Florida teen faces charges for DDoS attack on school district

Felony charges have been filed against an unnamed 17-year-old junior at St. Petersburg High School, who crashed the Pinellas County School District in Florida using a distributed denial of service attack. This resulted in 145 schools being knocked offline for two days last March. The school district’s director of network and telecommunications said the attack was considered “critical” because it coincided with statewide testing. Charter-Spectrum had provided a DDoS protection service to the district for years, but this was not maintained when the district migrated to new infrastructure in 2020. According to a search warrant, the teen said he became “fixated” on the idea of a DDoS after watching videos detailing the vulnerabilities of school networks.

(InfoSecurity Magazine)

UC Browser calls home

Security researcher Gabi Cirlig reports that both the Android and iOS versions of the Alibaba-owned UC Browser send IP addresses and unique user ID numbers to Alibaba’s US-hosted servers, even when in incognito mode. These findings have since been verified by other security researchers. UC Browser is the fourth biggest browser by user numbers in the world, with a huge user base in Asia. Since these findings were published, the English version of UC Browser was removed from Apple’s App Store, although the Chinese language version and Google Play apps were still available.

(Forbes)

Ransomware disrupts Massachusetts ferry service

Steamship Authority, the largest ferry service in the state, confirmed it was hit with ransomware on June 2nd. The attack was against land-based IT systems and no ships were directly impacted, with radar and GPS continuing to function as normal. Ferry service is continuing, but Steamship Authority warned customers that reservation systems are temporarily unavailable and asked them to bring cash for ferry payments, as availability of credit card processing is currently limited.

(The Record)

DJI drones are good enough for government work

According to a Pentagon report summary seen by The Hill, two DJI drones built for government use have been cleared for use by the Pentagon, with an audit finding “no malicious code or intent.” In January 2020, the Interior Department grounded its fleet of over 500 DJI drones over security concerns that drones were sharing data with the Chinese government. A prior analysis by Booz Allen Hamilton last year found no evidence of data transfers.   

(The Hill)

Thanks to our episode sponsor, ReversingLabs

Recent supply chain attacks and executive orders have left thousands scrambling for guidance. Join ReversingLabs as they take their exclusive supply chain roadshow to your local region virtually. Hear from app sec specialists and security execs as they discuss lessons learned and innovative approaches that will move your supply chain security and compliance program forward. For more information, visit reversinglabs.com.

Norton 360 antivirus now lets you mine crypto because reasons

In a noble effort to somehow make its antivirus solution even more of a resource hog, Norton will roll out a Norton Crypto feature to Norton 360 users enrolled in its early adopter program. When activated, Norton Crypto will use a host machine’s GPU to mine Ethereum, which will be stored in a cloud-hosted Norton wallet. It’s not clear if this mining will be done individually or as part of a larger Norton pool, although if part of a pool, Norton could potentially open a new revenue stream through management fees. Norton said that since cryptojacking and other miners are often flagged by antivirus software, this feature will let users participate in the crypto economy without sacrificing security. 

(Bleeping Computer)

Apple Card experiencing outages

Users began reporting the outage early on June 2nd, and it is still ongoing according to Apple’s dashboard as of this recording. Apple confirmed the outage is impacting all users and affects the ability to use the card for payments, view and manage the card, and see payments. It’s unclear what is causing the outage.

(9to5Mac)

Edge goes HTTPS by default

The canary version of Microsoft Edge 92 now supports Automatic HTTPS capabilities, automatically switching URLs to use encrypted HTTPS connections. This feature will carry over when the full Edge 92 version is released. Chrome rolled out a similar HTTPS default feature with Chrome 90 earlier this year. 

(Thurrott)

Judge dismisses bribery case against Apple’s security chief

The case was originally brought by the Santa Clara County District Attorney’s Office in November after a grand jury indicted Apple Chief Security Officer Thomas Moyer for bribery over donating iPads to the Santa Clara Sheriff’s Office in exchange for concealed weapons permits. Judge Eric S. Geffon found that talks about the permits had been ongoing for more than a year at the time of the meeting for the iPad donation, with evidence suggesting Moyer thought the permits were already approved. In dismissing the case, the judge said the prosecutor’s argument about Moyer’s corrupt intent was “pure speculation.”

(Reuters)