The movie "Office Space" was released. With a budget of $10 million, it grossed a measly $13 million worldwide, but became a cult classic with its homage to Superman III's salami slicing and Jennifer Aniston's rant against 37 pieces of flair. Now where's my stapler?

It's a masterclass in a fraud , a segregation of duties failure, or a monitoring gap — but back in 1999, it was just a comedy plot.

Leaked Email Suggests Ring Plans to Expand ‘Search Party’ Surveillance Beyond Dogs

Ring’s controversial, AI-powered “Search Party” feature isn’t intended to always be limited only to dogs, the company’s founder, Jamie Siminoff, told Ring employees in an internal email obtained by 404 Media

Just found out we’re being audited by our cyber insurance provider 

Industry news 

Tweet of the week
https://x.com/whoaish/status/2024344477465456936  

Come on! Like and bloody well subscribe!

Rant of the week is going to put a lot of Parisien street artists out of work

Billy Big Balls proves that on the internet nobody knows you are a dog

Industry News brings us the latest and greatest security news stories from around the world

And

Tweet of the Week makes Thom wonder when Fat Thursdays are coming to the UK

Come on! Like and bloody well subscribe!

Banter, lame jokes, inside jokes, lame inside jokes. 

This week in infosec 

A weak rant.

A billy big balls 

Industry news

Some tweet of the week.

And closing thoughts

Come on! Like and bloody well subscribe!

https://x.com/todayininfosec/status/1986164925039841770  

1. 24th October 2002: The worm-like Friendgreet propagated by emailing all Outlook contacts from each computer where it was installed. But THERE WAS A TWIST!

The software presented a EULA stating it would do that!

They gave fair warning, right!?

(EULA = End User License Agreement)

https://x.com/todayininfosec/status/1981885412374114601

CyberSlop — meet the new threat actor, MIT and Safe Security

Cybersecurity vendors peddling nonsense isn’t new, but lately we have a new dimension — Generative AI. This has allowed vendors — and educators — to peddle cyberslop for profit.

Earlier this year, MIT released a working paper and made a webpage around 80% of ransomware attacks using Generative AI

Law passed for scammers, mules to be caned after victims in Singapore lose almost $4b since 2020

SINGAPORE – Scammers will get at least six strokes of the cane, with the punishment going up to 24 strokes depending on the severity of the offence.

Those to be caned will include syndicate members and recruiters, and those who help them, such as money mules who provide their bank accounts, SIM cards or Singpass credentials.

These mules will face discretionary caning of up to 12 strokes.

Tweet of the week: https://x.com/phl43/status/1985841184141689196 

Come on! Like and bloody well subscribe!

https://www.computerhistory.org/tdih/september/27/#hacker-mitnick-indicted-on-charges

https://thisdayintechhistory.com/09/23/the-first-android-introduced/ 

Rant of the Week is the future of the UK, the future I tell you…

New digital ID will be mandatory for workers in the UK

Billy Big Balls gives the best reason ever to go full speed ahead with AI

Silicon Valley’s latest argument against regulating AI: that would literally be the Antichrist 

Industry News is the latest and greatest security news stories from around the world

Tweet of the Week is valuable fitness advice from infosec

https://bsky.app/profile/secure-ics-ot.bsky.social/post/3lzpgdl7dts2u 

Come on! Like and bloody well subscribe!

Home Depot disclosed that its data breach was estimated to impact 56 million unique payment cards.

https://x.com/todayininfosec/status/1968870469408309285

1. 18th September 2001: The Nimda worm was released. Utilizing 5 different infection vectors, it became the most widespread virus/worm ever after only 22 minutes.

Why "Nimda"?

$ echo "admin" | rev

nimda

https://x.com/todayininfosec/status/1968721441836134825

Rant of the week Google stuffs Chrome full of AI features whether you like it or not

Billy big balls Former Facebook policy lead Niamh Sweeney appointed DPC commissioner 

Tweet of the week https://bsky.app/profile/jwgoerlich.bsky.social/post/3lz4qt5a64k2p 

Come on! Like and bloody well subscribe!

This week in InfoSec is a sticky pickle

Rant of the Week will have you guessing at who it could possibly be, again…

Billy Big Balls is why british men need to take their passport to the bathroom these days

Industry News is the latest and greatest security news stories from around the world

And

Tweet of the Week is well... Thom got it wrong. 

Come on! Like and bloody well subscribe!

https://x.com/todayininfosec/status/1942695691270193211

10th July 1999: Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America". 

https://x.com/todayininfosec/status/1943440335608385876

Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call Center

The GPS Leak No One Talked About: Uffizio’s Silent Exposure

Hundreds of Malicious Domains Registered Ahead of Prime Day

M&S Chair Details Ransomware Attack, Declines to Confirm if Payment Was Made

Chinese State-Sponsored Hacker Charged Over COVID-19 Research Theft

Qantas Confirms 5.7 Million Customers Hit by Data Breach

Tribunal Ruling Brings ICO’s £12.7m TikTok Fine Closer

Four Arrested in Connection with April UK Retail Attacks

TikTok's Handling of EU User Data in China Comes Under Scrutiny Again

LLMs Fall Short in Vulnerability Discovery and Exploitation

MPs Warn of “Significant” Iranian Cyber-Threat to UK

https://x.com/krezae/status/1943463109173338558

Come on! Like and bloody well subscribe!

https://x.com/todayininfosec/status/1938731279937057144     

1st July 2003: California's data breach notification law went into effect. California became the first US state to require disclosure of breaches of personal information.
https://x.com/todayininfosec/status/1940220561080332760 

Meta calls €200M EU fine over pay-or-consent ad model 'unlawful' 

Meet Soham Parekh, the engineer burning through tech by working at three to four startups simultaneously 

https://x.com/nickvangilder/status/1940110830085054891

Come on! Like and bloody well subscribe!

World Wide Web software producer Spyglass Inc. went public, the year after it had begun distributing its Spyglass Mosaic software, an early browser for navigating the Web. With previous year's earnings at $7 million, Spyglass was founded by students at the Illinois Supercomputing Center, which also inspired Netscape Communications Corp.

https://www.computerhistory.org/tdih/june/27/#spyglass-goes-public  

26th June 1989: Robert Tappan Morris (who released the Morris worm in 1988) became the first person to be indicted under the US's Computer Fraud and Abuse Act (CFAA), enacted by Congress 3 years earlier. He was later sentenced to three years of probation and fined $10,050

https://x.com/todayininfosec/status/1938292354965770278

Visiting students can't hide social media accounts from Uncle Sam anymore 

Meta’s AI training on copyrighted content is ‘fair use’, US judge says

https://x.com/filip_dragovic/status/1937932750415086010

Come on! Like and bloody well subscribe!

13th June 1994: A Russian hacker group led by Vladimir Levin stole $10.7 million from Citibank via X.25, in what was the first international bank robbery over a network to be made public. Levin was caught in London in 1995 and sentenced in the US to 3 years in prison in 1998. https://x.com/todayininfosec/status/1933504310643773697 

“Localhost tracking” explained. It could cost Meta 32 billion. 

Wanted: Junior cybersecurity staff with 10 years' experience and a PhD 

Industry News

#Infosec2025: Top Six Cyber Trends CISOs Need to Know

Half of Mobile Users Now Face Daily Scams

Researcher Finds Five Zero-Days and 20+ Misconfigurations in Salesforce Cloud

Hands-On Skills Now Key to Landing Your First Cyber Role

Phishing Alert as Erie Insurance Reveals Cyber “Event”

Europol Says Criminal Demand for Data is “Skyrocketing”

NIST Publishes New Zero Trust Implementation Guidance

Microsoft 365 Copilot: New Zero-Click AI Vulnerability Allows Corporate Data Theft

European Journalists Targeted by Paragon Spyware, Citizen Lab Confirms

Tweet of the week

https://bsky.app/profile/brianhonan.bsky.social/post/3lrilyd7rpk2m 

Come on! Like and bloody well subscribe!

https://thisdayintechhistory.com/05/26/bill-gates-internet-tidal-wave/

1. 30th May 1996: AT&T Announces Video Phone Call System.  AT&T held a meeting to announce a system that would allow personal computers to make and receive video phone calls over standard telephone lines. In years of efforts by AT&T and others to find success in the technology, the AT&T system made use of Intel's Pentium processors and compression software to allow both video and audio information to share a phone line rather than a high-capacity ISDN, T-1, or T-3 line.

https://www.computerhistory.org/tdih/may/30/#att-announces-video-phone-call-system

Security outfit SentinelOne's services back online after lengthy outage

OpenAI model modifies shutdown script in apparent sabotage effort

https://bsky.app/profile/robmesure.bsky.social/post/3lqcn6kq5oc26 

Come on! Like and bloody well subscribe!

Irish privacy watchdog OKs Meta to train AI on EU folks' posts

Judge allows Delta's lawsuit against CrowdStrike to proceed with millions in damages on the line

https://x.com/fesshole/status/1925815219655233765?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

And of course... can't NOT mention: https://www.bbc.co.uk/iplayer/episode/m002d2lh/inside-the-high-street-cyberattacks 

Come on! Like and bloody well subscribe!

Hey, it's hard enough Thom being off that I have to edit and publish this, I need to find an AI to write the notes for me. Love you all, Javvad... now go an subscribe! 

Come on! Like and bloody well subscribe!

00:00 Introduction and Initial Banter 

00:57 Podcast Introduction and Missing Guest 

01:29 Wrestling Anecdotes and Technical Difficulties 

03:04 Travel Plans and Airport Preferences 

05:12 Manchester Trip and Quiet Carriage Etiquette 

08:58 InfoSec History: Banned from the Internet 

11:00 InfoSec History: The Love Letter Virus 

14:17 Rant of the Week: Casino Mindset in Security 

18:19 Understanding the Author's Perspective 

19:19 AI Shopping App Scandal 

24:30 Industry News Highlights 

26:00 TikTok's Data Transfer Fine 

29:08 Meta vs. NSO Group 31:40 Cyber Essentials Certification 

35:58 Tweet of the Week 

38:23 Conclusion and Farewell

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

1st April 1998: Hackers changed the MIT home page to read "Disney to Acquire MIT for $6.9 Billion".

https://x.com/todayininfosec/status/1907094503552336134     

1st April 2004: The now ubiquitous Gmail service is launched as an invitation-only beta service. At first met with skepticism due to it being launched on April Fool’s Day, the ease of use and speed that Gmail offered for a web-based e-mail service quickly won converts. The fact that Gmail was invitiation-only for a long time helped fueled a mystique that those who had a Gmail address were hip and uber-cool. Those of us who are actually hip and uber-cool didn’t mind, of course, as those types of things don’t bother hip and uber-cool people. 

https://thisdayintechhistory.com/04/01/gmail-launched/  

Rant of the Week (14:07)

Kink and LGBT dating apps exposed 1.5m private user images online

https://www.bbc.co.uk/news/articles/c05m5m5v327o

Researchers have discovered nearly 1.5 million pictures from specialist dating apps – many of which are explicit – being stored online without password protection, leaving them vulnerable to hackers and extortionists.

Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove.

These services are used by an estimated 800,000 to 900,000 people.

M.A.D Mobile was first warned about the security flaw on 20 January but didn't take action until the BBC emailed on Friday.

They have since fixed it but not said how it happened or why they failed to protect the sensitive images.

Billy Big Balls of the Week (24:00)

Oracle's masterclass in breach comms: Deny, deflect, repeat

There have been some disclosure stinkers in the past. Back in 2016, The Reg discovered that Yahoo! had taken a few years to disclose security snafus that occured in 2013 and 2014, for example. These days we often see organizations simply choose not to publicly address their issues. A quick self-referral to the regulators and some letters sent directly to those affected pass as the bare minimum, and while these organizations won't get any Brownie points for transparency, the approach doesn't tend to invite too much in the way of long-lasting criticism either.

When Oracle issued its flat-out denial of the first breach allegations that surfaced from cybercrime forums, it seemed like it was yet another wannabe big-time scriptkiddie making false claims for clout.

To make matters worse, Oracle seemingly tried to swerve any flak with some careful semantics. Its original denial stated: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

Infosec experts Kevin Beaumont and Jake Williams later both claimed that Oracle appears to have used the Internet Wayback Machine's archive exclusion process to remove evidence about the intrusion.

Industry News (33:25)

Google to Switch on E2EE for All Gmail Users

ICO Apologizes After Data Protection Response Snafu

North Korea's Fake IT Worker Scheme Sets Sights on Europe

Royal Mail Investigates Data Breach Affecting Supplier

Stripe API Skimming Campaign Unveils New Techniques for Theft

Over Half of Attacks on Electricity and Water Firms Are Destructive

Amateur Hacker Leverages Russian Bulletproof Hosting Server to Spread Malware

CrushFTP Vulnerability Exploited Following Disclosure Issues

Major Online Platform for Child Exploitation Dismantled

Tweet of the Week (41:25)

https://x.com/MalwareJake/status/1907416667052786110

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

27th February 2002: Timothy Allen Lloyd was sentenced to 41 months in prison for activating a logic bomb at Omega Engineering, 20 days after being fired as a network administrator.

https://x.com/todayininfosec/status/1895255588881474024    

18th February 2013: Burger King's Twitter account was compromised, had its name changed to McDonalds, and shared offensive tweets. The incident was a...well...Whopper! 

https://x.com/todayininfosec/status/1891999132866183322

Rant of the Week (17:34)

Army soldier suspected of AT&T heist Googled ‘can hacking be treason,’ ‘defecting to Russia’

The US Army soldier suspected of compromising AT&T and bragging about getting his hands on President Trump's call logs allegedly tried to sell stolen information to a foreign intel agent.

The military man even Google searched for "can hacking be treason," and "US military personnel defecting to Russia," according to prosecutors who argue he poses a serious flight risk and should be detained.

Cameron John Wagenius, 21, was arrested in Texas in December, and last week told a federal court judge he intends to plead guilty to unlawfully posting and transferring confidential phone records. 

Prosecutors have also linked Wagenius to two other men accused of stealing data from more than 150 Snowflake cloud accounts in April 2024, and then demanding payment to keep a lid on that info.

After admitting his crimes in court, and showing a willingness to enter a guilty plea, "Wagenius should be detained as both a danger to the community — given his ability to access sensitive datasets — and a serious risk of flight," Uncle Sam's attorneys argued.

"While engaged in these criminal activities, Wagenius conducted online searches about how to defect to countries that do not extradite to the United States and that he previously attempted to sell hacked information to at least one foreign intelligence service," the documents allege. 

Billy Big Balls of the Week (24:32)

100-plus spies fired after NSA internal chat board used for kinky sex talk

More than 100 US spies have been fired, and their security clearance revoked, after an internal NSA messaging system was used by staff to chat about their sex lives.

After the NSA – the National Security Agency, that is, not the other meaning – confirmed on state media it was "aware of posts that appear to show inappropriate discussions" by intelligence community employees and that "investigations to address this misuse of government systems are ongoing," Trump's Director of National Intelligence Tulsi Gabbard announced more than 100 people had since been terminated.

The messaging app in question is the NSA's Intelink, a secure intranet service used by various American military and intelligence teams to share information, including top secret and classified threat intel.

Federal workers said to have been involved in the NSFW Intelink chatter included personnel at the NSA, the Defense Intelligence Agency, and US Naval Intelligence.

"There are over 100 people from across the intelligence community that contributed to and participated in … what is really just an egregious violation of trust," Gabbard told Fox News commentator Jesse Watters Tuesday. "What to speak of, like basic rules and standards around professionalism."

Industry News (32:54)

Chinese-Backed Silver Fox Plants Backdoors in Healthcare Networks

Ransomware Gang Publishes Stolen Genea IVF Patient Data

HaveIBeenPwned Adds 244 Million Passwords Stolen By Infostealers

Signal May Exit Sweden If Government Imposes Encryption Backdoor

DISA Global Solutions Confirms Data Breach Affecting 3.3M People

FBI Confirms North Korea’s Lazarus Group as Bybit Crypto Hackers

OpenSSF Publishes Security Framework for Open Source Software

Software Vulnerabilities Take Almost Nine Months to Patch

DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen

Tweet of the Week (42:59)

https://x.com/roytait/status/1895224942565970354

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

4th December 2013: Troy Hunt launched the free-to-search site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. Today? Billions of  compromised records from hundreds of breaches.

https://twitter.com/todayininfosec/status/1864299155583127739    

5th December 1996: Julian Assange pleaded guilty to 25 of 31 hacking charges and related charges and was ordered to repay $2,100 to Australian National University. He had been arrested in 1994 for hacking crimes committed in 1991. The court case details weren't released until 2011.

https://twitter.com/todayininfosec/status/1864664694243434977

Rant of the Week (17:21)

Severity of the risk facing the UK is widely underestimated, NCSC annual review warns

The number of security threats in the UK that hit the country's National Cyber Security Centre's (NCSC) maximum severity threshold has tripled compared to the previous 12 months.

Published Tuesday 3rd December, GCHQ's tech offshoot's 2024 review reveals that 12 incidents topped the NCSC's severity classification system out of a total 430 cases that required support from its Incident Management (IM) team between September 2023 and August 2024. The finding represents a 16 percent increase year-over-year.

The number of nationally significant incidents also rose from 62 last year to 89 in the latest data, six of which were caused by exploiting two Palo Alto and Cisco zero-days. This number includes the 12 deemed maximally severe and an undetermined number of attacks on the UK's central government.

Billy Big Balls of the Week (25:50)

Badass Russian techie outsmarts FSB, flees Putinland all while being tracked with spyware

A Russian programmer defied the Federal Security Service (FSB) by publicizing the fact his phone was infected with spyware after being confiscated by authorities.

Kirill Parubets was detained in Russia for 15 days after being accused of sending money to Ukraine, during which time the man was beaten and subjected to aggressive efforts to recruit him as an FSB informant on his contacts in Ukraine.

According to his account of the story, published with his consent by Toronto University's Citizen Lab and First Department legal organization, he says he was threatened with life imprisonment if he failed to comply with the recruitment drive.

In order to secure release, he agreed but before he was indoctrinated he and his wife fled the country. Always keep a second passport, if possible. 

Industry News (32:21)

Crypto.com Launches Massive $2m Bug Bounty Program

German Police Shutter Country’s Largest Dark Web Market

ENISA Launches First State of EU Cybersecurity Report

Wirral Hospital Recovery Continues One Week After Cyber Incident

FBI Warns GenAI is Boosting Financial Fraud

Europol Dismantles Major Online Fraud Platform in Major Blow to Fraudsters

Deloitte Denies Breach, Claims Cyber-Attack Targeted Single Client

Romania Exposes TikTok Propaganda Campaign Supporting Pro-Russian Candidate

FCC Proposes Stricter Cybersecurity Rules for US Telecoms

Tweet of the Week  (43:43)

https://twitter.com/McGrewSecurity/status/1865050788369772974

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

24th November 2014: The Washington Post published an article which included a photo of TSA master keys. A short time later functional keys were 3-d printed using the key patterns in the photo. Oops.

https://twitter.com/todayininfosec/status/1860803840620044356   

22nd November 2010: Matt Blaze published the PowerPoint slides he was contractually required to submit for his 2011 RSA Security Conference presentation. Matt hates PowerPoint. Take a moment to admire the slides he submitted.

https://twitter.com/todayininfosec/status/1860027850369519669

Rant of the Week (12:47)

https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/

A UK hospital is declaring a "major incident," cancelling all outpatient appointments due to "cybersecurity reasons."

