Articles of interest from the week of September 25, 2023

TikTok Fined 345 Million Euros Over Handling of Children’s Data in Europe

TikTok has been fined 345 million euros ($370 million) for breaching privacy laws regarding the processing of children's personal data in the European Union, its lead regulator in the bloc said on Friday.

The Chinese-owned short-video platform, which has grown rapidly among teenagers around the world in recent years, breached a number of EU privacy laws between July 31, 2020, and Dec. 31, 2020, Ireland's Data Protection Commissioner (DPC) said in a statement. (Reuters)

“TikTok, which surged in popularity during the pandemic, has been scrutinized globally due to concerns regarding user safety and data privacy, especially for minors. Despite addressing specific concerns related to youth accounts, repeated inquiries like this suggest that ByteDance, TikTok’s parent company, consistently compromises the safety and privacy of its younger users and mishandles their data. However, it remains true that any platform with age restrictions can typically have its authorization easily circumvented by providing falsified birthdates, putting the onus on parents or guardians to monitor internet use and have ongoing and meaningful conversations about online safety.

Regarding the second inquiry of user data potentially having been transferred to China where it could presumably be accessed by the CCP, it remains to be seen how extensively this may be occurring, or has occurred in the past.”

Jessica Owens, Tier 1 SOC Analyst at Ingalls Information Security

Microsoft Worker Accidentally Exposes 38TB of Sensitive Data in GitHub Blunder

A Microsoft employee accidentally exposed 38 terabytes of private data while publishing a bucket of open-source AI training data on GitHub, according to Wiz security researchers who spotted the leaky account and reported it to the Windows giant.

Redmond, in a Monday write-up, downplayed the blunder, saying it was merely "sharing the learnings" to help customers avoid making similar mistakes. This is despite Wiz claiming the leaky data bucket had private keys, passwords, and over 30,000 internal Microsoft Teams messages, as well as backup data from two employees' workstations. (The Register)

Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper

A sophisticated phishing campaign uses a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines.

"A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," the researcher said. (The Hacker News)

DHS Unveils One Common Platform for Reporting Cyber Incidents

Last week, the US Department of Homeland Security (DHS) released a report titled "Harmonization of Cyber Incident Reporting to the Federal Government" that lays out a working template for how the Cybersecurity and Infrastructure Security Agency (CISA) might implement its upcoming cyber incident reporting regulations. (CSO)

Apple Rushes to Patch 3 New Zero-Day Flaws: iOS, macOS, Safari, and More Vulnerable

Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows:

  • CVE-2023-41991 - A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation.
  • CVE-2023-41992 - A security flaw in Kernel that could allow a local attacker to elevate their privileges.
  • CVE-2023-41993 - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content. (The Hacker News)