    The Host Unknown Podcast

    Host Unknown is the unholy alliance of the old, the new and the rockstars of the infosec industry in an internet-based show that tries to care about issues in our industry. It regularly fails. With presenters that have an inflated opinion of their own worth and a production team with a pathological dislike of them (or “meat puppets” as it often refers to them), it is with a combination of luck and utter lack of good judgement that a show is ever produced and released. Host Unknown is available for sponsorship, conferences, other web shows or indeed anything that pays a little bit of money to keep the debt collectors away. You can contact them at contact@hostunknown.tv for details.
    188 Episodes

    Episodes (188)

    Episode 186

    This week in InfoSec (06:53)

    With content liberated from the “today in infosec” twitter account and further afield

    1st March 1988: The MS-DOS boot sector virus "Ping-Pong" was discovered at the Politecnico di Torino (Turin Polytechnic University) in Italy.

    The virus would show a small ball bouncing around the screen in both text mode (ASCII character "•") and graphical mode.

    https://twitter.com/todayininfosec/status/1763540406443163705  

    26th February 2004: Antivirus firm F-Secure apologized for sending the Netsky.B virus to 1000s of its UK customers & partners via a mailing list. The unknown sender sent it through the email list server, which didn't scan for viruses. And there was no business reason to accept external emails.

    https://twitter.com/todayininfosec/status/1762092359313936553

    Rant of the Week (11:48)

    Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit

    Consumer groups are filing legal complaints in the EU in a coordinated attempt to use data protection law to stop Meta from giving local users a "fake choice" between paying up and consenting to being profiled and tracked via data collection.

    Billy Big Balls of the Week (20:16)

    Fox News 'hacker' turns out to be journalist whose lawyers say was doing his job

     A Florida journalist has been arrested and charged with breaking into protected computer systems in a case his lawyers say was less "hacking," more "good investigative journalism." 

    Tim Burke was arrested on Thursday and charged with one count of conspiracy, six counts of accessing a protected computer without authorization, and seven counts of intercepting or disclosing wire, oral or electronic communications for his supposed role in the theft of unedited video streams from Fox News.

    Industry News (27:48)

    UK Unveils Draft Cybersecurity Governance Code to Boost Business Resilience

    34 Million Roblox Credentials Exposed on Dark Web in Three Years

    Biden Bans Mass Sale of Data to Hostile Nations

    US Government Warns Healthcare is Biggest Target for BlackCat Affiliates

    Savvy Seahorse Targets Investment Platforms With DNS Scams

    Pharma Giant Cencora Reports Cybersecurity Breach

    UK Home Office Breached Data Protection Law with Migrant Tracking Program, ICO Finds

    Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient

    Biden Warns Chinese Cars Could Steal US Citizens' Data

    Tweet of the Week (35:17)

    https://twitter.com/_FN8_/status/1762583435745402951

    Come on! Like and bloody well subscribe!

    Episode 185 - The Inexplicable Episode

    This week in InfoSec (06:25)

    With content liberated from the “today in infosec” twitter account and further afield

    16th February 2010: Version 2.0 of the CWE/SANS Top 25 Most Dangerous Software Errors was released.

    Take a look and decide which of these weaknesses have been eradicated over the last 14 years.

    Web Archive

    https://twitter.com/todayininfosec/status/1758712418601971748

    20th February 2003: Alan Giang Tran, former network admin for 2 companies, was arrested after allegedly destroying data on the companies' networks. Two months later he pleaded guilty to a federal charge of intentionally causing damage to a protected computer.

    https://twitter.com/todayininfosec/status/1760021831354896443

    Rant of the Week (14:01)

    Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data

    Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes.

    From at least 2014 to 2020, Avast harvested user web browsing information through its antivirus software and browser extension, according to the FTC’s complaint. This allowed it to collect data on religious beliefs, health concerns, political views, locations, and financial status. The company then stored this information “indefinitely” and sold it to over 100 third parties without the knowledge of customers, the complaint says.

    Billy Big Balls of the Week (25:02)

    Husband 'made over a million' by eavesdropping on BP wife

    The husband of a BP employee has been charged with insider trading in the US following claims he overheard details of calls made by his wife while working from home.