The Wirral University Teaching Hospital NHS Trust, located in North West England, said the so-called "incident" affects the whole Trust, which oversees Wirral Women and Children's Hospital, Clatterbridge Hospital, and Arrowe Park Hospital.

Although the tech problems began on Monday, officials confirmed to The Register it is still dealing with the fallout as of Tuesday morning. 

All outpatient appointments were canceled on Monday and the same decision was made today, according to Arrowe Park and Clatterbridge's social media posting. All patients whose appointments were canceled will be contacted to rearrange them.

Billy Big Balls of the Week (20:48)

Put your usernames and passwords in your will, advises Japan's government

Japan's National Consumer Affairs Center on Wednesday suggested citizens start "digital end of life planning" and offered tips on how to do it.

The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so suggested four steps to simplify ensure our digital legacies aren't complicated:

Ensuring family members can unlock your smartphone or computer in case of emergency;

Maintain a list of your subscriptions, user IDs and passwords;

Consider putting those details in a document intended to be made available when your life ends;

Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.

The Center suggests now is the time for it to make this suggestion because it is aware of struggles to discover and resolve ongoing expenses after death. With smartphones ubiquitous, the org fears more people will find themselves unable to resolve their loved ones' digital affairs – and powerless to stop their credit cards being charged for services the departed cannot consume.

Some entrepreneurs have already identified end of life services as an opportunity. "Dead Man's Switch" apps can be set to contact whomever you choose if you do not sign in to certain accounts after a period you select as a likely indicator of your departure from this world.

Meta also offers the chance to nominate a "legacy contact" who can manage your account.

Such services aren't just opportunistic: grieving people have a lot on their plate, and executing wills is not always straightforward. 

Industry News (31:08)

ICO Urges More Data Sharing to Tackle Fraud Epidemic

Over a Third of Firms Struggling With Shadow AI

Darknet Services Fuel Holiday Scams and E-Commerce Exploits

NHS Trust Declares Major Incident for “Cybersecurity Reasons”

Nuclear Decommissioning Authority Opens Sellafield Cyber Center

New EU Commission to Unveil Healthcare Cybersecurity Plan in First 100 Days

T-Mobile Claims Salt Typhoon Did Not Access Customer Data

Albanian Drug Smugglers Busted After Cops Decrypt Comms

UK Justice System Failing Cybercrime Victims, Cyber Helpline Finds

Tweet of the Week (39:43)

https://bsky.app/profile/mattpotteruk.bsky.social/post/3lbyu4dy3b22f

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

12th November 2012: John McAfee went into hiding because his neighbour, Gregory Faull, was found dead from a gunshot. Belize police wanted him to come in for questioning, but he fled to Guatemala where he was then arrested. He was never charged, though he lost a $25 million wrongful death suit.

https://x.com/todayininfosec/status/1856538748361515355   

12th November 2000: Bill Gates demonstrates a functional prototype of a Tablet PC. Microsoft claims “the Tablet PC will represent the next major evolution in PC design and functionality.” However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.

Microsoft Declares Tablets Are the Future

Rant of the Week (15:41)

Amazon MOVEit Leaker Claims to Be Ethical Hacker

A threat actor who posted 2.8 million lines of Amazon employee data last week has taken to the dark web to claim they are doing so to raise awareness of poor security practice.

The individual, who goes by the online moniker “Nam3L3ss,” claimed in a series of posts to have obtained data from 25 organisations whose data was compromised via last year’s MOVEit exploit.

Billy Big Balls of the Week (24:12)

O2's AI granny knits tall tales to waste scam callers' time

Watch out, scammers. O2 has created a new weapon in the fight against fraud: an AI granny that will keep you talking until you get bored and give up.

O2, the mobile operator arm of Brit telecoms giant Virgin Media, says it has built the human-like AI to answer calls from fraudsters in real time, keeping them busy on the phone and wasting their time by pretending to be a potential vulnerable target.

"Daisy" is claimed to be indistinguishable from a real person, fooling scammers into thinking they've found perfect prey thanks to its ability to engage in "human-like" rambling chat, the biz claims.

For several weeks in the run-up to International Fraud Awareness Week (November 17–23), the AI has already frustrated scam callers with meandering stories about her family and talked at length about her passion for knitting, according to O2.

Industry News (28:20)

Amazon MOVEit Leaker Claims to Be Ethical Hacker

Bank of England U-turns on Vulnerability Disclosure Rules

Massive Telecom Hack Exposes US Officials to Chinese Espionage

Microsoft Power Pages Misconfiguration Leads to Data Exposure

Sitting Ducks DNS Attacks Put Global Domains at Risk

O2’s AI Granny Outsmarts Scam Callers with Knitting Tales

Ransomware Groups Use Cloud Services For Data Exfiltration

Bitfinex Hacker Jailed for Five Years Over Billion Dollar Crypto Heist

Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors

Tweet of the Week (36:05)

https://x.com/J4vv4D/status/1856981250306687143

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

5th November 1993: Bugtraq was created by Scott Chasin as a full disclosure vulnerability reporting mailing list at the dawn of the World Wide Web. Bugtraq had an enormous influence on how orgs responded to vuln disclosure and paved the way for a shift which led to bug bounty programs.

https://twitter.com/todayininfosec/status/1853799779626578186  

5th November 2007: Google introduces the Android platform, its mobile operating system for cell phones based on a modified version of the Linux operating system. The first Android-based phone would ship in September of 2008.

https://thisdayintechhistory.com/11/05/android-introduced/

Rant of the Week (18:54)  

Voted in America? This Site Doxed You

If you voted in the U.S. presidential election yesterday in which Donald Trump won comfortably, or a previous election, a website powered by a right-wing group is probably doxing you. VoteRef makes it trivial for anyone to search the name, physical address, age, party affiliation, and whether someone voted that year for people living in most states instantly and for free. This can include ordinary citizens, celebrities, domestic abuse survivors, and many other people.

Voting rolls are public records, and ways to more readily access them are not new. But during a time of intense division, political violence, or even the broader threat of data being used to dox or harass anyone, sites like VoteRef turn a vital part of the democratic process—simply voting—into a security and privacy threat.

Billy Big Balls of the Week (27:09)

Schneider Electric ransomware crew demands $125k paid in baguettes

https://www.theregister.com/2024/11/05/schneider_electric_cybersecurity_incident/

Schneider Electric confirmed that it is investigating a breach as a ransomware group Hellcat claims to have stolen more than 40 GB of compressed data — and demanded the French multinational energy management company pay $125,000 in baguettes or else see its sensitive customer and operational information leaked.

And yes, you read that right: payment in baguettes. As in bread.

Schneider Electric declined to answer The Register's specific questions about the intrusion, including if the attackers really want $125,000 in baguettes or if they would settle for cryptocurrency. 

A spokesperson, however, emailed us the following statement:

"Schneider Electric is investigating a cybersecurity incident involving unauthorised access to one of our internal project execution tracking platforms which is hosted within an isolated environment. Our Global Incident Response team has been immediately mobilised to respond to the incident. Schneider Electric's products and services remain unaffected."

Industry News (33:18)

Google Cloud to Mandate Multifactor Authentication by 2025

IRISSCON: Organizations Still Falling Victim to Predictable Cyber-Attacks

Defenders Outpace Attackers in AI Adoption

UK Cybersecurity Wages Soar Above Inflation as Stress Levels Rise

NCSC Publishes Tips to Tackle Malvertising Threat

Canada Orders Shutdown of Local TikTok Branch Over Security Concerns

UK Regulator Urges Stronger Data Protection in AI Recruitment Tools

Interlock Ransomware Targets US Healthcare, IT and Government Sectors

Major Oilfield Supplier Hit by Ransomware Attack

Tweet of the Week (41:01)

https://twitter.com/fesshole/status/1854832499714576399

Come on! Like and bloody well subscribe!

Come on! Like and bloody well subscribe!

This week in infosec  was about a EULA

Rant of the week

https://securityaffairs.com/170125/laws-and-regulations/sec-fined-4-companies-misleading-disclosures-impact-solarwinds-attack.html

Billy Big Balls

https://www.theregister.com/2024/10/24/anthropic_claude_model_can_use_computers/

Some news articles from infosecurity-magazine.com 

Tweet of the week 

https://x.com/thomas_violence/status/1849627627474293148 

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

10th October 1995: Netscape introduced the "Netscape Bugs Bounty", a program rewarding users who report "bugs" in the beta versions of its recently announced Netscape Navigator 2.0 web browser.

Navigator was the dominant browser from 1995-1998, when it was overtaken by Internet Explorer.

https://twitter.com/todayininfosec/status/1844466277718556683

8th October 2008: University student David Kernell was arraigned. He compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, using public info to reset her password, posting her emails to 4chan. He was later found guilty and died from MS complications in 2018.

https://twitter.com/todayininfosec/status/1843619068302983592

Rant of the Week (20:24) 

Cards Against Humanity campaigns to encourage voting, expose personal data abuse

Up to $100 for planning to vote and a public smear – how is this not illegal?

The troublemakers behind the party game Cards Against Humanity have launched a campaign demonstrating how easy it is to buy sensitive personal data about American voters, while simultaneously encouraging those Americans to plan how to cast a vote in the upcoming presidential election.

The "Cards Against Humanity Pays You to Give a Shit" campaign uses US citizens' personal data obtained from a broker to identify whether individuals voted in the 2020 US presidential election and how they lean politically. Those who didn't vote are asked to put info into the website, promise to vote in the upcoming election, make a voting plan, "and publicly post 'Donald Trump is a human toilet'" in exchange for up to $100.

Billy Big Balls of the Week (28:42)

FBI created a cryptocurrency so it could watch it being abused

The FBI created its own cryptocurrency so it could watch suspected fraudsters use it – an idea that worked so well it produced arrests in three countries

News of the Feds' currency, an Ethereum-based instrument named NexFundAI, appeared in a Wednesday Department of Justice announcement that eighteen individuals have been charged "for widespread fraud and manipulation in the cryptocurrency markets."

The Feds allege some of the fraud involved "wash trades" – transactions conducted solely to increase the volume of trades in a security or other asset. Rising volumes of trades are often seen as an indicator that a stock is of increasing interest as it has good growth prospects – a signal that can see prices rise. But wash trades are often conducted by related entities, or even the same entity, to create a false market signal – an arrangement also known as "pump and dump."

Industry News (34:36) 

New EU Body to Centralize Complaints Against Facebook, TikTok, YouTube

New Generation of Malicious QR Codes Uncovered by Researchers

Apple’s iPhone Mirroring Flaw Exposes Employee Privacy Risks

Former RAC Employees Get Suspended Sentence for Data Theft

Internet Archive Breached, 31 Million Records Exposed

Marriott Agrees $52m Settlement for Massive Data Breach

EU Adopts Cyber Resilience Act for Connected Devices

Over 10m Conversations Exposed in AI Call Center Hack

Disinformation Campaign Targets Moldova Ahead of EU Referendum

Tweet of the Week (45:07)

https://twitter.com/JackRhysider/status/1844502566799085769

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

27th September 2001: Jan de Wit was sentenced to 150 hours of community service in the Netherlands for creating and spreading the Anna Kournikova virus. It was one of the first of the major viruses created from a virus toolkit - the dawn of cybercrime toolkits.

https://twitter.com/todayininfosec/status/1839709145282277614

3rd October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress that one person in the IT department was at fault.

https://twitter.com/todayininfosec/status/1841893372035838342

Rant of the Week (14:52)

It's true, social media moderators do go after conservatives

Because they're most likely to share crappy misinformation online

Since Elon Musk bought Twitter nearly two years ago – a $44 billion acquisition he tried to pull out of – the mogul has driven a narrative that moderation of the microblogging website disproportionately targeted conservatives, libertarians, and Trump supporters.

A scientific paper published in the journal Nature this week confirms that was the case, with justification. The groups more likely to be subjected to moderation were also more likely to share misinformation from low-quality news sites.

Billy Big Balls of the Week (21:49)

Use this link to read the story: https://www.404media.co/email/e7ecda94-675a-4538-901f-b2ccb35fe916/?ref=daily-stories-newsletter - the other link below for the show notes (the one above is tied to my account)

Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers

A pair of students at Harvard have built what big tech companies refused to release publicly due to the overwhelming risks and danger involved: smart glasses with facial recognition technology that automatically looks up someone’s face and identifies them. The students have gone a step further too. Their customized glasses also pull other information about their subject from around the web, including their home address, phone number, and family members.

Industry News (32:05)

PwC Urges Boards to Give CISOs a Seat at the Table

Cyber-Attacks Hit Over a Third of English Schools

ISACA: European Security Teams Are Understaffed and Underfunded

T-Mobile to Pay $15.75m Penalty for Multiple Data Breaches

British Hacker Charged in the US For $3.75m Insider Trading Scheme

Meta Teams Up with Banks to Target Fraudsters

FIN7 Gang Hides Malware in AI “Deepnude” Sites

Northern Ireland Police Data Leak Sees Service Fined by ICO

Microsoft and US Government Disrupt Russian Star Blizzard Operations

Tweet of the Week (38:52)

https://twitter.com/iamdevloper/status/1842097858196979989

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes.

https://twitter.com/todayininfosec/status/1836495262409175187  

17th September 2014: Apple announced that the iOS 8 operating system (used on iPhone and iPad) would be architected to prevent it from being technically feasible for the company to extract data from customer devices. A day later Google made a similar announcement pertaining to Android.

With iOS 8 Update, Apple Will No Longer Provide User Data to Police

https://twitter.com/todayininfosec/status/1836071319030374437

Rant of the Week  (17:50)

No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedom

Buried beneath the endless feeds and attention-grabbing videos of the modern internet is a network of data harvesting and sale that's perhaps far more vast than most people realise, and it desperately needs regulation. 

That's the conclusion the FTC made after spending nearly four years poring over internal data from nine major social media and video streaming corporations in the US.

These internet behemoths are collecting vast amounts of data, both on and off their services, and the handling of such data is "woefully inadequate," particularly around data belonging to children and teenagers, the FTC said. 

Billy Big Balls of the Week (28:06)

LinkedIn started harvesting people's posts for training AI without asking for opt-in

LinkedIn started harvesting user-generated content to train its AI without asking for permission, angering netizens.

Microsoft’s self-help network on Wednesday published a "trust and safety" update in which senior veep and general counsel Blake Lawit revealed LinkedIn's use of people's posts and other data for both training and using its generative AI features.

In doing so, he said the site's privacy policy had been updated. We note this policy links to an FAQ that was updated sometime last week also confirming the automatic collecting of posts for training – meaning it appears LinkedIn started gathering up content for its AI models, and opting in users, well before Lawit’s post and the updated privacy policy advised of the changes today.

Industry News (35:07)  

Over Half of Breached UK Firms Pay Ransom

ICO Acts Against Sky Betting and Gaming Over Cookies

AT&T Agrees $13m FCC Settlement Over Cloud Data Breach

Europol Taskforce Disrupts Global Criminal Network Through Supply Chain Attack

Google Street View Images Used For Extortion Scams

8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

Western Agencies Warn Risk from Chinese-Controlled Botnet

Going for Gold: HSBC Approves Quantum-Safe Technology for Tokenized Bullions

Cybersecurity Skills Gap Leaves Cloud Environments Vulnerable

Tweet of the Week  (42:39)

https://twitter.com/ProfWoodward/status/1837084678836171089

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

12th September 2014: Stephane Chazelas contacted Bash maintainer Chet Ramey about a vulnerability he dubbed "Bashdoor", which later becoming known as Shellshock. It was publicly disclosed 12 days later.

Shellshock was kind of a big deal - and the vuln had been in Bash for 25 years!

https://x.com/todayininfosec/status/1834293229472416242  

9th September 2001: Mark Curphey started OWASP (the Open Web Application Security Project). In 2023 it was renamed the Open Worldwide Application Security Project.

https://x.com/todayininfosec/status/1833191889790480500  

Rant of the Week (16:33)

WhatsApp's 'View Once' could be 'View Whenever' due to a flaw

A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.

According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.

The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code.

"The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation states.

"Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared."

Billy Big Balls of the Week (27:10)

Australia’s government spent the week boxing Big Tech

The fun started on Monday when prime minister Anthony Albanese announced his intention to introduce a minimum age for social media, with a preference for the services to be off limits until kids turn 16.

"I want kids to have a childhood," the PM urged. "I want them off their devices … I want them to have real experiences with real people."

Albanese promised legislation to enact the rule will be tabled before Australia's next election, due by 2025. Opposition leader Peter Dutton broadly supported the proposal, which is pitched at parents who are tired of having to protect their kids online.

Industry news (34:34)

DoJ Distributes $18.5m to Western Union Fraud Victims

Poland's Supreme Court Blocks Pegasus Spyware Probe

UK Recognizes Data Centers as Critical National Infrastructure

Mastercard Acquires Global Threat Intelligence Firm Recorded Future for $2.65bn

TfL Confirms Customer Data Breach, 17-Year-Old Suspect Arrested

Irish Data Protection Regulator to Investigate Google AI

Microsoft Vows to Prevent Future CrowdStrike-Like Outages

Record $65m Settlement for Hacked Patient Photos

Malicious Actors Spreading False US Voter Registration Breach Claims

Tweet of the Week (41:57)

https://x.com/MikeTalonNYC/status/1834311262563377553

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

3rd September 2014: Twitter launched its bug bounty program via the HackerOne platform, stating it would award at least $140 for vulnerabilities found in http://x.com/ or its Android or iOS apps.

$140? 140 was the max tweet length. $1.6 million has been paid out since inception.

https://twitter.com/XSecurity/status/507220774336225280

https://x.com/todayininfosec/status/1831408686604140602

30th August 2014: A user of the message board 4chan posted leaked nude photos of Jennifer Lawrence, Kate Upton, Kirsten Dunst, and other celebrities. Several years later 4 people were sentenced for crimes related to the hacking of Apple iCloud accounts of dozens of targeted individuals.

Apple knew of iCloud API weakness months before celeb photo leak broke

https://x.com/todayininfosec/status/1830016468328575386

Rant of the Week (19:09)

'Error' causes Alexa to endorse Kamala Harris, refuse to discuss Trump

It would be perfectly reasonable to expect Amazon's digital assistant Alexa to decline to state opinions about the 2024 presidential race, but up until recently, that assumption would have been incorrect.

When asked to give reasons to vote for former President Donald Trump, Alexa demurred, according to a video from Fox Business. 

"I cannot provide responses that endorse any political party or its leader," Alexa responded. When asked the same about Vice President Kamala Harris, the Amazon AI was more than willing to endorse the Democratic candidate. 

"There are many reasons to vote for Kamala Harris," Alexa said. Among the reasons given was that Harris has a "comprehensive plan to address racial injustice," that she promises a "tough on crime approach," and that her record on criminal justice and immigration reform make her a "compelling candidate." 

