AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 01/23/2023

EU watchdogs agree on how to handle certain cookie consent dark patterns 

Cookie consent banners that use blatant design tricks to manipulate web users into agreeing to hand over their data for behavioral advertising, instead of giving people a free and fair choice to refuse this kind of creepy tracking, are facing a coordinated pushback from the European Union’s data protection regulators. A taskforce of several DPAs, led by France’s CNIL along with Austria’s authority, has spent many months on a piece of joint work analyzing cookie banners. And in a report published this week they’ve arrived at some consensus on how to approach complaints about certain types of cookie consent dark patterns in their respective jurisdictions — a development that looks set to make it harder for deceptive designs to fly around the EU.

Popular password managers auto-filled credentials on untrusted websites 

Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn. The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities. Both Dashlane and Bitwarden have updated their software, although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and will update this story as and when more information comes to hand.

WhatsApp Hit with €5.5 Million Fine for Violating Data Protection Laws 

The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta’s WhatsApp for violating data protection laws when processing users’ personal information. At the heart of the ruling is an update to the messaging platform’s Terms of Service that was enforced in the days leading up to the General Data Protection Regulation (GDPR) taking effect in May 2018, requiring that users agree to the revised terms in order to continue using the service or risk losing access. The complaint, filed by privacy non-profit NOYB, alleged that WhatsApp breached the regulation by compelling its users to “consent to the processing of their personal data for service improvement and security” by “making the accessibility of its services conditional on users accepting the updated Terms of Service.”

Over 19,000 end-of-life Cisco routers exposed to RCE attacks 

Over 19,000 end-of-life Cisco VPN routers on the Internet are exposed to attacks targeting a remote command execution exploit chain. By chaining two security flaws disclosed last week, threat actors can bypass authentication (CVE-2023-20025) and execute arbitrary commands (CVE-2023-2002) on the underlying operating system of Cisco Small Business RV016, RV042, RV042G, and RV082 routers. Unauthenticated attackers can exploit the critical-severity auth bypass flaw remotely via specially crafted HTTP requests sent to the vulnerable routers’ web-based management interface to gain root access.

Pet fish commits credit card fraud on owner using a Nintendo Switch 

In a freak series of seemingly random events, a Switch owner’s pet fish accessed his eShop account and added funds to it using his credit card. The crime was caught on video during an unsupervised live stream. Hundreds of viewers watched as the little fish stole its owner’s identity while he was gone. The entire heist started as an experiment to see if fish could complete Pokémon Scarlet and Violet unassisted. To do it, Japanese YouTuber “Mutekimaru Channel” set up a webcam focused on his fish bowl. Motion-tracking software monitored the fish as they swam across an overlaid grid populated with controller inputs. If a fish paused or changed direction, the corresponding controller input registered in the game.

A hack at ODIN Intelligence exposes a huge trove of police raid files 

Detailed tactical plans for imminent police raids, confidential police reports with descriptions of alleged crimes and suspects, and a forensic extraction report detailing the contents of a suspect’s phone. These are some of the files in a huge cache of data taken from the internal servers of ODIN Intelligence, a tech company that provides apps and services to police departments, following a hack and defacement of its website over the weekend. 

Riot Games hacked, delays game patches after security breach 

Riot Games, the video game developer and publisher behind League of Legends and Valorant, says it will delay game patches after its development environment was compromised last week. The LA-based game publisher disclosed the incident in a Twitter thread on Friday night and promised to keep customers up-to-date with whatever an ongoing investigation discovers. “Earlier this week, systems in our development environment were compromised via a social engineering attack,” the company said. 

FBI Chief Says He’s ‘Deeply concerned’ by China’s AI Program 

FBI Director Christopher Wray said Thursday that he was “deeply concerned” about the Chinese government’s artificial intelligence program, asserting that it was “not constrained by the rule of law.” Speaking during a panel session at the World Economic Forum in Davos, Switzerland, Wray said Beijing’s AI ambitions were “built on top of massive troves of intellectual property and sensitive data that they’ve stolen over the years.” He said that left unchecked, China could use artificial intelligence advancements to further its hacking operations, intellectual property theft and repression of dissidents inside the country and beyond. 

FanDuel warns of data breach after customer info stolen in vendor hack

The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails. On January 13th, MailChimp confirmed it had suffered a breach after hackers stole an employee’s credentials using a social engineering attack. Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal the “audience data” for 133 customers.
