Episoder

  • This week in InfoSec (08:24)

    With content liberated from the “today in infosec” twitter account and further afield

    12th November 2012: John McAfee went into hiding because his neighbour, Gregory Faull, was found dead from a gunshot. Belize police wanted him to come in for questioning, but he fled to Guatemala where he was then arrested. He was never charged, though he lost a $25 million wrongful death suit.

    https://x.com/todayininfosec/status/1856538748361515355

    12th November 2000: Bill Gates demonstrates a functional prototype of a Tablet PC. Microsoft claims “the Tablet PC will represent the next major evolution in PC design and functionality.” However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.

    Microsoft Declares Tablets Are the Future

    Rant of the Week (15:41)

    Amazon MOVEit Leaker Claims to Be Ethical Hacker

    A threat actor who posted 2.8 million lines of Amazon employee data last week has taken to the dark web to claim they are doing so to raise awareness of poor security practice.

    The individual, who goes by the online moniker “Nam3L3ss,” claimed in a series of posts to have obtained data from 25 organisations whose data was compromised via last year’s MOVEit exploit.

    Billy Big Balls of the Week (24:12)

    O2's AI granny knits tall tales to waste scam callers' time

    Watch out, scammers. O2 has created a new weapon in the fight against fraud: an AI granny that will keep you talking until you get bored and give up.

    O2, the mobile operator arm of Brit telecoms giant Virgin Media, says it has built the human-like AI to answer calls from fraudsters in real time, keeping them busy on the phone and wasting their time by pretending to be a potential vulnerable target.

    "Daisy" is claimed to be indistinguishable from a real person, fooling scammers into thinking they've found perfect prey thanks to its ability to engage in "human-like" rambling chat, the biz claims.

    For several weeks in the run-up to International Fraud Awareness Week (November 17–23), the AI has already frustrated scam callers with meandering stories about her family and talked at length about her passion for knitting, according to O2.

    Industry News (28:20)

    Amazon MOVEit Leaker Claims to Be Ethical Hacker

    Bank of England U-turns on Vulnerability Disclosure Rules

    Massive Telecom Hack Exposes US Officials to Chinese Espionage

    Microsoft Power Pages Misconfiguration Leads to Data Exposure

    Sitting Ducks DNS Attacks Put Global Domains at Risk

    O2’s AI Granny Outsmarts Scam Callers with Knitting Tales

    Ransomware Groups Use Cloud Services For Data Exfiltration

    Bitfinex Hacker Jailed for Five Years Over Billion Dollar Crypto Heist

    Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors

    Tweet of the Week (36:05)

    https://x.com/J4vv4D/status/1856981250306687143

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (13:28)

    With content liberated from the “today in infosec” twitter account and further afield

    5th November 1993: Bugtraq was created by Scott Chasin as a full disclosure vulnerability reporting mailing list at the dawn of the World Wide Web. Bugtraq had an enormous influence on how orgs responded to vuln disclosure and paved the way for a shift which led to bug bounty programs.

    https://twitter.com/todayininfosec/status/1853799779626578186

    5th November 2007: Google introduces the Android platform, its mobile operating system for cell phones based on a modified version of the Linux operating system. The first Android-based phone would ship in September of 2008.

    https://thisdayintechhistory.com/11/05/android-introduced/

    Rant of the Week (18:54)

    Voted in America? This Site Doxed You

    If you voted in the U.S. presidential election yesterday in which Donald Trump won comfortably, or a previous election, a website powered by a right-wing group is probably doxing you. VoteRef makes it trivial for anyone to search the name, physical address, age, party affiliation, and whether someone voted that year for people living in most states instantly and for free. This can include ordinary citizens, celebrities, domestic abuse survivors, and many other people.

    Voting rolls are public records, and ways to more readily access them are not new. But during a time of intense division, political violence, or even the broader threat of data being used to dox or harass anyone, sites like VoteRef turn a vital part of the democratic process—simply voting—into a security and privacy threat.

    Billy Big Balls of the Week (27:09)

    Schneider Electric ransomware crew demands $125k paid in baguettes

    https://www.theregister.com/2024/11/05/schneider_electric_cybersecurity_incident/

    Schneider Electric confirmed that it is investigating a breach as a ransomware group Hellcat claims to have stolen more than 40 GB of compressed data — and demanded the French multinational energy management company pay $125,000 in baguettes or else see its sensitive customer and operational information leaked.

    And yes, you read that right: payment in baguettes. As in bread.

    Schneider Electric declined to answer The Register's specific questions about the intrusion, including if the attackers really want $125,000 in baguettes or if they would settle for cryptocurrency.

    A spokesperson, however, emailed us the following statement:

    "Schneider Electric is investigating a cybersecurity incident involving unauthorised access to one of our internal project execution tracking platforms which is hosted within an isolated environment. Our Global Incident Response team has been immediately mobilised to respond to the incident. Schneider Electric's products and services remain unaffected."

    Industry News (33:18)

    Google Cloud to Mandate Multifactor Authentication by 2025

    IRISSCON: Organizations Still Falling Victim to Predictable Cyber-Attacks

    Defenders Outpace Attackers in AI Adoption

    UK Cybersecurity Wages Soar Above Inflation as Stress Levels Rise

    NCSC Publishes Tips to Tackle Malvertising Threat

    Canada Orders Shutdown of Local TikTok Branch Over Security Concerns

    UK Regulator Urges Stronger Data Protection in AI Recruitment Tools

    Interlock Ransomware Targets US Healthcare, IT and Government Sectors

    Major Oilfield Supplier Hit by Ransomware Attack

    Tweet of the Week (41:01)

    https://twitter.com/fesshole/status/1854832499714576399

    Come on! Like and bloody well subscribe!

  • Manglende episoder?

    Klik her for at forny feed.

  • How does Thom also do the episode notes?

    This week in infosec was about a EULA

    Rant of the week

    https://securityaffairs.com/170125/laws-and-regulations/sec-fined-4-companies-misleading-disclosures-impact-solarwinds-attack.html

    Billy Big Balls

    https://www.theregister.com/2024/10/24/anthropic_claude_model_can_use_computers/

    Some news articles from infosecurity-magazine.com

    Tweet of the week

    https://x.com/thomas_violence/status/1849627627474293148

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (08:29)

    With content liberated from the “today in infosec” twitter account and further afield

    10th October 1995: Netscape introduced the "Netscape Bugs Bounty", a program rewarding users who report "bugs" in the beta versions of its recently announced Netscape Navigator 2.0 web browser.