Billy Big Balls of the Week (26:45)

Examples of Google Employees Trying to Avoid Creating Evidence in Antitrust Case

In its antitrust case against Google, the Federal Government filed a list of chats it had obtained that show Google employees explicitly asking each other to turn off a chat history feature to discuss sensitive subjects, showing repeatedly that Google workers understood they should try to avoid creating a paper trail of some of their activities. 

The filing came following a hearing in which judge Leonie Brinkema ripped Google for “destroyed” evidence while considering a filing from the Department of Justice asking the court to find “adverse interference” against Google, which would allow the court to assume it purposefully destroyed evidence. 

Previous filings, including in the Epic Games v Google lawsuit and this current antitrust case, have also shown Google employees purposefully turning history off.

The chats show 22 instances in which one Google employee told another Google employee to turn chat history off. In total, the court has dozens of specific employees who have told others to turn history off in DMs or broader group chats and channels. The document includes exchanges like this (each exchange includes different employees)

AND

Musician charged with $10M streaming royalties fraud using AI and bots

North Carolina musician Michael Smith was indicted for collecting over $10 million in royalty payments from Spotify, Amazon Music, Apple Music, and YouTube Music using AI-generated songs streamed by thousands of bots in a massive streaming fraud scheme.

According to court documents, Smith fraudulently inflated music streams on digital platforms between 2017 and 2024 with the assistance of an unnamed music promoter and the Chief Executive Officer of an AI music company.

He acquired hundreds of thousands of songs generated through artificial intelligence (AI) from a coconspirator and uploaded them to these streaming platforms. He then used automated bots to stream the AI-generated tracks billions of times.

Industry News (36:21)

South Korea Police Investigates Telegram Over Deepfake Porn

Irish Wildlife Park Warns Customers to Cancel Credit Cards Following Breach

TfL Claims Cyber-Incident is Not Impacting Services

Three Plead Guilty to Running MFA Bypass Site

Civil Rights Groups Call For Spyware Controls

Clearview AI Fined €30.5m by Dutch Watchdog Over Illegal Data Collection

Russian Blamed For Mass Disinformation Campaign Ahead of US Election

OnlyFans Hackers Targeted With Infostealer Malware

UK Signs Council of Europe AI Convention

Tweet of the Week (42:50)

https://twitter.com/0xdade/status/1831387831677415923

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

29th August 1990: The UK's Computer Misuse Act 1990 went into effect, introducing 3 criminal offences related to unauthorised access and modification of "computer material".

https://twitter.com/todayininfosec/status/1829252932178719161  

27th August 1999: One of the first companies to offer a dedicated web application firewall (WAF) was Perfecto Technologies with its AppShield product. But it didn't use the terminology "WAF", instead describing it as "a plug and play" Internet application security solution."

https://twitter.com/todayininfosec/status/1828483993001492969

Rant of the Week (13:25) 

Watchdog warns FBI is sloppy on secure data storage and destruction

The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General.

Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for it to be either lost or stolen, the report [PDF] addressed to FBI Director Christopher Wray states.

Ironically, this lack of identification might be considered a benefit, given the lax security at the FBI's facility used to destroy such media after they have been finished with.

The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.

Billy Big Balls of the Week (22:01)

Deadbeat dad faked his own death by hacking government databases

A US man has been sentenced to 81 months in jail for faking his own death by hacking government systems and officially marking himself as deceased.

The US Department of Justice on Tuesday detailed the case of Jesse Kipf, 39, who was sent down for computer fraud and aggravated identity theft.

In January 2023, Kipf used the credentials of a physician to access Hawaii's Death Registry System and create a "case" that recorded his own death.

"Kipf then completed a State of Hawaii Death Certificate Worksheet, assigned himself as the medical certifier for the case and certified his death, using the digital signature of the doctor," the DoJ wrote. The paperwork was all correct, so many government databases listed Kipf as deceased.

But he was very much alive and enjoying the fact that his "death" meant he didn't have to make child support payments or catch up on those he'd already missed. Evidence presented in court included internet search histories recorded on a laptop, with Kipf looking up terms including "Remove California child support for deceased."

Industry News (28:13)

Uber Hit With €290m GDPR Fine

FBI Flawed Data Handling Raises Security Concerns

Microsoft 365 Copilot Vulnerability Exposes User Data Risks

Money Laundering Dominates UK Fraud Cases

Ransomware Attacks Exposed 6.7 Million Records in US Schools

IT Engineer Charged For Attempting to Extort Former Employer

Surge in New Scams as Pig Butchering Dominates

Unpatched CCTV Cameras Exploited to Spread Mirai Variant

North Korean Hackers Launch New Wave of npm Package Attacks

Tweet of the Week (36:20)

https://x.com/fesshole/status/1828921760147767400

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

18th August 2004: Text messages sent to promote the video game "Resident Evil: Outbreak" stated "Outbreak: I'm infecting you with t-virus". This scared recipients, who were only about 7% less technologically savvy than mobile phone users today.

https://x.com/todayininfosec/status/1825257955878641888   

20th August 2003: Philippe Oechslin shared his technique he called "rainbow tables" during a talk at the 23rd annual crypto conference, Crypto 2003.

It became a popular approach for cracking password hashes. Today it's less widely used due to adoption of practices that reduce its efficacy.

https://x.com/todayininfosec/status/1825865870716870802

Rant of the Week  (10:59)

This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

University of California Santa Cruz (UCSC) students may be relieved to hear that an emailed warning about a staff member infected with the Ebola virus was just a phishing exercise.

The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola virus."

The message went on to say that the university has initiated a contact tracing protocol and asks message recipients to "Please Log In to the Access Information Page for more details" – the very activity phishing messages attempt to encourage in order to capture login credentials.

The simulated attack was similar to an actual phishing message sent on August 1, 2024, as shown on the UCSC Phish Bowl, a collection of real and test phishing attempts.

But the one sent on Sunday was intended to raise awareness of phishing rather than to actually steal information.

In that, it succeeded. The message prompted the UCSC Student Health Center to publish a notice about a "Phishing email with misleading health information."

On Monday, Brian Hall, chief information security officer for UCSC, sent out an apology to the university community.

Billy Big Balls of the Week (18:20)

Russia tells citizens to switch off home surveillance because the Ukrainians are coming

Russia's Ministry of Internal Affairs is warning residents of under-siege regions to switch off home surveillance systems and dating apps to stop Ukraine from using them for intel-gathering purposes.

Residents of the Bryansk, Kursk, and Belgorod regions were issued with the warnings amid what seems like Russia being thoroughly rattled by Ukraine's incursion into the country's southwest.

"The enemy is massively identifying IP ranges in our territories and connecting to unprotected video surveillance cameras remotely, viewing everything from private yards to roads and highways of strategic importance," said the ministry, according to Russian newswire Interfax. "In this regard, if there is no urgent need, it is better not to use video surveillance cameras.

"It is highly discouraged to use online dating services. The enemy actively uses such resources for the covert collection of information."

These warnings were just two of many included in a public memo aimed at protecting the identities of high-value Russian individuals, including military personnel, law enforcement agents, and nuclear energy workers.

Industry News (24:51)

Iran Behind Trump Campaign Hack, US Government Confirms

New DNS-Based Backdoor Threat Discovered at Taiwanese University

Most Ransomware Attacks Now Happen at Night

CISA to Get New Headquarters as $524M Contract Awarded

Australia Calls Off Clearview AI Investigation Despite Lack of Compliance

Backdoor in Mifare Smart Cards Could Open Doors Around the World

Security Flaws in UK Political Party Donation Platforms Exposed

Company Fined $1m for Fake Joe Biden AI Calls

FAA Admits Gaps in Aircraft Cybersecurity Rules: New Regulation Proposed

Tweet of the Week (32:19)

https://x.com/anon_opin/status/1826015107857416458?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

Come on! Like and bloody well subscribe!

10th July 1999 - Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America".

https://twitter.com/todayininfosec/status/1811133606015983680

9th July 1981 - The game that launched two of the most famous characters in video game history is released for sale. Donkey Kong was created by Nintendo, a Japanese playing card and toy company turned fledgling video game developer, who was trying to create a hit game for the North American market. Unable at the time to acquire a license to create a video game based on the Popeye character, Nintendo decides to create a game mirroring the characteristics and rivalry of Popeye and Bluto. Donkey Kong is named after the game’s villain, a pet gorilla gone rogue. The game’s hero is originally called Jumpman, but is retroactively renamed Mario once the game becomes popular and Nintendo decides to use the character in future games.

Due to the similarity between Donkey Kong and King Kong, Universal Studios sued Nintendo claiming Donkey Kong violated their trademark. Kong, however, is common Japanese slang for gorilla. The lawsuit was ruled in favor of Nintendo. The success of Donkey Kong helped Nintendo become one of the dominant companies in the video game market.

Rant of the Week (15:55)

Palestinians say Microsoft unfairly closing their accounts

Palestinians living abroad have accused Microsoft of closing their email accounts without warning - cutting them off from crucial online services.

They say it has left them unable to access bank accounts and job offers - and stopped them using Skype, which Microsoft owns, to contact relatives in war-torn Gaza.

Microsoft says they violated its terms of service - a claim they dispute.

Billy Big Balls of the Week (27:39)

Scalpers Work With Hackers to Liberate Ticketmaster's ‘Non-Transferable’ Tickets

A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers.

By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS. 

'Gay furry hackers' breach conservative US think tank behind Project 2025

A collective of self-described "gay furry hackers" have released 2GB of data lifted from the Heritage Foundation, the conservative think-tank behind Project 2025 - a set of proposals that would bring the USA closer to being an authoritarian state.

The hacktivist group, known as SiegedSec, has been running a campaign it calls "OpTransRights," targeting (mostly government) websites to disrupt efforts to enact or enforce anti-trans and anti-abortion laws.

Industry News (33:26)

10 Billion Passwords Leaked on Hacking Forum

Crypto Thefts Double to $1.4 Billion, TRM Labs Finds

Russia Blocks VPN Services in Information Crackdown

Ticketmaster Extortion Continues, Threat Actor Claims New Ticket Leak

Cyber-Attack on Evolve Bank Exposed Data of 7.6 Million Customers

Most Security Pros Admit Shadow SaaS and AI Use

Russian Media Uses AI-Powered Software to Spread Disinformation

Smishing Triad Targets India with Fraud Surge

Fraud Campaign Targets Russians with Fake Olympics Tickets

Tweet of the Week (41:18)

https://x.com/dennishegstad/status/1810044171765645568

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

3 July 1996 - a mere 28 years ago the movie Independence Day was released.  In it, Jeff Goldblum and Will Smith fly into an alien vessel in a 50-year-old space junker, then upload a computer virus in less than 5 minutes

https://twitter.com/todayininfosec/status/1808464060972667170

Rant of the Week (11:07)

Cancer patient forced to make terrible decision after Qilin attack on London hospitals

https://www.theregister.com/2024/07/05/qilin_impacts_patient/

EXCLUSIVE The latest figures suggest that around 1,500 medical procedures have been canceled across some of London's biggest hospitals in the four weeks since Qilin's ransomware attack hit pathology services provider Synnovis. But perhaps no single person was affected as severely as Johanna Groothuizen.

Hanna – the name she goes by – is now missing her right breast after her skin-sparing mastectomy and immediate breast reconstruction surgery was swapped out for a simple mastectomy at the last minute.

Billy Big Balls of the Week (18:20)

Ransomware scum who hit Indonesian government apologizes, hands over encryption key

https://www.theregister.com/2024/07/04/hackers_of_indonesian_government_apologize/

Industry News (24:28)

Vinted Fined €2.3m Over Data Protection Failure

Europol Warns of Home Routing Challenges For Lawful Interception

Meta Faces Suspension of AI Data Training in Brazil

New Ransomware Group Phones Execs to Extort Payment

UK’s NCA Leads Major Cobalt Strike Takedown

Cyber Extortion Soars: SMBs Hit Four Times Harder

New RUSI Report Exposes Psychological Toll of Ransomware, Urges Action

Dozens of Arrests Disrupt €2.5m Vishing Gang

Health Tech Execs Get Jail Time For $1bn Fraud Scheme

Tweet of the Week (31:07)

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

24th June 1987: The movie Spaceballs was released. With a budget of $23 million, it grossed $38 million at the box office in North America. Though 37 years have passed, the secret code scene remains a reminder of why security is hard.

Watch the secret code scene from Spaceballs and weep. Or laugh. Or both. Has much changed when it comes to password security since the movie was released 37 years ago today?

The 64 second scene: https:///youtu.be/a6iW-8xPw3k

https://x.com/todayininfosec/status/1805302016451002501  

27th June 2011: Anonymous released its first cache from Operation AntiSec, information from a US anti-cyberterrorism program.

https://x.com/todayininfosec/status/1806302186487345226

Rant of the Week (18:15)

Korean telco allegedly infected its P2P users with malware
A South Korean media outlet has alleged that local telco KT deliberately infected some customers with malware due to their excessive use of peer-to-peer (P2P) downloading tools.

The number of infected users of “web hard drives” – the South Korean term for the online storage services that allow uploading and sharing of content – has reportedly reached 600,000.

Billy Big Balls of the Week (26:33)

Crypto scammers circle back, pose as lawyers, steal an extra $10M in truly devious plan
The FBI says in just 12 months, scumbags stole circa $10 million from victims of crypto scams after posing as helpful lawyers offering to recover their lost tokens.

Between February 2023-2024, scammers were kicking US victims while they were already down, preying on their financial vulnerability to defraud them for a second time in what must be seen as a new low, even for that particular breed of dirtball.

It's the latest update from the FBI's Internet Crime Complaint Center (IC3) on the ongoing issue which was first publicized in August last year. 

Industry News (34:24)

US Bans Kaspersky Over Alleged Kremlin Links

Sellafield Pleads Guilty to Historic Cybersecurity Offenses

Polish Prosecutors Step Up Probe into Pegasus Spyware Operation

Credential Stuffing Attack Hits 72,000 Levi’s Accounts

Google's Naptime Framework to Boost Vulnerability Research with AI

Fake Law Firms Con Victims of Crypto Scams, Warns FBI

IT Leaders Split on Using GenAI For Cybersecurity

Majority of Critical Open Source Projects Contain Memory Unsafe Code

CISOs Reveal Firms Prioritize Savings Over Long-Term Security

Tweet of the Week (43:08)

https://twitter.com/StuAlanBecker/status/1806137799248359443

Comments: https://twitter.com/derJamesJackson/status/1806307954586538205  

Alternate TotW: 

https://twitter.com/susisnyder/status/1806222280382406836

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

5th of June  1991, a mere 33 years ago, : Philip Zimmermann sent the first release of PGP to 2 friends, Allan Hoeltje and Kelly Goen, to upload to the Internet. 

From the man himself, 

First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world. Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th.

It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn't even have a clear idea what a newsgroup was.

After releasing PGP, I immediately diverted my attention back to consulting work, to try to get caught up on my mortgage payments. I thought I could just release PGP 1.0 for MSDOS, and leave it alone for awhile, and let people play with it. I thought I could get back to it later, at my leisure. Little did I realize what a feeding frenzy PGP would set off. Apparently, there was a lot of pent-up demand for a tool like this. Volunteers from around the world were clamoring to help me port it to other platforms, add enhancements, and generally promote it. I did have to go back to work on paying gigs, but PGP continued to demand my time, pulled along by public enthusiasm.

I assembled a team of volunteer engineers from around the world. They ported PGP to almost every platform (except for the Mac, which turned out to be harder). They translated PGP into foreign languages. And I started designing the PGP trust model, which I did not have time to finish in the first release. Fifteen months later, in September 1992, we released PGP 2.0, for MSDOS, several flavors of Unix, Commodore Amiga, Atari, and maybe a few other platforms, and in about ten foreign languages. PGP 2.0 had the now-famous PGP trust model, essentially in its present form.

It was shortly after PGP 2.0's release that US Customs took an interest in the case. Little did they realize that they would help propel PGP's popularity, helping to ignite a controversy that would eventually lead to the demise of the US export restrictions on strong cryptography.

7 June 2009. A mere 15 years ago.  Sophos launched its (utterly shit) IT vigilante marketing campaign

Dress up a British man (who appears to have had a nervous breakdown over a corporate data breach incident) in an orange gimp suit – that will sell security software for sure!

At least, that was the plan made by Sophos’s marketing department for its “IT Vigilante” campaign.

https://www.youtube.com/watch?v=-gc6sDqofcI

https://grahamcluley.com/top-five-worst-videos-anti-virus/

Other awful videos:

Happy birthday Eugene Kaspersky: https://www.youtube.com/watch?v=ujnq188E5-w

Eugene’s “silent movie”: https://www.youtube.com/watch?v=Ib8UjCQl5sE&t=6s

Rant of the Week (22:45)

https://www.bbc.co.uk/news/articles/cxee7317kgmo

Russian hackers are behind the cyber attack on a number of major London hospitals, according to the former chief executive of the National Cyber Security Centre.

Ransomware attacks on the healthcare industry as a whole have increased significantly over the past year. Whaley attributes the uptick to “lives on the line.”

“While no sector is invulnerable to these attacks… healthcare providers have proven time and time again that they’re the most willing to pay a ransom following these incidents," Whaley said.

“Bad actors know this and smell blood in water,” he added. 

Whaley pointed out that the rise in state-sponsored cyberattacks combined “with the further digitization of the NHS paints a pretty grim picture for the defensive capabilities of the British healthcare sector… and possibly a warning sign of much larger attacks to come.”

Graham's Giant Gonads of the Week (30:51)

Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab

https://therecord.media/kaspersky-apple-bug-bounty-declined

https://securelist.com/trng-2023/

Apple has snubbed Russian cybersecurity firm Kaspersky Lab, refusing to shell out a bug bounty for four zero-day vulnerabilities discovered in iPhone software.  

Targets were infected using zero-click exploits via the iMessage platform, and the malware ran with root privileges, gaining complete control over the device and user data. 

The twist?

The vulnerabilities were used to spy on Kaspersky employees.

Kaspersky politely enquired whether it could be rewarded for finding the vulnerabilities used in the espionage campaign - known as Operation Triangulation.

Kaspersky claims it was a "highly sophisticated" attack, so intricate it needed 13 bullet points to explain.

Russia, not one to be outdone in the drama department, accused the U.S. and Apple of colluding to spy on Russian diplomats. Apple, of course, vehemently denied these allegations.

It's like Eastenders.

Amidst all this chaos, the U.S. and Russia are engaged in a geopolitical staring contest, with Apple caught in the crossfire. Apple, being an American company, has taken a stand against Russia's actions in Ukraine, suspending sales and removing apps. It's a bit like a tech giant trying to play peacemaker in a playground brawl.

Kaspersky, meanwhile, has its own history with the U.S. government, having been banned from government use due to security concerns. It's a classic case of "guilty by association."

So, will Kaspersky continue to report bugs to Apple despite the lack of reward? Only time will tell.