    The US Securities and Exchange Commission alleged Tyler Loudon made $1.76m (£1.39m) in illegal profits.

    The regulator claimed Mr Loudon heard several of his wife's conversations about BP's takeover of TravelCenters of America and bought shares in the firm.

    BP has declined to comment.

    The SEC said: "We allege that Mr Loudon took advantage of his remote working conditions and his wife's trust to profit from information he knew was confidential."

    His wife - a mergers and acquisitions manager at BP - worked on the oil giant's takeover of TravelCenters. 

    The SEC said Mr Loudon purchased 46,450 shares of TravelCenter's stock, without his wife's knowledge, before the deal was made public in February last year.

    Following the announcement, TravelCenter's share price rose nearly 71% and Mr Loudon allegedly immediately sold all of his newly-bought shares for a profit, the SEC said.

    Industry News (32:16)

    Attacker Breakout Time Falls to Just One Hour

    NCSC Sounds Alarm Over Private Branch Exchange Attacks

    Biden Executive Order to Bolster US Maritime Cybersecurity

    Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited

    Chinese Duo Found Guilty of $3m Apple Fraud Plot

    OWASP Releases Security Checklist for Generative AI Deployment

    Russian-Aligned Network Doppelgänger Targets German Elections

    Change Healthcare Cyber-Attack Leads to Prescription Delays

    ICO Bans Serco Leisure's Use of Facial Recognition for Employee Attendance

    Tweet of the Week (42:37)

    https://twitter.com/lauriewired/status/1760751495073640705

    Come on! Like and bloody well subscribe!

    Episode 184 - The Bee in the Bonnet Episode

    This week in InfoSec (08:40)

    With content liberated from the “today in infosec” twitter account and further afield

    14th February 2001: In a presentation at Black Hat Windows Security Conference 2001, Andrey Malyshev of ElcomSoft shared that Microsoft Excel uses a default encryption password of "VelvetSweatshop".

    https://twitter.com/todayininfosec/status/1757782275406622835

    16th February 2004: The Netsky worm first appeared. It spread via an email attachment which, once opened, would search the computer for email addresses and then email itself to those addresses. Its dozens of variants accounted for almost a quarter of malware detected in 2004.

    https://twitter.com/todayininfosec/status/1758497889972576608

    Rant of the Week (5:10)

    Air Canada must pay damages after chatbot lies to grieving passenger about discount

    Air Canada must pay a passenger hundreds of dollars in damages after its online chatbot gave the guy wrong information before he booked a flight.

    Jake Moffatt took the airline to a small-claims tribunal after the biz refused to refund him for flights he booked from Vancouver to Toronto following the death of his grandmother in November last year. Before he bought the tickets, he researched Air Canada's bereavement fares – special low rates for those traveling due to the loss of an immediate family member – by querying its website chatbot.

    The virtual assistant told him that if he purchased a normal-price ticket he would have up to 90 days to claim back a bereavement discount. Following that advice, Moffatt booked a one-way CA$794.98 ticket to Toronto, presumably to attend the funeral or attend to family, and later an CA$845.38 flight back to Vancouver.

    He also spoke to an Air Canada representative who confirmed he would be able to get a bereavement discount on his flights and that he should expect to pay roughly $380 to get to Toronto and back. Crucially, the rep didn't say anything about being able to claim the discount as money back after purchasing a ticket.

    When Moffatt later submitted his claim for a refund, and included a copy of his grandmother's death certificate, all well within that 90-day window, Air Canada turned him down.

    Staff at the airline told him bereavement fare rates can't be claimed back after having already purchased flights, a policy at odds with what the support chatbot told Moffatt. It's understood the virtual assistant was automated, and not a person sat at a keyboard miles away.

    Billy Big Balls of the Week (22:06)

    Australia passes Right To Disconnect law, including (for now) jail time for bosses who email after-hours

    Australia last week passed a Right To Disconnect law that forbids employers contacting workers after hours, with penalties including jail time for bosses who do the wrong thing.

