UCLA Student
Infosec Blog

Google Calendar on watch

By Tara Seals| threatpost.com

Automatic invite notifications are spreading malicious links.


A sophisticated cyberattack is targeting Gmail users through fraudulent, unsolicited Google Calendar notifications.

The campaign takes advantage of a common default feature for people using Gmail on their smartphone: Calendar invites automatically pop up on phones, prompting users to accept or decline them.


Ninjio Season 4: Episode 4

The message is shocking and uncomfortable, threatening Stuart with the release of truly embarrassing material if he doesn’t pay hackers thousands of dollars in Bitcoin. Trying to control his destiny, Stuart discusses the email with his boss – but it might not actually be what it seems.

Watch Here

snapchat machine

By Lindsey O'Donnell | threatpost.com

After a report found that Snap employees were abusing their access to Snapchat data, experts are warning that insider threats will continue to be a top challenge for privacy. Snap, the company behind the popular Snapchat social media app, has found itself in hot water after a recent report revealed that Snap employees were abusing their access to private user data – which includes location data, saved Snaps and phone numbers.

According to a Thursday Motherboard report, Snap touted several internal tools enabling employees to access Snapchat users’ personal data. One such tool, dubbed SnapLion, was originally created to help collect data in response to law enforcement requests via court orders. However, several internal emails obtained by Motherboard showed several employees abused this capability, with one Snap employee looking up an email address for an account outside of a law enforcement situation, for instance.


confidential folder

By Dennis Fisher| duo.com

Enterprises that use Google’s G Suite for email will soon see a significant change in the way the system handles sensitive messages. In late June, Google will turn on a feature by default called Confidential mode that prevents recipients from forwarding, copying, or printing the messages and allows senders to set expiration times for their emails, as well.

Confidential mode for G Suite has been available in beta for a few months now, but on June 25 Google plans to make it the default setting for all enterprise customers. Administrators still will have the option to disable Confidential mode if they choose, though. In practice, Confidential mode enables people to send messages that don’t actually contain text in the body. Instead, each message contains a link to the content, including any attachments.


ninjio season 4, episode 3

Still a little new at his job with a large, widely-followed company, Chris feels like he has a bit to prove. 

This drive leads him to make a few social forum and social media posts detailing non-confirmed company information.  Now he must face the consequences of his actions and learn the meaning of his team’s data classification policies. 

Watch Here



ninjio season 4, episode 2

The hackers have a plan, a way to bypass a large company’s MDM, or Mobile Device Management, software to gain access to their sensitive data.

Using inside contacts, custom servers, and text message phishing, they can get everything that they want – as long as the mobile devices in question haven’t had their software and anti-virus kept up-to-date. 

Watch Here


Ninjio season 4, episode 1

After her husband’s wrongful arrest, Megan desperately researches what might have led to his stolen identity. She uncovers a case of Business Email Compromise, and hurries to share what she’s learned with their lawyer. 

Watch Here

honey pot

By Tiffany Hsu | nytimes.com

The punch cards stuffed in your wallet know next to nothing about you, except maybe how many frozen yogurts you still need to buy to get a free one. 

But loyalty programs, as they shift from paper and plastic to apps and websites, are increasingly tracking a currency that can be more valuable than how much you spend: personal data. As a result, the programs know things about you that some of your friends may not, like your favorite flavor (mango), when your cravings strike (early afternoon) and how you pay (with your Visa), in addition to billing details and contact information.
Hackers are in close pursuit.

Some criminals use stolen credentials to impersonate customers, breach loyalty profiles and then tap into separate accounts. Others deplete balances or sell points on dark web marketplaces. One hacked Southwest Airlines rewards account with at least 50,000 miles was advertised for $98.88, according to the cloud security company Armor. 


Social Media apps

By Dan Goodin | arstechnica.com

Attacks used app's call function. Targets didn't have to answer to be infected.

Attackers have been exploiting a vulnerability in WhatsApp that allowed them to infect phones with advanced spyware made by Israeli developer NSO Group, the Financial Times reported on Monday, citing the company and a spyware technology dealer.
A representative of WhatsApp, which is used by 1.5 billion people, told Ars that company researchers discovered the vulnerability earlier this month while they were making security improvements. CVE-2019-3568, as the vulnerability has been indexed, is a buffer overflow vulnerability in the WhatsApp VOIP stack that allows remote code execution when specially crafted series of SRTCP packets are sent to a target phone number, according to this advisory.



WSU to pay up to $4.7 million for data theft involving 1.2 million people. Breaches that involve health data generally will cost you more. Asia Fields reports:

Washington State University learned a costly lesson after a hard drive containing the personal information of more than a million people was stolen from a self-storage locker in 2017. Now, the university is going to have to pay even more.

In a settlement approved in King County Superior Court on Thursday, the university agreed to pay up to $4.7 million in cash reimbursements, attorneys fees and administrative expenses. On top of that, the university will pay for two years of credit monitoring and insurance services for up to 1,193,190 people, according to the settlement agreement.