Speaking to Russian-language media agency RTVI, Kaspersky’s research head Dmitry Galov said that typically cybersecurity companies like Kaspersky nominated a charity to receive the funds from the Apple Bug Bounty program instead of collecting the revenue itself. 

He added that although Kaspersky was confident the attacker was state-sponsored, he and his research team did not have the technical data needed to identify which state may have been behind the attack.

A spokesperson for Kaspersky did not respond to whether it had nominated a charity when initially contacting Apple, nor whether the company’s refusal to issue a bounty would affect its decision to disclose vulnerabilities discovered in the future.

Industry News (40:23)

London Hospitals Cancel Operations Following Ransomware Incident

EmailGPT Exposed to Prompt Injection Attacks

#Infosec2024: CISOs Need to Move Beyond Passwords to Keep Up With Security Threats

#Infosec2024: Ransomware Ecosystem Transformed, New Groups “Changing the Rules”

Security Flaws Found in Popular WooCommerce Plugin

#Infosec2024: Collaboration is Key to an Effective Security Culture

#Infosec2024: AI Red Teaming Provider Mindgard Named UK's Most Innovative Cyber SME

FBI Warns of Rise in Work-From-Home Scams

Account Takeovers Outpace Ransomware as Top Security Concern

Tweet of the Week (44:27)

https://x.com/dakacki/status/1798882732203803070

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

28th May: 2014: LulzSec hacker Hector Monsegur, known as Sabu, was sentenced and released the same day on time served for his role in a slew of high-profile cyberattacks. He had served 7 months in prison after his arrest.

https://x.com/todayininfosec/status/1795228730735886650

25th May 2018: The General Data Protection Regulation (GDPR) in the European Union (EU) to strengthen and unify data protection became effective - just over 2 years after it was adopted by the EU.

https://twitter.com/todayininfosec/status/1794461551534936503

Rant of the Week (18:34)

Bing outage shows just how little competition Google search really has

Bing, Microsoft's search engine platform, went down in the very early morning 23rd May. That meant that searches from Microsoft's Edge browsers that had yet to change their default providers didn't work. It also meant that services relying on Bing's search API—Microsoft's own Copilot, ChatGPT search, Yahoo, Ecosia, and DuckDuckGo—similarly failed.

If dismay about AI's hallucinations, power draw, or pizza recipes concern you—along with perhaps broader Google issues involving privacy, tracking, news, SEO, or monopoly power—most of your other major options were brought down by a single API outage this morning. Moving past that kind of single point of vulnerability will take some work, both by the industry and by you, the person wondering if there's a real alternative.

Billy Big Balls of the Week (26:56)

IT worker sued over ‘vengeful’ cyber harassment of policeman who issued a jaywalking ticket

In an ongoing civil lawsuit, an IT worker is accused of launching a "destructive cyber campaign of hate and revenge" against a police officer and his family after being issued a ticket for jaywalking.

Industry News (34:44)

Check Point Urges VPN Configuration Review Amid Attack Spike

Courtroom Recording Software Vulnerable to Backdoor Attacks

New North Korean Hacking Group Identified by Microsoft

Internet Archive Disrupted by Sustained and “Mean” DDoS Attack

Advance Fee Fraud Targets Colleges With Free Piano Offers

US-Led Operation Takes Down World’s Largest Botnet

First American Reveals Data Breach Impacting 44,000 Individuals

Europol-Led Operation Endgame Hits Botnet, Ransomware Networks

BBC Pension Scheme Breached, Exposing Employee Data

Tweet of the Week (47.14)

https://twitter.com/DebugPrivilege/status/1795823939631067165  

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

17th May 2015: CNN published their article on a statement Cybersecurity Consultant, Chris Roberts had publicly made on Twitter a month earlier.  There were lots of accusations made regarding Chris Roberts' actions hacking into computer systems while a passenger on multiple airline flights. Did he actually cause a plane to fly sideways? Maybe? But it's not like he made it fly upside down.

FBI: Hacker claimed to have taken over flight’s engine controls

https://twitter.com/todayininfosec/status/1791214444980080724

26th May 1995: Gates Declares Internet "Most Important Single Development"

Realising his company had missed the boat in estimating the impact and popularity of the Internet, Microsoft Corp. CEO Bill Gates issued a memo titled, "The Internet Tidal Wave," which signaled the company's renewed focus on that arena. In the memo, Gates declared that the Internet was the "most important single development" since the IBM personal computer -- a development that he was assigning "the highest level of importance”.

https://1995blog.com/2020/05/25/25-years-on-bill-gates-internet-tidal-wave-memo-a-seminal-document-of-the-unfolding-digital-age/

Rant of the Week (18:00)

Giving Windows total recall of everything a user does is a privacy minefield

Microsoft's Windows Recall feature is attracting controversy before even venturing out of preview.

Like so many of Microsoft's AI-infused products, Windows Recall will remain in preview while Microsoft refines it based on user feedback – or simply gives up and pretends it never happened.

The principle is simple. Windows takes a snapshot of a user's active screen every few seconds and dumps it to disk. The user can then scroll through the archive of snapshots to find what were doing some time back, or query an AI system to recall past screenshots by text.

Billy Big Balls of the Week (28:58)

Hacker Breaches Scam Call Center, Warns Victims They've Been Scammed

A hacker claims to have breached a scam call center, stolen the source code for the company’s tools, and emailed the company’s scam victims.

The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

Industry News (34:17)

Authorities Arrest $100m Incognito Drugs Market Suspect

AI Seoul Summit: 16 AI Companies Sign Frontier AI Safety Commitments

UK Government in £8.5m Bid to Tackle AI Cyber-Threats

Mastercard Doubles Speed of Fraud Detection with Generative AI

PSNI Faces £750,000 Data Breach Fine After Spreadsheet Leak

GitHub Fixes Maximum Severity Flaw in Enterprise Server

National Records of Scotland Data Breached in NHS Cyber-Attack

NVD Leaves Exploited Vulnerabilities Unchecked

Microsoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day

Tweet of the Week (41:59)

https://twitter.com/gcluley/status/1792881296907043217

Two for one:

https://twitter.com/mer__edith/status/1793888092321202634

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

27th April 2012: The Information Commissioner's Office (ICO) in the UK issued its first-ever data breach fine to an NHS (National Health Service) organisation, fining Aneurin Bevan Health Board in Wales £70,000. 

https://www.digitalhealth.net/2012/04/first-nhs-fine-issued-by-ico/

Rant of the Week

Dropbox dropped the ball on security, haemorrhaging customer and third-party info

Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities.

The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone.

The filing states that management became aware of the incident last week – on April 24 – and "immediately activated our cyber security incident response process to investigate, contain, and remediate the incident."

That effort led to the discovery that "the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings."

Billy Big Balls of the Week

Chinese government website security is often worryingly bad, say Chinese researchers

Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week.

The researchers concluded the investigation has uncovered "pressing security and dependency issues" that may not have a quick fix.

"Despite thorough analyses, practical solutions to bolster the security of these systems remain elusive," wrote the researchers. "Their susceptibility to cyber attacks, which could facilitate the spread of malicious content or malware, underscores the urgent need for real-time monitoring and malicious activity detection."

The study also highlights the need for "stringent vetting and regular updates" of third-party libraries and advocates "a diversified distribution of network nodes, which could substantially augment system resilience and performance."

The study will likely not go down well in Beijing, as China's government has urged improvements to government digital services and apps often issues edicts about improving cybersecurity. 

Industry News

Google Blocks 2.3 Million Apps From Play Store Listing

Disinformation: EU Opens Probe Against Facebook and Instagram Ahead of Election

NCSC’s New Mobile Risk Model Aimed at “High-Threat” Firms

Lawsuits and Company Devaluations Await For Breached Firms

UnitedHealth CEO Confirms Breach Tied to Stolen Credentials, No MFA

REvil Ransomware Affiliate Sentenced to Over 13 Years in Prison

Security Breach Exposes Dropbox Sign Users

Indonesia is a Spyware Haven, Amnesty International Finds

North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

Tweet of the Week 

https://twitter.com/summer__heidi/status/1783829402574639187

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

23rd April 2005: The first video uploaded to YouTube, “Me at the zoo,” is posted on April 23, 2005 at 8:27 PM by co-founder Jawed Karim. For now being a piece of history, the video is actually pretty dumb.

Note to future entrepreneurs: what you do may be for posterity. Choose wisely.

22nd April 1988: 1988: The VIRUS-L email mailing list was created and moderated by Ken van Wyk while he was working at Lehigh University. It was the first electronic forum dedicated to discussing computer viruses.

https://twitter.com/todayininfosec/status/1782424224348446910

Rant of the Week (13:21)

Ring dinged for $5.6M after, among other claims, rogue insider spied on 'pretty girls'

The FTC today announced it would be sending refunds totaling $5.6 million to Ring customers, paid from the Amazon subsidiary's coffers.

The windfall stems from allegations made by the US watchdog that folks could have been, and were, spied upon by cybercriminals and rogue Ring workers via their Ring home security cameras.

The regulator last year accused Ring of sloppy privacy protections that allowed the aforementioned spying to occur or potentially occur.

Specifically, the FTC formally charged Ring with "compromising its customers' privacy by allowing any employee or contractor to access consumers' private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos."

Billy Big Balls of the Week (21:41)
Cops cuff man for allegedly framing colleague with AI-generated hate speech clip

Baltimore police have arrested Dazhon Leslie Darien, the former athletic director of Pikesville High School (PHS), for allegedly impersonating the school's principal using AI software to make it seem as if he made racist and antisemitic remarks.

Darien, of Baltimore, Maryland, was subsequently charged with witness retaliation, stalking, theft, and disrupting school operations. He was detained late at night trying to board a flight at BWI Thurgood Marshall Airport. Security personnel stopped him because the declared firearm he had with him was improperly packed and an ensuing background check revealed an open warrant for his arrest.

He is quoted as saying “Arse cock pussy”. 😀

"On January 17, 2024, the Baltimore County Police Department became aware of a voice recording being circulated on social media," said Robert McCullough, Chief of Baltimore County Police, at a streamed press conference today. "It was alleged the voice captured on the audio file belong to Mr Eric Eiswert, the Principal at the Pikesville High School. We now have conclusive evidence that the recording was not authentic.

Industry News (30:51)

Quishing Attacks Jump Tenfold, Attachment Payloads Halve

Alarming Decline in Cybersecurity Job Postings in the US

NCSC Announces PwC’s Richard Horne as New CEO

NSA Launches Guidance for Secure AI Deployment

End-to-End Encryption Sparks Concerns Among EU Law Enforcement

Fifth of CISOs Admit Staff Leaked Data Via GenAI

US Congress Passes Bill to Ban TikTok

Online Banking Security Still Not Up to Par, Says Which?

Ring to Pay Out $5.6m in Refunds After Customer Privacy Breach

Tweet of the Week   (38:56)

https://twitter.com/KimZetter/status/1783556843798671591

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

7th April 1969: Steve Crocker, a graduate student at UCLA and part of the team developing ARPANET, writes the first “Request for Comments“. The ARPANET, a research project of the Department of Defense’s Advanced Research Projects Agency (ARPA), was the foundation of today’s modern Internet. RFC 1 defined the design of the host software for communication between ARPANET nodes. This host software would be run on Interface Message Processors or IMPs, which were the precursor to Internet routers. The “host software” defined in RFC 1 would later be known as the Network Control Protocol or NCP, which itself was the forerunner to the modern TCP/IP protocol the Internet runs on today.

https://thisdayintechhistory.com/04/07/rfc-1-defines-the-building-block-of-internet-communication/

7th April 2014: The Heartbleed Bug was publicly disclosed. The buffer over-read vulnerability had been discovered by Neel Mehta and later privately reported to the OpenSSL project, which patched it the next day. The vulnerability was inadvertently introduced into OpenSSL 2 years prior.

https://twitter.com/todayininfosec/status/1777136463882183076  

Rant of the Week (17:09)

OpenTable is adding your first name to previously anonymous reviews

Restaurant reservation platform OpenTable says that all reviews on the platform will no longer be fully anonymous starting May 22nd and will now show members' profile pictures and first names.

OpenTable notified members of this new policy change today in emails to members who had previously left a review on the platform, stating the change was made to provide more transparency.

"At OpenTable, we strive to build a community in which diners can help other diners discover new restaurants, and reviews are a big part of that," reads the OpenTable email seen by BleepingComputer.

"We've heard from you, our diners, that trust and transparency are important when looking at reviews."

"To build on the credibility of our review program, starting May 22, 2024, OpenTable will begin displaying diner first names and profile photos on all diner reviews. This update will also apply to past reviews.

Billy Big Balls of the Week (26:36)
Lloyds Bank axes risk staff after executives complain they are a ‘blocker’

Lloyds Banking Group plans to cut jobs in risk management after an internal review found the function was a “blocker to our strategic transformation”.  

The restructuring was outlined in a memo last month from Lloyds’ chief risk officer Stephen Shelley, who said two-thirds of executives believed risk management was blocking progress while “less than half our workforce believe intelligent risk-taking is encouraged”.  The lender was “resetting our approach to risk and controls”, Shelley said in the memo, seen by the Financial Times, adding that “the initial focus is on non-financial risks”. 

Industry News (33:55)

T: Famous YouTube Channels Hacked to Distribute Infostealers

A: US Federal Data Privacy Law Introduced by Legislators

J: Foreign Interference Drives Record Surge in IP Theft

T: Half of UK Businesses Hit by Cyber-Incident in Past Year, UK Government Finds

A: US Claims to Have Recovered $1.4bn in COVID Fraud

J: Women Experience Exclusion Twice as Often as Men in Cybersecurity

T: Threat Actors Game GitHub Search to Spread Malware

A: Data Breach Exposes 300k Taxi Passengers’ Information

J: Apple Boosts Spyware Alerts For Mercenary Attacks

Tweet of the Week  (52:08)

https://x.com/ErrataRob/status/1778536622163984590

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

3rd April 2011: Email marketing and loyalty program management company Epsilon reported a data breach of names and email addresses of numerous companies' customers, totaling at least 60 million records. Dozens of companies were impacted, including Kroger, Walgreens, Verizon, and Chase.

https://twitter.com/todayininfosec/status/1775598288277835996  

1st April 1995: US President Bill Clinton and Russian President Boris Yeltsin announced a pact to exchange their personal PGP keys and to make the technology available to all citizens worldwide. (April Fools' Day)

https://twitter.com/todayininfosec/status/1774994645053010184

Rant of the Week (13:06)

William Wragg honey trap scandal is ‘extremely troubling’ says minister

Explosive revelations that a senior Conservative MP leaked colleagues’ phone numbers to a man he had met on the gay dating app Grindr are “very serious”, a minister has warned, amid questions over whether the MP will face sanctions.

Vice chairman of the 1922 committee William Wragg admitted he sent the numbers after becoming concerned about the power the recipient had over him since he had sent intimate pictures of himself.

Treasury minister Gareth Davies said the situation was “incredibly troubling and very serious” but maintained that Mr Wragg would keep the party whip while the incident is being investigated.

Billy Big Balls of the Week (24:09)
Amazon Ditches 'Just Walk Out' Checkouts at Its Grocery Stores

Amazon Fresh is moving away from a feature of its grocery stores where customers could skip checkout altogether.

Amazon is phasing out its checkout-less grocery stores with “Just Walk Out” technology, first reported by The Information Tuesday. The company’s senior vice president of grocery stores says they’re moving away from Just Walk Out, which relied on cameras and sensors to track what people were leaving the store with.

Just over half of Amazon Fresh stores are equipped with Just Walk Out. The technology allows customers to skip checkout altogether by scanning a QR code when they enter the store. Though it seemed completely automated, Just Walk Out relied on more than 1,000 people in India watching and labeling videos to ensure accurate checkouts. The cashiers were simply moved off-site, and they watched you as you shopped.

On Wednesday, GeekWire reported that Amazon Web Services is cutting a few hundred jobs in its Physical Stores Technology team, according to internal emails. The layoffs will allegedly impact portions of Amazon’s identity and checkout teams.

Industry News (29:46)

Dataset of 73 Million AT&T Customers Linked to Dark Web Data Breach

Firms Must Work Harder to Guard Children’s Privacy, Says UK ICO

Threat Actor Claims Classified Five Eyes Data Theft

Leicester Council Confirms Confidential Documents Leaked in Ransomware Attack

Jackson County IT Systems Hit By Ransomware Attack

LockBit Scrambles After Takedown, Repopulates Leak Site with Old Breaches

China Using AI-Generated Content to Sow Division in US, Microsoft Finds

Wiz Discovers Flaws in GenAI Models Enabling Customer Data Theft

Chinese Threat Actors Deploy New TTPs to Exploit Ivanti Vulnerabilities

Tweet of the Week (35:58)

https://twitter.com/belldotbz/status/1776187040813441272

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

20th March 2007: Dragos Ruiu announced the first Pwn2Own contest, which was held that April in Vancouver, Canada. The contest is still being held today - and in fact Pwn2Own Vancouver 2024 started today.

https://twitter.com/todayininfosec/status/1770592695255249038

16th March 1971: The first computer virus, Creeper, infected computers on the ARPANET, displaying "I'M THE CREEPER : CATCH ME IF YOU CAN." It was named after the Creeper - a villain from a 1970 episode of the TV series "Scooby-Doo, Where Are You!"

https://twitter.com/todayininfosec/status/1768973007555375317

Rant of the Week (14:29)

Majority of Americans now use ad blockers

More than half of Americans are using ad blocking software, and among advertising, programming, and security professionals that fraction is more like two-thirds to three-quarters.

According to a survey of 2,000 Americans conducted by research firm Censuswide, on behalf of Ghostery, a maker of software to block ads and online tracking, 52 percent of Americans now use an ad blocker, up from 34 percent according to 2022 Statista data.

Billy Big Balls of the Week (23:01)

Execs in Japan busted for winning dev bids then outsourcing to North Koreans

Two executives were issued arrest warrants in Japan on Wednesday, reportedly for charges related to establishing a business that outsourced work to North Korean IT engineers.

At least one of the individuals – a 53 year old named Pak Hyon-il – is a South Korean national. His alleged accomplice, 42-year old Toshiron Minomo, is Japanese and once worked for Hyon-il, according to local media.

Pak served as president of Fuchu-based IT firm ITZ, while Minomo was the head of Fukuyama-based Robast.

Industry News (29:09)

UK Blames China for 2021 Hack Targeting Millions of Voters' Data

Fake Ozempic Deals on the Rise as Experts Warn of Phishing Scams

Portugal Forces Sam Altman's Worldcoin to Stop Collecting Biometric Data

Only 5% of Boards Have Cybersecurity Expertise, Despite Financial Benefits

UK Law Enforcers Arrest 400 in Major Fraud Crackdown

Chinese Hackers Target ASEAN Entities in Espionage Campaign

NHS Trust Confirms Clinical Data Leaked by “Recognized Ransomware Group”

US Treasury Urges Financial Sector to Address AI Cybersecurity Threats

CISA Launches New Cyber Incident Reporting Rules for US Defense Contractors

Tweet of the Week  (40:52)

https://twitter.com/bettersafetynet/status/1773626490384511113

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

7th March 2017: WikiLeaks began its new series of leaks on the U.S. Central Intelligence Agency (CIA). Code-named Vault 7 by WikiLeaks, it was the largest ever publication of confidential documents on the agency.

https://twitter.com/todayininfosec/status/1765828993713090565

14th March 2013: Security journalist Brian Krebs was swatted when police responded to a spoofed 911 call claiming Russians had broken into his home and had shot his wife.