    Navigator was the dominant browser from 1995-1998, when it was overtaken by Internet Explorer.

    https://twitter.com/todayininfosec/status/1844466277718556683

    8th October 2008: University student David Kernell was arraigned. He compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, using public info to reset her password, posting her emails to 4chan. He was later found guilty and died from MS complications in 2018.

    https://twitter.com/todayininfosec/status/1843619068302983592

    Rant of the Week (20:24)

    Cards Against Humanity campaigns to encourage voting, expose personal data abuse

    Up to $100 for planning to vote and a public smear – how is this not illegal?

    The troublemakers behind the party game Cards Against Humanity have launched a campaign demonstrating how easy it is to buy sensitive personal data about American voters, while simultaneously encouraging those Americans to plan how to cast a vote in the upcoming presidential election.

    The "Cards Against Humanity Pays You to Give a Shit" campaign uses US citizens' personal data obtained from a broker to identify whether individuals voted in the 2020 US presidential election and how they lean politically. Those who didn't vote are asked to put info into the website, promise to vote in the upcoming election, make a voting plan, "and publicly post 'Donald Trump is a human toilet'" in exchange for up to $100.

    Billy Big Balls of the Week (28:42)

    FBI created a cryptocurrency so it could watch it being abused

    The FBI created its own cryptocurrency so it could watch suspected fraudsters use it – an idea that worked so well it produced arrests in three countries

    News of the Feds' currency, an Ethereum-based instrument named NexFundAI, appeared in a Wednesday Department of Justice announcement that eighteen individuals have been charged "for widespread fraud and manipulation in the cryptocurrency markets."

    The Feds allege some of the fraud involved "wash trades" – transactions conducted solely to increase the volume of trades in a security or other asset. Rising volumes of trades are often seen as an indicator that a stock is of increasing interest as it has good growth prospects – a signal that can see prices rise. But wash trades are often conducted by related entities, or even the same entity, to create a false market signal – an arrangement also known as "pump and dump."

    Industry News (34:36)

    New EU Body to Centralize Complaints Against Facebook, TikTok, YouTube

    New Generation of Malicious QR Codes Uncovered by Researchers

    Apple’s iPhone Mirroring Flaw Exposes Employee Privacy Risks

    Former RAC Employees Get Suspended Sentence for Data Theft

    Internet Archive Breached, 31 Million Records Exposed

    Marriott Agrees $52m Settlement for Massive Data Breach

    EU Adopts Cyber Resilience Act for Connected Devices

    Over 10m Conversations Exposed in AI Call Center Hack

    Disinformation Campaign Targets Moldova Ahead of EU Referendum

    Tweet of the Week (45:07)

    https://twitter.com/JackRhysider/status/1844502566799085769

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (10:01)

    With content liberated from the “today in infosec” twitter account and further afield

    27th September 2001: Jan de Wit was sentenced to 150 hours of community service in the Netherlands for creating and spreading the Anna Kournikova virus. It was one of the first of the major viruses created from a virus toolkit - the dawn of cybercrime toolkits.

    https://twitter.com/todayininfosec/status/1839709145282277614

    3rd October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress that one person in the IT department was at fault.

    https://twitter.com/todayininfosec/status/1841893372035838342

    Rant of the Week (14:52)

    It's true, social media moderators do go after conservatives

    Because they're most likely to share crappy misinformation online

    Since Elon Musk bought Twitter nearly two years ago – a $44 billion acquisition he tried to pull out of – the mogul has driven a narrative that moderation of the microblogging website disproportionately targeted conservatives, libertarians, and Trump supporters.

    A scientific paper published in the journal Nature this week confirms that was the case, with justification. The groups more likely to be subjected to moderation were also more likely to share misinformation from low-quality news sites.

    Billy Big Balls of the Week (21:49)

    Use this link to read the story: https://www.404media.co/email/e7ecda94-675a-4538-901f-b2ccb35fe916/?ref=daily-stories-newsletter - the other link below for the show notes (the one above is tied to my account)

    Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers

    A pair of students at Harvard have built what big tech companies refused to release publicly due to the overwhelming risks and danger involved: smart glasses with facial recognition technology that automatically looks up someone’s face and identifies them. The students have gone a step further too. Their customized glasses also pull other information about their subject from around the web, including their home address, phone number, and family members.

    Industry News (32:05)

    PwC Urges Boards to Give CISOs a Seat at the Table

    Cyber-Attacks Hit Over a Third of English Schools

    ISACA: European Security Teams Are Understaffed and Underfunded

    T-Mobile to Pay $15.75m Penalty for Multiple Data Breaches

    British Hacker Charged in the US For $3.75m Insider Trading Scheme

    Meta Teams Up with Banks to Target Fraudsters

    FIN7 Gang Hides Malware in AI “Deepnude” Sites

    Northern Ireland Police Data Leak Sees Service Fined by ICO

    Microsoft and US Government Disrupt Russian Star Blizzard Operations

    Tweet of the Week (38:52)

    https://twitter.com/iamdevloper/status/1842097858196979989

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (10:44)

    With content liberated from the “today in infosec” twitter account and further afield

    18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes.

    https://twitter.com/todayininfosec/status/1836495262409175187

    17th September 2014: Apple announced that the iOS 8 operating system (used on iPhone and iPad) would be architected to prevent it from being technically feasible for the company to extract data from customer devices. A day later Google made a similar announcement pertaining to Android.

    With iOS 8 Update, Apple Will No Longer Provide User Data to Police

    https://twitter.com/todayininfosec/status/1836071319030374437

    Rant of the Week (17:50)

    No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedom

    Buried beneath the endless feeds and attention-grabbing videos of the modern internet is a network of data harvesting and sale that's perhaps far more vast than most people realise, and it desperately needs regulation.

    That's the conclusion the FTC made after spending nearly four years poring over internal data from nine major social media and video streaming corporations in the US.

    These internet behemoths are collecting vast amounts of data, both on and off their services, and the handling of such data is "woefully inadequate," particularly around data belonging to children and teenagers, the FTC said.

    Billy Big Balls of the Week (28:06)

    LinkedIn started harvesting people's posts for training AI without asking for opt-in

    LinkedIn started harvesting user-generated content to train its AI without asking for permission, angering netizens.

    Microsoft’s self-help network on Wednesday published a "trust and safety" update in which senior veep and general counsel Blake Lawit revealed LinkedIn's use of people's posts and other data for both training and using its generative AI features.

    In doing so, he said the site's privacy policy had been updated. We note this policy links to an FAQ that was updated sometime last week also confirming the automatic collecting of posts for training – meaning it appears LinkedIn started gathering up content for its AI models, and opting in users, well before Lawit’s post and the updated privacy policy advised of the changes today.

