Pete Recommends – Weekly highlights on cyber security issues, October 26, 2019

Subject: Equifax Allegedly Made It Super Easy to Hack Customer Data
Source: Digital Trends

Remember that epic Equifax hack from 2017? As it turns out, the company made it pretty easy for hackers to get in. A recent filing in the United States District Court for the Northern District of Georgia, Atlanta Division points out a few of the company’s missteps that might have led to the breach. The first of those issues is the password the company used to protect a portal for managing credit disputes. While you might think a major company holding personal information like people’s names, addresses, and social security numbers would use an exceptionally secure password in that instance, it actually went for something different: it used “admin” as both the username and the password for the portal.


Subject: Fake WordPress plugins act as backdoors and brute-force other sites
Source: Bleeping Computer

Malicious plugins that hide in plain sight and act as backdoors are used by attackers to gain and maintain a foothold on WordPress websites, and to upload web shells and scripts for brute-forcing other sites. For instance, some of these fake plugins with backdoor functionality — named initiatorseo or updrat123 by their creators — were seen cloning the functionality of the highly popular backup/restore WordPress plugin UpdraftPlus, with a current active number of over two million installations. “The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019,” found researchers at web security and protection company Sucuri.

Subject: California Attorney General Issues Draft of New Privacy Regulations
Source: Privacy Rights Clearinghouse

California’s Attorney General issued draft regulations to implement the California Consumer Privacy Act of 2018 (CCPA)—a law creating new rights for Californians effective on January 1, 2020. Among other things, these regulations would

Subject: Specialty Consumer Reports Basics
Source: Privacy Rights Clearinghouse

A specialty consumer report (compiled by a specialty consumer reporting agency) may include:

  • residential or tenant history
  • check writing and banking history
  • employment history
  • insurance claims
  • medical records and prescription history

Subject: New App Helps Prevent Fraud at the Gas Pump
Source: Privacy Rights Clearinghouse

Card skimmers placed in gas pumps can steal many card numbers before being discovered, and some transmit their stolen data via Bluetooth. In an effort to combat the problem, the U.S. Secret Service partnered with the University of California, San Diego and the University of Illinois, Urbana-Champaign to develop a mobile app called Bluetana. Designed to quickly detect Bluetooth-enabled card skimmers, it is now helping law enforcement agencies locate compromised gas pumps and reduce fraud.

According to Krebs on Security, researchers scanned 1,185 gas stations across six states with Bluetana and detected a total of 64 skimmers, all of which were confiscated by law enforcement (including two that manual pump inspections had missed). Scanning Bluetooth signals for skimmers is not an idea unique to Bluetana, but other apps built for the purpose have produced false positives, since other Bluetooth devices (speed-limit signs, weather sensors) can sit close to or inside gas stations. Bluetana was developed to eliminate the false positives those apps could not.


Subject: Intelligence Report: HUGE FAN OF YOUR WORK: How TURBINE PANDA and China’s Top Spies Enabled Beijing to Cut Corners on the C919 Passenger Jet

16-page PDF – This report is provided for situational awareness and network defense purposes only. DO NOT conduct searches on, communicate with, or engage any individuals, organizations, or network addresses identified in this report. Doing so may put you or your employer at risk and jeopardize ongoing investigation efforts. Copyright 2019.

Rarely in the infosec industry do cyber investigators get the luxury of knowing the full scope of their adversary’s campaign—from tasking, to actual operations, all the way to completion. The oft-repeated mantra “Attribution is hard” largely stands true. Short of kicking down the door just as a cyber actor pushes enter, it is frustratingly hard to prove who is responsible for cyber attacks with 100% certainty. However, a series of recent U.S. Department of Justice (DoJ) indictments released over the course of two years, combined with CrowdStrike Intelligence’s own research, has allowed for startling visibility into a facet of China’s shadowy intelligence apparatus.

In this blog, we take a look at how Beijing used a mixture of cyber actors sourced from China’s underground hacking scene, Ministry of State Security (MSS/国安部) officers, company insiders, and state directives to fill key technology and intelligence gaps in a bid to bolster dual-use turbine engines which could be used for both energy generation and to enable its narrow-body twinjet airliner, the C919, to compete against western aerospace firms. What follows is a remarkable tale of traditional espionage, cyber intrusions, and cover-ups, all of which overlap with activity CrowdStrike Intelligence has previously attributed to the China-based adversary TURBINE PANDA. These operations are ultimately traceable back to the MSS Jiangsu Bureau, the likely perpetrators of the infamous 2015 U.S. Office of Personnel Management (OPM) breach.

Subject: Trading in your phone may pose a risk to your data, one expert warns
Source: Business Insider

  • As phones become more expensive, trading in older models is one way for consumers to afford to buy new editions.
  • But trading in old devices can be risky if any data is left behind.
  • Russ Ernst, an executive at data sanitization company Blancco, called this a “ticking time bomb,” and he has advice for avoiding disaster.

Smartphones contain texts, emails, bank accounts, and other sensitive information we might not even think about, like GPS data. According to Ernst, performing a factory reset on your phone is only one part of a three-step process you should be doing to protect your data if you trade in a phone, or sell any device.

Subject: US expands DNA collection requirements at the border

The Trump administration is planning to collect DNA samples from asylum-seekers and other migrants detained by immigration officials and will add the information to a massive FBI database used by law enforcement hunting for criminals, a Justice Department official said. The official said the rules would not apply to legal permanent residents or anyone entering the U.S. legally, and children under 14 are exempt, but it’s unclear whether asylum-seekers who come through official crossings will be exempt.

The new policy would allow the government to amass a trove of biometric data on hundreds of thousands of migrants, raising major privacy concerns and questions about whether such data should be compelled even when a person is not suspected of a crime other than crossing the border illegally. Civil rights groups already have expressed concerns that data could be misused, and the new policy is likely to lead to legal action.

Subject: Archive the Web on Demand: The Wayback Machine’s Save Page Now is New and Improved
Source: The Internet Archive Blog via LJ infoDOCKET

From The Internet Archive Blog: You can now save all the “outlinks” of a web page with a single click. By selecting the “save outlinks” checkbox you can save the requested page (and all the embedded resources that make up that page) and also all linked pages (and all the embedded resources that make up those pages). Often, a request to archive a single web page, with outlinks, will cause us to archive hundreds of URLs. Every one of which is shown via the SPN interface as it is archived.

Posted in: Cybersecurity, Financial System, Intellectual Property, Legal Research, Privacy, Search Engines