One of several people who made the false report, Eric Taylor (aka Cosmo the God), was sentenced to probation in 2017.

https://twitter.com/todayininfosec/status/1768253237260435814

Rant of the Week (21:38)

US Congress goes bang, bang, on TikTok sale-or-ban plan

The United States House of Representatives on Wednesday passed the Protecting Americans from Foreign Adversary Controlled Applications Act – a law aimed at forcing TikTok's Chinese parent ByteDance to sell the app's US operations or face the prospect of a ban.

The bill names only TikTok as a "foreign adversary controlled application" and prohibits "Providing services to distribute, maintain, or update" the app – including by offering it for sale in an app store. Even updates to the app aren't allowed.

If TikTok's US operations were locally owned and operated, none of the sanctions the bill mentions would be enforceable. And US lawmakers' fears that TikTok gives Beijing a way to gather intelligence and surveil citizens would be eased.

[Related or coincidental? Or a BBB?]

Former US Treasury secretary Steve Mnuchin thinking about buying TikTok

On the heels of the US House of Representatives passing a TikTok ban bill, former US Treasury secretary and private equity mogul Steve Mnuchin is apparently thinking about buying the platform.

Speaking to CNBC's pre-market team at Squawk Box, Mnuchin said he hoped the TikTok ban would pass in the Senate, forcing a sale of the platform to a US-based parent. 

"It's a great business and I'm going to put together a group to buy TikTok," Mnuchin told CNBC. Mnuchin didn't mention whether partners had been identified, or what phase the purchase was in.

Billy Big Balls of the Week (32:14)

CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

Onerep’s “Protect” service starts at $8.33 per month for individuals and $15/mo for families, and promises to remove your personal information from nearly 200 people-search sites. Onerep also markets its service to companies seeking to offer their employees the ability to have their data continuously removed from people-search sites.

Industry News (41:21)

UnitedHealth Sets Timeline to Restore Change Healthcare Systems After BlackCat Hit

Russia’s Midnight Blizzard Accesses Microsoft Source Code

Third-Party Breach and Missing MFA Contributed to British Library Cyber-Attack

Lawmakers Slam UK Government’s “Ostrich Strategy” for Cybersecurity

Google to Restrict Election-Related Answers on AI Chatbot Gemini

Meta Sues Former VP After Defection to AI Startup

Google Paid $10m in Bug Bounties to Security Researchers in 2023

French Employment Agency Data Breach Could Affect 43 Million People

TikTok Faces US Ban as House Votes to Compel ByteDance to Sell

Tweet of the Week (50:29)

https://twitter.com/andylapteff/status/1767952062279492006

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

1st March 1988: The MS-DOS boot sector virus "Ping-Pong" was discovered at the Politecnico di Torino (Turin Polytechnic University) in Italy.

The virus would show a small ball bouncing around the screen in both text mode (ASCII character "•") and graphical mode.

https://twitter.com/todayininfosec/status/1763540406443163705  

26th February 2004: Antivirus firm F-Secure apologized for sending the Netsky.B virus to 1000s of its UK customers & partners via a mailing list. The unknown sender sent it through the email list server, which didn't scan for viruses. And there was no business reason to accept external emails.

https://twitter.com/todayininfosec/status/1762092359313936553  

Rant of the Week (11:48)

Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit

Consumer groups are filing legal complaints in the EU in a coordinated attempt to use data protection law to stop Meta from giving local users a "fake choice" between paying up and consenting to being profiled and tracked via data collection.

Billy Big Balls of the Week (20:16)

Fox News 'hacker' turns out to be journalist whose lawyers say was doing his job

 A Florida journalist has been arrested and charged with breaking into protected computer systems in a case his lawyers say was less "hacking," more "good investigative journalism." 

Tim Burke was arrested on Thursday and charged with one count of conspiracy, six counts of accessing a protected computer without authorization, and seven counts of intercepting or disclosing wire, oral or electronic communications for his supposed role in the theft of unedited video streams from Fox News.

Industry News (27:48)

UK Unveils Draft Cybersecurity Governance Code to Boost Business Resilience

34 Million Roblox Credentials Exposed on Dark Web in Three Years

Biden Bans Mass Sale of Data to Hostile Nations

US Government Warns Healthcare is Biggest Target for BlackCat Affiliates

Savvy Seahorse Targets Investment Platforms With DNS Scams

Pharma Giant Cencora Reports Cybersecurity Breach

UK Home Office Breached Data Protection Law with Migrant Tracking Program, ICO Finds

Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient

Biden Warns Chinese Cars Could Steal US Citizens' Data

Tweet of the Week (35:17)

https://twitter.com/_FN8_/status/1762583435745402951

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

16th February 2010: Version 2.0 of the CWE/SANS Top 25 Most Dangerous Software Errors was released.

Take a look and decide which of these weaknesses have been eradicated over the last 14 years.

Web Archive

https://twitter.com/todayininfosec/status/1758712418601971748

20th February 2003: Alan Giang Tran, former network admin for 2 companies, was arrested after allegedly destroying data on the companies' networks. Two months later he pleaded guilty to a federal charge of intentionally causing damage to a protected computer.

https://twitter.com/todayininfosec/status/1760021831354896443

Rant of the Week (14:01)

Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data

Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes.

From at least 2014 to 2020, Avast harvested user web browsing information through its antivirus software and browser extension, according to the FTC’s complaint. This allowed it to collect data on religious beliefs, health concerns, political views, locations, and financial status. The company then stored this information “indefinitely” and sold it to over 100 third parties without the knowledge of customers, the complaint says.

Billy Big Balls of the Week(25:02)
Husband 'made over a million' by eavesdropping on BP wife

The husband of a BP employee has been charged with insider trading in the US following claims he overheard details of calls made by his wife while working from home.

The US Securities and Exchange Commission alleged Tyler Loudon made $1.76m (£1.39m) in illegal profits.

The regulator claimed Mr Loudon heard several of his wife's conversations about BP's takeover of TravelCenters of America and bought shares in the firm.

BP has declined to comment.

The SEC said: "We allege that Mr Loudon took advantage of his remote working conditions and his wife's trust to profit from information he knew was confidential."

His wife - a mergers and acquisitions manager at BP - worked on the oil giant's takeover of TravelCenters. 

The SEC said Mr Loudon purchased 46,450 shares of TravelCenter's stock, without his wife's knowledge, before the deal was made public in February last year.

Following the announcement, TravelCenter's share price rose nearly 71% and Mr Loudon allegedly immediately sold all of his newly-bought shares for a profit, the SEC said.

Industry News (32:16)

Attacker Breakout Time Falls to Just One Hour

NCSC Sounds Alarm Over Private Branch Exchange Attacks

Biden Executive Order to Bolster US Maritime Cybersecurity

Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited

Chinese Duo Found Guilty of $3m Apple Fraud Plot

OWASP Releases Security Checklist for Generative AI Deployment

Russian-Aligned Network Doppelgänger Targets German Elections

Change Healthcare Cyber-Attack Leads to Prescription Delays

ICO Bans Serco Leisure's Use of Facial Recognition for Employee Attendance

Tweet of the Week (42:37)

https://twitter.com/lauriewired/status/1760751495073640705

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

14th February 2001: In a presentation at Black Hat Windows Security Conference 2001, Andrey Malyshev of ElcomSoft shared that Microsoft Excel uses a default encryption password of "VelvetSweatshop".

https://twitter.com/todayininfosec/status/1757782275406622835

16th February 2004: The Netsky worm first appeared. It spread via an email attachment which after opened would search the computer for email addresses then email itself to those addresses. Its dozens of variants accounted for almost a quarter of malware detected in 2004.

https://twitter.com/todayininfosec/status/1758497889972576608      

Rant of the Week (5:10)

Air Canada must pay damages after chatbot lies to grieving passenger about discount

Air Canada must pay a passenger hundreds of dollars in damages after its online chatbot gave the guy wrong information before he booked a flight.

Jake Moffatt took the airline to a small-claims tribunal after the biz refused to refund him for flights he booked from Vancouver to Toronto following the death of his grandmother in November last year. Before he bought the tickets, he researched Air Canada's bereavement fares – special low rates for those traveling due to the loss of an immediate family member – by querying its website chatbot.

The virtual assistant told him that if he purchased a normal-price ticket he would have up to 90 days to claim back a bereavement discount. Following that advice, Moffatt booked a one-way CA$794.98 ticket to Toronto, presumably to attend the funeral or attend to family, and later an CA$845.38 flight back to Vancouver.

He also spoke to an Air Canada representative who confirmed he would be able to get a bereavement discount on his flights and that he should expect to pay roughly $380 to get to Toronto and back. Crucially, the rep didn't say anything about being able to claim the discount as money back after purchasing a ticket.

When Moffatt later submitted his claim for a refund, and included a copy of his grandmother's death certificate, all well within that 90-day window, Air Canada turned him down.

Staff at the airline told him bereavement fare rates can't be claimed back after having already purchased flights, a policy at odds with what the support chatbot told Moffatt. It's understood the virtual assistant was automated, and not a person sat at a keyboard miles away.

Billy Big Balls of the Week (22:06)
Australia passes Right To Disconnect law, including (for now) jail time for bosses who email after-hours

Australia last week passed a Right To Disconnect law that forbids employers contacting workers after hours, with penalties including jail time for bosses who do the wrong thing.

The criminal sanction will soon be overturned – it was the result of parliamentary shenanigans rather than the government's intent – and the whole law could go too if opposition parties and business groups have their way.

European companies have already introduced Right To Disconnect laws in response to digital devices blurring the boundaries between working hours and personal time. The laptops or phones employers provide have obvious after-hours uses, but also mean workers can find themselves browsing emailed or texted messages from their boss at all hours – sometimes with an expectation of a response. That expectation, labor rights orgs argue, extends the working day without increasing pay.

Right To Disconnect laws might better be termed "Right to not read or respond to messages from work" laws because that's what they seek to guarantee.

Industry News (31:45)

US, UK and India Among the Countries Most At Risk of Election Cyber Interference

Southern Water Notifies Customers and Employees of Data Breach

Cybersecurity Spending Expected to be Slashed in 41% of SMEs

GoldPickaxe Trojan Blends Biometrics Theft and Deepfakes to Scam Banks

Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI in Cyber-Attacks

Prudential Financial Faces Cybersecurity Breach

Google Warns Unfair AI Rules Could Empower Hackers, Harming Defense

Hackers Exploit EU Agenda in Spear Phishing Campaigns

New Ivanti Vulnerability Observed as Widespread Security Concerns Grow

Tweet of the Week (39:24)

https://twitter.com/MalwareJake/status/1758454999380557885

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

8th February 2000: A 15-year-old Canadian identified at the time only by his handle  "MafiaBoy" launched a 4-hour DDoS attack against http://cnn.com. The attacks also targeted Yahoo, eBay, Amazon and other sites over a 3 day period. In 2001 a Canadian court sentenced him to 8 months.

https://twitter.com/todayininfosec/status/1755576730306089245

7th February 2000: Dennis Michael Moran (aka Coolio) performed a smurf attack against Yahoo's routers, causing its websites to be inaccessible for hours. Conversations on an IRC channel led to him being identified and convicted for a series of DDoS and website defacement crimes.

https://twitter.com/todayininfosec/status/1755267532540244316     

Rant of the Week (14:35)

Viral news story of botnet with 3 million toothbrushes was too good to be true

In recent days you may have heard about the terrifying botnet consisting of 3 million electric toothbrushes that were infected with malware. While you absent-mindedly attended to your oral hygiene, little did you know that your toothbrush and millions of others were being controlled remotely by nefarious criminals.

Alas, fiction is sometimes stranger than truth. There weren't really 3 million Internet-connected toothbrushes accessing the website of a Swiss company in a DDoS attack that did millions of dollars of damage. The toothbrush botnet was just a hypothetical example that some journalists wrongly interpreted as having actually happened.

It apparently started with a January 30 story by the Swiss German-language daily newspaper Aargauer Zeitung. Tom's Hardware helped spread the tale in English on Tuesday this week in an article titled, "Three million malware-infected smart toothbrushes used in Swiss DDoS attacks."

https://www.malwarebytes.com/blog/awareness/2024/02/how-to-tell-if-your-toothbrush-is-being-used-in-a-ddos-attack

Billy Big Balls of the Week (21:50)

Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’

A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.

The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.

“(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.

Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.

However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized, Chan said.

Believing everyone else on the call was real, the worker agreed to remit a total of $200 million Hong Kong dollars – about $25.6 million, the police officer added.

Industry News (28:58)

Clorox and Johnson Controls Reveal $76m Cyber-Attack Bill

Meta's Oversight Board Urges a Policy Change After a Fake Biden Video

Malware-as-a-Service Now the Top Threat to Organizations

Chinese Spies Hack Dutch Networks With Novel Coathanger Malware

Meta to Introduce Labeling for AI-Generated Images Ahead of US Election

Governments and Tech Giants Unite Against Commercial Spyware

France: 33 Million Social Security Numbers Exposed in Health Insurance Hack

20 Years of Facebook, but Trust in Social Media Remains Rock Bottom

AI-Powered Robocalls Banned Ahead of US Election

Tweet of the Week (37:15)

https://x.com/gossithedog/status/1755282171198054805?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

31st Jan 2011 (13 years ago): Chris Russo reported a vulnerability to dating website PlentyOfFish's CEO Markus Frind's wife. Yada yada yada Markus Frind then accused Russo of extortion and emailed Russo's mother.  

https://techcrunch.com/2011/01/31/plentyoffish-ceo-we-were-hacked-almost-extorted-so-i-emailed-the-hackers-mom/

https://krebsonsecurity.com/2011/01/plentyoffish-com-hacked-blames-messenger/

Rant of the Week (13:56)

The TikTok Hearing Revealed That Congress Is the Problem

For some, the job on Thursday was casting the hearing's only witness, TikTok CEO Shou Zi Chew, as a stand-in for the Chinese government—in some cases, for communism itself—and then belting him like a side of beef. More than a few of the questions lawmakers put to Chew were vague, speculative, and immaterial to the allegations against his company. But the members of Congress asking those questions feigned little interest in Chew’s responses anyway. 

Attempts by Chew, a 40-year-old former Goldman Sachs banker, to elaborate on TikTok’s business practices were frequently interrupted, and his requests to remark on matters supposedly of considerable interest to members of Congress were blocked and occasionally ignored. These opportunities to get the CEO on record, while under oath, were repeatedly blown in the name of expediency and for mostly theatrical reasons. Chew, in contrast, was the portrait of patience, even when he was being talked over. Even when some lawmakers began asking and, without pause, answering their own questions.

The hearing might’ve been a flop, had lawmakers planned to dig up new dirt on TikTok, which is owned by China-based ByteDance, or even hash out what the company could do next to allay their concerns. But that wasn't the aim. The House Energy and Commerce Committee was gathered, it said, to investigate “how Congress can safeguard American data privacy and protect children from online harms.” And on that, the hearing revealed plenty.

Billy Big Balls of the Week (23:41)

ICBC Partners Wary to Resume Trading With Bank After Cyberattack

 Industrial & Commercial Bank of China Ltd., the world’s largest lender by assets, has been unable to convince some market participants that it’s safe to reconnect their computer networks to the bank’s US unit after a ransomware attack disrupted its systems, according to people familiar with the matter.

The attack, which was claimed by the Russia-linked LockBit cybercrime and extortion gang earlier this month, impeded trading in the $26 billion Treasury market and, the people said, it has left users of the bank’s US arm skittish about trading with the bank.

For its part, ICBC has told users that its US division is back online and operational, the people said. One person familiar with the hack and investigation said a reason the bank could get back online quickly was that a key part of its trading system was unaffected by the attack — a server that was more than 20 years old, made by now-defunct IT equipment maker Novell Inc.. That server contained much of the bank’s trading data and capabilities and is so old that LockBit’s ransomware didn’t work on it, the person said.

Industry News (35:28)

US Agencies Failure to Oversee Ransomware Protections Threaten White House Goals

US Thwarts Volt Typhoon Cyber Espionage Campaign Through Router Disruption

Interpol-Led Initiative Targets 1300 Suspicious IPs

Ivanti Releases Zero-Day Patches and Reveals Two New Bugs

Pump-and-Dump Schemes Make Crypto Fraudsters $240m

Google’s Bazel Exposed to Command Injection Threat

Tweet of the Week (41:51)

https://x.com/MikeIrvo/status/1752123455125016839?s=20

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

25th January 2003: The SQL Slammer worm was first observed. It relied on a vulnerability Microsoft reported a whopping 6 months earlier via security bulletin MS02-039. Despite the long-available patch,  75,000 systems were compromised within 10 minutes..

https://twitter.com/todayininfosec/status/1750529757903790431

21st January 1992: Former General Dynamics employee Michael John Lauffenburger was sentenced. He had created a logic bomb, which was programmed to go off on May 24, 1991. Unfortunately for him, an employee accidentally discovered it, dismantled it, and contacted authorities.

https://twitter.com/todayininfosec/status/1749184231752802757     

Rant of the Week (11:10)

Third-party ink cartridges brick HP printers after ‘anti-virus’ update

HP is pushing over-the-air firmware updates to its printers, bricking them if they are using third-party ink cartridges. But don’t worry, it’s not a money-grab, says the company – it’s just trying to protect you from the well-known risk of viruses embedded in ink cartridges …

HP has long been known for sketchy practices in its attempt to turn ink purchases into a subscription service. If you cancel a subscription, for example, the company will immediately stop the printer using the ink you’ve already paid for.

CEO Enrique Lores somehow managed to keep a straight face while explaining to CNBC that the company was only trying to protect users from viruses which might be embedded into aftermarket ink cartridges.

It can create issues [where] the printers stop working because the inks have not been designed to be used in our printers, to then create security issues. We have seen that you can embed viruses in the cartridges, and through the cartridge, go to the printer; from the printer, go to the network.

ArsTechnica asked several security experts whether this could happen, and they said this is so out-there, it would have to be a nation-state attack on a specific individual.

Billy Big Balls of the Week (19:04)

British man Aditya Verma appears in Spanish court over plane-bomb hoax

A British man accused of public disorder after joking about blowing up a flight has gone on trial in Spain.

Aditya Verma made the comment on Snapchat on his way to the island of Menorca with friends in July 2022.

The message, sent before Mr Verma departed Gatwick airport, read: "On my way to blow up the plane (I'm a member of the Taliban)."

Mr Verma told a Madrid court on Monday: "The intention was never to cause public distress or cause public harm."

If found guilty, the university student faces a hefty bill for expenses after two Spanish Air Force jets were scrambled.

Mr Verma's message was picked up by the UK security services who flagged it to Spanish authorities while the easyJet plane was still in the air.