    Industry News (35:07)

    Over Half of Breached UK Firms Pay Ransom

    ICO Acts Against Sky Betting and Gaming Over Cookies

    AT&T Agrees $13m FCC Settlement Over Cloud Data Breach

    Europol Taskforce Disrupts Global Criminal Network Through Supply Chain Attack

    Google Street View Images Used For Extortion Scams

    8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

    Western Agencies Warn Risk from Chinese-Controlled Botnet

    Going for Gold: HSBC Approves Quantum-Safe Technology for Tokenized Bullions

    Cybersecurity Skills Gap Leaves Cloud Environments Vulnerable

    Tweet of the Week (42:39)

    https://twitter.com/ProfWoodward/status/1837084678836171089

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (11:25)

    With content liberated from the “today in infosec” twitter account and further afield

    12th September 2014: Stephane Chazelas contacted Bash maintainer Chet Ramey about a vulnerability he dubbed "Bashdoor", which later becoming known as Shellshock. It was publicly disclosed 12 days later.

    Shellshock was kind of a big deal - and the vuln had been in Bash for 25 years!

    https://x.com/todayininfosec/status/1834293229472416242

    9th September 2001: Mark Curphey started OWASP (the Open Web Application Security Project). In 2023 it was renamed the Open Worldwide Application Security Project.

    https://x.com/todayininfosec/status/1833191889790480500

    Rant of the Week (16:33)

    WhatsApp's 'View Once' could be 'View Whenever' due to a flaw

    A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.

    According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.

    The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code.

    "The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation states.

    "Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared."

    Billy Big Balls of the Week (27:10)

    Australia’s government spent the week boxing Big Tech

    The fun started on Monday when prime minister Anthony Albanese announced his intention to introduce a minimum age for social media, with a preference for the services to be off limits until kids turn 16.

    "I want kids to have a childhood," the PM urged. "I want them off their devices 
 I want them to have real experiences with real people."

    Albanese promised legislation to enact the rule will be tabled before Australia's next election, due by 2025. Opposition leader Peter Dutton broadly supported the proposal, which is pitched at parents who are tired of having to protect their kids online.

    Industry news (34:34)

    DoJ Distributes $18.5m to Western Union Fraud Victims

    Poland's Supreme Court Blocks Pegasus Spyware Probe

    UK Recognizes Data Centers as Critical National Infrastructure

    Mastercard Acquires Global Threat Intelligence Firm Recorded Future for $2.65bn

    TfL Confirms Customer Data Breach, 17-Year-Old Suspect Arrested

    Irish Data Protection Regulator to Investigate Google AI

    Microsoft Vows to Prevent Future CrowdStrike-Like Outages

    Record $65m Settlement for Hacked Patient Photos

    Malicious Actors Spreading False US Voter Registration Breach Claims

    Tweet of the Week (41:57)

    https://x.com/MikeTalonNYC/status/1834311262563377553

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (13:08)

    With content liberated from the “today in infosec” twitter account and further afield

    3rd September 2014: Twitter launched its bug bounty program via the HackerOne platform, stating it would award at least $140 for vulnerabilities found in http://x.com/ or its Android or iOS apps.

    $140? 140 was the max tweet length. $1.6 million has been paid out since inception.

    https://twitter.com/XSecurity/status/507220774336225280

    https://x.com/todayininfosec/status/1831408686604140602

    30th August 2014: A user of the message board 4chan posted leaked nude photos of Jennifer Lawrence, Kate Upton, Kirsten Dunst, and other celebrities. Several years later 4 people were sentenced for crimes related to the hacking of Apple iCloud accounts of dozens of targeted individuals.

    Apple knew of iCloud API weakness months before celeb photo leak broke

    https://x.com/todayininfosec/status/1830016468328575386

    Rant of the Week (19:09)

    'Error' causes Alexa to endorse Kamala Harris, refuse to discuss Trump

    It would be perfectly reasonable to expect Amazon's digital assistant Alexa to decline to state opinions about the 2024 presidential race, but up until recently, that assumption would have been incorrect.

    When asked to give reasons to vote for former President Donald Trump, Alexa demurred, according to a video from Fox Business.

    "I cannot provide responses that endorse any political party or its leader," Alexa responded. When asked the same about Vice President Kamala Harris, the Amazon AI was more than willing to endorse the Democratic candidate.

    "There are many reasons to vote for Kamala Harris," Alexa said. Among the reasons given was that Harris has a "comprehensive plan to address racial injustice," that she promises a "tough on crime approach," and that her record on criminal justice and immigration reform make her a "compelling candidate."

    Billy Big Balls of the Week (26:45)

    Examples of Google Employees Trying to Avoid Creating Evidence in Antitrust Case

    In its antitrust case against Google, the Federal Government filed a list of chats it had obtained that show Google employees explicitly asking each other to turn off a chat history feature to discuss sensitive subjects, showing repeatedly that Google workers understood they should try to avoid creating a paper trail of some of their activities.

    The filing came following a hearing in which judge Leonie Brinkema ripped Google for “destroyed” evidence while considering a filing from the Department of Justice asking the court to find “adverse interference” against Google, which would allow the court to assume it purposefully destroyed evidence.

    Previous filings, including in the Epic Games v Google lawsuit and this current antitrust case, have also shown Google employees purposefully turning history off.

    The chats show 22 instances in which one Google employee told another Google employee to turn chat history off. In total, the court has dozens of specific employees who have told others to turn history off in DMs or broader group chats and channels. The document includes exchanges like this (each exchange includes different employees)

    AND

    Musician charged with $10M streaming royalties fraud using AI and bots

    North Carolina musician Michael Smith was indicted for collecting over $10 million in royalty payments from Spotify, Amazon Music, Apple Music, and YouTube Music using AI-generated songs streamed by thousands of bots in a massive streaming fraud scheme.

    According to court documents, Smith fraudulently inflated music streams on digital platforms between 2017 and 2024 with the assistance of an unnamed music promoter and the Chief Executive Officer of an AI music company.

    He acquired hundreds of thousands of songs generated through artificial intelligence (AI) from a coconspirator and uploaded them to these streaming platforms. He then used automated bots to stream the AI-generated tracks billions of times.