    The criminal sanction will soon be overturned – it was the result of parliamentary shenanigans rather than the government's intent – and the whole law could go too if opposition parties and business groups have their way.

    European companies have already introduced Right To Disconnect laws in response to digital devices blurring the boundaries between working hours and personal time. The laptops or phones employers provide have obvious after-hours uses, but also mean workers can find themselves browsing emailed or texted messages from their boss at all hours – sometimes with an expectation of a response. That expectation, labor rights orgs argue, extends the working day without increasing pay.

    Right To Disconnect laws might better be termed "Right to not read or respond to messages from work" laws because that's what they seek to guarantee.

    Industry News (31:45)

    US, UK and India Among the Countries Most At Risk of Election Cyber Interference

    Southern Water Notifies Customers and Employees of Data Breach

    Cybersecurity Spending Expected to be Slashed in 41% of SMEs

    GoldPickaxe Trojan Blends Biometrics Theft and Deepfakes to Scam Banks

    Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI in Cyber-Attacks

    Prudential Financial Faces Cybersecurity Breach

    Google Warns Unfair AI Rules Could Empower Hackers, Harming Defense

    Hackers Exploit EU Agenda in Spear Phishing Campaigns

    New Ivanti Vulnerability Observed as Widespread Security Concerns Grow

    Tweet of the Week (39:24)

    https://twitter.com/MalwareJake/status/1758454999380557885

    Come on! Like and bloody well subscribe!

    Episode 183 - The Midnight Express Episode

    This week in InfoSec (08:59)

    With content liberated from the “today in infosec” twitter account and further afield

    8th February 2000: A 15-year-old Canadian identified at the time only by his handle "MafiaBoy" launched a 4-hour DDoS attack against http://cnn.com. The attacks also targeted Yahoo, eBay, Amazon and other sites over a 3 day period. In 2001 a Canadian court sentenced him to 8 months.

    https://twitter.com/todayininfosec/status/1755576730306089245

    7th February 2000: Dennis Michael Moran (aka Coolio) performed a smurf attack against Yahoo's routers, causing its websites to be inaccessible for hours. Conversations on an IRC channel led to him being identified and convicted for a series of DDoS and website defacement crimes.

    https://twitter.com/todayininfosec/status/1755267532540244316

    Rant of the Week (14:35)

    Viral news story of botnet with 3 million toothbrushes was too good to be true

    In recent days you may have heard about the terrifying botnet consisting of 3 million electric toothbrushes that were infected with malware. While you absent-mindedly attended to your oral hygiene, little did you know that your toothbrush and millions of others were being controlled remotely by nefarious criminals.

    Alas, fiction is sometimes stranger than truth. There weren't really 3 million Internet-connected toothbrushes accessing the website of a Swiss company in a DDoS attack that did millions of dollars of damage. The toothbrush botnet was just a hypothetical example that some journalists wrongly interpreted as having actually happened.

    It apparently started with a January 30 story by the Swiss German-language daily newspaper Aargauer Zeitung. Tom's Hardware helped spread the tale in English on Tuesday this week in an article titled, "Three million malware-infected smart toothbrushes used in Swiss DDoS attacks."

    https://www.malwarebytes.com/blog/awareness/2024/02/how-to-tell-if-your-toothbrush-is-being-used-in-a-ddos-attack

    Billy Big Balls of the Week (21:50)

    Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’

    A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police.

    The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday.

    “(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK.

    Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer. Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.

    However, the worker put aside his early doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized, Chan said.

    Believing everyone else on the call was real, the worker agreed to remit a total of $200 million Hong Kong dollars – about $25.6 million, the police officer added.

    Industry News (28:58)

    Clorox and Johnson Controls Reveal $76m Cyber-Attack Bill

    Meta's Oversight Board Urges a Policy Change After a Fake Biden Video

    Malware-as-a-Service Now the Top Threat to Organizations

    Chinese Spies Hack Dutch Networks With Novel Coathanger Malware

    Meta to Introduce Labeling for AI-Generated Images Ahead of US Election

    Governments and Tech Giants Unite Against Commercial Spyware

    France: 33 Million Social Security Numbers Exposed in Health Insurance Hack

    20 Years of Facebook, but Trust in Social Media Remains Rock Bottom

    AI-Powered Robocalls Banned Ahead of US Election

    Tweet of the Week (37:15)

    https://x.com/gossithedog/status/1755282171198054805?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

    Come on! Like and bloody well subscribe!