A court in Madrid heard it was assumed the message triggered alarm bells after being picked up via Gatwick's Wi-Fi network.

Industry News (27:39)

Thai Court Blocks 9near.org to Avoid Exposure of 55M Citizens

Mega-Breach Database Exposes 26 Billion Records

French Watchdog Slams Amazon with €32m Fine for Spying on Workers

AI Set to Supercharge Ransomware Threat, Says NCSC

X Makes Passkeys Available for US-Based Users

ChatGPT Cybercrime Surge Revealed in 3000 Dark Web Posts

HPE Says SolarWinds Hackers Accessed its Emails

Southern Water Confirms Data Breach Following Black Basta Claims

China-Aligned APT Group Blackwood Unleashes NSPX30 Implant

Tweet of the Week (33:12)

https://x.com/TheHornetsFury/status/1750612652873928949?s=20

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

11th January 2000: Newly declassified documents proved the existence of ECHELON, a global eavesdropping network run by the NSA.

https://twitter.com/todayininfosec/status/1745518896495390826  

13th January 2009: The domain name http://clintonemail.com was registered - the one used for email addresses on the Clinton family's private email server, which drew controversy when it was revealed that then Secretary of State Hillary Clinton used it for official communications.

https://twitter.com/todayininfosec/status/1746214861091053961    

Rant of the Week (15:53)

The 'nothing-happened' Y2K bug – how the IT industry worked overtime to save world's computers

Forty years ago, both Jerome and Marilyn Murray saw their brainchild reach the light of day. In 1984, their book, Computers in Crisis, was published, becoming the first authoritative guide to the Millennium Bug coding problem, which, in the final year of the century, would consume media, political and business attention.

Today, more than 20 years after the date-field imposed deadline passed, the Millennium Bug — or Y2K problem — still gets a mixed reception. 

While many in the industry see it as a job well done — or at least adequately done — it has also become a byword for the over-reach of experts.

Billy Big Balls of the Week (26:55)

Woman films herself being fired by HR to expose how cold U.S. corporate culture can be (Link to actual TikTok video in here)

Forbes article: Viral TikTok Video Of Cloudflare Employee Is A Lesson On How To Not Fire Workers

Recently, many of the new workplace trends have emanated from TikTok. Influencers have ushered in new themes, such as bare minimum Mondays, acting your wage, quiet quitting and rage applying. A new phenomenon has arisen where employees are now documenting their layoffs on the social media platform.

This week, Brittany Pietsch, a mid-market account executive at Cloudflare, an Internet infrastructure provider that offers a variety of security, performance and reliability services for websites and applications, went viral after posting a video of her being let go from the tech company.

Pietsch anticipated her firing, as her “work bff” had been given the pink slip 30 minutes prior to her meeting. The account executive was joined on a video call by a member of the human resources team and another individual, who didn’t introduce himself and jumped right into the purpose of the call, “We have an important meeting today. We finished our evaluations of 2023 performance. This is where you have not met Cloudflare expectations for performance. We have decided to part ways with you.”

Industry News (36:02)

1.3 Million FNF Customers' Data Potentially Exposed in Ransomware Attack

HelloFresh Fined £140K After Sending 80 Million Spam Messages

British Library Catalogue Back Online After Ransomware Attack

Senators Demand Probe into SEC Hack After Bitcoin Price Spike

Tool Identifies Pegasus and Other iOS Spyware

Majorca Tourist Hotspot Hit With $11m Ransom Demand

AI, Gaming, FinTech Named Major Cybersecurity Threats For Kids

NCSC Builds New “Cyber League” Threat Tracking Community

Iranian Phishing Campaign Targets Israel-Hamas War Experts

Tweet of the Week (42:01)

https://twitter.com/0xdade/status/1747820425693045014

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

6th January 2014: Intel renamed its McAfee subsidiary Intel Security, distancing itself from the name of McAfee's founder, John McAfee. In 2017 Intel spun off McAfee as a separate company...then several months later John McAfee and Intel settled a lawsuit over Intel's use of the McAfee name.

https://twitter.com/todayininfosec/status/1743711096559554607

10th January 2000: The FBI was after the hacker Maxim after he posted credit card numbers online when CD Universe refused to pay $100,000 in extortion. 6 months later it was shared that he'd likely never be prosecuted b/c 1 or more of the firms which performed IR screwed up chain of custody.

Data thief threatens to strike again

https://twitter.com/todayininfosec/status/1745207259058081942   

8th January 1986: "The Hacker Manifesto" was written by Loyd Blankenship (aka The Mentor) and originally titled "The Conscience of a Hacker".

8 months later it was published in issue 7 of the hacker zine Phrack.

Read it [again]. 

http://phrack.org/issues/7/3.html#article

https://twitter.com/todayininfosec/status/1744413963696161010

Rant of the Week (16:44)

Cybercrooks play dress-up as 'helpful' researchers in latest ransomware ruse

Posing as cyber samaritans, scumbags are kicking folks when they're down

Ransomware victims already reeling from potential biz disruption and the cost of resolving the matter are now being subjected to follow-on extortion attempts by criminals posing as helpful security researchers.

Researchers at Arctic Wolf Labs publicized two cases in which casulaties of the Royal and Akira ransomware gangs were targeted by a third party, believed to be the same individual or group in both scenarios, and extorted by a fake cyber samaritan.

Victims were approached by a "security researcher" who offered post-exploitation services. In one case, the mark was told the ransomware gang's server could be hacked and their stolen data could be deleted.

Another victim was told the "researcher," who used different monikers in each attempt, gained access to the servers used to store victims' stolen data, offering the chance to either delete it or grant the victim access to the server themselves.

In return, the hacked customers were asked for a fee of approximately 5 Bitcoin ($225,823 at today's exchange rate).

"As far as Arctic Wolf Labs is aware, this is the first published instance of a threat actor posing as a legitimate security researcher offering to delete hacked data from a separate ransomware group," Stefan Hostetler and Steven Campbell, both senior threat intelligence researchers at Arctic Wolf, blogged.

"While the personalities involved in these secondary extortion attempts were presented as separate entities, we assess with moderate confidence that the extortion attempts were likely perpetrated by the same threat actor."

Billy Big Balls of the Week (21:34)

All India Pregnant Job service: Indian men conned by 'impregnating women' scam

As cyber scams go, this one is rather unique.

In early December Mangesh Kumar (name changed) was scrolling on Facebook when he came across a video from the "All India Pregnant Job Service" and decided to check it out.

The job sounded too good to be true: money - and lots of it - in return for getting a woman pregnant.

It was, of course, too good to be true. So far, the 33-year-old, who earns 15,000 rupees ($180; £142) per month working for a wedding party decoration company, has already lost 16,000 rupees to fraudsters - and they are asking for more.

But Mangesh, from the northern Indian state of Bihar, is not the only person to fall for the scam.

Deputy superintendent of police Kalyan Anand, who heads the cyber cell in Bihar's Nawada district, told the BBC there were hundreds of victims of an elaborate con where gullible men were lured to part with their cash on the promise of a huge pay day, and a night in a hotel with a childless woman.

So far, his team have arrested eight men, seized nine mobile phones and a printer, and are still searching for 18 others.

But finding the victims has proved more tricky.

Industry News (29:21)

23andMe Blames User “Negligence” for Data Breach

Merck Settles With Insurers Over $700m NotPetya Claim

North Korean Hackers Stole $600m in Crypto in 2023

Anti-Hezbollah Groups Hack Beirut Airport Screens

Ukrainian “Blackjack” Hackers Take Out Russian ISP

Cyber Insurance Market to be Worth Over $90bn by 2033

Only 4% of US States Fully Prepared for Cyber-Attacks Targeting Elections

NCSC Publishes Practical Security Guidance For SMBs

Mandiant's X Account Was Hacked in Brute-Force Password Attack

Tweet of the Week (38:11)

https://twitter.com/chris_walker_/status/1744805492273430886

Come on! Like and bloody well subscribe!

With content liberated from the “Today in infosec” Twitter account and further afield

11th December 2010: The hacker group Gnosis released the source code for Gawker's website and 1.3 million of its users' password hashes.

After a jury found Gawker's parent company liable in a lawsuit filed by Hulk Hogan and awarded him $140 million, Gawker shut down in 2016. 

https://twitter.com/todayininfosec/status/1734217170173763907

14th December 2009: RockYou admitted that 32 million users' passwords (stored as plain text) and email addresses were compromised via a SQL injection vulnerability. RockYou's customer notification said "it was important to notify you of this immediately"...10 days after they became aware.

https://twitter.com/todayininfosec/status/1735357287147995514   

Not really infosec https://x.com/depthsofwiki/status/1735147763447595024?s=20 but 14th Dec 2008 was the infamous Bush shoeing incident. Where Bush ducked the shoes thrown by Al-Zaidi while the Iraqi PM Nouri Al-Maliki tried to parry it. 

Rant of the Week (22:10)

UK government woefully unprepared for 'catastrophic' ransomware attack

The UK has failed to address the threat posed by ransomware, leaving the country at the mercy of a catastrophic ransomware attack that the Joint Committee on National Security Strategy (JCNSS) yesterday warned could occur "at any moment."

The Parliamentary Select Committee reached this conclusion in a scathing report released December 13 that accused the government of failing to take ransomware seriously, and of providing "next-to-no support" to victims of ransomware attacks.

"There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking," the report concluded. "There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure."

Recent examples of ransomware infections at UK government institutions and critical private infrastructure are not hard to find.

Manchester Police, Royal Mail and the British Library have all fallen victim to ransomware attacks since September 2023.

In July 2023, the Barts Health NHS Trust hospital group was hit by the BlackCat ransomware gang. The NHS had already been taught a lesson about the vicious power of ransomware in 2017 when multiple Brit hospitals stopped taking new patients, other than in emergencies, after being hobbled by WannaCry.

Third-party providers of NHS software systems have been hit as well, taking systems offline and forcing care providers to revert to pen and paper.

In short, the situation with ransomware in the UK is already bad, and the JCNSS has predicted things will likely get worse.

Billy Big Balls of the Week (29:54)

Polish Hackers Repaired Trains the Manufacturer Artificially Bricked.

After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service.

They did DRM to a train. 

In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it. 

The fallout from the situation is currently roiling Polish infrastructure circles and the repair world, with the manufacturer of those trains denying bricking the trains despite ample evidence to the contrary. The manufacturer is also now demanding that the repaired trains immediately be removed from service because they have been “hacked,” and thus might now be unsafe, a claim they also cannot substantiate. 

Industry News (38:38)

EU Reaches Agreement on AI Act Amid Three-Day Negotiations

Europol Raises Alarm on Criminal Misuse of Bluetooth Trackers

Widespread Security Flaws Blamed for Northern Ireland Police Data Breach

UK Ministry of Defence Fined For Afghan Data Breach

UK at High Risk of Catastrophic Ransomware Attack, Government Ill-Prepared

MITRE Launches Critical Infrastructure Threat Model Framework

Microsoft Targets Prolific Outlook Fraudster Storm-1152

Vulnerabilities Now Top Initial Access Route For Ransomware

Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

Tweet of the Week (46:06)  

https://x.com/WorkRetireDie/status/1732108681087508947?s=20

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

5th December 2011: Fyodor reported that CNET's http://Download.com had been wrapping its Nmap downloads in a trojan installer...in order to monetize spyware and adware. CNET quickly stopped, then resumed within days, it affected other downloads, and was a debacle.

Download.com Caught Adding Malware to Nmap & Other Software

https://twitter.com/todayininfosec/status/1732073893912047860

4th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. Today? Billions of  compromised records from hundreds of breaches. Search your email addresses for free.

https://twitter.com/todayininfosec/status/1731673318560801228    

Rant of the Week (13:29)

It's ba-ack... UK watchdog publishes age verification proposals

The UK's communications regulator has laid out guidance on how online services might perform age checks as part of the Online Safety Act.

The range of proposals from Ofcom are likely to send privacy activists running for the hills. These include credit card checks, facial age estimation, and photo ID matching.

The checks are all in the name of protecting children from the grot that festoons large swathes of the world wide web. However, service providers will likely be stuck between a rock and a hard place in implementing the guidance without also falling foul of privacy regulations. For example, Ofcom notes the following age checks as potentially "highly effective":

• Open banking, where a bank confirms a user is over 18 without sharing any other personal information.
• Mobile network operator (MNO) age check, where the responsibility is shunted onto an MNO content restriction filter that can only be removed if the device user can prove to the MNO that they are over 18.
• Photo ID matching, where an image of the user is compared to an uploaded document used as proof of age to verify that they are the same person.
• Credit card checks, where a credit card account is checked for validity – in the UK, credit card holders must be over 18.
• Digital identity wallets and, our favorite, facial age estimation, where the features of a user's face are analyzed to estimate the user's age.

It doesn't take a genius to imagine how a determined teenager might circumvent many of these restrictions, nor the potential privacy nightmare inherent in many of them if an adult is forced to share this level of info when accessing age-restricted sites.

Billy Big Balls of the Week (23:12)

WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password

Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform.

The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else."

Secret Code builds on another feature called Chat Lock that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics.

By setting a unique password for these locked chats that are different from the password used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted.

"You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added.

The development comes weeks after WhatsApp introduced a "Protect IP Address in Calls" feature that masks users' IP addresses to other parties by relaying the calls through its servers.

Industry News

Sellafield Accused of Covering Up Major Cyber Breaches

Porn Age Checks Threaten Security and Privacy, Report Warns

US Federal Agencies Miss Deadline for Incident Response Requirements

Disney+ Cyber Scheme Exposes New Impersonation Attack Tactics

Police Arrest 1000 Suspected Money Mules

Deutsche Wohnen Ruling Set to Drive Up GDPR Fines

Cambridge Hospitals Admit Two Excel-Based Data Breaches

Governments Spying on Apple and Google Users, Says Senator

Liability Fears Damaging CISO Role, Says Former Uber CISO

Tweet of the Week 

https://twitter.com/MalwareJake/status/1732463774949310547

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

24th November 2014: The Washington Post published an article which included a photo of TSA master keys. A short time later functional keys were 3-d printed using the key patterns in the photo. 

https://twitter.com/todayininfosec/status/1728048404452782497

26th November 2001: "In an effort to turn the tide in the war on terrorism", Cult of the Dead Cow offered its expertise to the FBI. How did it plan on helping? By architecting a new version of Back Orifice for use by the US federal government.

"THE CULT OF THE DEAD COW OFFERS A HELPING HAND IN AMERICA'S TIME OF NEED"

https://twitter.com/todayininfosec/status/1728998509033238952   

Rant of the Week (18:55)

Interpol makes first border arrest using Biometric Hub to ID suspect

European police have for the first time made an arrest after remotely checking Interpol's trove of biometric data to identify a suspected smuggler.

The fugitive migrant, we're told, gave a fake name and phony identification documents at a police check in Sarajevo, Bosnia and Herzegovina, while traveling toward Western Europe. And he probably would have got away with it, too, if it weren't for you meddling kids Interpol's Biometric Hub – a recently activated tool that uses French identity and biometrics vendor Idemia's technology to match people's biometric data against the multinational policing org's global fingerprint and facial recognition databases.

"When the smuggler's photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country," Interpol declared. "He was arrested and is currently awaiting extradition."

Interpol introduced the Biometric Hub – aka BioHub – in October, and it is now available to law enforcement in all 196 member countries.

Billy Big Balls of the Week (27:42)

https://www.theregister.com/2023/11/28/cert_in_rti_exemption/

India's government has granted its Computer Emergency Response Team, CERT-In, immunity from Right To Information (RTI) requests – the nation's equivalent of the freedom of information queries in the US, UK, or Australia.

Reasons for the exemption have not been explained, but The Register has reported on one case in which an RTI request embarrassed CERT-In.

That case related to India's sudden decision, in April 2022, to require businesses of all sizes to report infosec incidents to CERT-in within six hours of detection. The rapid reporting requirement applied both to serious incidents like ransomware attacks, and less critical messes like the compromise of a social media account.

CERT-In justified the rules as necessary to defend the nation's cyberspace and gave just sixty days notice for implementation.

The plan generated local and international criticism for being onerous and inconsistent with global reporting standards such as Europe's 72-hour deadline for notifying authorities of data breaches.

The reporting requirements even applied to cloud operators, who were asked to report incidents on tenants' servers. Big Tech therefore opposed the plan.

Industry News (34:04)

Cybersecurity Incident Hits Fidelity National Financial

Cybercriminals Hesitant About Using Generative AI

Google Fixes Sixth Chrome Zero-Day Bug of the Year

DeleFriend Weakness Puts Google Workspace Security at Risk

Okta Admits All Customer Support Users Impacted By Breach

Thousands of Dollar Tree Staff Hit By Supplier Breach

Booking.com Customers Scammed in Novel Social Engineering Campaign

Manufacturing Top Targeted Industry in Record-Breaking Cyber Extortion Surge

North Korean Hackers Amass $3bn in Cryptocurrency Heists

Tweet of the Week (43:12)

https://twitter.com/JamesGoz/status/1730498780812767350

Come on! Like and bloody well subscribe!

23rd November 2011: KrebsonSecurity reported that Apple took over 3 years to fix the iTunes software update process vulnerability which the FinFisher remote spying Trojan exploited. Evilgrade toolkit author Francisco Amato had reported it to Apple in 2008.

Apple Took 3+ Years to Fix FinFisher Trojan Hole

https://twitter.com/todayininfosec/status/1727687798017106025

12th November 2009: John Matherly announced the public beta launch of Shodan (@shodanhq) - the first search engine for internet-connected devices.

https://twitter.com/todayininfosec/status/1727462790330232951  

Rant of the Week (10:51)

Former infosec COO pleads guilty to attacking hospitals to drum up business

An Atlanta tech company's former COO has pleaded guilty to a 2018 incident in which he deliberately launched online attacks on two hospitals, later citing the incidents in sales pitches.

Under a plea deal he signed last week, Vikas Singla, a former business leader at network security vendor Securolytics – a provider to healthcare institutions, among others – admitted that in September 2018 he rendered the Ascom phone system of Gwinnett Medical Center inoperable.

Gwinnett Medical Center operates hospitals in Duluth and Lawrenceville and the deliberate disablement of the Ascom phone system meant the main communication line between doctors and nurses was unavailable to them.

More than 200 phones were taken offline, which were used for internal communications, including "code blue" incidents that often relate to cardiac or respiratory emergencies.

Billy Big Balls of the Week (18:52) 

UK's cookie crumble: Data watchdog serves up tougher recipe for consent banners

The UK's Information Commissioner's Office (ICO) is getting tough on website design, insisting that opting out of cookies must be as simple as opting in.

At question are advertising cookies, where users should be able to "Accept All" advertising cookies or reject them. Users will still see adverts regardless of their selection, but rejecting advertising cookies means ads must not be tailored to the person browsing.

However, the ICO noted that: "Some websites do not give users fair choices over whether or not to be tracked for personalized advertising." This is despite guidance issued in August regarding harmful designs that can trick users into giving up more personal information than intended.

A few months on, the ICO has upped the ante. It has now given 30 days' notice to companies running many of the UK's most visited sites that they must comply with data protection regulations or face enforcement action.

