Privacy cookie monster
The state of cookie banners, this week's cybersecurity highlights, infosec resources and open-source repositories
This week I stumbled upon Cookie Monster, an article written by Lorrie Faith, CS and security professor at Carnegie Mellon University, in which she exposes the pitiful state of the mandatory cookie banners on the Web.
The lab at Carnegie Mellon University conducted a study in which 1000 people from the U.S. were presented with one of 12 cookie banners while they were shopping. After the task was completed they were interviewed about what they had consented to and why.
The results show that when a user is offered an easy selection among all of the options, they tend to accept fewer cookies. If the banner is unobtrusive, they are likely not to interact with it at all, so the default policy applies. And if the only control is a permanent button floating in the bottom right corner of the page, nobody interacts with it.
The author also mentions the use of deceptive design patterns that trick users into giving consent to all cookies. In other cases found in the study, the banners are completely useless: they do not even comply with the law, as they merely state that the website uses cookies and give the user no option at all.
The terms used are not standardised and vary from region to region, which creates confusion among users.
Automated solutions have been proposed to let users set their preferences once in their web browser rather than on a website-by-website basis. These include "Do Not Track" and a more recent mechanism called "Global Privacy Control" (GPC), which lets users automatically send a request not to sell their personal information to every website they visit. GPC requests are considered valid under the California Consumer Privacy Act (CCPA), and websites that ignore them may face enforcement actions in California. In practice, however, most sites ignore these signals.
In the short term, the author proposes cleaner cookie banners, so that users can easily reach their choices, and removing banners that offer users no relevant choice at all. In the long term, automated solutions are needed so that users' choices are respected everywhere.
There is still a long way to go before we have a harmonised, automated way of keeping the privacy cookie monster away from our browsers.
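As an added example (not code from the article or from the GPC project), here is a minimal Python WSGI handler that honours a `Sec-GPC: 1` or `DNT: 1` request header by setting only essential cookies, and that serves the `/.well-known/gpc.json` resource the GPC proposal uses to declare support. The cookie names and the `X-Consent-Choice` header carrying the banner result are assumed placeholders.

```python
import json

# Hypothetical cookie names for this example (not from the article).
ESSENTIAL_COOKIES = ("session",)
TRACKING_COOKIES = ("_ad_id", "_analytics")


def privacy_signals(environ):
    """Read the browser-level signals from a WSGI environ.

    Both Global Privacy Control (Sec-GPC) and Do Not Track (DNT) send the
    literal value '1' when the user has enabled them.
    """
    return {
        "gpc": environ.get("HTTP_SEC_GPC", "").strip() == "1",
        "dnt": environ.get("HTTP_DNT", "").strip() == "1",
    }


def allowed_cookies(environ, banner_choice=None):
    """Decide which cookies a response may set.

    A GPC or DNT signal wins over the banner: only essential cookies are set,
    even if the banner reported 'accept_all'. Without any signal and without an
    explicit opt-in, the safe default is again essential cookies only.
    """
    sig = privacy_signals(environ)
    if sig["gpc"] or sig["dnt"] or banner_choice != "accept_all":
        return list(ESSENTIAL_COOKIES)
    return list(ESSENTIAL_COOKIES) + list(TRACKING_COOKIES)


def gpc_well_known(last_update="2022-09-04"):
    """Body of /.well-known/gpc.json: the site declares that it honours GPC."""
    return {"gpc": True, "lastUpdate": last_update}


def application(environ, start_response):
    """Minimal WSGI app. The banner result is read from a hypothetical
    X-Consent-Choice header here purely to keep the example self-contained."""
    if environ.get("PATH_INFO") == "/.well-known/gpc.json":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps(gpc_well_known()).encode()]
    headers = [("Content-Type", "text/plain")]
    for name in allowed_cookies(environ, environ.get("HTTP_X_CONSENT_CHOICE")):
        headers.append(("Set-Cookie", f"{name}=placeholder; Secure; HttpOnly; SameSite=Lax"))
    start_response("200 OK", headers)
    return [b"ok"]


def response_headers(environ):
    """Run the app against an environ and return the response headers."""
    captured = []
    application(environ, lambda status, hdrs: captured.extend(hdrs))
    return captured
```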
This week's cybersecurity news
LastPass internal source code and some documentation were stolen by an attacker. The company assures that no user data or encrypted password vaults are at risk.
A security researcher has found a novel way to exfiltrate data from air-gapped machines by abusing the LED activity indicators usually present on NICs (network interface controllers). The technique, named ETHERLED, demonstrates that an attacker could use malware to exfiltrate data by encoding it, for instance, as Morse code. The receiver could be placed tens to hundreds of meters away from the air-gapped machine.
A cybercrime organization is allegedly trying to sell classified NATO missile data from the company MBDA. The criminals are trying to sell around 70 GB of data for 1 BTC.
iOS Lockdown Mode detection test: the people at Cryptee have created a proof-of-concept test that can tell, just by opening their website, whether your iPhone is running Lockdown Mode. Remember that Lockdown Mode disables messaging and other interactions with people who are not in your contact list, disables link previews, and in Safari disables JIT (Just-In-Time) compilation and custom fonts.
Google Chrome is releasing a security update to mitigate CVE-2022-3075. Google states that it is aware that exploits exist in the wild.
Microsoft discovered a one-click exploit for TikTok on the Android platform. The vulnerability (CVE-2022-28799) can lead to account hijacking, as stated in Microsoft's write-up.
Apple issued a security update for iOS 12 (12.5.6) which addresses a major security vulnerability recently patched in iOS 15. Apple states that it is aware of a report that the vulnerability may have been actively exploited.
❤️ My favorite things
LiveOverflow's great video on kernel root exploitation of a race condition: this video is a wonderful learning resource on how race conditions can be exploited. It is explained in detail, with simple explanations that ease the difficulty of this kind of exploitation.
Infosec resources
pwnedkeys offers an API to check whether any private key you may be using has been leaked or reused. You can check on this website if a key you are using is untrustworthy.
The DEFCON 30 repository contains the videos, slides, audio, white papers and other resources that were presented at DEFCON 30.
Open-source repositories
GaloisInc/MATE: MATE is a suite of tools for interactive program analysis with a focus on hunting for bugs in C and C++ code using Code Property Graphs. The documentation can be found at https://galoisinc.github.io/MATE/
Google/paranoid_crypto: the Paranoid project checks for well-known weaknesses in cryptographic artifacts such as public keys, digital signatures and general pseudorandom numbers.