In short, Google settled another location-tracking lawsuit, but was again fined relatively small amounts.

Washington Attorney General Bob Ferguson’s office last week announced a $39.9 million fine, along with several state orders requiring Google to clarify what location data it collects and for what purposes, and to implement reforms.

“Today’s resolution holds one of the most powerful companies to account for its unethical and illegal tactics,” Ferguson said in a statement.

The lawsuit is similar to others filed across the country last year, in which attorneys general from Indiana, Texas and Washington, D.C. joined Washington in suing Google for using “dark patterns” to trick users into enabling location tracking and allowing it to collect their data, while making it difficult to opt out.

In January, Washington, D.C. and Indiana announced joint settlements with Google, receiving $9.5 million and $20 million, respectively, but the Washington state attorney general’s office announced that it had chosen not to settle, in order to bring more into state coffers.

Ferguson’s office said, “Instead of participating in a multistate settlement, the Ferguson office filed its own lawsuit and obtained this resolution. We estimate that we received more than double what we would have received under the settlement.”

It’s true that Washington earned considerably more than Washington, D.C. or Indiana, but, as El Reg so often has to point out, it is worth noting that the chances of a $40 million settlement giving Alphabet’s accountants pause are low.

In the first quarter of this year, Google’s parent company reported [PDF] a net profit of $15.05 billion.

Ferguson’s office said it intends to use the fine against Google to continue enforcing consumer protection laws. Its enforcement arm, the Consumer Protection Agency, receives minimal funding from the state and is mostly funded by recoveries from cases like this one.

Critical Vulnerability of the Week: KeePass Edition

Users of the password manager KeePass beware. It contains a nasty vulnerability that can be used to retrieve all but the first character of a user’s master password in plaintext from any of several kinds of memory dump files on the target system. According to the researchers who discovered it, there will be no mitigation until KeePass version 2.54 is released next month.

In other hot exploit news, it’s worth mentioning two seven-year-old vulnerabilities related to Java Management Extensions (JMX). They are pervasive and dangerous, and CISA said they are being actively exploited.

CVE-2016-3427, the first of the pair, is an unspecified vulnerability in Oracle Java SE versions 6u113, 7u99 and 8u77, Java SE Embedded 8u77 and JRockit R28.3.9 which, according to NIST, could allow a remote attacker to “impact confidentiality, integrity, and availability via JMX-related vectors.” Combine this with the RCE vulnerability present in multiple versions of Apache Tomcat, which requires the attacker to have access to the JMX port, and it could spell disaster.
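Both of those bugs hinge on an attacker being able to talk to a JMX remote port, so the first thing a defender wants to know is which Java processes on a host expose one, and whether they do so without authentication or TLS. The following is an added example (not code from the article, CISA or Oracle) that parses the JDK’s real `com.sun.management.jmxremote.*` system properties out of Java command lines; the process table it scans is constructed sample data, and the PIDs and jar names are made up.

```python
"""Flag Java processes whose built-in JMX remote agent is reachable
without authentication or TLS.

Added example, not from the article.  It only inspects -D system
properties on java command lines (constructed sample data below);
it does not probe anything over the network."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Real JDK property names for the built-in JMX agent.  When
# jmxremote.port is set the agent listens on a TCP socket; unless
# explicitly set to "false", authenticate and ssl both default to true.
PORT = "com.sun.management.jmxremote.port"
AUTH = "com.sun.management.jmxremote.authenticate"
SSL = "com.sun.management.jmxremote.ssl"


@dataclass
class Finding:
    pid: int
    port: int
    issues: List[str] = field(default_factory=list)


def parse_props(cmdline: str) -> Dict[str, str]:
    """Extract -Dkey=value system properties from a java command line."""
    props: Dict[str, str] = {}
    for tok in shlex.split(cmdline):
        if tok.startswith("-D"):
            key, _, val = tok[2:].partition("=")
            props[key] = val
    return props


def _is_false(value: str) -> bool:
    return value.strip().lower() == "false"


def assess(pid: int, cmdline: str) -> Optional[Finding]:
    """Return a Finding for a process with a network-reachable JMX agent,
    or None when no remote port is configured (local-only agent)."""
    props = parse_props(cmdline)
    if PORT not in props or not props[PORT].isdigit():
        return None
    finding = Finding(pid=pid, port=int(props[PORT]))
    if _is_false(props.get(AUTH, "true")):
        finding.issues.append("authentication disabled")
    if _is_false(props.get(SSL, "true")):
        finding.issues.append("TLS disabled")
    return finding


def scan(process_table: List[Tuple[int, str]]) -> List[Finding]:
    """Every process with a remote JMX port, hardened or not."""
    findings = []
    for pid, cmdline in process_table:
        finding = assess(pid, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


def risky(process_table: List[Tuple[int, str]]) -> List[Finding]:
    """Only the processes whose remote JMX port lacks auth or TLS."""
    return [f for f in scan(process_table) if f.issues]


# Constructed sample process table (hypothetical PIDs and jar names).
SAMPLE_PROCESSES = [
    (1201, "/usr/bin/java -Dcom.sun.management.jmxremote.port=9010 "
           "-Dcom.sun.management.jmxremote.authenticate=false "
           "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar"),
    (1337, "java -Dcom.sun.management.jmxremote -jar worker.jar"),
    (2040, "java -Dcom.sun.management.jmxremote.port=9011 "
           "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/passwd "
           "-jar catalina.jar"),
]

if __name__ == "__main__":
    for f in risky(SAMPLE_PROCESSES):
        print(f"pid {f.pid}: JMX on port {f.port}: {', '.join(f.issues)}")
```

On a real host the process table would come from `ps -eo pid,args` or `/proc/*/cmdline`; a hit here is a prompt to check the JMX port against firewall rules and the JDK and Tomcat versions named above, not proof of compromise.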

In unrelated KEV news, Ruckus Wireless Admin up to version 10.4 allows RCE via unauthenticated HTTP GET requests. A patch has been released, so install it now.

In ICS news, there are three issues to watch out for this week.

CVSS 10.0 – Multiple CVEs: Johnson Controls OpenBlue Enterprise Manager Data Collector firmware prior to 3.2.5.75 contains an improper authentication issue that attackers can exploit to make API calls.

CVSS 9.8 – CVE-2020-6967: Rockwell Automation FactoryTalk Diagnostics software versions 2.00 through 6.11 contains a deserialization flaw that an attacker can exploit to execute code with system-level privileges.

CVSS 8.6 – Multiple CVEs: Snap One’s OvrC Pro software prior to version 7.3 contains numerous vulnerabilities that could allow an attacker to claim a device, execute arbitrary code, and disclose device information.

Non-phone Android devices still ship with malware

Trend Micro security researchers recently reported at Black Hat Asia that they had found malware in millions of Android devices manufactured by low-budget OEMs, and a new report this week notes that popular Android TV boxes sold on Amazon have a similar problem.

According to security researcher Daniel Milisich, who bought an infected Android set-top box made by Chinese company AllWinner on Amazon, several popular models from AllWinner, as well as from fellow Chinese company RockChip, ship bundled with malware that reaches out to a C2 server as soon as they are powered on.

As with similar malware, much of it ships on low-cost hardware manufactured by companies with poor supply chain security practices, and it could have been introduced by any of a number of supply partners at any stage of manufacturing.

Milisich claims to have found an expired certificate on his device pointing to the supposedly defunct mobile advertising platform Dotinapp. Add this to the long list of similar problems budget Android devices have had over the years, and think of it as a lesson in “you get what you pay for” when it comes to computing hardware.

Google retires CVEs for all but the most severe vulnerabilities

Google said it plans to add a quality rating system to its security vulnerability reports (yay), while also announcing that it plans to stop assigning CVEs to most reported issues (boo).

Few would argue against vulnerability reports benefiting from a quality assessment based on the details, analysis, proof of concept and so on that they provide. However, not attaching a CVE number to “most moderate-severity issues” looks less like a way to encourage the discovery and high-quality reporting of vulnerabilities than a way to reduce the amount of content that gets catalogued, for aesthetic reasons.

CISA explains that assigning a CVE ID is the first step in cataloging known exploited vulnerabilities. Without CVE data on medium- and low-severity vulnerabilities in Google products, only one company stands to benefit from obscuring the majority of its vulnerabilities: Google.