Industry News (26:16) 

Cybersecurity Executive Pleads Guilty to Hacking Hospitals

Regulator Issues Privacy Ultimatum to UK’s Top Websites

Microsoft Launches Defender Bug Bounty Program

Why Ensuring Supply Chain Security in the Space Sector is Critical

British Library: Ransomware Attack Led to Data Breach

North Korea Blamed For CyberLink Supply Chain Attacks

US Seizes $9m From Pig Butchering Scammers

North Korean Software Supply Chain Threat is Booming, UK and South Korea Warn

InfectedSlurs Botnet Resurrects Mirai With Zero-Days

Tweet of the Week (32:28)

https://twitter.com/MichaelaOkla/status/1721715089970274542

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

1. 15th November 1994: The earliest known example of the Good Times email hoax virus was posted to the TECH-LAW mailing list. Variants of the hoax spread for several years. In 1997, Cult of the Dead Cow (cDc) claimed responsibility for initiating the hoax..

https://twitter.com/todayininfosec/status/1724867863725412627

1. 12th November 2012: John McAfee went into hiding because his neighbor, Gregory Faull, was found dead from a gunshot. Belize police wanted him to come in for questioning, but he fled to Guatemala where he was then arrested. He was never charged, though he lost a $25 million wrongful death suit. 

https://twitter.com/todayininfosec/status/1723790884053938623

11:57 Rant of the Week

Clorox CISO flushes self after multimillion-dollar cyberattack

The Clorox Company's chief security officer has left her job in the wake of a corporate network breach that cost the manufacturer hundreds of millions of dollars.

 18:15 Billy Big Balls

BlackCat plays with malvertising traps to lure corporate victims

Ads for Slack and Cisco AnyConnect actually downloaded Nitrogen malware

AlphV files SEC complaint

Affiliates of ransomware gang AlphV (aka BlackCat) claimed to have compromised digital lending firm MeridianLink – and reportedly filed an SEC complaint against the fintech firm for failing to disclose the intrusion to the US watchdog.

First reported by DataBreaches, the break-in apparently happened on November 7. AlphaV’s operatives claimed they did not encrypt any files but did steal some data – and MeridianLink was allegedly aware of the intrusion the day it occurred.

24:15 Industry news

MPs Dangerously Uninformed About Facial Recognition – Report

Cyber-Attack Could Have “Devastating” Impact on Aussie Exports

NCSC: UK Facing “Enduring and Significant” Cyber-Threat

UK Privacy Regulator Issues Black Friday Smart Device Warning

US Government Unveils First AI Roadmap For Cybersecurity

European Police Take Down $9m Vishing Gang

BlackCat Ransomware Group Reports Victim to SEC

Russian Hacking Group Sandworm Linked to Unprecedented Attack on Danish Critical Infrastructure

Cyber-Criminals Exploit Gaza Crisis With Fake Charity

30:56 Tweet of the Week

https://twitter.com/FadzaiVeanah/status/1724825417196904743

Come on! Like and bloody well subscribe!

2002: In response to a report which insinuated Mac is less vulnerable than Windows, Microsoft suggested few focus on discovering Mac vulnerabilities and that products with more customers will have more vulnerabilities reported.

https://t.co/WOUUDOB0g6

https://x.com/todayininfosec/status/1721895407545143382?s=20

Rant of the Week (11:09)

Photos of naked patients and medical records have been posted online by extortionists who hacked a Las Vegas plastic surgery, driving victims to file a lawsuit claiming not enough care was taken to protect their private information.

https://www.bitdefender.com/blog/hotforsecurity/women-sue-plastic-surgery-after-hack-saw-their-naked-photos-posted-online/

Billy Big Balls of the Week (20:48)

A federal judge on Tuesday refused to bring back a class action lawsuitalleging four auto manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record and intercept customers’ private text messages and mobile phone call logs.

https://therecord.media/class-action-lawsuit-cars-text-messages-privacy

Industry News (29:28) 

SentinelOne to acquire cybersecurity consulting firm Krebs Stamos Group

NATO allies express support for collective response to cyberattacks

Council for Scottish islands faces IT outage after ‘incident’

Mortgage giant Mr. Cooper using alternative payment options after cyberattack

Serbian pleads guilty to running ‘Monopoly’ darknet marketplace

Japan Aviation Electronics says servers accessed during cyberattack

Tweet of the Week (42:39)

https://twitter.com/j4vv4d/status/1722916507653394575?s=61&t=0s-EyC1T6uSS3Lo_cyqI4w

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

26th October 2006: Christopher Soghoian created a website allowing visitors to generate fake airlines boarding passes. A congressman called for his arrest, his ISP shut down his site, the FBI raided his home, and then the same congressman said DHS should hire him. His career since? Notable.

https://twitter.com/todayininfosec/status/1717530966229475523

24th October 2010: Eric Butler announced Firefox extension Firesheep's release at Toorcon, making HTTP session hijacking on open Wi-Fi trivial. Today >95% of websites have enabled HTTPS and efforts like browser HTTPS-Only mode have largely eliminated the risk. A security industry success! 

https://twitter.com/todayininfosec/status/1716990537171918976

Rant of the Week (16:00)

First Brexit, now X-it: Musk 'considering' pulling platform from EU over probe

Elon Musk is said to be toying with the idea of withdrawing access to X in the European Union rather than go to the effort of complying with the bloc's Digital Services Act.

As The Register reported last week, His Muskiness had a rather public spat on the website with Thierry Breton, EU Commissioner for Internal Market, who was simply reminding social media platforms of their content moderation obligations under the law.

This was particularly in light of renewed hostilities between Israel and Hamas, and the potential disinformation campaigns that had begun swirling online. Meta, TikTok, and YouTube were also sent letters.

"Free speech absolutist" Musk's response was sarcastic and juvenile, the kind of smack talk that would get a teen grounded. It would take a couple of days for the adult in the room, CEO Linda Yaccarino, to get a formal response written.

However, by then the EU had indicated that X was now under investigation on account of its designation as Very Large Online Platform under the Digital Services Act, which means it has to follow rules regarding how it handles illegal content among many other things.

Since Musk increasingly appears to see obeying the law as optional for him, it would be very unlike the X owner to actually do anything, and whispers out of the company seem to support this.

That most watertight of sources, "a person familiar with the matter," told Insider that Musk "has discussed simply removing the app's availability in the region, or blocking users in the European Union from accessing it," much like how Meta's Threads declined to launch in the EU because it was unwilling and/or unable to meet the union's onerous data protection and privacy requirements.

Twitter, which was once intensely moderated, has become a wild west of violence, misinformation, disinformation, racism, and hardcore pornography. Many of the website's rules judging what users can and can't post have been screwed up and tossed in the trash.

Billy Big Balls of the Week (26:45)

‘How not to hire a North Korean plant posing as a techie’ guide updated by US and South Korean authorities

US and South Korean authorities have updated their guidance on how to avoid hiring North Korean agents seeking work as freelance IT practitioners

Thousands of North Korean techies are thought to prowl the world’s freelance platforms seeking work outside the Republic. Kim Jong Un’s regime uses the workers to earn hard currency, and infiltrate organizations they work for to steal secrets and plant malware. The FBI has previously warned employers to watch for suspicious behavior such as logging in from multiple IP addresses, working odd hours, and inconsistencies in name spellings across different online platforms.

The updated advice adds other indicators that freelancer you are thinking about hiring could be a North Korean plant, including:

• Repeated requests for prepayment followed by “anger or aggression when the request is denied”;
• Threats to release proprietary source codes if additional payments are not made;
• Using a freight forwarder’s address as the destination for a company laptop rather than a home address, and changing that address frequently;
• Evading in-person meetings or requests for drug tests;
• Changing payment methods or accounts on freelance-finder platforms;
• Having multiple online profiles for the same identity with different pictures, or online profiles with no picture.

The updated guidance suggests requiring recruitment companies to document their background checking processes, to be sure that they can screen out North Korean stooges. 

Conducting your own due diligence on workers suggested by recruiters is also recommended.

Industry News (33:45)

Okta Breached Via Stolen Credential

Generative AI Can Save Phishers Two Days of Work

AI to Create Demand for Digital Trust Professionals, ISACA Survey Finds

AWS: Security Not a Priority For a Third of SMBs

Humans Need to Rethink Trust in the Wake of Generative AI

UK Parliament Opens Inquiry into Cyber-Resilience

CISA Releases Cybersecurity Toolkit For Healthcare

Europol: Police Must Start Planning For Post-Quantum Future

UK IT Pros Express Concerns About C-Suite’s Generative AI Ambitions

NADINE DORRIES: I Googled my name, and learnt all about Big Tech!

https://www.dailymail.co.uk/debate/article-12663701/NADINE-DORRIES-Googled-learnt-Big-Tech.html

https://twitter.com/AdamBienkov/status/1716735397802233947

“Nadine Dorries, who until last year was in charge of digital regulation in the UK, says tech executives have “big dials” which they deliberately use to “nudge opinion ever leftwards” and suggests this was somehow hidden from her when she met them”

Tweet of the Week (41:05)

https://twitter.com/gcluley/status/1717433320823218640

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

8th October 2018: Google announced that it exposed the private info of hundreds of thousands of Google+ users between 2015 and 2018, only disclosing it 7 months after discovery because it was reported by The Wall Street Journal. Social network Google+ launched in 2011 and closed in 2019. 

Google hid major Google+ security flaw that exposed users’ personal information

https://twitter.com/todayininfosec/status/1711159728552685667

16th October 1983: FBI agents raided homes of "young electronics buffs known as 'hackers'" in 6 states as part of an investigation of unauthorized intrusions into scores of large commercial and DoD computers. These teens included Lord Flathead - real name Tom Anderson, future MySpace founder.

https://twitter.com/todayininfosec/status/1712593589237076056

Rant of the Week (15:44)

Everest cybercriminals offer corporate insiders cold, hard cash for remote access

The Everest ransomware group is stepping up its efforts to purchase access to corporate networks directly from employees amid what researchers believe to be a major transition for the cybercriminals.

In a post at the top of its dark web victim blog, Everest said it will offer a "good percentage" of the profits generated from successful attacks to those who assist in its initial intrusion.

The group also promised to offer partners "full transparency" regarding the nature of each operation, as well as confidentiality about their role in the attack.

Everest is specifically looking for access to organizations based in the US, Canada, and Europe, and would accept remote access by a variety of means including TeamViewer, AnyDesk, and RDP.

Billy Big Balls of the Week (22:23)

Chinese citizens feel their government is doing a fine job with surveillance

Chinese residents are generally comfortable with widespread use of surveillance technology, according to a year-long project conducted by the Australian Strategic Policy Institute (ASPI) and an unnamed non-government research partner.

The project mainly investigated how state surveillance is conducted by Beijing and how the population of the People's Republic of China (PRC) perceives it. For the investigation, the researchers conducted media analysis, and an online survey of over 4,000 Chinese citizens.

Most respondents ranked their trust in central government positively – at an average of 7.3 on a scale out of 10. Businesses received a 6.7 rating. When it came to surveillance – by video, audio or internet activity – roughly half said they were comfortable.

As part of the project, ASPI provided a tool that could be considered quite subversive in China: an interactive website that provided access to uncensored non-Beijing information about deployed surveillance technologies and the agencies that run them. It consisted of five educational modules with quizzes at the end.

The website content was shaped by the survey results and reached over 55,000 users over the course of four months. It covered facial recognition, Wi-Fi probes, DNA surveillance, database management and surveillance cameras.

Industry News (28:08)

AWS to Mandate Multi-Factor Authentication from 2024

Blackbaud Settles Ransomware Breach Case For $49.5m

DNA Tester 23andMe Hit By Credential Stuffing Campaign

MGM Resorts Reveals Over $100M in Costs After Ransomware Attack

Air Europa Asks Customers to Cancel Cards After Breach

US Smashes Annual Data Breach Record With Three Months Left

European Police Hackathon Hunts Down Traffickers

Chinese APT ToddyCat Targets Asian Telecoms, Governments

California Enacts “Delete Act” For Data Privacy

Tweet of the Week (36:01) 

https://twitter.com/ireteeh/status/1712408097170325968

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

2006: The http://wikileaks.org domain name was registered, though the first document wasn't posted to WikiLeaks until December.

Assange taken from Ecuador embassy in April 2019, since been staying at his majesty’s pleasure at Belmarsh.

2005: The Samy worm, the first self-propagating cross-site scripting worm, was released onto the mega-popular MySpace by 19-year-old Samy Kamkar (

@samykamkar

He's since made numerous impactful security and privacy field contributions. 

https://en.m.wikipedia.org/wiki/Samy_Kamkar

https://en.wikipedia.org/wiki/Samy_(computer_worm)

The worm itself was relatively harmless; it carried a payload that would display the string "but most of all, samy is my hero" on a victim's MySpace profile page as well as send Samy a friend request. When a user viewed that profile page, the payload would then be replicated and planted on their own profile page continuing the distribution of the worm. MySpace has since secured its site against the vulnerability.[1]

2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress one person in the IT department was at fault. 

https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html

It took 960 hours (40 days) between Equifax finding out about the breach and warning the public.  Millions of people’s data in US, UK, and elsewhere stolen.

Three Equifax execs sold $1.8 million of stock days after breach discovery

Rant of the Week (17:16) 

https://www.theregister.com/2023/10/04/onedrive_to_acquire_copilot_skills/

Microsoft is to overhaul OneDrive in a move that will bring Copilot to the cloud storage service and herd users towards the tool's web interface.

Inevitably, Copilot skills are due to arrive in OneDrive. Microsoft hopes these will help users find files and stay organized. Worryingly, in the example given, Copilot can move files around and create folders depending on its interpretation of the user's instructions. What could possibly go wrong?

Billy Big Balls of the Week (26:06)

EXCLUSIVE A four-hour system interruption in September at the Veterans Affairs Medical Center in Kansas City, Missouri has been attributed to a cat jumping on a technician's keyboard.

So we're told by a source, who heard the tale on one of the regular weekday calls held by the US government department with its CIO, during which recent IT problems are reviewed. We understand that roughly 100 people – contractors, vendors, and employees – participate in these calls at a time.

On a mid-September call, one of the participants explained that while a technician was reviewing the configuration of a server cluster, their cat jumped on the keyboard and deleted it. Or at least that's their story.

Kurt DelBene, assistant secretary for information and technology and CIO at the Department of Veterans Affairs, is said to have responded on the call with words to the effect that: "This is why I have a dog." There was laughter and not much more – it was a short incident report.

https://www.theregister.com/2023/10/05/hospital_cat_incident/

Industry News (31:30)

Apple Issues Emergency Patches for More Zero-Day Bugs

Record Numbers of Ransomware Victims Named on Leak Sites

CISA and NSA Tackle IAM Security Challenges in New Report

Scammers Impersonate Companies to Steal Cryptocurrency from Job Seekers

Critical Glibc Bug Puts Linux Distributions at Risk

US Government Proposes SBOM Rules for Contractors

China Poised to Disrupt US Critical Infrastructure with Cyber-Attacks, Microsoft Warns

GoldDigger Android Trojan Drains Victim Bank Accounts

LightSpy iPhone Spyware Linked to Chinese APT41 Group

Tweet of the Week (40:56)

https://twitter.com/infosecmo/status/1709289777973883000?s=61&t=UAjRqPj0iqNyKsG8ZaAiig

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

25th September 1986: "The Hacker Manifesto" was published by The Mentor (Loyd Blankenship) in issue 7 of the hacker zine Phrack. It was originally titled "The Conscience of a Hacker". 

Phrack #7

https://twitter.com/todayininfosec/status/1706364950623515017  

26th September 1988: Time Magazine published the article "Technology: Invasion of the Data Snatchers - A 'virus' epidemic strikes terror in the computer world". The 9 page article is an interesting glimpse into the state of malware risk, response, and fears 35 years ago.

Technology: Invasion of the Data Snatchers

https://twitter.com/todayininfosec/status/1706690706863952278

Rant of the Week (13:54) 

After failing at privacy, again, Google is working to keep Bard chats out of Search

Google's Bard chatbot is currently being re-educated to better understand privacy.

In July, Bard gained the ability to share conversations with other people using a unique public link. Unfortunately, Google Search has indexed those shared links, making them more widely available and discoverable than Bard patrons might expect.

[Open the story and read from there - it’s much easier 🙂]

At least such oversights don't happen all that often at Google, which has a 33-page privacy policy [PDF] detailing how much the company values user privacy. Apart from an $100 million biometric privacy settlement with Illinois in April 2022, an $85 million location data settlement with Arizona in October 2022, a $391.5 million privacy settlement in November 2022 with a 40-state coalition of Attorneys General, and $29.5 million to settle location tracking claims in Indiana and Washington DC, you have to back all the way to 2019 – when the FTC settled with Google and YouTube for gathering kids info without consent – to find substantive privacy issues at the 25-year-old search advertising biz.

Frankly, the presence of Bard chats in Google Search barely rates on a list of text ads giant's greatest privacy misses, which includes Street View cars collecting sensitive data from Wi-Fi networks and combining its ad data with Google user's personal data.

Billy Big Balls of the Week (22:46)

China's national security minister rates fake news among most pressing cyber threats

This story in a meme:

Chinese minister for national security Chen Yixin has penned an article rating the digital risks his country faces and rated network security incidents as the most realistic source of harm to the Chinternet – both in terms of attacks and the dissemination of fake news.

The new article reiterates Xi Jinping's thoughts on network and cyber power, which boil down to a recognition of the internet's central role in almost all aspects of modern life and the subsequent need for security and governance.

In China governance includes restrictions on free speech and detection and deletion of information felt to be incorrect. Or as minister Chen put it, after machine translation: "The internet has increasingly become the source, conductor, and amplifier of various risks. A small incident can become a whirlpool of public opinion. Some rumours can easily turn a 'storm in a teacup' into a 'tornado' in real society."

Chen's article rates "increasingly fierce competition between great powers in cyberspace" as the most significant competitive threat China faces in the digital domain. He accused rivals of using "so-called 'risk removal' as an excuse and using ideology as a standard to create technology 'small circles' such as 'Clean Network' and 'Chip Alliance,' and even expanded the use of policy tools such as export controls, security reviews, and restricted exchanges."

The minister argues such initiatives are motivated by other nations' desire to cement technology leadership positions and build monopolies, rather than genuine concerns.

Industry News (30:07)

UK-US Confirm Agreement for Personal Data Transfers

US Government IT Staffer Arrested on Espionage Charges

Half of Cyber-Attacks Go Unreported

NCSC Launches Cyber Incident Exercise Scheme

Attacks on European Financial Services Double in a Year

Regulator Warns Breaches Can Cost Lives

US and Japan Warn of Chinese Router Attacks

US Lawmaker: Government Shutdown Will Leave Americans Exposed to Cyber-Attacks

Booking.com Customers Targeted in Major Phishing Campaign

Tweet of the Week (37:51)

https://twitter.com/SoVeryBritish/status/1707463344016306453

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes. $ echo "admin" | rev nimda  

https://twitter.com/todayininfosec/status/1703760366688211041

16th September 2008: 20-year-old David Kernell compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, then posted her emails to 4chan. 2 years later he was found guilty and sentenced to a year in prison. At age 30 he died of complications related to MS.

https://twitter.com/todayininfosec/status/1703169477548884296

Rant of the Week (14:55)

[We’re sympathetic of companies who get hacked and what they have to deal with, but there comes a time when they’re repeatedly hacked and you have to ask questions]:

T-Mobile app glitch let users see other people's account info

T-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application.