    Industry News (36:21)

    South Korea Police Investigates Telegram Over Deepfake Porn

    Irish Wildlife Park Warns Customers to Cancel Credit Cards Following Breach

    TfL Claims Cyber-Incident is Not Impacting Services

    Three Plead Guilty to Running MFA Bypass Site

    Civil Rights Groups Call For Spyware Controls

    Clearview AI Fined €30.5m by Dutch Watchdog Over Illegal Data Collection

    Russian Blamed For Mass Disinformation Campaign Ahead of US Election

    OnlyFans Hackers Targeted With Infostealer Malware

    UK Signs Council of Europe AI Convention

    Tweet of the Week (42:50)

    https://twitter.com/0xdade/status/1831387831677415923

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:42)

    With content liberated from the “today in infosec” twitter account and further afield

    29th August 1990: The UK's Computer Misuse Act 1990 went into effect, introducing 3 criminal offences related to unauthorised access and modification of "computer material".

    https://twitter.com/todayininfosec/status/1829252932178719161

    27th August 1999: One of the first companies to offer a dedicated web application firewall (WAF) was Perfecto Technologies with its AppShield product. But it didn't use the terminology "WAF", instead describing it as "a plug and play" Internet application security solution."

    https://twitter.com/todayininfosec/status/1828483993001492969

    Rant of the Week (13:25)

    Watchdog warns FBI is sloppy on secure data storage and destruction

    The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General.

    Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for it to be either lost or stolen, the report [PDF] addressed to FBI Director Christopher Wray states.

    Ironically, this lack of identification might be considered a benefit, given the lax security at the FBI's facility used to destroy such media after they have been finished with.

    The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.

    Billy Big Balls of the Week (22:01)

    Deadbeat dad faked his own death by hacking government databases

    A US man has been sentenced to 81 months in jail for faking his own death by hacking government systems and officially marking himself as deceased.

    The US Department of Justice on Tuesday detailed the case of Jesse Kipf, 39, who was sent down for computer fraud and aggravated identity theft.

    In January 2023, Kipf used the credentials of a physician to access Hawaii's Death Registry System and create a "case" that recorded his own death.

    "Kipf then completed a State of Hawaii Death Certificate Worksheet, assigned himself as the medical certifier for the case and certified his death, using the digital signature of the doctor," the DoJ wrote. The paperwork was all correct, so many government databases listed Kipf as deceased.

    But he was very much alive and enjoying the fact that his "death" meant he didn't have to make child support payments or catch up on those he'd already missed. Evidence presented in court included internet search histories recorded on a laptop, with Kipf looking up terms including "Remove California child support for deceased."

    Industry News (28:13)

    Uber Hit With €290m GDPR Fine

    FBI Flawed Data Handling Raises Security Concerns

    Microsoft 365 Copilot Vulnerability Exposes User Data Risks

    Money Laundering Dominates UK Fraud Cases

    Ransomware Attacks Exposed 6.7 Million Records in US Schools

    IT Engineer Charged For Attempting to Extort Former Employer

    Surge in New Scams as Pig Butchering Dominates

    Unpatched CCTV Cameras Exploited to Spread Mirai Variant

    North Korean Hackers Launch New Wave of npm Package Attacks

    Tweet of the Week (36:20)

    https://x.com/fesshole/status/1828921760147767400

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (06:43)

    With content liberated from the “today in infosec” twitter account and further afield

    18th August 2004: Text messages sent to promote the video game "Resident Evil: Outbreak" stated "Outbreak: I'm infecting you with t-virus". This scared recipients, who were only about 7% less technologically savvy than mobile phone users today.

    https://x.com/todayininfosec/status/1825257955878641888

    20th August 2003: Philippe Oechslin shared his technique he called "rainbow tables" during a talk at the 23rd annual crypto conference, Crypto 2003.

    It became a popular approach for cracking password hashes. Today it's less widely used due to adoption of practices that reduce its efficacy.

    https://x.com/todayininfosec/status/1825865870716870802

    Rant of the Week (10:59)

    This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

    University of California Santa Cruz (UCSC) students may be relieved to hear that an emailed warning about a staff member infected with the Ebola virus was just a phishing exercise.

    The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola virus."

    The message went on to say that the university has initiated a contact tracing protocol and asks message recipients to "Please Log In to the Access Information Page for more details" – the very activity phishing messages attempt to encourage in order to capture login credentials.

    The simulated attack was similar to an actual phishing message sent on August 1, 2024, as shown on the UCSC Phish Bowl, a collection of real and test phishing attempts.

    But the one sent on Sunday was intended to raise awareness of phishing rather than to actually steal information.

    In that, it succeeded. The message prompted the UCSC Student Health Center to publish a notice about a "Phishing email with misleading health information."

    On Monday, Brian Hall, chief information security officer for UCSC, sent out an apology to the university community.

    Billy Big Balls of the Week (18:20)

    Russia tells citizens to switch off home surveillance because the Ukrainians are coming

    Russia's Ministry of Internal Affairs is warning residents of under-siege regions to switch off home surveillance systems and dating apps to stop Ukraine from using them for intel-gathering purposes.

    Residents of the Bryansk, Kursk, and Belgorod regions were issued with the warnings amid what seems like Russia being thoroughly rattled by Ukraine's incursion into the country's southwest.

    "The enemy is massively identifying IP ranges in our territories and connecting to unprotected video surveillance cameras remotely, viewing everything from private yards to roads and highways of strategic importance," said the ministry, according to Russian newswire Interfax. "In this regard, if there is no urgent need, it is better not to use video surveillance cameras.

    "It is highly discouraged to use online dating services. The enemy actively uses such resources for the covert collection of information."

    These warnings were just two of many included in a public memo aimed at protecting the identities of high-value Russian individuals, including military personnel, law enforcement agents, and nuclear energy workers.

    Industry News (24:51)

    Iran Behind Trump Campaign Hack, US Government Confirms

    New DNS-Based Backdoor Threat Discovered at Taiwanese University

    Most Ransomware Attacks Now Happen at Night

    CISA to Get New Headquarters as $524M Contract Awarded

    Australia Calls Off Clearview AI Investigation Despite Lack of Compliance

    Backdoor in Mifare Smart Cards Could Open Doors Around the World

    Security Flaws in UK Political Party Donation Platforms Exposed

    Company Fined $1m for Fake Joe Biden AI Calls

    FAA Admits Gaps in Aircraft Cybersecurity Rules: New Regulation Proposed

    Tweet of the Week (32:19)

    https://x.com/anon_opin/status/1826015107857416458?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (10:28)

    10th July 1999 - Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America".

    https://twitter.com/todayininfosec/status/1811133606015983680

    9th July 1981 - The game that launched two of the most famous characters in video game history is released for sale. Donkey Kong was created by Nintendo, a Japanese playing card and toy company turned fledgling video game developer, who was trying to create a hit game for the North American market. Unable at the time to acquire a license to create a video game based on the Popeye character, Nintendo decides to create a game mirroring the characteristics and rivalry of Popeye and Bluto. Donkey Kong is named after the game’s villain, a pet gorilla gone rogue. The game’s hero is originally called Jumpman, but is retroactively renamed Mario once the game becomes popular and Nintendo decides to use the character in future games.