    Episode 182 - The Tallest & Shortest Episode

    This week in InfoSec (08:19)

    With content liberated from the “today in infosec” twitter account and further afield

    31st Jan 2011 (13 years ago): Chris Russo reported a vulnerability to dating website PlentyOfFish's CEO Markus Frind's wife. Yada yada yada Markus Frind then accused Russo of extortion and emailed Russo's mother.  

    https://techcrunch.com/2011/01/31/plentyoffish-ceo-we-were-hacked-almost-extorted-so-i-emailed-the-hackers-mom/

    https://krebsonsecurity.com/2011/01/plentyoffish-com-hacked-blames-messenger/

    Rant of the Week (13:56)

    The TikTok Hearing Revealed That Congress Is the Problem

    For some, the job on Thursday was casting the hearing's only witness, TikTok CEO Shou Zi Chew, as a stand-in for the Chinese government—in some cases, for communism itself—and then belting him like a side of beef. More than a few of the questions lawmakers put to Chew were vague, speculative, and immaterial to the allegations against his company. But the members of Congress asking those questions feigned little interest in Chew’s responses anyway. 

    Attempts by Chew, a 40-year-old former Goldman Sachs banker, to elaborate on TikTok’s business practices were frequently interrupted, and his requests to remark on matters supposedly of considerable interest to members of Congress were blocked and occasionally ignored. These opportunities to get the CEO on record, while under oath, were repeatedly blown in the name of expediency and for mostly theatrical reasons. Chew, in contrast, was the portrait of patience, even when he was being talked over. Even when some lawmakers began asking and, without pause, answering their own questions.

    The hearing might’ve been a flop, had lawmakers planned to dig up new dirt on TikTok, which is owned by China-based ByteDance, or even hash out what the company could do next to allay their concerns. But that wasn't the aim. The House Energy and Commerce Committee was gathered, it said, to investigate “how Congress can safeguard American data privacy and protect children from online harms.” And on that, the hearing revealed plenty.

    Billy Big Balls of the Week (23:41)

    ICBC Partners Wary to Resume Trading With Bank After Cyberattack

     Industrial & Commercial Bank of China Ltd., the world’s largest lender by assets, has been unable to convince some market participants that it’s safe to reconnect their computer networks to the bank’s US unit after a ransomware attack disrupted its systems, according to people familiar with the matter.

    The attack, which was claimed by the Russia-linked LockBit cybercrime and extortion gang earlier this month, impeded trading in the $26 billion Treasury market and, the people said, it has left users of the bank’s US arm skittish about trading with the bank.

    For its part, ICBC has told users that its US division is back online and operational, the people said. One person familiar with the hack and investigation said a reason the bank could get back online quickly was that a key part of its trading system was unaffected by the attack — a server that was more than 20 years old, made by now-defunct IT equipment maker Novell Inc. That server contained much of the bank’s trading data and capabilities and is so old that LockBit’s ransomware didn’t work on it, the person said.

    Industry News (35:28)

    US Agencies Failure to Oversee Ransomware Protections Threaten White House Goals

    US Thwarts Volt Typhoon Cyber Espionage Campaign Through Router Disruption

    Interpol-Led Initiative Targets 1300 Suspicious IPs

    Ivanti Releases Zero-Day Patches and Reveals Two New Bugs

    Pump-and-Dump Schemes Make Crypto Fraudsters $240m

    Google’s Bazel Exposed to Command Injection Threat

    Tweet of the Week (41:51)

    https://x.com/MikeIrvo/status/1752123455125016839?s=20

    Come on! Like and bloody well subscribe!