According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.

As first reported by The Verge, some of the customers affected by this issue could see the sensitive information of multiple other people while logged into their own accounts.

While a massive number of reports started surfacing earlier today on Reddit and Twitter, some T-Mobile customers also claimed that they've been experiencing this throughout the last two weeks.

"Reported this issue when it first popped up here on Reddit over 2 weeks ago and sent pics of the other person's info to their security team. No response, but wow, just wow," one customer said.

Nine data breaches since 2018

In May, T-Mobile disclosed the second data breach since the start of 2023 after hundreds of customers had their personal information exposed between late February and March after attackers hacked into the carrier's systems.

In January, the mobile carrier revealed another data breach after the sensitive info of 37 million customers was stolen using one of its Application Programming Interfaces (APIs).

Since 2018, T-Mobile has been hit by seven other data breaches:

• In August 2018, attackers accessed the data of around 3% of all T-Mobile customers.
• In 2019, T-Mobile exposed the account info of an undisclosed number of prepaid customers.
• In March 2020, T-Mobile employees were affected by a breach exposing their personal and financial information.
• In December 2020, threat actors accessed customer proprietary network info (phone numbers, call records).
• In February 2021, an internal T-Mobile app was accessed by unknown attackers without authorization.
• In August 2021, hackers brute-forced their way through T-Mobile's network following a breach of one of its testing environments.
• In April 2022, the notorious Lapsus$ extortion gang breached T-Mobile's network using stolen credentials.

Billy Big Balls of the Week  (23:31)

Singapore may split liability for phishing losses between banks and victims

Singapore officials announced on Monday that next month they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses flowing from scams.

It is an answer to a common question these days: in a world of rampant payment and transfer scams, who is responsible?

Countries like Australia have also considered shared loss schemes. Meanwhile, the European Commission has proposed a "refund" to victims of certain types of fraud, including authorised push payment scams.

Starting next year, the UK will enforce mandatory reimbursement by banks to scam victims up to one million pounds – with the sending and receiving banks sharing the bill.

Singapore's minister of state Alvin Tan has a different view.

"There are some views that banks can easily absorb losses arising from individual scam cases. However, full restitution without due consideration of culpability is neither fair nor desirable," he told Parliament on Monday.

Industry News (33:01)

Caesars Entertainment Reveals Major Ransomware Breach

Pirated Software Likely Cause of Airbus Breach

TikTok Fined $368m For Child Data Privacy Offenses

Illegal Betting Ring Used Satellite Tech to Get Scoop on Results

Microsoft AI Researchers Leak 38TB of Private Data

Clorox Struggling to Recover From August Cyber-Attack

Threat Actor Claims Major TransUnion Data Breach

Finnish Authorities Shutter Dark Web Drugs Marketplace

International Criminal Court Reveals Security Breach

Tweet of the Week (41:32) 

https://x.com/gabsmashh/status/1704875732282077244?s=20

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

13th September 2011: Backup tapes containing info on 4.9 million TRICARE military health care customers were stolen from an SAIC employee's parked car which a burglar broke into by breaking a vent window.  

TRICARE Breach Affects 4.9 Million

https://twitter.com/todayininfosec/status/1701936923579732231

12th September 2001: MafiaBoy (Michael Calce) was sentenced in Canada to 8 months of open custody, 1 year of probation, and restricted Internet use for crimes related to DoS attacks he performed against numerous high profile websites at age 15 the year prior.

Cyber Attacks

https://twitter.com/todayininfosec/status/1701628591262302571

Rant of the Week (17:27)

[Responsible disclosure?  Even close competitors share threat intel]:

https://twitter.com/vegasstarfish/status/1702076730075492739 - video in link too

Billy Big Balls of the Week (25:21)

10 years ago, Apple finally convinced us to lock our phones

Every phone you pick up today has a fingerprint scanner, a face scanner, an option for PINs with four, six, or more digits, and often all of them at once. Phones prompt you to set up a scan and a passcode the first time you turn them on, and you’d be hard-pressed to find anyone who doesn’t have some form of security set up.

But go back just 10 years, and the story was very different. Back when our phones were still used almost entirely as phones and not teeny personal computers, most of the “locking” features on mobile devices were designed more to prevent you from butt-dialing anyone than to protect your sensitive information.

It wasn’t until the iPhone 5S came along — 10 years ago this month — that everything changed.

It just goes to show how much of an innovator and an investor in security Apple always has been. 

They removed the headphone jack and called it courage…

Just a couple of days ago they pushed the boundaries of innovation even more and introduced USB C to the latest iphones. Now that’s real courage

Industry News  (34:29)

Ransomware Attack Wipes Out Sri Lankan Government Data

Europol: Financial Crime Makes “Billions” and Impacts “Millions”

Cyber-criminals “Jailbreak” AI Chatbots For Malicious Ends

UK ICO and NCSC Set to Share Anonymized Threat Intelligence

MGM Criticized for Repeated Security Failures

New Microsoft Teams Phishing Campaign Targets Corporate Employees

Lazarus Group Blamed For $53m Heist at CoinEx

Elon Musk in Hot Water With FTC Over Twitter Privacy Issues

Manchester Police Officers’ Data Breached in Third-Party Attack

Tweet of the Week (41:54)

https://x.com/Marlebean/status/1308858471106871298?s=20

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

6th September 1987: Thomas Haynie was accused of intentionally jamming Playboy's satellite network with a text-only message. Haynie was an uplink engineer at the Christian Broadcasting Network and was on duty at the time of the jamming. He received 3 years of probation. 

CBN engineer denies pre-empting soft-porn movies

https://twitter.com/todayininfosec/status/1302620593322438656

Rant of the Week (20:12)

If you like to play along with the illusion of privacy, smart devices are a dumb idea

Depressingly predictable research from Which? serves as another reminder, if one was needed, that furnishing your home with internet-connected "smart" devices could be a dumb idea if you'd rather try to preserve your privacy.

The consumer rights organization's analysis of a number of IoT products – from speakers and security cameras to TVs and washing machines – found that they all demand customer data above and beyond what is needed for the product to perform its function, and then distribute that information to a horde of faceless corporations.

Consumer campaign group Which? pointed out that this means consumers are not only in many cases paying thousands for the product itself, with all its "smart" connected bells and whistles, but continue to pay in the form of their personal data.

The outfit broke down what information is required to set up an account with the product manufacturers, what permissions the associated apps request, and what customer activity companies are tapping into.

Spoiler alert: it's all for ads and marketing.

Disturbingly, every single brand examined required both exact and approximate location data – as though your fancy washing machine needed to "know" where it is to clean your clothes.

Billy Big Balls of the Week (28:52)

Guy who ran Bitcoins4Less tells Feds he had less than zero laundering protections

A California man has admitted he failed to bake anti-money laundering protections into his cryptocurrency exchange, thus allowing scammers and drug traffickers to launder millions of dollars through the service.

Charles James Randol, 33, who is now due to be sentenced, faces a maximum of five years in federal prison and three years supervised release, plus a fine of up to $250,000 or twice the total illicit proceeds from the scams, whichever amount is greater.

Randol provided cryptocurrency exchange services in various ways, including via the post, ATMs, and occasionally in person, prosecutors told a Los Angeles federal court on Tuesday. The Santa Monica man would handle crypto-cash transactions exceeding $10,000 without knowing who his customers were – folks known only as "Puppet Shariff," "White Jetta," "Aaavvv," "Aaaa," and "Yogurt Monster," for example – which is hardly in line with regulatory requirements.

To stay on the right side of American law, Randol should have verified and recorded their identities.

In his plea agreement, the cryptocurrency dealer admitted to three in-person transactions between October 2020 to January 2021 in which he gave an undercover FBI agent a total of $273,940 in cash for Bitcoin, and kept a four percent commission fee. 

Randol "did not request a name, proof of identity, social security number, or any other information about [the undercover agent] or the source of the funds being exchanged," the plea agreement says.

[Good comment]: Working for an American financial institution, we must go through mandatory AML (anti money laundering) training each year, and the consequences for the firm if an audit finds a violation tend to be in the high 6-digit payouts.

With that in mind, a kid operating a blatantly open money laundering gig takes a proportionally much smaller punishment (assuming white-glove inmates usually manage to leave the can way before their time is served)]

Industry News (36:14)

UK Electoral Commission Fails Cybersecurity Test Amid Data Breach

Crypto Casino Stake.com Back Online After $40m Heist

UK Government Backs Down on Anti-Encryption Stance

Hundreds of Scam Pages Uncovered in Major Investment Fraud Campaign

Think Tank Urges Labour to Promote “Securonomics” Agenda

Chinese Hacker Steals Microsoft Signing Key, Spies on US Government

IBM Reports Patient Data Breach at Johnson & Johnson Subsidiary

UK and US Sanction 11 Russians Tied to Conti/TrickBot Ransomware

Zero-Day Flaw Exposes Atlas VPN User IPs

Tweet of the Week (44:39)

https://twitter.com/KimZetter/status/1699546860187472034

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

29th August 1990: The British Computer Misuse Act Goes into Effect  

One of the earliest laws anywhere designed to address computer fraud, the Act resulted from a long debate in the 1980s over failed prosecutions of hackers -- in one well-publicised case, two men hacked into a British Telecom computer leaving messages in the Duke of Edinburgh's private mailbox.

Archive of historic BT 'email' hack preserved

24th August 1993: Perhaps the most famous lawsuit in technology history is decided for Microsoft. Apple claimed that Microsoft’s Windows violated their copyrights on the “visual displays” of the Macintosh. The judge in the case ruled that most of the claims were covered by a 1985 licensing agreement. Other claims were not violations of copyright due to the “merger doctrine”, which basically states that ideas can not be copyrighted. This paved the way for Microsoft to develop Windows 95, which imitated the Macintosh even more so than previous versions of Windows.

Today in Apple history: Tide turns against Apple in war with Microsoft

Rant of the Week (16:57)

X wants permission to start collecting your biometric data and employment history

X, the platform previously known as Twitter, is expanding the amount of data it collects on users. The social network has updated its privacy policy to include carveouts for “biometric information” and “employment history,” as spotted by Bloomberg.

“Based on your consent, we may collect and use your biometric information for safety, security, and identification purposes,” the privacy policy reads. It doesn’t include any details on what kind of biometric information this includes — or how X plans to collect it — but it typically involves fingerprints, iris patterns, or facial features.

X Corp. was named in a proposed class action lawsuit in July over claims that its data collection violates the Illinois Biometric Information Privacy Act. The lawsuit alleges that X “has not adequately informed individuals” that it “collects and/or stores their biometric identifiers in every photograph containing a face” that’s uploaded to the platform.

Billy Big Balls of the Week (27:28)

Classiscam fraud-as-a-service expands, now targets banks and 251 brands

The "Classiscam" scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before.

Like a ransomware-as-a-service operation, this Telegram-based operation recruits affiliates who use the service's phishing kits to create fake ads and pages to steal money, credit card information, and, more recently, banking credentials.

Group-IB has published new information on the operation today, reporting that Classiscam has made $64.5 million in combined earnings from scamming users of classifieds sites and stealing their money and payment card details.

The number of targeted brands has also grown from 169 brands last year to 251 this year, and there are now 393 criminal gangs targeting users in 79 countries, coordinating in one of the operation's 1,366 Telegram channels.

[This is better than most public companies annual report calls]:

Industry News (33:57) 

Report Reveals Growing Disparity in Cyber Insurance Landscape

Privacy Regulator Warns of Surge in “Text Pest” Cases

NCSC Issues Cyber Warning Over AI Chatbots

OpenAI Promises Enterprise-Grade Security with ChatGPT for Business

FBI-Led Operation Duck Hunt Shuts Down QakBot Malware

Chinese Hackers Target US, Other Govts With Barracuda Flaw

Classiscam Spreads: $64.5M Scheme Targets 79 Countries

Facebook Accounts Targeted by Vietnamese Threat Groups

New Research Exposes Airbnb as Breeding Ground For Cybercrime

Tweet of the Week (43:17)

https://twitter.com/HedgehogCycling/status/1696568821505552666?s=20

Come on! Like and bloody well subscribe!

With content liberated from the “today in infosec” twitter account and further afield

18th August 2003: The Nachi worm began infecting Windows computers with the goal of REMOVING the Blaster worm and patching the vulnerability exploited by both worms.   

Worm aims to eradicate Blaster

https://twitter.com/todayininfosec/status/1692616573524050259

26th August 2008: It was reported that a laptop on the International Space Station was infected by removable media containing the http://W32.Gammima.AG worm. Space. Where you don't want to be dealing with malware.

Malware detected at the International Space Station

https://twitter.com/todayininfosec/status/1298690676448735232

Rant of the Week (19:02)

Cellebrite asks cops to keep its phone hacking tech ‘hush hush’

For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and obtain the data within. And the company has been keen on keeping the use of its technology “hush hush.”

As part of the deal with government agencies, Cellebrite asks users to keep its tech — and the fact that they used it — secret, TechCrunch has learned. This request concerns legal experts who argue that powerful technology like the one Cellebrite builds and sells, and how it gets used by law enforcement agencies, ought to be public and scrutinized.

[That was this weeks Rant of the week]

Billy Big Balls of the Week (28:35)

Two teens were among those behind the Lapsus$ cyber-crime spree, jury finds

Two teenage members of the chaotic Lapsus$ cyber-crime gang helped compromise computer systems of Uber and Nvidia, and also blackmailed Grand Theft Auto maker Rockstar Games among other high-profile victims, a jury has decided.

At Southwark Crown Court in London, England, on Wednesday, Arion Kurtaj, 18, and a 17-year-old male who because of his age cannot be identified for legal reasons were found to have committed various crimes. Kurtaj was held in custody while the other was released on bail; both await sentencing.

This was an unusual case in that the jury was told not to find Kurtaj, who is autistic, guilty or not guilty as psychiatrists had earlier assessed that he was unfit to stand trial. Instead, the panel was asked to decided whether or not he did the things he was accused of.

The two teens, along with other Lapsus$ members, also broke into and attempted to extort telecoms giant BT, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta during their crime spree between 2021 and 2022.

Industry News (36:23)

UK’s AI Safety Summit Scheduled For Early November

Police Insider Tipped Off Criminal Friend About EncroChat Bust

Tesla: Insiders Responsible For Major Data Breach

Cyber-Attack on Australian Utility Firm Energy One Spreads to UK Systems

Experian Pays $650,000 to Settle Spam Claims

WinRAR Vulnerability Affects Traders Worldwide

Sensitive Data of 10 Million at Risk After French Employment Agency Breach

Data of 2.6 Million Duolingo Users Leaked on Hacking Forum

FBI Flags $40M Crypto Cash-Out Plot By North Korean Hackers

Tweet of the Week (47:47)

https://twitter.com/securityweekly/status/1694705119793746015

Come on! Like and bloody well subscribe!

With content liberated from the “Today in Infosec” Twitter account and further afield

4th August 1998: Microsoft published a critical security bulletin MS98-010, titled 'Information on the "Back Orifice" Program'.  

Microsoft Security Bulletin MS98-010 - Critical

https://twitter.com/todayininfosec/status/1423037189714219020   

27th July 2000: In security bulletin MS00-047, Microsoft thanked PGP's COVERT Labs and Sir Dystic of Cult of the Dead Cow for reporting NetBIOS vulnerabilities 

Patch Available for 'NetBIOS Name Server Protocol Spoofing' Vulnerability

https://twitter.com/todayininfosec/status/1287934373019385861

Rant of the Week (18:31)

Brit healthcare body rapped for WhatsApp chat sharing patient data

Staff at NHS Lanarkshire - which serves over half a million Scottish residents - used WhatsApp to swap photos and personal info about patients, including children's names and addresses.

Following a probe, the UK Information Commissioner's Office (ICO) has now issued a heavily redacted official reprimand to the organization, which oversees three hospitals plus clinics and more across rural and urban Lanarkshire in the Central Lowlands of Scotland. It said a group chat created in March 2020 – just as the UK government issued the first COVID lockdown – was in breach of Article 58 of the UK GDPR.

Information was shared between 26 staff for more than two years – from 1 April 2020 to 25 April 2022 – over hundreds of entries within the WhatsApp group that included adult and child patients' names, plus hundreds of patients' phone numbers, many dates of birth, and at least 28 home addresses, "15 images, three videos, and four screenshots." Some of this info included clinical information, and therefore "special category" data in breach of Article 9 of the UK GDPR.

Yes, on their actual work phones, using software provided via NHS portal.

The staffers were using copies of WhatsApp downloaded directly via NHS Lanarkshire's portal on their work phones, it emerged, but someone, whose name was redacted, was added to the group "in error." That "unauthorised individual" was given access to "four students' names and student numbers, one child's name, and two children's names and addresses."

The ICO noted that since WhatsApp stated it was an encrypted platform, staff thought it would be secure. This, the watchdog said, "demonstrates that information governance expectations regarding WhatsApp were not understood by staff involved in the WhatsApp Group."

Billy Big Balls of the Week (31:21)

[The fact the government doesn’t even try to hide what they do and gaslight the country by saying it would be the worst intelligence failure of their time is a BBB move to me - but I’ll let Jav decide 😀]

White House: Losing Section 702 spy powers would be among 'worst intelligence failures of our time'

The White House has weighed in on the Section 702 debate, urging lawmakers to reauthorize, "without new and operationally damaging restrictions," the controversial snooping powers before they expire at the end of the year.

Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the American government to monitor electronic communications of foreign persons outside of the United States [PDF], and people they confer with, including US persons. While it's supposed to be used as an intelligence tool — to prevent terrorist attacks or track down similar targets — it's also at times abused to conduct warrantless snooping on Americans including protesters, campaign donors, and elected officials.

The controversial law, introduced in 2008, is up for renewal at the end of the year, and the US intelligence community has been frantically lobbying to keep these surveillance powers. FBI Director Chris Wray said last week that Section 702 data was responsible for "97 percent of our raw technical reporting on cyber actors."

Now the White House has thrown its weight behind its intel services, arguing that curbing the legislation or letting it drop would be "one of the worst intelligence failures of our time."

Despite unanimously recommending that Congress renew Section 702, the PIAB's report [PDF] does acknowledge that "complacency, a lack of proper procedures, and the sheer volume of Section 702 activity led to FBI's inappropriate use" of the surveillance powers to query US persons

Industry News  (37:04)

NHS Staff Reprimanded For WhatsApp Data Sharing

Canon Inkjet Printers Expose Wi-Fi Threat

AI-Enhanced Phishing Driving Ransomware Surge

Hundreds of Citrix Endpoints Compromised With Webshells

Cocaine Smugglers that Posed as PC Sellers Jailed