    Due to the similarity between Donkey Kong and King Kong, Universal Studios sued Nintendo claiming Donkey Kong violated their trademark. Kong, however, is common Japanese slang for gorilla. The lawsuit was ruled in favor of Nintendo. The success of Donkey Kong helped Nintendo become one of the dominant companies in the video game market.

    Rant of the Week (15:55)

    Palestinians say Microsoft unfairly closing their accounts

    Palestinians living abroad have accused Microsoft of closing their email accounts without warning - cutting them off from crucial online services.

    They say it has left them unable to access bank accounts and job offers - and stopped them using Skype, which Microsoft owns, to contact relatives in war-torn Gaza.

    Microsoft says they violated its terms of service - a claim they dispute.

    Billy Big Balls of the Week (27:39)

    Scalpers Work With Hackers to Liberate Ticketmaster's ‘Non-Transferable’ Tickets

    A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers.

    By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS.

    'Gay furry hackers' breach conservative US think tank behind Project 2025

    A collective of self-described "gay furry hackers" have released 2GB of data lifted from the Heritage Foundation, the conservative think-tank behind Project 2025 - a set of proposals that would bring the USA closer to being an authoritarian state.

    The hacktivist group, known as SiegedSec, has been running a campaign it calls "OpTransRights," targeting (mostly government) websites to disrupt efforts to enact or enforce anti-trans and anti-abortion laws.

    Industry News (33:26)

    10 Billion Passwords Leaked on Hacking Forum

    Crypto Thefts Double to $1.4 Billion, TRM Labs Finds

    Russia Blocks VPN Services in Information Crackdown

    Ticketmaster Extortion Continues, Threat Actor Claims New Ticket Leak

    Cyber-Attack on Evolve Bank Exposed Data of 7.6 Million Customers

    Most Security Pros Admit Shadow SaaS and AI Use

    Russian Media Uses AI-Powered Software to Spread Disinformation

    Smishing Triad Targets India with Fraud Surge

    Fraud Campaign Targets Russians with Fake Olympics Tickets

    Tweet of the Week (41:18)

    https://x.com/dennishegstad/status/1810044171765645568

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:40)

    With content liberated from the “today in infosec” twitter account and further afield

    3 July 1996 - a mere 28 years ago the movie Independence Day was released. In it, Jeff Goldblum and Will Smith fly into an alien vessel in a 50-year-old space junker, then upload a computer virus in less than 5 minutes

    https://twitter.com/todayininfosec/status/1808464060972667170

    Rant of the Week (11:07)

    Cancer patient forced to make terrible decision after Qilin attack on London hospitals

    https://www.theregister.com/2024/07/05/qilin_impacts_patient/

    EXCLUSIVE The latest figures suggest that around 1,500 medical procedures have been canceled across some of London's biggest hospitals in the four weeks since Qilin's ransomware attack hit pathology services provider Synnovis. But perhaps no single person was affected as severely as Johanna Groothuizen.

    Hanna – the name she goes by – is now missing her right breast after her skin-sparing mastectomy and immediate breast reconstruction surgery was swapped out for a simple mastectomy at the last minute.

    Billy Big Balls of the Week (18:20)

    Ransomware scum who hit Indonesian government apologizes, hands over encryption key

    https://www.theregister.com/2024/07/04/hackers_of_indonesian_government_apologize/

    Industry News (24:28)

    Vinted Fined €2.3m Over Data Protection Failure

    Europol Warns of Home Routing Challenges For Lawful Interception

    Meta Faces Suspension of AI Data Training in Brazil

    New Ransomware Group Phones Execs to Extort Payment

    UK’s NCA Leads Major Cobalt Strike Takedown

    Cyber Extortion Soars: SMBs Hit Four Times Harder

    New RUSI Report Exposes Psychological Toll of Ransomware, Urges Action

    Dozens of Arrests Disrupt €2.5m Vishing Gang

    Health Tech Execs Get Jail Time For $1bn Fraud Scheme

    Tweet of the Week (31:07)

    Come on! Like and bloody well subscribe!

  • This Week in InfoSec (12:30)

    With content liberated from the “today in infosec” twitter account and further afield

    24th June 1987: The movie Spaceballs was released. With a budget of $23 million, it grossed $38 million at the box office in North America. Though 37 years have passed, the secret code scene remains a reminder of why security is hard.

    Watch the secret code scene from Spaceballs and weep. Or laugh. Or both. Has much changed when it comes to password security since the movie was released 37 years ago today?

    The 64 second scene: https:///youtu.be/a6iW-8xPw3k

    https://x.com/todayininfosec/status/1805302016451002501

    27th June 2011: Anonymous released its first cache from Operation AntiSec, information from a US anti-cyberterrorism program.

    https://x.com/todayininfosec/status/1806302186487345226

    Rant of the Week (18:15)

    Korean telco allegedly infected its P2P users with malware
    A South Korean media outlet has alleged that local telco KT deliberately infected some customers with malware due to their excessive use of peer-to-peer (P2P) downloading tools.

    The number of infected users of “web hard drives” – the South Korean term for the online storage services that allow uploading and sharing of content – has reportedly reached 600,000.

    Billy Big Balls of the Week (26:33)

    Crypto scammers circle back, pose as lawyers, steal an extra $10M in truly devious plan
    The FBI says in just 12 months, scumbags stole circa $10 million from victims of crypto scams after posing as helpful lawyers offering to recover their lost tokens.

    Between February 2023-2024, scammers were kicking US victims while they were already down, preying on their financial vulnerability to defraud them for a second time in what must be seen as a new low, even for that particular breed of dirtball.

    It's the latest update from the FBI's Internet Crime Complaint Center (IC3) on the ongoing issue which was first publicized in August last year.

    Industry News (34:24)

    US Bans Kaspersky Over Alleged Kremlin Links

    Sellafield Pleads Guilty to Historic Cybersecurity Offenses

    Polish Prosecutors Step Up Probe into Pegasus Spyware Operation

    Credential Stuffing Attack Hits 72,000 Levi’s Accounts

    Google's Naptime Framework to Boost Vulnerability Research with AI

    Fake Law Firms Con Victims of Crypto Scams, Warns FBI

    IT Leaders Split on Using GenAI For Cybersecurity

    Majority of Critical Open Source Projects Contain Memory Unsafe Code

    CISOs Reveal Firms Prioritize Savings Over Long-Term Security

    Tweet of the Week (43:08)

    https://twitter.com/StuAlanBecker/status/1806137799248359443

    Comments: https://twitter.com/derJamesJackson/status/1806307954586538205

    Alternate TotW:

    https://twitter.com/susisnyder/status/1806222280382406836

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (11:16)

    With content liberated from the “today in infosec” twitter account and further afield

    5th of June 1991, a mere 33 years ago, : Philip Zimmermann sent the first release of PGP to 2 friends, Allan Hoeltje and Kelly Goen, to upload to the Internet.

