Episodes

  • This week in InfoSec (11:25)

    With content liberated from the “today in infosec” twitter account and further afield

    12th September 2014: Stephane Chazelas contacted Bash maintainer Chet Ramey about a vulnerability he dubbed "Bashdoor", which later became known as Shellshock. It was publicly disclosed 12 days later.

    Shellshock was kind of a big deal - and the vuln had been in Bash for 25 years!

    https://x.com/todayininfosec/status/1834293229472416242
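    For anyone who wants to see the bug rather than just read about it: the probe below is an added example, not something from the podcast or the tweet. It exercises the original Shellshock issue (CVE-2014-6271). Before the fix, bash treated any environment variable whose value started with "() {" as an exported function definition and carried on executing whatever followed the closing brace, so code placed in an attacker-controlled variable ran at shell start-up, before the script or the -c argument. That mattered because CGI servers, DHCP clients and similar programs hand untrusted input to bash via the environment. A patched bash only imports specially named variables and ignores trailing text, so on a current system the check reports "patched". The binary name and the minimal PATH are assumptions of the example.

```python
import shutil
import subprocess

# Added example (not the podcast's or Bash's code): probe a bash binary for the
# original Shellshock bug, CVE-2014-6271.
#
# The payload is an *environment variable*, not a command line. Its value is a
# do-nothing function "() { :;}" followed by a trailing command. A vulnerable
# bash runs that trailing command while importing the function, before it ever
# gets to the "-c" argument we pass.
PAYLOAD = "() { :;}; echo VULNERABLE"


def shellshock_check(target: str = "bash") -> str:
    """Return 'missing', 'vulnerable' or 'patched' for the named bash binary."""
    path = shutil.which(target)
    if path is None:
        return "missing"
    # Only the probe variable and a minimal PATH (assumed locations): nothing
    # else from our own environment should influence the child shell.
    env = {"PATH": "/usr/bin:/bin", "x": PAYLOAD}
    try:
        proc = subprocess.run([path, "-c", "echo probe"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return "missing"
    # A vulnerable shell prints VULNERABLE before "echo probe" runs;
    # a patched shell prints only "probe".
    return "vulnerable" if "VULNERABLE" in proc.stdout else "patched"


if __name__ == "__main__":
    print(shellshock_check())
```

    Run it against each bash you care about (`shellshock_check("/bin/bash")`); the interesting result is a "vulnerable" from an old appliance or container image, which is exactly where 25-year-old code tends to survive.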

    9th September 2001: Mark Curphey started OWASP (the Open Web Application Security Project). In 2023 it was renamed the Open Worldwide Application Security Project.

    https://x.com/todayininfosec/status/1833191889790480500

    Rant of the Week (16:33)

    WhatsApp's 'View Once' could be 'View Whenever' due to a flaw

    A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.

    According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.

    The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code.

    "The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation states.

    "Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared."
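    The pattern Zengo describe, as an added example that is not WhatsApp's or Zengo's code: a hypothetical server that hands every client the media bytes plus a flag, beside one that enforces the flag where the attacker cannot reach it. The platform names, the single-serve rule and the message shape are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Added, hypothetical model of the flaw described above; not WhatsApp's protocol.
# Assumption: only these client platforms implement the view-once UI controls.
ENFORCING_PLATFORMS: Set[str] = {"android", "ios"}


@dataclass
class Media:
    media_id: str
    view_once: bool
    payload: bytes


@dataclass
class Delivery:
    media_id: str
    view_once: bool
    payload: Optional[bytes]   # None when the server withholds the bytes


class FlawedServer:
    """Ships the bytes to every client with a flag attached. The flag is advice
    to the client, not a control, which is the "note saying don't look"."""

    def __init__(self, store: Dict[str, Media]):
        self.store = store

    def deliver(self, media_id: str, platform: str) -> Delivery:
        m = self.store[media_id]
        return Delivery(m.media_id, m.view_once, m.payload)


class HardenedServer:
    """Makes the decision server-side: non-enforcing platforms never receive the
    bytes, and an enforcing platform receives a view-once payload at most once."""

    def __init__(self, store: Dict[str, Media]):
        self.store = store
        self.consumed: Set[str] = set()

    def deliver(self, media_id: str, platform: str) -> Delivery:
        m = self.store[media_id]
        if not m.view_once:
            return Delivery(m.media_id, False, m.payload)
        if platform not in ENFORCING_PLATFORMS or media_id in self.consumed:
            return Delivery(m.media_id, True, None)
        self.consumed.add(media_id)
        return Delivery(m.media_id, True, m.payload)


def honest_client_render(d: Delivery, platform: str) -> Optional[bytes]:
    """A stock client refuses to show view-once media on a platform that
    cannot enforce it."""
    if d.view_once and platform not in ENFORCING_PLATFORMS:
        return None
    return d.payload


def modified_client_render(d: Delivery) -> Optional[bytes]:
    """The bypass: clear the flag client-side, then render like any other message."""
    d.view_once = False
    return honest_client_render(d, "web")


def demo():
    # Constructed sample: one view-once image.
    store = {"m1": Media("m1", True, b"\x89PNG...constructed sample bytes")}
    flawed, hardened = FlawedServer(store), HardenedServer(store)
    leaked = modified_client_render(flawed.deliver("m1", "web"))      # bytes came with the note
    blocked = modified_client_render(hardened.deliver("m1", "web"))   # no bytes to flip a flag over
    first = hardened.deliver("m1", "ios").payload                     # legitimate client, first fetch
    second = hardened.deliver("m1", "ios").payload                    # same media again: refused
    return leaked is not None, blocked is None, first is not None, second is None
```

    The caveat a practitioner should keep in mind: the server-side check closes the "view whenever" hole, because a web client that never receives the bytes has nothing to keep. It does nothing against a recipient on an enforcing platform who screenshots the image or runs a modified mobile client that saves the single copy it is given. That is the general limit of any media restriction that ultimately relies on the receiving device.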

    Billy Big Balls of the Week (27:10)

    Australia’s government spent the week boxing Big Tech

    The fun started on Monday when prime minister Anthony Albanese announced his intention to introduce a minimum age for social media, with a preference for the services to be off limits until kids turn 16.

    "I want kids to have a childhood," the PM urged. "I want them off their devices … I want them to have real experiences with real people."

    Albanese promised legislation to enact the rule will be tabled before Australia's next election, due by 2025. Opposition leader Peter Dutton broadly supported the proposal, which is pitched at parents who are tired of having to protect their kids online.

    Industry news (34:34)

    DoJ Distributes $18.5m to Western Union Fraud Victims

    Poland's Supreme Court Blocks Pegasus Spyware Probe

    UK Recognizes Data Centers as Critical National Infrastructure

    Mastercard Acquires Global Threat Intelligence Firm Recorded Future for $2.65bn

    TfL Confirms Customer Data Breach, 17-Year-Old Suspect Arrested

    Irish Data Protection Regulator to Investigate Google AI

    Microsoft Vows to Prevent Future CrowdStrike-Like Outages

    Record $65m Settlement for Hacked Patient Photos

    Malicious Actors Spreading False US Voter Registration Breach Claims

    Tweet of the Week (41:57)

    https://x.com/MikeTalonNYC/status/1834311262563377553

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (13:08)

    With content liberated from the “today in infosec” twitter account and further afield

    3rd September 2014: Twitter launched its bug bounty program via the HackerOne platform, stating it would award at least $140 for vulnerabilities found in http://x.com/ or its Android or iOS apps.

    $140? 140 was the max tweet length. $1.6 million has been paid out since inception.

    https://twitter.com/XSecurity/status/507220774336225280

    https://x.com/todayininfosec/status/1831408686604140602

    30th August 2014: A user of the message board 4chan posted leaked nude photos of Jennifer Lawrence, Kate Upton, Kirsten Dunst, and other celebrities. Several years later 4 people were sentenced for crimes related to the hacking of Apple iCloud accounts of dozens of targeted individuals.

    Apple knew of iCloud API weakness months before celeb photo leak broke

    https://x.com/todayininfosec/status/1830016468328575386

    Rant of the Week (19:09)

    'Error' causes Alexa to endorse Kamala Harris, refuse to discuss Trump

    It would be perfectly reasonable to expect Amazon's digital assistant Alexa to decline to state opinions about the 2024 presidential race, but up until recently, that assumption would have been incorrect.

    When asked to give reasons to vote for former President Donald Trump, Alexa demurred, according to a video from Fox Business.

    "I cannot provide responses that endorse any political party or its leader," Alexa responded. When asked the same about Vice President Kamala Harris, the Amazon AI was more than willing to endorse the Democratic candidate.

    "There are many reasons to vote for Kamala Harris," Alexa said. Among the reasons given was that Harris has a "comprehensive plan to address racial injustice," that she promises a "tough on crime approach," and that her record on criminal justice and immigration reform make her a "compelling candidate."

    Billy Big Balls of the Week (26:45)

    Examples of Google Employees Trying to Avoid Creating Evidence in Antitrust Case

    In its antitrust case against Google, the Federal Government filed a list of chats it had obtained that show Google employees explicitly asking each other to turn off a chat history feature to discuss sensitive subjects, showing repeatedly that Google workers understood they should try to avoid creating a paper trail of some of their activities.

    The filing came following a hearing in which judge Leonie Brinkema ripped Google for "destroyed" evidence while considering a filing from the Department of Justice asking the court to find an "adverse inference" against Google, which would allow the court to assume it purposefully destroyed evidence.

    Previous filings, including in the Epic Games v Google lawsuit and this current antitrust case, have also shown Google employees purposefully turning history off.

    The chats show 22 instances in which one Google employee told another Google employee to turn chat history off. In total, the court has dozens of specific employees who have told others to turn history off in DMs or broader group chats and channels. The document includes exchanges like this (each exchange includes different employees)

    AND

    Musician charged with $10M streaming royalties fraud using AI and bots

    North Carolina musician Michael Smith was indicted for collecting over $10 million in royalty payments from Spotify, Amazon Music, Apple Music, and YouTube Music using AI-generated songs streamed by thousands of bots in a massive streaming fraud scheme.

    According to court documents, Smith fraudulently inflated music streams on digital platforms between 2017 and 2024 with the assistance of an unnamed music promoter and the Chief Executive Officer of an AI music company.

    He acquired hundreds of thousands of songs generated through artificial intelligence (AI) from a coconspirator and uploaded them to these streaming platforms. He then used automated bots to stream the AI-generated tracks billions of times.

    Industry News (36:21)

    South Korea Police Investigates Telegram Over Deepfake Porn

    Irish Wildlife Park Warns Customers to Cancel Credit Cards Following Breach

    TfL Claims Cyber-Incident is Not Impacting Services

    Three Plead Guilty to Running MFA Bypass Site

    Civil Rights Groups Call For Spyware Controls

    Clearview AI Fined €30.5m by Dutch Watchdog Over Illegal Data Collection

    Russian Blamed For Mass Disinformation Campaign Ahead of US Election

    OnlyFans Hackers Targeted With Infostealer Malware

    UK Signs Council of Europe AI Convention

    Tweet of the Week (42:50)

    https://twitter.com/0xdade/status/1831387831677415923

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:42)

    With content liberated from the “today in infosec” twitter account and further afield

    29th August 1990: The UK's Computer Misuse Act 1990 went into effect, introducing 3 criminal offences related to unauthorised access and modification of "computer material".

    https://twitter.com/todayininfosec/status/1829252932178719161

    27th August 1999: One of the first companies to offer a dedicated web application firewall (WAF) was Perfecto Technologies with its AppShield product. But it didn't use the terminology "WAF", instead describing it as "a plug and play Internet application security solution."

    https://twitter.com/todayininfosec/status/1828483993001492969

    Rant of the Week (13:25)

    Watchdog warns FBI is sloppy on secure data storage and destruction

    The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General.

    Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for it to be either lost or stolen, the report [PDF] addressed to FBI Director Christopher Wray states.

    Ironically, this lack of identification might be considered a benefit, given the lax security at the FBI's facility used to destroy such media after they have been finished with.

    The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.

    Billy Big Balls of the Week (22:01)

    Deadbeat dad faked his own death by hacking government databases

    A US man has been sentenced to 81 months in jail for faking his own death by hacking government systems and officially marking himself as deceased.

    The US Department of Justice on Tuesday detailed the case of Jesse Kipf, 39, who was sent down for computer fraud and aggravated identity theft.

    In January 2023, Kipf used the credentials of a physician to access Hawaii's Death Registry System and create a "case" that recorded his own death.

    "Kipf then completed a State of Hawaii Death Certificate Worksheet, assigned himself as the medical certifier for the case and certified his death, using the digital signature of the doctor," the DoJ wrote. The paperwork was all correct, so many government databases listed Kipf as deceased.

    But he was very much alive and enjoying the fact that his "death" meant he didn't have to make child support payments or catch up on those he'd already missed. Evidence presented in court included internet search histories recorded on a laptop, with Kipf looking up terms including "Remove California child support for deceased."

    Industry News (28:13)

    Uber Hit With €290m GDPR Fine

    FBI Flawed Data Handling Raises Security Concerns

    Microsoft 365 Copilot Vulnerability Exposes User Data Risks

    Money Laundering Dominates UK Fraud Cases

    Ransomware Attacks Exposed 6.7 Million Records in US Schools

    IT Engineer Charged For Attempting to Extort Former Employer

    Surge in New Scams as Pig Butchering Dominates

    Unpatched CCTV Cameras Exploited to Spread Mirai Variant

    North Korean Hackers Launch New Wave of npm Package Attacks

    Tweet of the Week (36:20)

    https://x.com/fesshole/status/1828921760147767400

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (06:43)

    With content liberated from the “today in infosec” twitter account and further afield

    18th August 2004: Text messages sent to promote the video game "Resident Evil: Outbreak" stated "Outbreak: I'm infecting you with t-virus". This scared recipients, who were only about 7% less technologically savvy than mobile phone users today.

    https://x.com/todayininfosec/status/1825257955878641888

    20th August 2003: Philippe Oechslin shared his technique he called "rainbow tables" during a talk at the 23rd annual crypto conference, Crypto 2003.

    It became a popular approach for cracking password hashes. Today it is far less useful, because per-password salts and deliberately slow hashes (bcrypt, scrypt, Argon2) mean there is no single, fast function left that is worth precomputing a table for.

    https://x.com/todayininfosec/status/1825865870716870802
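    To make the time-memory trade-off concrete, here is an added example (not from the podcast or from Oechslin's paper): a toy rainbow table over a deliberately tiny keyspace, and the per-user salt that makes the same table worthless. SHA-1, the three-letter keyspace, the chain length and the sampling of start points are all choices made for the illustration.

```python
import hashlib
import itertools

# Added example: a toy rainbow table. Not Oechslin's code; parameters are
# chosen so the whole thing builds in well under a second.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3          # keyspace: 26**3 = 17,576 candidate passwords
CHAIN_LEN = 50      # columns per chain; longer chains = less storage, slower lookups


def h(pw: str) -> bytes:
    """The unsalted hash the table is built for (SHA-1 here; the scheme is hash-agnostic)."""
    return hashlib.sha1(pw.encode()).digest()


def reduce_(digest: bytes, pos: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index `pos` is
    Oechslin's refinement of Hellman's tables: with a different reduction per
    column, two chains only merge if they collide in the same column."""
    n = (int.from_bytes(digest[:8], "big") ^ (pos * 0x9E3779B97F4A7C15)) & ((1 << 64) - 1)
    out = []
    for _ in range(LENGTH):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def build_table(starts):
    """Precompute chains but store only endpoint -> start points; everything
    in between is recomputed on demand. That is the memory side of the trade."""
    table = {}
    for start in starts:
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_(h(pw), pos)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target: bytes):
    """Invert `target` if some chain covers it: guess the column it sits in,
    roll forward to an endpoint, then replay the matching chain from its start.
    Endpoint hits can be false alarms, so every candidate is verified by hashing."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, i)
        for pos in range(i + 1, CHAIN_LEN):
            pw = reduce_(h(pw), pos)
        for start in table.get(pw, []):
            cand = start
            for pos in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), pos)
    return None


def salted_hash(pw: str, salt: bytes) -> bytes:
    """The defence: a per-user salt turns one hash function into one per user,
    so a table built for h() matches nothing. A slow KDF (bcrypt, scrypt,
    Argon2) is the real-world choice; the salt alone already breaks the table."""
    return hashlib.sha1(salt + pw.encode()).digest()


def all_passwords():
    return ("".join(t) for t in itertools.product(ALPHABET, repeat=LENGTH))


def demo():
    starts = list(all_passwords())[::37]        # ~475 deterministic chain starts
    table = build_table(starts)
    victim = starts[1]                          # a chain start, so guaranteed covered
    cracked = lookup(table, h(victim))          # recovered from the table
    salt = b"\x13\x37\xde\xad\xbe\xef\x00\x01"  # constructed per-user salt
    not_cracked = lookup(table, salted_hash(victim, salt))   # None: table is useless
    return victim, cracked, not_cracked
```

    The table stores roughly 475 entries yet can invert any of the ~24,000 hashes its chains pass through; scaling the keyspace and chain length up is what made the technique practical against unsalted LM and NTLM hashes. The salted lookup fails not because the password is stronger but because the function being inverted is no longer the one the table was built for.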

    Rant of the Week (10:59)

    This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

    University of California Santa Cruz (UCSC) students may be relieved to hear that an emailed warning about a staff member infected with the Ebola virus was just a phishing exercise.

    The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola virus."

    The message went on to say that the university has initiated a contact tracing protocol and asks message recipients to "Please Log In to the Access Information Page for more details" – the very activity phishing messages attempt to encourage in order to capture login credentials.

    The simulated attack was similar to an actual phishing message sent on August 1, 2024, as shown on the UCSC Phish Bowl, a collection of real and test phishing attempts.

    But the one sent on Sunday was intended to raise awareness of phishing rather than to actually steal information.

    In that, it succeeded. The message prompted the UCSC Student Health Center to publish a notice about a "Phishing email with misleading health information."

    On Monday, Brian Hall, chief information security officer for UCSC, sent out an apology to the university community.

    Billy Big Balls of the Week (18:20)

    Russia tells citizens to switch off home surveillance because the Ukrainians are coming

    Russia's Ministry of Internal Affairs is warning residents of under-siege regions to switch off home surveillance systems and dating apps to stop Ukraine from using them for intel-gathering purposes.

    Residents of the Bryansk, Kursk, and Belgorod regions were issued with the warnings amid what seems like Russia being thoroughly rattled by Ukraine's incursion into the country's southwest.

    "The enemy is massively identifying IP ranges in our territories and connecting to unprotected video surveillance cameras remotely, viewing everything from private yards to roads and highways of strategic importance," said the ministry, according to Russian newswire Interfax. "In this regard, if there is no urgent need, it is better not to use video surveillance cameras.

    "It is highly discouraged to use online dating services. The enemy actively uses such resources for the covert collection of information."

    These warnings were just two of many included in a public memo aimed at protecting the identities of high-value Russian individuals, including military personnel, law enforcement agents, and nuclear energy workers.

    Industry News (24:51)

    Iran Behind Trump Campaign Hack, US Government Confirms

    New DNS-Based Backdoor Threat Discovered at Taiwanese University

    Most Ransomware Attacks Now Happen at Night

    CISA to Get New Headquarters as $524M Contract Awarded

    Australia Calls Off Clearview AI Investigation Despite Lack of Compliance

    Backdoor in Mifare Smart Cards Could Open Doors Around the World

    Security Flaws in UK Political Party Donation Platforms Exposed

    Company Fined $1m for Fake Joe Biden AI Calls

    FAA Admits Gaps in Aircraft Cybersecurity Rules: New Regulation Proposed

    Tweet of the Week (32:19)

    https://x.com/anon_opin/status/1826015107857416458?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (10:28)

    10th July 1999 - Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America".

    https://twitter.com/todayininfosec/status/1811133606015983680

    9th July 1981 - The game that launched two of the most famous characters in video game history is released for sale. Donkey Kong was created by Nintendo, a Japanese playing card and toy company turned fledgling video game developer, who was trying to create a hit game for the North American market. Unable at the time to acquire a license to create a video game based on the Popeye character, Nintendo decides to create a game mirroring the characteristics and rivalry of Popeye and Bluto. Donkey Kong is named after the game’s villain, a pet gorilla gone rogue. The game’s hero is originally called Jumpman, but is retroactively renamed Mario once the game becomes popular and Nintendo decides to use the character in future games.

    Due to the similarity between Donkey Kong and King Kong, Universal Studios sued Nintendo claiming Donkey Kong violated their trademark. Kong, however, is common Japanese slang for gorilla. The lawsuit was ruled in favor of Nintendo. The success of Donkey Kong helped Nintendo become one of the dominant companies in the video game market.

    Rant of the Week (15:55)

    Palestinians say Microsoft unfairly closing their accounts

    Palestinians living abroad have accused Microsoft of closing their email accounts without warning - cutting them off from crucial online services.

    They say it has left them unable to access bank accounts and job offers - and stopped them using Skype, which Microsoft owns, to contact relatives in war-torn Gaza.

    Microsoft says they violated its terms of service - a claim they dispute.

    Billy Big Balls of the Week (27:39)

    Scalpers Work With Hackers to Liberate Ticketmaster's ‘Non-Transferable’ Tickets

    A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers.

    By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS.

    'Gay furry hackers' breach conservative US think tank behind Project 2025

    A collective of self-described "gay furry hackers" have released 2GB of data lifted from the Heritage Foundation, the conservative think-tank behind Project 2025 - a set of proposals that would bring the USA closer to being an authoritarian state.

    The hacktivist group, known as SiegedSec, has been running a campaign it calls "OpTransRights," targeting (mostly government) websites to disrupt efforts to enact or enforce anti-trans and anti-abortion laws.

    Industry News (33:26)

    10 Billion Passwords Leaked on Hacking Forum

    Crypto Thefts Double to $1.4 Billion, TRM Labs Finds

    Russia Blocks VPN Services in Information Crackdown

    Ticketmaster Extortion Continues, Threat Actor Claims New Ticket Leak

    Cyber-Attack on Evolve Bank Exposed Data of 7.6 Million Customers

    Most Security Pros Admit Shadow SaaS and AI Use

    Russian Media Uses AI-Powered Software to Spread Disinformation

    Smishing Triad Targets India with Fraud Surge

    Fraud Campaign Targets Russians with Fake Olympics Tickets

    Tweet of the Week (41:18)

    https://x.com/dennishegstad/status/1810044171765645568

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:40)

    With content liberated from the “today in infosec” twitter account and further afield

    3rd July 1996: a mere 28 years ago the movie Independence Day was released. In it, Jeff Goldblum and Will Smith fly into an alien vessel in a 50-year-old space junker, then upload a computer virus in less than 5 minutes.

    https://twitter.com/todayininfosec/status/1808464060972667170

    Rant of the Week (11:07)

    Cancer patient forced to make terrible decision after Qilin attack on London hospitals

    https://www.theregister.com/2024/07/05/qilin_impacts_patient/

    The latest figures suggest that around 1,500 medical procedures have been canceled across some of London's biggest hospitals in the four weeks since Qilin's ransomware attack hit pathology services provider Synnovis. But perhaps no single person was affected as severely as Johanna Groothuizen.

    Hanna – the name she goes by – is now missing her right breast after her skin-sparing mastectomy and immediate breast reconstruction surgery was swapped out for a simple mastectomy at the last minute.

    Billy Big Balls of the Week (18:20)

    Ransomware scum who hit Indonesian government apologizes, hands over encryption key

    https://www.theregister.com/2024/07/04/hackers_of_indonesian_government_apologize/

    Industry News (24:28)

    Vinted Fined €2.3m Over Data Protection Failure

    Europol Warns of Home Routing Challenges For Lawful Interception

    Meta Faces Suspension of AI Data Training in Brazil

    New Ransomware Group Phones Execs to Extort Payment

    UK’s NCA Leads Major Cobalt Strike Takedown

    Cyber Extortion Soars: SMBs Hit Four Times Harder

    New RUSI Report Exposes Psychological Toll of Ransomware, Urges Action

    Dozens of Arrests Disrupt €2.5m Vishing Gang

    Health Tech Execs Get Jail Time For $1bn Fraud Scheme

    Tweet of the Week (31:07)

    Come on! Like and bloody well subscribe!

  • This Week in InfoSec (12:30)

    With content liberated from the “today in infosec” twitter account and further afield

    24th June 1987: The movie Spaceballs was released. With a budget of $23 million, it grossed $38 million at the box office in North America. Though 37 years have passed, the secret code scene remains a reminder of why security is hard.

    Watch the secret code scene from Spaceballs and weep. Or laugh. Or both. Has much changed when it comes to password security since the movie was released 37 years ago today?

    The 64 second scene: https://youtu.be/a6iW-8xPw3k

    https://x.com/todayininfosec/status/1805302016451002501

    27th June 2011: Anonymous released its first cache from Operation AntiSec, information from a US anti-cyberterrorism program.

    https://x.com/todayininfosec/status/1806302186487345226

    Rant of the Week (18:15)

    Korean telco allegedly infected its P2P users with malware

    A South Korean media outlet has alleged that local telco KT deliberately infected some customers with malware due to their excessive use of peer-to-peer (P2P) downloading tools.

    The number of infected users of “web hard drives” – the South Korean term for the online storage services that allow uploading and sharing of content – has reportedly reached 600,000.

    Billy Big Balls of the Week (26:33)

    Crypto scammers circle back, pose as lawyers, steal an extra $10M in truly devious plan

    The FBI says in just 12 months, scumbags stole circa $10 million from victims of crypto scams after posing as helpful lawyers offering to recover their lost tokens.

    Between February 2023 and February 2024, scammers were kicking US victims while they were already down, preying on their financial vulnerability to defraud them for a second time in what must be seen as a new low, even for that particular breed of dirtball.

    It's the latest update from the FBI's Internet Crime Complaint Center (IC3) on the ongoing issue which was first publicized in August last year.

    Industry News (34:24)

    US Bans Kaspersky Over Alleged Kremlin Links

    Sellafield Pleads Guilty to Historic Cybersecurity Offenses

    Polish Prosecutors Step Up Probe into Pegasus Spyware Operation

    Credential Stuffing Attack Hits 72,000 Levi’s Accounts

    Google's Naptime Framework to Boost Vulnerability Research with AI

    Fake Law Firms Con Victims of Crypto Scams, Warns FBI

    IT Leaders Split on Using GenAI For Cybersecurity

    Majority of Critical Open Source Projects Contain Memory Unsafe Code

    CISOs Reveal Firms Prioritize Savings Over Long-Term Security

    Tweet of the Week (43:08)

    https://twitter.com/StuAlanBecker/status/1806137799248359443

    Comments: https://twitter.com/derJamesJackson/status/1806307954586538205

    Alternate TotW:

    https://twitter.com/susisnyder/status/1806222280382406836

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (11:16)

    With content liberated from the “today in infosec” twitter account and further afield

    5th June 1991 (a mere 33 years ago): Philip Zimmermann sent the first release of PGP to 2 friends, Allan Hoeltje and Kelly Goen, to upload to the Internet.

    From the man himself:

    First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world. Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th.

    It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn't even have a clear idea what a newsgroup was.

    After releasing PGP, I immediately diverted my attention back to consulting work, to try to get caught up on my mortgage payments. I thought I could just release PGP 1.0 for MSDOS, and leave it alone for awhile, and let people play with it. I thought I could get back to it later, at my leisure. Little did I realize what a feeding frenzy PGP would set off. Apparently, there was a lot of pent-up demand for a tool like this. Volunteers from around the world were clamoring to help me port it to other platforms, add enhancements, and generally promote it. I did have to go back to work on paying gigs, but PGP continued to demand my time, pulled along by public enthusiasm.

    I assembled a team of volunteer engineers from around the world. They ported PGP to almost every platform (except for the Mac, which turned out to be harder). They translated PGP into foreign languages. And I started designing the PGP trust model, which I did not have time to finish in the first release. Fifteen months later, in September 1992, we released PGP 2.0, for MSDOS, several flavors of Unix, Commodore Amiga, Atari, and maybe a few other platforms, and in about ten foreign languages. PGP 2.0 had the now-famous PGP trust model, essentially in its present form.

    It was shortly after PGP 2.0's release that US Customs took an interest in the case. Little did they realize that they would help propel PGP's popularity, helping to ignite a controversy that would eventually lead to the demise of the US export restrictions on strong cryptography.

    7th June 2009 (a mere 15 years ago): Sophos launched its (utterly shit) IT Vigilante marketing campaign.

    Dress up a British man (who appears to have had a nervous breakdown over a corporate data breach incident) in an orange gimp suit – that will sell security software for sure!

    At least, that was the plan made by Sophos’s marketing department for its “IT Vigilante” campaign.

    https://www.youtube.com/watch?v=-gc6sDqofcI

    https://grahamcluley.com/top-five-worst-videos-anti-virus/

    Other awful videos:

    Happy birthday Eugene Kaspersky: https://www.youtube.com/watch?v=ujnq188E5-w

    Eugene’s “silent movie”: https://www.youtube.com/watch?v=Ib8UjCQl5sE&t=6s

    Rant of the Week (22:45)

    https://www.bbc.co.uk/news/articles/cxee7317kgmo

    Russian hackers are behind the cyber attack on a number of major London hospitals, according to the former chief executive of the National Cyber Security Centre.

    Ransomware attacks on the healthcare industry as a whole have increased significantly over the past year. Whaley attributes the uptick to “lives on the line.”

    “While no sector is invulnerable to these attacks… healthcare providers have proven time and time again that they’re the most willing to pay a ransom following these incidents," Whaley said.

    “Bad actors know this and smell blood in water,” he added.

    Whaley pointed out that the rise in state-sponsored cyberattacks combined “with the further digitization of the NHS paints a pretty grim picture for the defensive capabilities of the British healthcare sector… and possibly a warning sign of much larger attacks to come.”

    Graham's Giant Gonads of the Week (30:51)

    Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab

    https://therecord.media/kaspersky-apple-bug-bounty-declined

    https://securelist.com/trng-2023/

    Apple has snubbed Russian cybersecurity firm Kaspersky Lab, refusing to shell out a bug bounty for four zero-day vulnerabilities discovered in iPhone software.

    Targets were infected using zero-click exploits via the iMessage platform, and the malware ran with root privileges, gaining complete control over the device and user data.

    The twist?

    The vulnerabilities were used to spy on Kaspersky employees.

    Kaspersky politely enquired whether it could be rewarded for finding the vulnerabilities used in the espionage campaign - known as Operation Triangulation.

    Kaspersky claims it was a "highly sophisticated" attack, so intricate it needed 13 bullet points to explain.

    Russia, not one to be outdone in the drama department, accused the U.S. and Apple of colluding to spy on Russian diplomats. Apple, of course, vehemently denied these allegations.

    It's like Eastenders.

    Amidst all this chaos, the U.S. and Russia are engaged in a geopolitical staring contest, with Apple caught in the crossfire. Apple, being an American company, has taken a stand against Russia's actions in Ukraine, suspending sales and removing apps. It's a bit like a tech giant trying to play peacemaker in a playground brawl.

    Kaspersky, meanwhile, has its own history with the U.S. government, having been banned from government use due to security concerns. It's a classic case of "guilty by association."

    So, will Kaspersky continue to report bugs to Apple despite the lack of reward? Only time will tell.

    Speaking to Russian-language media agency RTVI, Kaspersky’s research head Dmitry Galov said that typically cybersecurity companies like Kaspersky nominated a charity to receive the funds from the Apple Bug Bounty program instead of collecting the revenue itself.

    He added that although Kaspersky was confident the attacker was state-sponsored, he and his research team did not have the technical data needed to identify which state may have been behind the attack.

    A spokesperson for Kaspersky did not respond to whether it had nominated a charity when initially contacting Apple, nor whether the company’s refusal to issue a bounty would affect its decision to disclose vulnerabilities discovered in the future.

    Industry News (40:23)

    London Hospitals Cancel Operations Following Ransomware Incident

    EmailGPT Exposed to Prompt Injection Attacks

    #Infosec2024: CISOs Need to Move Beyond Passwords to Keep Up With Security Threats

    #Infosec2024: Ransomware Ecosystem Transformed, New Groups “Changing the Rules”

    Security Flaws Found in Popular WooCommerce Plugin

    #Infosec2024: Collaboration is Key to an Effective Security Culture

    #Infosec2024: AI Red Teaming Provider Mindgard Named UK's Most Innovative Cyber SME

    FBI Warns of Rise in Work-From-Home Scams

    Account Takeovers Outpace Ransomware as Top Security Concern

    Tweet of the Week (44:27)

    https://x.com/dakacki/status/1798882732203803070

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:29)

    With content liberated from the “today in infosec” twitter account and further afield

    28th May 2014: LulzSec hacker Hector Monsegur, known as Sabu, was sentenced and released the same day on time served for his role in a slew of high-profile cyberattacks. He had served 7 months in prison after his arrest.

    https://x.com/todayininfosec/status/1795228730735886650

    25th May 2018: The European Union's General Data Protection Regulation (GDPR), intended to strengthen and unify data protection across the EU, became effective - just over 2 years after it was adopted.

    https://twitter.com/todayininfosec/status/1794461551534936503

    Rant of the Week (18:34)

    Bing outage shows just how little competition Google search really has

    Bing, Microsoft's search engine platform, went down in the very early morning of 23rd May. That meant that searches from Microsoft's Edge browsers that had yet to change their default provider didn't work. It also meant that services relying on Bing's search API—Microsoft's own Copilot, ChatGPT search, Yahoo, Ecosia, and DuckDuckGo—similarly failed.

    If dismay about AI's hallucinations, power draw, or pizza recipes concerns you—along with perhaps broader Google issues involving privacy, tracking, news, SEO, or monopoly power—most of your other major options were brought down by a single API outage this morning. Moving past that kind of single point of failure will take some work, both by the industry and by you, the person wondering if there's a real alternative.

    Billy Big Balls of the Week (26:56)

    IT worker sued over ‘vengeful’ cyber harassment of policeman who issued a jaywalking ticket

    In an ongoing civil lawsuit, an IT worker is accused of launching a "destructive cyber campaign of hate and revenge" against a police officer and his family after being issued a ticket for jaywalking.

    Industry News (34:44)

    Check Point Urges VPN Configuration Review Amid Attack Spike

    Courtroom Recording Software Vulnerable to Backdoor Attacks

    New North Korean Hacking Group Identified by Microsoft

    Internet Archive Disrupted by Sustained and “Mean” DDoS Attack

    Advance Fee Fraud Targets Colleges With Free Piano Offers

    US-Led Operation Takes Down World’s Largest Botnet

    First American Reveals Data Breach Impacting 44,000 Individuals

    Europol-Led Operation Endgame Hits Botnet, Ransomware Networks

    BBC Pension Scheme Breached, Exposing Employee Data

    Tweet of the Week (47:14)

    https://twitter.com/DebugPrivilege/status/1795823939631067165

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (11:36)

    With content liberated from the “today in infosec” twitter account and further afield

    17th May 2015: CNN published its article on a statement cybersecurity consultant Chris Roberts had publicly made on Twitter a month earlier. Lots of accusations were made regarding Chris Roberts' actions in hacking into computer systems while a passenger on multiple airline flights. Did he actually cause a plane to fly sideways? Maybe? But it's not like he made it fly upside down.

    FBI: Hacker claimed to have taken over flight’s engine controls

    https://twitter.com/todayininfosec/status/1791214444980080724

    26th May 1995: Gates Declares Internet "Most Important Single Development"

    Realising his company had missed the boat in estimating the impact and popularity of the Internet, Microsoft Corp. CEO Bill Gates issued a memo titled, "The Internet Tidal Wave," which signaled the company's renewed focus on that arena. In the memo, Gates declared that the Internet was the "most important single development" since the IBM personal computer -- a development that he was assigning "the highest level of importance”.

    https://1995blog.com/2020/05/25/25-years-on-bill-gates-internet-tidal-wave-memo-a-seminal-document-of-the-unfolding-digital-age/

    Rant of the Week (18:00)

    Giving Windows total recall of everything a user does is a privacy minefield

    Microsoft's Windows Recall feature is attracting controversy before even venturing out of preview.

    Like so many of Microsoft's AI-infused products, Windows Recall will remain in preview while Microsoft refines it based on user feedback – or simply gives up and pretends it never happened.

    The principle is simple. Windows takes a snapshot of a user's active screen every few seconds and dumps it to disk. The user can then scroll through the archive of snapshots to find what they were doing some time back, or query an AI system to recall past screenshots by text.

    Billy Big Balls of the Week (28:58)

    Hacker Breaches Scam Call Center, Warns Victims They've Been Scammed

    A hacker claims to have breached a scam call center, stolen the source code for the company’s tools, and emailed the company’s scam victims.

    The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

    Industry News (34:17)

    Authorities Arrest $100m Incognito Drugs Market Suspect

    AI Seoul Summit: 16 AI Companies Sign Frontier AI Safety Commitments

    UK Government in £8.5m Bid to Tackle AI Cyber-Threats

    Mastercard Doubles Speed of Fraud Detection with Generative AI

    PSNI Faces £750,000 Data Breach Fine After Spreadsheet Leak

    GitHub Fixes Maximum Severity Flaw in Enterprise Server

    National Records of Scotland Data Breached in NHS Cyber-Attack

    NVD Leaves Exploited Vulnerabilities Unchecked

    Microsoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day

    Tweet of the Week (41:59)

    https://twitter.com/gcluley/status/1792881296907043217

    Two for one:

    https://twitter.com/mer__edith/status/1793888092321202634

    Come on! Like and bloody well subscribe!

  • This week in InfoSec

    With content liberated from the “today in infosec” twitter account and further afield

    27th April 2012: The Information Commissioner's Office (ICO) in the UK issued its first-ever data breach fine to an NHS (National Health Service) organisation, fining Aneurin Bevan Health Board in Wales £70,000.

    https://www.digitalhealth.net/2012/04/first-nhs-fine-issued-by-ico/

    Rant of the Week

    Dropbox dropped the ball on security, haemorrhaging customer and third-party info

    Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities.

    The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone.

    The filing states that management became aware of the incident last week – on April 24 – and "immediately activated our cyber security incident response process to investigate, contain, and remediate the incident."

    That effort led to the discovery that "the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings."

    Billy Big Balls of the Week

    Chinese government website security is often worryingly bad, say Chinese researchers

    Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week.

    The researchers concluded the investigation has uncovered "pressing security and dependency issues" that may not have a quick fix.

    "Despite thorough analyses, practical solutions to bolster the security of these systems remain elusive," wrote the researchers. "Their susceptibility to cyber attacks, which could facilitate the spread of malicious content or malware, underscores the urgent need for real-time monitoring and malicious activity detection."

    The study also highlights the need for "stringent vetting and regular updates" of third-party libraries and advocates "a diversified distribution of network nodes, which could substantially augment system resilience and performance."

    The study will likely not go down well in Beijing, as China's government has urged improvements to government digital services and apps, and often issues edicts about improving cybersecurity.

    Industry News

    Google Blocks 2.3 Million Apps From Play Store Listing

    Disinformation: EU Opens Probe Against Facebook and Instagram Ahead of Election

    NCSC’s New Mobile Risk Model Aimed at “High-Threat” Firms

    Lawsuits and Company Devaluations Await For Breached Firms

    UnitedHealth CEO Confirms Breach Tied to Stolen Credentials, No MFA

    REvil Ransomware Affiliate Sentenced to Over 13 Years in Prison

    Security Breach Exposes Dropbox Sign Users

    Indonesia is a Spyware Haven, Amnesty International Finds

    North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

    Tweet of the Week

    https://twitter.com/summer__heidi/status/1783829402574639187

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:04)

    With content liberated from the “today in infosec” twitter account and further afield

    23rd April 2005: The first video uploaded to YouTube, “Me at the zoo,” was posted on April 23, 2005 at 8:27 PM by co-founder Jawed Karim. For a piece of history, the video is actually pretty dumb.

    Note to future entrepreneurs: what you do may be for posterity. Choose wisely.

    22nd April 1988: The VIRUS-L email mailing list was created and moderated by Ken van Wyk while he was working at Lehigh University. It was the first electronic forum dedicated to discussing computer viruses.

    https://twitter.com/todayininfosec/status/1782424224348446910

    Rant of the Week (13:21)

    Ring dinged for $5.6M after, among other claims, rogue insider spied on 'pretty girls'

    The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.

    The windfall stems from allegations made by the US watchdog that folks could have been, and were, spied upon by cybercriminals and rogue Ring workers via their Ring home security cameras.

    The regulator last year accused Ring of sloppy privacy protections that allowed the aforementioned spying to occur or potentially occur.

    Specifically, the FTC formally charged Ring with "compromising its customers' privacy by allowing any employee or contractor to access consumers' private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos."

    Billy Big Balls of the Week (21:41)

    Cops cuff man for allegedly framing colleague with AI-generated hate speech clip

    Baltimore police have arrested Dazhon Leslie Darien, the former athletic director of Pikesville High School (PHS), for allegedly impersonating the school's principal using AI software to make it seem as if he made racist and antisemitic remarks.

    Darien, of Baltimore, Maryland, was subsequently charged with witness retaliation, stalking, theft, and disrupting school operations. He was detained late at night trying to board a flight at BWI Thurgood Marshall Airport. Security personnel stopped him because the declared firearm he had with him was improperly packed and an ensuing background check revealed an open warrant for his arrest.

    He is quoted as saying “Arse cock pussy”. 😀

    "On January 17, 2024, the Baltimore County Police Department became aware of a voice recording being circulated on social media," said Robert McCullough, Chief of Baltimore County Police, at a streamed press conference today. "It was alleged the voice captured on the audio file belong to Mr Eric Eiswert, the Principal at the Pikesville High School. We now have conclusive evidence that the recording was not authentic.

    Industry News (30:51)

    Quishing Attacks Jump Tenfold, Attachment Payloads Halve

    Alarming Decline in Cybersecurity Job Postings in the US

    NCSC Announces PwC’s Richard Horne as New CEO

    NSA Launches Guidance for Secure AI Deployment

    End-to-End Encryption Sparks Concerns Among EU Law Enforcement

    Fifth of CISOs Admit Staff Leaked Data Via GenAI

    US Congress Passes Bill to Ban TikTok

    Online Banking Security Still Not Up to Par, Says Which?

    Ring to Pay Out $5.6m in Refunds After Customer Privacy Breach

    Tweet of the Week (38:56)

    https://twitter.com/KimZetter/status/1783556843798671591

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (08:49)

    With content liberated from the “today in infosec” twitter account and further afield

    7th April 1969: Steve Crocker, a graduate student at UCLA and part of the team developing ARPANET, writes the first “Request for Comments“. The ARPANET, a research project of the Department of Defense’s Advanced Research Projects Agency (ARPA), was the foundation of today’s modern Internet. RFC 1 defined the design of the host software for communication between ARPANET nodes. This host software would be run on Interface Message Processors or IMPs, which were the precursor to Internet routers. The “host software” defined in RFC 1 would later be known as the Network Control Protocol or NCP, which itself was the forerunner to the modern TCP/IP protocol the Internet runs on today.

    https://thisdayintechhistory.com/04/07/rfc-1-defines-the-building-block-of-internet-communication/

    7th April 2014: The Heartbleed Bug was publicly disclosed. The buffer over-read vulnerability had been discovered by Neel Mehta and privately reported to the OpenSSL project, which released the fix (OpenSSL 1.0.1g) on the day of public disclosure. The vulnerability had been inadvertently introduced into OpenSSL 2 years prior.

    https://twitter.com/todayininfosec/status/1777136463882183076
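    The over-read behind Heartbleed comes down to one missing comparison. The following is an added example written for these notes, not OpenSSL's own code: two hypothetical handlers for an RFC 6520 heartbeat request, one that trusts the peer's claimed payload length and one carrying the bounds check the fix introduced. The memory image, the "hello" payload and the adjacent "session-cookie" string are constructed for the demonstration, standing in for whatever happened to sit next to the record in a real server's heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat body layout from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };

/* Hypothetical handler modelled on the pre-fix logic: the payload length comes from
 * the peer's message and is never compared with the length of the record received.
 * Returns the number of payload bytes echoed, or -1 if the request is dropped. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp, size_t resp_sz)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    if (3 + payload + HB_MIN_PADDING > resp_sz)        /* guards only our output buffer */
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);                /* reads past the real payload */
    return (int)payload;
}

/* Same handler with the check the fix added: header + claimed length + minimum
 * padding must fit inside the record actually received, otherwise discard silently. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *resp, size_t resp_sz)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)    /* the missing comparison */
        return -1;
    if (3 + payload + HB_MIN_PADDING > resp_sz)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    return (int)payload;
}

/* Constructed memory image (not a real capture): a short heartbeat record followed
 * by data that must never leave the process. */
static unsigned char memory[256];
static const char real_payload[] = "hello";
static const char secret[] = "session-cookie=ABCDEF";

/* Writes a request claiming `claimed_len` payload bytes but carrying only "hello",
 * then places the secret immediately after the record. Returns the real record length. */
static size_t lay_out_memory(uint16_t claimed_len)
{
    size_t n = 0;
    memset(memory, 0, sizeof memory);
    memory[n++] = HB_REQUEST;
    memory[n++] = (unsigned char)(claimed_len >> 8);
    memory[n++] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + n, real_payload, strlen(real_payload));
    n += strlen(real_payload);
    n += HB_MIN_PADDING;                              /* zero padding */
    memcpy(memory + n, secret, strlen(secret));       /* adjacent, unrelated data */
    return n;
}

/* 1 if the vulnerable handler copies the adjacent secret into its response. */
int vulnerable_leaks_secret(void)
{
    unsigned char resp[256];
    size_t rec_len = lay_out_memory(64);
    int n = heartbeat_vulnerable(memory, rec_len, resp, sizeof resp);
    if (n < 0 || (size_t)n + 3 < rec_len + strlen(secret))
        return 0;
    /* resp[k] mirrors memory[k] over the copied range, so the secret lands at resp[rec_len]. */
    return memcmp(resp + rec_len, secret, strlen(secret)) == 0;
}

/* 1 if the fixed handler drops the same oversized request. */
int fixed_discards_oversized(void)
{
    unsigned char resp[256];
    size_t rec_len = lay_out_memory(64);
    return heartbeat_fixed(memory, rec_len, resp, sizeof resp) == -1;
}

/* 1 if the fixed handler still echoes an honest request correctly. */
int fixed_echoes_honest(void)
{
    unsigned char resp[256];
    size_t rec_len = lay_out_memory(5);
    int n = heartbeat_fixed(memory, rec_len, resp, sizeof resp);
    return n == 5 && resp[0] == HB_RESPONSE && memcmp(resp + 3, real_payload, 5) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler discards oversized request: %s\n", fixed_discards_oversized() ? "yes" : "no");
    printf("fixed handler echoes honest request:      %s\n", fixed_echoes_honest() ? "yes" : "no");
    return 0;
}
```

    The demonstration keeps the over-read inside one array so it runs safely; in the real bug the same memcpy walked into whatever followed the record on the heap, up to 64 KB per request, which is why the only safe response to an inconsistent length is to drop the message rather than clamp it.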

    Rant of the Week (17:09)

    OpenTable is adding your first name to previously anonymous reviews

    Restaurant reservation platform OpenTable says that all reviews on the platform will no longer be fully anonymous starting May 22nd and will now show members' profile pictures and first names.

    OpenTable notified members of this new policy change today in emails to members who had previously left a review on the platform, stating the change was made to provide more transparency.

    "At OpenTable, we strive to build a community in which diners can help other diners discover new restaurants, and reviews are a big part of that," reads the OpenTable email seen by BleepingComputer.

    "We've heard from you, our diners, that trust and transparency are important when looking at reviews."

    "To build on the credibility of our review program, starting May 22, 2024, OpenTable will begin displaying diner first names and profile photos on all diner reviews. This update will also apply to past reviews.

    Billy Big Balls of the Week (26:36)

    Lloyds Bank axes risk staff after executives complain they are a ‘blocker’

    Lloyds Banking Group plans to cut jobs in risk management after an internal review found the function was a “blocker to our strategic transformation”.

    The restructuring was outlined in a memo last month from Lloyds’ chief risk officer Stephen Shelley, who said two-thirds of executives believed risk management was blocking progress while “less than half our workforce believe intelligent risk-taking is encouraged”. The lender was “resetting our approach to risk and controls”, Shelley said in the memo, seen by the Financial Times, adding that “the initial focus is on non-financial risks”.

    Industry News (33:55)

    T: Famous YouTube Channels Hacked to Distribute Infostealers

    A: US Federal Data Privacy Law Introduced by Legislators

    J: Foreign Interference Drives Record Surge in IP Theft

    T: Half of UK Businesses Hit by Cyber-Incident in Past Year, UK Government Finds

    A: US Claims to Have Recovered $1.4bn in COVID Fraud

    J: Women Experience Exclusion Twice as Often as Men in Cybersecurity

    T: Threat Actors Game GitHub Search to Spread Malware

    A: Data Breach Exposes 300k Taxi Passengers’ Information

    J: Apple Boosts Spyware Alerts For Mercenary Attacks

    Tweet of the Week (52:08)

    https://x.com/ErrataRob/status/1778536622163984590

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (06:10)

    With content liberated from the “today in infosec” twitter account and further afield

    3rd April 2011: Email marketing and loyalty program management company Epsilon reported a data breach of names and email addresses of numerous companies' customers, totaling at least 60 million records. Dozens of companies were impacted, including Kroger, Walgreens, Verizon, and Chase.

    https://twitter.com/todayininfosec/status/1775598288277835996

    1st April 1995: US President Bill Clinton and Russian President Boris Yeltsin announced a pact to exchange their personal PGP keys and to make the technology available to all citizens worldwide. (April Fools' Day)

    https://twitter.com/todayininfosec/status/1774994645053010184

    Rant of the Week (13:06)

    William Wragg honey trap scandal is ‘extremely troubling’ says minister

    Explosive revelations that a senior Conservative MP leaked colleagues’ phone numbers to a man he had met on the gay dating app Grindr are “very serious”, a minister has warned, amid questions over whether the MP will face sanctions.

    Vice chairman of the 1922 committee William Wragg admitted he sent the numbers after becoming concerned about the power the recipient had over him since he had sent intimate pictures of himself.

    Treasury minister Gareth Davies said the situation was “incredibly troubling and very serious” but maintained that Mr Wragg would keep the party whip while the incident is being investigated.

    Billy Big Balls of the Week (24:09)

    Amazon Ditches 'Just Walk Out' Checkouts at Its Grocery Stores

    Amazon Fresh is moving away from a feature of its grocery stores where customers could skip checkout altogether.

    Amazon is phasing out its checkout-less grocery stores with “Just Walk Out” technology, first reported by The Information Tuesday. The company’s senior vice president of grocery stores says they’re moving away from Just Walk Out, which relied on cameras and sensors to track what people were leaving the store with.

    Just over half of Amazon Fresh stores are equipped with Just Walk Out. The technology allows customers to skip checkout altogether by scanning a QR code when they enter the store. Though it seemed completely automated, Just Walk Out relied on more than 1,000 people in India watching and labeling videos to ensure accurate checkouts. The cashiers were simply moved off-site, and they watched you as you shopped.

    On Wednesday, GeekWire reported that Amazon Web Services is cutting a few hundred jobs in its Physical Stores Technology team, according to internal emails. The layoffs will allegedly impact portions of Amazon’s identity and checkout teams.

    Industry News (29:46)

    Dataset of 73 Million AT&T Customers Linked to Dark Web Data Breach

    Firms Must Work Harder to Guard Children’s Privacy, Says UK ICO

    Threat Actor Claims Classified Five Eyes Data Theft

    Leicester Council Confirms Confidential Documents Leaked in Ransomware Attack

    Jackson County IT Systems Hit By Ransomware Attack

    LockBit Scrambles After Takedown, Repopulates Leak Site with Old Breaches

    China Using AI-Generated Content to Sow Division in US, Microsoft Finds

    Wiz Discovers Flaws in GenAI Models Enabling Customer Data Theft

    Chinese Threat Actors Deploy New TTPs to Exploit Ivanti Vulnerabilities

    Tweet of the Week (35:58)

    https://twitter.com/belldotbz/status/1776187040813441272

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (07:32)

    With content liberated from the “today in infosec” twitter account and further afield

    20th March 2007: Dragos Ruiu announced the first Pwn2Own contest, which was held that April in Vancouver, Canada. The contest is still being held today - and in fact Pwn2Own Vancouver 2024 started today.

    https://twitter.com/todayininfosec/status/1770592695255249038

    16th March 1971: The first computer virus, Creeper, infected computers on the ARPANET, displaying "I'M THE CREEPER : CATCH ME IF YOU CAN." It was named after the Creeper - a villain from a 1970 episode of the TV series "Scooby-Doo, Where Are You!"

    https://twitter.com/todayininfosec/status/1768973007555375317

    Rant of the Week (14:29)

    Majority of Americans now use ad blockers

    More than half of Americans are using ad blocking software, and among advertising, programming, and security professionals that fraction is more like two-thirds to three-quarters.

    According to a survey of 2,000 Americans conducted by research firm Censuswide, on behalf of Ghostery, a maker of software to block ads and online tracking, 52 percent of Americans now use an ad blocker, up from 34 percent according to 2022 Statista data.

    Billy Big Balls of the Week (23:01)

    Execs in Japan busted for winning dev bids then outsourcing to North Koreans

    Two executives were issued arrest warrants in Japan on Wednesday, reportedly for charges related to establishing a business that outsourced work to North Korean IT engineers.

    At least one of the individuals – a 53-year-old named Pak Hyon-il – is a South Korean national. His alleged accomplice, 42-year-old Toshiron Minomo, is Japanese and once worked for Hyon-il, according to local media.

    Pak served as president of Fuchu-based IT firm ITZ, while Minomo was the head of Fukuyama-based Robast.

    Industry News (29:09)

    UK Blames China for 2021 Hack Targeting Millions of Voters' Data

    Fake Ozempic Deals on the Rise as Experts Warn of Phishing Scams

    Portugal Forces Sam Altman's Worldcoin to Stop Collecting Biometric Data

    Only 5% of Boards Have Cybersecurity Expertise, Despite Financial Benefits

    UK Law Enforcers Arrest 400 in Major Fraud Crackdown

    Chinese Hackers Target ASEAN Entities in Espionage Campaign

    NHS Trust Confirms Clinical Data Leaked by “Recognized Ransomware Group”

    US Treasury Urges Financial Sector to Address AI Cybersecurity Threats

    CISA Launches New Cyber Incident Reporting Rules for US Defense Contractors

    Tweet of the Week (40:52)

    https://twitter.com/bettersafetynet/status/1773626490384511113

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (14:26)

    With content liberated from the “today in infosec” twitter account and further afield

    7th March 2017: WikiLeaks began its new series of leaks on the U.S. Central Intelligence Agency (CIA). Code-named Vault 7 by WikiLeaks, it was the largest ever publication of confidential documents on the agency.

    https://twitter.com/todayininfosec/status/1765828993713090565

    14th March 2013: Security journalist Brian Krebs was swatted when police responded to a spoofed 911 call claiming Russians had broken into his home and had shot his wife.

    One of several people who made the false report, Eric Taylor (aka Cosmo the God), was sentenced to probation in 2017.

    https://twitter.com/todayininfosec/status/1768253237260435814

    Rant of the Week (21:38)

    US Congress goes bang, bang, on TikTok sale-or-ban plan

    The United States House of Representatives on Wednesday passed the Protecting Americans from Foreign Adversary Controlled Applications Act – a law aimed at forcing TikTok's Chinese parent ByteDance to sell the app's US operations or face the prospect of a ban.

    The bill names only TikTok as a "foreign adversary controlled application" and prohibits "Providing services to distribute, maintain, or update" the app – including by offering it for sale in an app store. Even updates to the app aren't allowed.

    If TikTok's US operations were locally owned and operated, none of the sanctions the bill mentions would be enforceable. And US lawmakers' fears that TikTok gives Beijing a way to gather intelligence and surveil citizens would be eased.

    [Related or coincidental? Or a BBB?]

    Former US Treasury secretary Steve Mnuchin thinking about buying TikTok

    On the heels of the US House of Representatives passing a TikTok ban bill, former US Treasury secretary and private equity mogul Steve Mnuchin is apparently thinking about buying the platform.

    Speaking to CNBC's pre-market team at Squawk Box, Mnuchin said he hoped the TikTok ban would pass in the Senate, forcing a sale of the platform to a US-based parent.

    "It's a great business and I'm going to put together a group to buy TikTok," Mnuchin told CNBC. Mnuchin didn't mention whether partners had been identified, or what phase the purchase was in.

    Billy Big Balls of the Week (32:14)

    CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms

    The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

    Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families, and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

    Industry News (41:21)

    UnitedHealth Sets Timeline to Restore Change Healthcare Systems After BlackCat Hit

    Russia’s Midnight Blizzard Accesses Microsoft Source Code

    Third-Party Breach and Missing MFA Contributed to British Library Cyber-Attack

    Lawmakers Slam UK Government’s “Ostrich Strategy” for Cybersecurity

    Google to Restrict Election-Related Answers on AI Chatbot Gemini

    Meta Sues Former VP After Defection to AI Startup

    Google Paid $10m in Bug Bounties to Security Researchers in 2023

    French Employment Agency Data Breach Could Affect 43 Million People

    TikTok Faces US Ban as House Votes to Compel ByteDance to Sell

    Tweet of the Week (50:29)

    https://twitter.com/andylapteff/status/1767952062279492006

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (06:53)

    With content liberated from the “today in infosec” twitter account and further afield

    1st March 1988: The MS-DOS boot sector virus "Ping-Pong" was discovered at the Politecnico di Torino (Turin Polytechnic University) in Italy.

    The virus would show a small ball bouncing around the screen in both text mode (ASCII character "•") and graphical mode.

    https://twitter.com/todayininfosec/status/1763540406443163705

    26th February 2004: Antivirus firm F-Secure apologized for sending the Netsky.B virus to 1000s of its UK customers & partners via a mailing list. The unknown sender sent it through the email list server, which didn't scan for viruses. And there was no business reason to accept external emails.

    https://twitter.com/todayininfosec/status/1762092359313936553

    Rant of the Week (11:48)

    Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit

    Consumer groups are filing legal complaints in the EU in a coordinated attempt to use data protection law to stop Meta from giving local users a "fake choice" between paying up and consenting to being profiled and tracked via data collection.

    Billy Big Balls of the Week (20:16)

    Fox News 'hacker' turns out to be journalist whose lawyers say was doing his job

    A Florida journalist has been arrested and charged with breaking into protected computer systems in a case his lawyers say was less "hacking," more "good investigative journalism."

    Tim Burke was arrested on Thursday and charged with one count of conspiracy, six counts of accessing a protected computer without authorization, and seven counts of intercepting or disclosing wire, oral or electronic communications for his supposed role in the theft of unedited video streams from Fox News.

    Industry News (27:48)

    UK Unveils Draft Cybersecurity Governance Code to Boost Business Resilience

    34 Million Roblox Credentials Exposed on Dark Web in Three Years

    Biden Bans Mass Sale of Data to Hostile Nations

    US Government Warns Healthcare is Biggest Target for BlackCat Affiliates

    Savvy Seahorse Targets Investment Platforms With DNS Scams

    Pharma Giant Cencora Reports Cybersecurity Breach

    UK Home Office Breached Data Protection Law with Migrant Tracking Program, ICO Finds

    Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient

    Biden Warns Chinese Cars Could Steal US Citizens' Data

    Tweet of the Week (35:17)

    https://twitter.com/_FN8_/status/1762583435745402951

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (06:25)

    With content liberated from the “today in infosec” twitter account and further afield

    16th February 2010: Version 2.0 of the CWE/SANS Top 25 Most Dangerous Software Errors was released.

    Take a look and decide which of these weaknesses have been eradicated over the last 14 years.

    Web Archive

    https://twitter.com/todayininfosec/status/1758712418601971748

    20th February 2003: Alan Giang Tran, former network admin for 2 companies, was arrested after allegedly destroying data on the companies' networks. Two months later he pleaded guilty to a federal charge of intentionally causing damage to a protected computer.

    https://twitter.com/todayininfosec/status/1760021831354896443

    Rant of the Week (14:01)

    Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data

    Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes.

    From at least 2014 to 2020, Avast harvested user web browsing information through its antivirus software and browser extension, according to the FTC’s complaint. This allowed it to collect data on religious beliefs, health concerns, political views, locations, and financial status. The company then stored this information “indefinitely” and sold it to over 100 third parties without the knowledge of customers, the complaint says.

    Billy Big Balls of the Week (25:02)

    Husband 'made over a million' by eavesdropping on BP wife

    The husband of a BP employee has been charged with insider trading in the US following claims he overheard details of calls made by his wife while working from home.

    The US Securities and Exchange Commission alleged Tyler Loudon made $1.76m (£1.39m) in illegal profits.

    The regulator claimed Mr Loudon heard several of his wife's conversations about BP's takeover of TravelCenters of America and bought shares in the firm.

    BP has declined to comment.

    The SEC said: "We allege that Mr Loudon took advantage of his remote working conditions and his wife's trust to profit from information he knew was confidential."

    His wife - a mergers and acquisitions manager at BP - worked on the oil giant's takeover of TravelCenters.

    The SEC said Mr Loudon purchased 46,450 shares of TravelCenter's stock, without his wife's knowledge, before the deal was made public in February last year.

    Following the announcement, TravelCenter's share price rose nearly 71% and Mr Loudon allegedly immediately sold all of his newly-bought shares for a profit, the SEC said.

    Industry News (32:16)

    Attacker Breakout Time Falls to Just One Hour

    NCSC Sounds Alarm Over Private Branch Exchange Attacks

    Biden Executive Order to Bolster US Maritime Cybersecurity

    Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited

    Chinese Duo Found Guilty of $3m Apple Fraud Plot

    OWASP Releases Security Checklist for Generative AI Deployment

    Russian-Aligned Network Doppelgänger Targets German Elections

    Change Healthcare Cyber-Attack Leads to Prescription Delays

    ICO Bans Serco Leisure's Use of Facial Recognition for Employee Attendance

    Tweet of the Week (42:37)

    https://twitter.com/lauriewired/status/1760751495073640705

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (08:40)

    With content liberated from the “today in infosec” twitter account and further afield

    14th February 2001: In a presentation at Black Hat Windows Security Conference 2001, Andrey Malyshev of ElcomSoft shared that Microsoft Excel uses a default encryption password of "VelvetSweatshop".

    https://twitter.com/todayininfosec/status/1757782275406622835

    16th February 2004: The Netsky worm first appeared. It spread via an email attachment which after opened would search the computer for email addresses then email itself to those addresses. Its dozens of variants accounted for almost a quarter of malware detected in 2004.

    https://twitter.com/todayininfosec/status/1758497889972576608

    Rant of the Week (5:10)

    Air Canada must pay damages after chatbot lies to grieving passenger about discount

    Air Canada must pay a passenger hundreds of dollars in damages after its online chatbot gave the guy wrong information before he booked a flight.

    Jake Moffatt took the airline to a small-claims tribunal after the biz refused to refund him for flights he booked from Vancouver to Toronto following the death of his grandmother in November last year. Before he bought the tickets, he researched Air Canada's bereavement fares – special low rates for those traveling due to the loss of an immediate family member – by querying its website chatbot.

    The virtual assistant told him that if he purchased a normal-price ticket he would have up to 90 days to claim back a bereavement discount. Following that advice, Moffatt booked a one-way CA$794.98 ticket to Toronto, presumably to attend the funeral or attend to family, and later a CA$845.38 flight back to Vancouver.

    He also spoke to an Air Canada representative who confirmed he would be able to get a bereavement discount on his flights and that he should expect to pay roughly $380 to get to Toronto and back. Crucially, the rep didn't say anything about being able to claim the discount as money back after purchasing a ticket.

    When Moffatt later submitted his claim for a refund, and included a copy of his grandmother's death certificate, all well within that 90-day window, Air Canada turned him down.

    Staff at the airline told him bereavement fare rates can't be claimed back after having already purchased flights, a policy at odds with what the support chatbot told Moffatt. It's understood the virtual assistant was automated, and not a person sat at a keyboard miles away.

    Billy Big Balls of the Week (22:06)

    Australia passes Right To Disconnect law, including (for now) jail time for bosses who email after-hours

    Australia last week passed a Right To Disconnect law that forbids employers contacting workers after hours, with penalties including jail time for bosses who do the wrong thing.

    The criminal sanction will soon be overturned – it was the result of parliamentary shenanigans rather than the government's intent – and the whole law could go too if opposition parties and business groups have their way.

    European companies have already introduced Right To Disconnect laws in response to digital devices blurring the boundaries between working hours and personal time. The laptops or phones employers provide have obvious after-hours uses, but also mean workers can find themselves browsing emailed or texted messages from their boss at all hours – sometimes with an expectation of a response. That expectation, labor rights orgs argue, extends the working day without increasing pay.

    Right To Disconnect laws might better be termed "Right to not read or respond to messages from work" laws because that's what they seek to guarantee.

    Industry News (31:45)

    US, UK and India Among the Countries Most At Risk of Election Cyber Interference

    Southern Water Notifies Customers and Employees of Data Breach

    Cybersecurity Spending Expected to be Slashed in 41% of SMEs

    GoldPickaxe Trojan Blends Biometrics Theft and Deepfakes to Scam Banks

    Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI in Cyber-Attacks

    Prudential Financial Faces Cybersecurity Breach

    Google Warns Unfair AI Rules Could Empower Hackers, Harming Defense

    Hackers Exploit EU Agenda in Spear Phishing Campaigns

    New Ivanti Vulnerability Observed as Widespread Security Concerns Grow

    Tweet of the Week (39:24)

    https://twitter.com/MalwareJake/status/1758454999380557885

    Come on! Like and bloody well subscribe!

  • This week in InfoSec (08:59)

    With content liberated from the “today in infosec” twitter account and further afield

    8th February 2000: A 15-year-old Canadian identified at the time only by his handle "MafiaBoy" launched a 4-hour DDoS attack against http://cnn.com. The attacks also targeted Yahoo, eBay, Amazon and other sites over a 3 day period. In 2001 a Canadian court sentenced him to 8 months.

    https://twitter.com/todayininfosec/status/1755576730306089245

    7th February 2000: Dennis Michael Moran (aka Coolio) performed a smurf attack against Yahoo's routers, causing its websites to be inaccessible for hours. Conversations on an IRC channel led to him being identified and convicted for a series of DDoS and website defacement crimes.

    https://twitter.com/todayininfosec/status/1755267532540244316

    Rant of the Week (14:35)

    Viral news story of botnet with 3 million toothbrushes was too good to be true

    In recent days you may have heard about the terrifying botnet consisting of 3 million electric toothbrushes that were infected with malware. While you absent-mindedly attended to your oral hygiene, little did you know that your toothbrush and millions of others were being controlled remotely by nefarious criminals.

    Alas, fiction is sometimes stranger than truth. There weren't really 3 million Internet-connected toothbrushes accessing the website of a Swiss company in a DDoS attack that did millions of dollars of damage. The toothbrush botnet was just a hypothetical example that some journalists wrongly interpreted as having actually happened.

    It apparently started with a January 30 story by the Swiss German-language daily newspaper Aargauer Zeitung. Tom's Hardware helped spread the tale in English on Tuesday this week in an article titled, "Three million malware-infected smart toothbrushes used in Swiss DDoS attacks."

    https://www.malwarebytes.com/blog/awareness/2024/02/how-to-tell-if-your-toothbrush-is-being-used-in-a-ddos-attack

    Billy Big Balls of the Week (21:50)

    Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’

    A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.

    The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.

    “(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.

    Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.

    However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized, Chan said.

    Believing everyone else on the call was real, the worker agreed to remit a total of $200 million Hong Kong dollars – about $25.6 million, the police officer added.

    Industry News (28:58)

    Clorox and Johnson Controls Reveal $76m Cyber-Attack Bill

    Meta's Oversight Board Urges a Policy Change After a Fake Biden Video

    Malware-as-a-Service Now the Top Threat to Organizations

    Chinese Spies Hack Dutch Networks With Novel Coathanger Malware

    Meta to Introduce Labeling for AI-Generated Images Ahead of US Election

    Governments and Tech Giants Unite Against Commercial Spyware

    France: 33 Million Social Security Numbers Exposed in Health Insurance Hack

    20 Years of Facebook, but Trust in Social Media Remains Rock Bottom

    AI-Powered Robocalls Banned Ahead of US Election

    Tweet of the Week (37:15)

    https://x.com/gossithedog/status/1755282171198054805?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

    Come on! Like and bloody well subscribe!