AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 08/24/2023

Experian Pays $650,000 to Settle Spam Claims 

Experian Consumer Services has agreed to a permanent injunction and to pay a civil penalty of $650,000 to settle allegations relating to the CAN-SPAM Act. The firm, whose parent company is credit agency giant Experian, provides online credit reports, scores and monitoring products to customers. A case filed in the US District Court for the Central District of California revolved around emails sent by the company to consumers who had created free Experian accounts in order to freeze their credit reports for anti-fraud purposes. 

 

Facebook Messenger Brings End-to-End Encryption to More Users 

Meta is bringing end-to-end encryption on Facebook Messenger to more users. This is one important security feature that Facebook Messenger lacks compared to the Meta-owned WhatsApp, Telegram, Signal, or Apple’s iMessage. Many people probably see Facebook as the exact opposite of privacy, but the company claims it started working on end-to-end encryption for Messenger back in 2019. Implementing end-to-end encryption required Meta to move to a new server architecture and rewrite the Facebook Messenger codebase. 

 

Lapsus$: court finds teenagers carried out hacking spree 

A court has found an 18-year-old from Oxford was a part of an international cyber-crime gang responsible for a hacking spree against major tech firms. Arion Kurtaj was a key member of the Lapsus$ group which hacked the likes of Uber, Nvidia and Rockstar Games. A court heard Kurtaj leaked clips of the unreleased Grand Theft Auto 6 game while on bail in a Travelodge hotel. The audacious attacks by Lapsus$ in 2021 and 2022 shocked the cyber security world. 

 

DuoLingo investigating dark web post offering data from 2.6 million accounts 

Language learning platform DuoLingo said it is investigating a post on a hacking forum offering information on 2.6 million customer accounts for $1,500. A spokesperson for the company said they are aware of the post, which was created on Tuesday morning and offers emails, phone numbers, courses taken and other information on how customers use the platform. “These records were obtained by data scraping public profile information,” a spokesperson said. “No data breach or hack has occurred. We take data privacy and security seriously and are continuing to investigate this matter to determine if there’s any further action needed to protect our learners.” 

 

WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April 

A newly discovered zero-day in the widely used WinRAR file-compression program has been exploited for four months by unknown attackers who are using it to install malware when targets open booby-trapped JPGs and other innocuous files inside file archives. The vulnerability, residing in the way WinRAR processes the ZIP file format, has been under active exploit since April in securities trading forums, researchers from security firm Group-IB reported Wednesday. The attackers have been using the vulnerability to remotely execute code that installs malware from families including DarkMe, GuLoader, and Remcos RAT. From there, the criminals withdraw money from broker accounts. The total amount of financial losses and total number of victims infected is unknown, although Group-IB said it has tracked at least 130 individuals known to have been compromised. WinRAR developers fixed the vulnerability, tracked as CVE-2023-38831, earlier this month.

 

Bitwarden releases free and open-source E2EE Secrets Manager 

Bitwarden, the maker of the popular open-source password manager tool, has released ‘Secrets Manager,’ an end-to-end encrypted secrets manager for IT professionals, software development teams, and the DevOps industry. The tool aims to act as a secure alternative to hard-coding secrets or sharing ‘.env’ files over email, giving users flexibility, scalability, and keeping their secrets safe in the case of a data breach. Those secrets typically include API keys, user authentication certificates, database passwords, SSL and TLS certificates, private encryption keys, SSH keys, etc. 

 

YouTube may face billions in fines if FTC confirms child privacy violations 

Four nonprofit groups seeking to protect kids’ privacy online asked the Federal Trade Commission (FTC) to investigate YouTube today, after back-to-back reports allegedly showed that YouTube is still targeting personalized ads on videos “made for kids.” Now it has become urgent that the FTC probe YouTube’s data and advertising practices, the groups’ letter said, and potentially intervene. Otherwise, it’s possible that YouTube could continue to allegedly harvest data on millions of kids, seemingly in violation of the Children’s Online Privacy Protection Act (COPPA) and the FTC Act. 