    From the man himself,

    First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world. Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th.

    It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn't even have a clear idea what a newsgroup was.

    After releasing PGP, I immediately diverted my attention back to consulting work, to try to get caught up on my mortgage payments. I thought I could just release PGP 1.0 for MSDOS, and leave it alone for awhile, and let people play with it. I thought I could get back to it later, at my leisure. Little did I realize what a feeding frenzy PGP would set off. Apparently, there was a lot of pent-up demand for a tool like this. Volunteers from around the world were clamoring to help me port it to other platforms, add enhancements, and generally promote it. I did have to go back to work on paying gigs, but PGP continued to demand my time, pulled along by public enthusiasm.

    I assembled a team of volunteer engineers from around the world. They ported PGP to almost every platform (except for the Mac, which turned out to be harder). They translated PGP into foreign languages. And I started designing the PGP trust model, which I did not have time to finish in the first release. Fifteen months later, in September 1992, we released PGP 2.0, for MSDOS, several flavors of Unix, Commodore Amiga, Atari, and maybe a few other platforms, and in about ten foreign languages. PGP 2.0 had the now-famous PGP trust model, essentially in its present form.

    It was shortly after PGP 2.0's release that US Customs took an interest in the case. Little did they realize that they would help propel PGP's popularity, helping to ignite a controversy that would eventually lead to the demise of the US export restrictions on strong cryptography.

    7 June 2009. A mere 15 years ago. Sophos launched its (utterly shit) IT vigilante marketing campaign

    Dress up a British man (who appears to have had a nervous breakdown over a corporate data breach incident) in an orange gimp suit – that will sell security software for sure!

    At least, that was the plan made by Sophos’s marketing department for its “IT Vigilante” campaign.

    https://www.youtube.com/watch?v=-gc6sDqofcI

    https://grahamcluley.com/top-five-worst-videos-anti-virus/

    Other awful videos:

    Happy birthday Eugene Kaspersky: https://www.youtube.com/watch?v=ujnq188E5-w

    Eugene’s “silent movie”: https://www.youtube.com/watch?v=Ib8UjCQl5sE&t=6s

    Rant of the Week (22:45)

    https://www.bbc.co.uk/news/articles/cxee7317kgmo

    Russian hackers are behind the cyber attack on a number of major London hospitals, according to the former chief executive of the National Cyber Security Centre.

    Ransomware attacks on the healthcare industry as a whole have increased significantly over the past year. Whaley attributes the uptick to “lives on the line.”

    “While no sector is invulnerable to these attacks
 healthcare providers have proven time and time again that they’re the most willing to pay a ransom following these incidents," Whaley said.

    “Bad actors know this and smell blood in water,” he added.

    Whaley pointed out that the rise in state-sponsored cyberattacks combined “with the further digitization of the NHS paints a pretty grim picture for the defensive capabilities of the British healthcare sector
 and possibly a warning sign of much larger attacks to come.”

    Graham's Giant Gonads of the Week (30:51)

    Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab

    https://therecord.media/kaspersky-apple-bug-bounty-declined

    https://securelist.com/trng-2023/

    Apple has snubbed Russian cybersecurity firm Kaspersky Lab, refusing to shell out a bug bounty for four zero-day vulnerabilities discovered in iPhone software.

    Targets were infected using zero-click exploits via the iMessage platform, and the malware ran with root privileges, gaining complete control over the device and user data.

    The twist?

    The vulnerabilities were used to spy on Kaspersky employees.

    Kaspersky politely enquired whether it could be rewarded for finding the vulnerabilities used in the espionage campaign - known as Operation Triangulation.

    Kaspersky claims it was a "highly sophisticated" attack, so intricate it needed 13 bullet points to explain.

    Russia, not one to be outdone in the drama department, accused the U.S. and Apple of colluding to spy on Russian diplomats. Apple, of course, vehemently denied these allegations.

    It's like Eastenders.

    Amidst all this chaos, the U.S. and Russia are engaged in a geopolitical staring contest, with Apple caught in the crossfire. Apple, being an American company, has taken a stand against Russia's actions in Ukraine, suspending sales and removing apps. It's a bit like a tech giant trying to play peacemaker in a playground brawl.

    Kaspersky, meanwhile, has its own history with the U.S. government, having been banned from government use due to security concerns. It's a classic case of "guilty by association."

    So, will Kaspersky continue to report bugs to Apple despite the lack of reward? Only time will tell.

    Speaking to Russian-language media agency RTVI, Kaspersky’s research head Dmitry Galov said that typically cybersecurity companies like Kaspersky nominated a charity to receive the funds from the Apple Bug Bounty program instead of collecting the revenue itself.

    He added that although Kaspersky was confident the attacker was state-sponsored, he and his research team did not have the technical data needed to identify which state may have been behind the attack.

    A spokesperson for Kaspersky did not respond to whether it had nominated a charity when initially contacting Apple, nor whether the company’s refusal to issue a bounty would affect its decision to disclose vulnerabilities discovered in the future.

    Industry News (40:23)

    London Hospitals Cancel Operations Following Ransomware Incident

    EmailGPT Exposed to Prompt Injection Attacks

    #Infosec2024: CISOs Need to Move Beyond Passwords to Keep Up With Security Threats

    #Infosec2024: Ransomware Ecosystem Transformed, New Groups “Changing the Rules”

    Security Flaws Found in Popular WooCommerce Plugin

    #Infosec2024: Collaboration is Key to an Effective Security Culture

    #Infosec2024: AI Red Teaming Provider Mindgard Named UK's Most Innovative Cyber SME

    FBI Warns of Rise in Work-From-Home Scams

    Account Takeovers Outpace Ransomware as Top Security Concern

    Tweet of the Week (44:27)

    https://x.com/dakacki/status/1798882732203803070

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:29)

    With content liberated from the “today in infosec” twitter account and further afield

    28th May: 2014: LulzSec hacker Hector Monsegur, known as Sabu, was sentenced and released the same day on time served for his role in a slew of high-profile cyberattacks. He had served 7 months in prison after his arrest.

    https://x.com/todayininfosec/status/1795228730735886650

    25th May 2018: The General Data Protection Regulation (GDPR) in the European Union (EU) to strengthen and unify data protection became effective - just over 2 years after it was adopted by the EU.

    https://twitter.com/todayininfosec/status/1794461551534936503

    Rant of the Week (18:34)

    Bing outage shows just how little competition Google search really has

    Bing, Microsoft's search engine platform, went down in the very early morning 23rd May. That meant that searches from Microsoft's Edge browsers that had yet to change their default providers didn't work. It also meant that services relying on Bing's search API—Microsoft's own Copilot, ChatGPT search, Yahoo, Ecosia, and DuckDuckGo—similarly failed.