    Episode 181 - The Early early Show

    This week in InfoSec (04:51)

    With content liberated from the “today in infosec” twitter account and further afield

    25th January 2003: The SQL Slammer worm was first observed. It relied on a vulnerability Microsoft reported a whopping 6 months earlier via security bulletin MS02-039. Despite the long-available patch, 75,000 systems were compromised within 10 minutes.

    https://twitter.com/todayininfosec/status/1750529757903790431

    21st January 1992: Former General Dynamics employee Michael John Lauffenburger was sentenced. He had created a logic bomb, which was programmed to go off on May 24, 1991. Unfortunately for him, an employee accidentally discovered it, dismantled it, and contacted authorities.

    https://twitter.com/todayininfosec/status/1749184231752802757

    Rant of the Week (11:10)

    Third-party ink cartridges brick HP printers after ‘anti-virus’ update

    HP is pushing over-the-air firmware updates to its printers, bricking them if they are using third-party ink cartridges. But don’t worry, it’s not a money-grab, says the company – it’s just trying to protect you from the well-known risk of viruses embedded in ink cartridges …

    HP has long been known for sketchy practices in its attempt to turn ink purchases into a subscription service. If you cancel a subscription, for example, the company will immediately stop the printer using the ink you’ve already paid for.

    CEO Enrique Lores somehow managed to keep a straight face while explaining to CNBC that the company was only trying to protect users from viruses which might be embedded into aftermarket ink cartridges.

    It can create issues [where] the printers stop working because the inks have not been designed to be used in our printers, to then create security issues. We have seen that you can embed viruses in the cartridges, and through the cartridge, go to the printer; from the printer, go to the network.

    ArsTechnica asked several security experts whether this could happen, and they said this is so out-there, it would have to be a nation-state attack on a specific individual.

    Billy Big Balls of the Week (19:04)

    British man Aditya Verma appears in Spanish court over plane-bomb hoax

    A British man accused of public disorder after joking about blowing up a flight has gone on trial in Spain.

    Aditya Verma made the comment on Snapchat on his way to the island of Menorca with friends in July 2022.

    The message, sent before Mr Verma departed Gatwick airport, read: "On my way to blow up the plane (I'm a member of the Taliban)."

    Mr Verma told a Madrid court on Monday: "The intention was never to cause public distress or cause public harm."

    If found guilty, the university student faces a hefty bill for expenses after two Spanish Air Force jets were scrambled.

    Mr Verma's message was picked up by the UK security services who flagged it to Spanish authorities while the easyJet plane was still in the air.

    A court in Madrid heard it was assumed the message triggered alarm bells after being picked up via Gatwick's Wi-Fi network.

    Industry News (27:39)

    Thai Court Blocks 9near.org to Avoid Exposure of 55M Citizens

    Mega-Breach Database Exposes 26 Billion Records

    French Watchdog Slams Amazon with €32m Fine for Spying on Workers

    AI Set to Supercharge Ransomware Threat, Says NCSC

    X Makes Passkeys Available for US-Based Users

    ChatGPT Cybercrime Surge Revealed in 3000 Dark Web Posts

    HPE Says SolarWinds Hackers Accessed its Emails

    Southern Water Confirms Data Breach Following Black Basta Claims

    China-Aligned APT Group Blackwood Unleashes NSPX30 Implant

    Tweet of the Week (33:12)

    https://x.com/TheHornetsFury/status/1750612652873928949?s=20

    Come on! Like and bloody well subscribe!

    Episode 180 - Its a Full House Episode

    This week in InfoSec (09:34)

    With content liberated from the “today in infosec” twitter account and further afield

    11th January 2000: Newly declassified documents proved the existence of ECHELON, a global eavesdropping network run by the NSA.

    https://twitter.com/todayininfosec/status/1745518896495390826  

    13th January 2009: The domain name http://clintonemail.com was registered - the one used for email addresses on the Clinton family's private email server, which drew controversy when it was revealed that then Secretary of State Hillary Clinton used it for official communications.

    https://twitter.com/todayininfosec/status/1746214861091053961

    Rant of the Week (15:53)

    The 'nothing-happened' Y2K bug – how the IT industry worked overtime to save world's computers

    Forty years ago, both Jerome and Marilyn Murray saw their brainchild reach the light of day. In 1984, their book, Computers in Crisis, was published, becoming the first authoritative guide to the Millennium Bug coding problem, which, in the final year of the century, would consume media, political and business attention.

