - U of O gives notice of potential privacy breach impacting 188 people The University of Ottawa has given notice of a potential privacy breach impacting 188 people, including elementary and high school students who attended a summer program on campus. The breach stems from an incident in late November 2019 when a password-protected laptop was stolen from a university employee’s vehicle, the administration said in a press release on Friday. The laptop was used for Destination Clic,…
Read More

InfoSec News Nuggets 1/6/2020

1 - CCPA Kickoff: What Businesses Need to Know New year, new privacy regulations: The California Consumer Privacy Act (CCPA) went into effect on January 1, marking the start of a widespread law that will likely have implications beyond state lines. For businesses, it's high time to think about what this means and how to get ahead. CCPA, the original version of which was passed in 2018, was introduced to protect the personal data of…
Read More

InfoSec News Nuggets 1/3/2020

1 - Apple answers dev concerns that location tracking alerts will upset users When Apple released iOS 13 towards the end of September 2019 it brought with it a new warning that told users when an app repeatedly accessed their location data in the background. A new Wall Street Journal report (via MacRumors) notes that developers are worried that the alerts will make users doubt their apps. But Apple isn't concerned. According to the report…
Read More

InfoSec News Nuggets 12/30/2019

1 - A Twitter app bug was used to match 17 million phone numbers to user accounts A security researcher said he has matched 17 million phone numbers to Twitter  user accounts by exploiting a flaw in Twitter’s Android app. Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter’s contacts upload feature. “If you upload your phone number, it fetches user data in return,” he told TechCrunch. He said…
Read More

InfoSec News Nuggets 12/17/2019

1 - Prosecutors say a man stole $88,000 from a bank vault. The FBI caught him after he flashed stacks of bills on social media. If you're systematically stealing money from a bank vault, it may not be a good idea to post the evidence on your social media pages. A bank employee in Charlotte, North Carolina, allegedly stole $88,000 from the bank's vault, according to a release from the United States Attorney's Office Western District of…
Read More

InfoSec News Nuggets 12/10/2019

1 - Britain investigating whether leaked trade papers were hacked British cyber security officials are investigating whether classified UK-U.S. trade documents that were shared online ahead of Thursday’s election were acquired by hacking or were leaked, two sources told Reuters.  Beside the fears that Russia could be meddling in another Western election, the disclosure of the classified documents has raised questions about the security of sensitive discussions between the United States and one of its…
Read More

InfoSec News Nuggets 11/04/2019

1 - Windows BlueKeep RDP Attacks Are Here, Infecting with Miners The BlueKeep remote code execution vulnerability in the Windows Remote Desktop Services is currently exploited in the wild. Vulnerable machines exposed to the web are apparently compromised for cryptocurrency mining purposes. The attempts have been recorded by honeypots that expose only port 3389, specific for remote assistance connections via the Remote Desktop Protocol (RDP). Security researcher Kevin Beaumont noticed on Saturday that multiple honeypots…
Read More

InfoSec News Nuggets 10/16/2019

1- Mozilla Rolls Out Code Injection Attack Protection in Firefox Mozilla rolled out protection measures to block code injection attacks in the Firefox web browser, with the attack surface being reduced by removing eval()-like functions and inline scripts occurrences. "A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels," said the Mozilla Security Team today.…
Read More