    If dismay about AI's hallucinations, power draw, or pizza recipes concern you—along with perhaps broader Google issues involving privacy, tracking, news, SEO, or monopoly power—most of your other major options were brought down by a single API outage this morning. Moving past that kind of single point of vulnerability will take some work, both by the industry and by you, the person wondering if there's a real alternative.

    Billy Big Balls of the Week (26:56)

    IT worker sued over ‘vengeful’ cyber harassment of policeman who issued a jaywalking ticket


    In an ongoing civil lawsuit, an IT worker is accused of launching a "destructive cyber campaign of hate and revenge" against a police officer and his family after being issued a ticket for jaywalking.

    Industry News (34:44)

    Check Point Urges VPN Configuration Review Amid Attack Spike

    Courtroom Recording Software Vulnerable to Backdoor Attacks

    New North Korean Hacking Group Identified by Microsoft

    Internet Archive Disrupted by Sustained and “Mean” DDoS Attack

    Advance Fee Fraud Targets Colleges With Free Piano Offers

    US-Led Operation Takes Down World’s Largest Botnet

    First American Reveals Data Breach Impacting 44,000 Individuals

    Europol-Led Operation Endgame Hits Botnet, Ransomware Networks

    BBC Pension Scheme Breached, Exposing Employee Data

    Tweet of the Week (47.14)

    https://twitter.com/DebugPrivilege/status/1795823939631067165

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (11:36)

    With content liberated from the “today in infosec” twitter account and further afield

    17th May 2015: CNN published their article on a statement Cybersecurity Consultant, Chris Roberts had publicly made on Twitter a month earlier. There were lots of accusations made regarding Chris Roberts' actions hacking into computer systems while a passenger on multiple airline flights. Did he actually cause a plane to fly sideways? Maybe? But it's not like he made it fly upside down.

    FBI: Hacker claimed to have taken over flight’s engine controls

    https://twitter.com/todayininfosec/status/1791214444980080724

    26th May 1995: Gates Declares Internet "Most Important Single Development"

    Realising his company had missed the boat in estimating the impact and popularity of the Internet, Microsoft Corp. CEO Bill Gates issued a memo titled, "The Internet Tidal Wave," which signaled the company's renewed focus on that arena. In the memo, Gates declared that the Internet was the "most important single development" since the IBM personal computer -- a development that he was assigning "the highest level of importance”.

    https://1995blog.com/2020/05/25/25-years-on-bill-gates-internet-tidal-wave-memo-a-seminal-document-of-the-unfolding-digital-age/

    Rant of the Week (18:00)

    Giving Windows total recall of everything a user does is a privacy minefield

    Microsoft's Windows Recall feature is attracting controversy before even venturing out of preview.

    Like so many of Microsoft's AI-infused products, Windows Recall will remain in preview while Microsoft refines it based on user feedback – or simply gives up and pretends it never happened.

    The principle is simple. Windows takes a snapshot of a user's active screen every few seconds and dumps it to disk. The user can then scroll through the archive of snapshots to find what were doing some time back, or query an AI system to recall past screenshots by text.

    Billy Big Balls of the Week (28:58)

    Hacker Breaches Scam Call Center, Warns Victims They've Been Scammed

    A hacker claims to have breached a scam call center, stolen the source code for the company’s tools, and emailed the company’s scam victims.

    The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

    Industry News (34:17)

    Authorities Arrest $100m Incognito Drugs Market Suspect

    AI Seoul Summit: 16 AI Companies Sign Frontier AI Safety Commitments

    UK Government in ÂŁ8.5m Bid to Tackle AI Cyber-Threats

    Mastercard Doubles Speed of Fraud Detection with Generative AI

    PSNI Faces ÂŁ750,000 Data Breach Fine After Spreadsheet Leak

    GitHub Fixes Maximum Severity Flaw in Enterprise Server

    National Records of Scotland Data Breached in NHS Cyber-Attack

    NVD Leaves Exploited Vulnerabilities Unchecked

    Microsoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day

    Tweet of the Week (41:59)

    https://twitter.com/gcluley/status/1792881296907043217

    Two for one:

    https://twitter.com/mer__edith/status/1793888092321202634

    Come on! Like and bloody well subscribe!

  • This week in InfoSec

    With content liberated from the “today in infosec” twitter account and further afield

    27th April 2012: The Information Commissioner's Office (ICO) in the UK issued its first-ever data breach fine to an NHS (National Health Service) organisation, fining Aneurin Bevan Health Board in Wales ÂŁ70,000.

    https://www.digitalhealth.net/2012/04/first-nhs-fine-issued-by-ico/

    Rant of the Week

    Dropbox dropped the ball on security, haemorrhaging customer and third-party info

    Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities.

    The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone.

    The filing states that management became aware of the incident last week – on April 24 – and "immediately activated our cyber security incident response process to investigate, contain, and remediate the incident."

    That effort led to the discovery that "the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings."

    Billy Big Balls of the Week

    Chinese government website security is often worryingly bad, say Chinese researchers

    Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week.

    The researchers concluded the investigation has uncovered "pressing security and dependency issues" that may not have a quick fix.

    "Despite thorough analyses, practical solutions to bolster the security of these systems remain elusive," wrote the researchers. "Their susceptibility to cyber attacks, which could facilitate the spread of malicious content or malware, underscores the urgent need for real-time monitoring and malicious activity detection."

    The study also highlights the need for "stringent vetting and regular updates" of third-party libraries and advocates "a diversified distribution of network nodes, which could substantially augment system resilience and performance."

    The study will likely not go down well in Beijing, as China's government has urged improvements to government digital services and apps often issues edicts about improving cybersecurity.