    Today, more than 20 years after the date-field imposed deadline passed, the Millennium Bug — or Y2K problem — still gets a mixed reception. 

    While many in the industry see it as a job well done — or at least adequately done — it has also become a byword for the over-reach of experts.

    Billy Big Balls of the Week (26:55)

    Woman films herself being fired by HR to expose how cold U.S. corporate culture can be (Link to actual TikTok video in here)

    Forbes article: Viral TikTok Video Of Cloudflare Employee Is A Lesson On How To Not Fire Workers

    Recently, many of the new workplace trends have emanated from TikTok. Influencers have ushered in new themes, such as bare minimum Mondays, acting your wage, quiet quitting and rage applying. A new phenomenon has arisen where employees are now documenting their layoffs on the social media platform.

    This week, Brittany Pietsch, a mid-market account executive at Cloudflare, an Internet infrastructure provider that offers a variety of security, performance and reliability services for websites and applications, went viral after posting a video of her being let go from the tech company.

    Pietsch anticipated her firing, as her “work bff” had been given the pink slip 30 minutes prior to her meeting. The account executive was joined on a video call by a member of the human resources team and another individual, who didn’t introduce himself and jumped right into the purpose of the call, “We have an important meeting today. We finished our evaluations of 2023 performance. This is where you have not met Cloudflare expectations for performance. We have decided to part ways with you.”

    Industry News (36:02)

    1.3 Million FNF Customers' Data Potentially Exposed in Ransomware Attack

    HelloFresh Fined £140K After Sending 80 Million Spam Messages

    British Library Catalogue Back Online After Ransomware Attack

    Senators Demand Probe into SEC Hack After Bitcoin Price Spike

    Tool Identifies Pegasus and Other iOS Spyware

    Majorca Tourist Hotspot Hit With $11m Ransom Demand

    AI, Gaming, FinTech Named Major Cybersecurity Threats For Kids

    NCSC Builds New “Cyber League” Threat Tracking Community

    Iranian Phishing Campaign Targets Israel-Hamas War Experts

    Tweet of the Week (42:01)

    https://twitter.com/0xdade/status/1747820425693045014

    Come on! Like and bloody well subscribe!

    Episode 179 - The One Third Empty Show

    This week in InfoSec (06:16)

    With content liberated from the “today in infosec” twitter account and further afield

    6th January 2014: Intel renamed its McAfee subsidiary Intel Security, distancing itself from the name of McAfee's founder, John McAfee. In 2017 Intel spun off McAfee as a separate company...then several months later John McAfee and Intel settled a lawsuit over Intel's use of the McAfee name.

    https://twitter.com/todayininfosec/status/1743711096559554607

    10th January 2000: The FBI was after the hacker Maxim after he posted credit card numbers online when CD Universe refused to pay $100,000 in extortion. 6 months later it was shared that he'd likely never be prosecuted b/c 1 or more of the firms which performed IR screwed up chain of custody.

    Data thief threatens to strike again

    https://twitter.com/todayininfosec/status/1745207259058081942   

    8th January 1986: "The Hacker Manifesto" was written by Loyd Blankenship (aka The Mentor) and originally titled "The Conscience of a Hacker".

    8 months later it was published in issue 7 of the hacker zine Phrack.

    Read it [again]. 

    http://phrack.org/issues/7/3.html#article

    https://twitter.com/todayininfosec/status/1744413963696161010

    Rant of the Week (16:44)

    Cybercrooks play dress-up as 'helpful' researchers in latest ransomware ruse

    Posing as cyber samaritans, scumbags are kicking folks when they're down

    Ransomware victims already reeling from potential biz disruption and the cost of resolving the matter are now being subjected to follow-on extortion attempts by criminals posing as helpful security researchers.

    Researchers at Arctic Wolf Labs publicized two cases in which casualties of the Royal and Akira ransomware gangs were targeted by a third party, believed to be the same individual or group in both scenarios, and extorted by a fake cyber samaritan.

