AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 04/13/2021

1 – LinkedIn confirmed that it was not a victim of a data breach

LinkedIn has issued a formal statement to deny that the recent leak that exposed the account details of more than 500 million of its registered users was caused by a security breach. A threat actor has put up for sale on a popular hacker forum an archive containing data purportedly scraped from 500 million LinkedIn profiles, with another 2 million records leaked as a proof-of-concept sample by the post author. The four leaked files contain information about the users whose data has been allegedly scraped by the threat actor, including their full names, email addresses, phone numbers, workplace information, and more. Users on the hacker forum can view the leaked samples for about $2 worth of forum credits, while the threat actor was auctioning the much larger 500 million user database for at least a 4-digit sum in bitcoin or other cryptocurrencies.


2 – Millions of Chrome users quietly added to Google’s FLoC pilot

Last month, Google began a test pilot of its Federated Learning of Cohorts (FLoC) program, which the company has advertised as the newest, privacy-preserving alternative in Google Chrome to the infamous third-party cookie. Sounds promising, right? Well, about that. Despite Google’s rhetoric about maintaining user privacy, its FLoC trial leaves much to be desired. Google Chrome users had no choice in whether they were included in the FLoC trial, they received no individualized notification, and, currently, they have no option to specifically opt out; instead, they have to block all third-party cookies in their Google Chrome browsers to leave the trial. The Electronic Frontier Foundation (EFF), which analyzed Google’s published materials and Chromium’s source code to better understand FLoC, lambasted the pilot program and the technology behind it.


3 – Apple seeks NFC digital identity patent

Apple has applied for a patent for a user authentication framework that would allow users to store digital identity documents such as their passport, driving licence and national ID card and present them for verification on their NFC-enabled iPhone or other mobile device. The application filed with the US Patent and Trademark Office (USPTO) lays out how various embodiments of the framework could use technologies including NFC, RFID and biometrics to import and authenticate digital ID documents in a secure element (SE) within a mobile device. “In such an embodiment, when the user presents the mobile device to a corresponding reader attempting to authenticate the user, the mobile device may attempt to verify the identity of the user (eg, via a biosensor in the mobile device in some embodiments) before permitting the secure element to provide the identification information to the reader,” the application for a user authentication framework patent states.


4 – Biden Administration calls chip shortage a ‘national security issue’

The Biden Administration views the current chip shortages plaguing the global economy as a “national security issue” ahead of a White House Summit focused on addressing the problem. Back in February, President Joe Biden signed an executive order aimed at mitigating problems with the semiconductor supply chain. Part of the initiative to address the ongoing issues includes a White House Summit on Monday. When asked whether the Biden Administration sees the chip shortage as a national security issue, White House Press Secretary Jen Psaki said “we certainly do.” As far as specific solutions to the chip issue, Psaki said the administration is looking at a “holistic, long-term, across-government approach.” She also held off on announcing specific short-term solutions ahead of the summit Monday. However, Psaki added that the White House is exploring options to ensure that similar chip shortages don’t happen in the future. That could include allocating funds to boost U.S. chip production, among other potential solutions.


5 – Expert publicly released Chromium-based browsers exploit demonstrated at Pwn2Own 2021

The Indian security researcher Rajvardhan Agarwal has publicly released proof-of-concept exploit code for a recently discovered vulnerability that affects Google Chrome, Microsoft Edge, and other Chromium-based browsers (e.g. Opera, Brave). The researcher uploaded the PoC code to GitHub and announced its availability via Twitter. According to The Record, the PoC code released by the expert was the same one exploited by the security duo composed of Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow during the Pwn2Own 2021 hacking contest. The two experts earned $100,000 for demonstrating an exploit for the Chrome and Microsoft Edge web browsers. “The team used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points,” states the post published on the official site of the competition.