    Industry News

    Google Blocks 2.3 Million Apps From Play Store Listing

    Disinformation: EU Opens Probe Against Facebook and Instagram Ahead of Election

    NCSC’s New Mobile Risk Model Aimed at “High-Threat” Firms

    Lawsuits and Company Devaluations Await For Breached Firms

    UnitedHealth CEO Confirms Breach Tied to Stolen Credentials, No MFA

    REvil Ransomware Affiliate Sentenced to Over 13 Years in Prison

    Security Breach Exposes Dropbox Sign Users

    Indonesia is a Spyware Haven, Amnesty International Finds

    North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

    Tweet of the Week

    https://twitter.com/summer__heidi/status/1783829402574639187

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:04)

    With content liberated from the “today in infosec” twitter account and further afield

    23rd April 2005: The first video uploaded to YouTube, “Me at the zoo,” is posted on April 23, 2005 at 8:27 PM by co-founder Jawed Karim. For now being a piece of history, the video is actually pretty dumb.

    Note to future entrepreneurs: what you do may be for posterity. Choose wisely.

    22nd April 1988: 1988: The VIRUS-L email mailing list was created and moderated by Ken van Wyk while he was working at Lehigh University. It was the first electronic forum dedicated to discussing computer viruses.

    https://twitter.com/todayininfosec/status/1782424224348446910

    Rant of the Week (13:21)

    Ring dinged for $5.6M after, among other claims, rogue insider spied on 'pretty girls'

    The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.

    The windfall stems from allegations made by the US watchdog that folks could have been, and were, spied upon by cybercriminals and rogue Ring workers via their Ring home security cameras.

    The regulator last year accused Ring of sloppy privacy protections that allowed the aforementioned spying to occur or potentially occur.

    Specifically, the FTC formally charged Ring with "compromising its customers' privacy by allowing any employee or contractor to access consumers' private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos."

    Billy Big Balls of the Week (21:41)
    Cops cuff man for allegedly framing colleague with AI-generated hate speech clip

    Baltimore police have arrested Dazhon Leslie Darien, the former athletic director of Pikesville High School (PHS), for allegedly impersonating the school's principal using AI software to make it seem as if he made racist and antisemitic remarks.

    Darien, of Baltimore, Maryland, was subsequently charged with witness retaliation, stalking, theft, and disrupting school operations. He was detained late at night trying to board a flight at BWI Thurgood Marshall Airport. Security personnel stopped him because the declared firearm he had with him was improperly packed and an ensuing background check revealed an open warrant for his arrest.

    He is quoted as saying “Arse cock pussy”. 😀

    "On January 17, 2024, the Baltimore County Police Department became aware of a voice recording being circulated on social media," said Robert McCullough, Chief of Baltimore County Police, at a streamed press conference today. "It was alleged the voice captured on the audio file belong to Mr Eric Eiswert, the Principal at the Pikesville High School. We now have conclusive evidence that the recording was not authentic.

    Industry News (30:51)

    Quishing Attacks Jump Tenfold, Attachment Payloads Halve

    Alarming Decline in Cybersecurity Job Postings in the US

    NCSC Announces PwC’s Richard Horne as New CEO

    NSA Launches Guidance for Secure AI Deployment

    End-to-End Encryption Sparks Concerns Among EU Law Enforcement

    Fifth of CISOs Admit Staff Leaked Data Via GenAI

    US Congress Passes Bill to Ban TikTok

    Online Banking Security Still Not Up to Par, Says Which?

    Ring to Pay Out $5.6m in Refunds After Customer Privacy Breach

    Tweet of the Week (38:56)

    https://twitter.com/KimZetter/status/1783556843798671591

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (08:49)

    With content liberated from the “today in infosec” twitter account and further afield

    7th April 1969: Steve Crocker, a graduate student at UCLA and part of the team developing ARPANET, writes the first “Request for Comments“. The ARPANET, a research project of the Department of Defense’s Advanced Research Projects Agency (ARPA), was the foundation of today’s modern Internet. RFC 1 defined the design of the host software for communication between ARPANET nodes. This host software would be run on Interface Message Processors or IMPs, which were the precursor to Internet routers. The “host software” defined in RFC 1 would later be known as the Network Control Protocol or NCP, which itself was the forerunner to the modern TCP/IP protocol the Internet runs on today.

    https://thisdayintechhistory.com/04/07/rfc-1-defines-the-building-block-of-internet-communication/

    7th April 2014: The Heartbleed Bug was publicly disclosed. The buffer over-read vulnerability had been discovered by Neel Mehta and later privately reported to the OpenSSL project, which patched it the next day. The vulnerability was inadvertently introduced into OpenSSL 2 years prior.

    https://twitter.com/todayininfosec/status/1777136463882183076

    Rant of the Week (17:09)

    OpenTable is adding your first name to previously anonymous reviews

    Restaurant reservation platform OpenTable says that all reviews on the platform will no longer be fully anonymous starting May 22nd and will now show members' profile pictures and first names.

    OpenTable notified members of this new policy change today in emails to members who had previously left a review on the platform, stating the change was made to provide more transparency.

    "At OpenTable, we strive to build a community in which diners can help other diners discover new restaurants, and reviews are a big part of that," reads the OpenTable email seen by BleepingComputer.

    "We've heard from you, our diners, that trust and transparency are important when looking at reviews."

    "To build on the credibility of our review program, starting May 22, 2024, OpenTable will begin displaying diner first names and profile photos on all diner reviews. This update will also apply to past reviews.

    Billy Big Balls of the Week (26:36)
    Lloyds Bank axes risk staff after executives complain they are a ‘blocker’

    Lloyds Banking Group plans to cut jobs in risk management after an internal review found the function was a “blocker to our strategic transformation”.

    The restructuring was outlined in a memo last month from Lloyds’ chief risk officer Stephen Shelley, who said two-thirds of executives believed risk management was blocking progress while “less than half our workforce believe intelligent risk-taking is encouraged”. The lender was “resetting our approach to risk and controls”, Shelley said in the memo, seen by the Financial Times, adding that “the initial focus is on non-financial risks”.

    Industry News (33:55)

    T: Famous YouTube Channels Hacked to Distribute Infostealers

    A: US Federal Data Privacy Law Introduced by Legislators

    J: Foreign Interference Drives Record Surge in IP Theft

    T: Half of UK Businesses Hit by Cyber-Incident in Past Year, UK Government Finds

    A: US Claims to Have Recovered $1.4bn in COVID Fraud

    J: Women Experience Exclusion Twice as Often as Men in Cybersecurity

    T: Threat Actors Game GitHub Search to Spread Malware

    A: Data Breach Exposes 300k Taxi Passengers’ Information

    J: Apple Boosts Spyware Alerts For Mercenary Attacks

    Tweet of the Week (52:08)

    https://x.com/ErrataRob/status/1778536622163984590

    Come on! Like and bloody well subscribe!