    Victims were approached by a "security researcher" who offered post-exploitation services. In one case, the mark was told the ransomware gang's server could be hacked and their stolen data could be deleted.

    Another victim was told the "researcher," who used different monikers in each attempt, gained access to the servers used to store victims' stolen data, offering the chance to either delete it or grant the victim access to the server themselves.

    In return, the hacked customers were asked for a fee of approximately 5 Bitcoin ($225,823 at today's exchange rate).

    "As far as Arctic Wolf Labs is aware, this is the first published instance of a threat actor posing as a legitimate security researcher offering to delete hacked data from a separate ransomware group," Stefan Hostetler and Steven Campbell, both senior threat intelligence researchers at Arctic Wolf, blogged.

    "While the personalities involved in these secondary extortion attempts were presented as separate entities, we assess with moderate confidence that the extortion attempts were likely perpetrated by the same threat actor."

    Billy Big Balls of the Week (21:34)

    All India Pregnant Job service: Indian men conned by 'impregnating women' scam

    As cyber scams go, this one is rather unique.

    In early December Mangesh Kumar (name changed) was scrolling on Facebook when he came across a video from the "All India Pregnant Job Service" and decided to check it out.

    The job sounded too good to be true: money - and lots of it - in return for getting a woman pregnant.

    It was, of course, too good to be true. So far, the 33-year-old, who earns 15,000 rupees ($180; £142) per month working for a wedding party decoration company, has already lost 16,000 rupees to fraudsters - and they are asking for more.

    But Mangesh, from the northern Indian state of Bihar, is not the only person to fall for the scam.

    Deputy superintendent of police Kalyan Anand, who heads the cyber cell in Bihar's Nawada district, told the BBC there were hundreds of victims of an elaborate con where gullible men were lured to part with their cash on the promise of a huge pay day, and a night in a hotel with a childless woman.

    So far, his team have arrested eight men, seized nine mobile phones and a printer, and are still searching for 18 others.

    But finding the victims has proved more tricky.

     

    Industry News (29:21)

    23andMe Blames User “Negligence” for Data Breach

    Merck Settles With Insurers Over $700m NotPetya Claim

    North Korean Hackers Stole $600m in Crypto in 2023

    Anti-Hezbollah Groups Hack Beirut Airport Screens

    Ukrainian “Blackjack” Hackers Take Out Russian ISP

    Cyber Insurance Market to be Worth Over $90bn by 2033

    Only 4% of US States Fully Prepared for Cyber-Attacks Targeting Elections

    NCSC Publishes Practical Security Guidance For SMBs

    Mandiant's X Account Was Hacked in Brute-Force Password Attack

     

    Tweet of the Week (38:11)

    https://twitter.com/chris_walker_/status/1744805492273430886

    Come on! Like and bloody well subscribe!

    Episode 178 - The Last Of Us Episode

    This week in InfoSec (12:55)

    With content liberated from the “Today in infosec” Twitter account and further afield

    11th December 2010: The hacker group Gnosis released the source code for Gawker's website and 1.3 million of its users' password hashes.

    After a jury found Gawker's parent company liable in a lawsuit filed by Hulk Hogan and awarded him $140 million, Gawker shut down in 2016. 

    https://twitter.com/todayininfosec/status/1734217170173763907

    14th December 2009: RockYou admitted that 32 million users' passwords (stored as plain text) and email addresses were compromised via a SQL injection vulnerability. RockYou's customer notification said "it was important to notify you of this immediately"...10 days after they became aware.

    https://twitter.com/todayininfosec/status/1735357287147995514   

    Not really infosec https://x.com/depthsofwiki/status/1735147763447595024?s=20 but 14th Dec 2008 was the infamous Bush shoeing incident, where Bush ducked the shoes thrown by Al-Zaidi while the Iraqi PM Nouri Al-Maliki tried to parry them.

     

    Rant of the Week (22:10)

    UK government woefully unprepared for 'catastrophic' ransomware attack

    The UK has failed to address the threat posed by ransomware, leaving the country at the mercy of a catastrophic ransomware attack that the Joint Committee on National Security Strategy (JCNSS) yesterday warned could occur "at any moment."

    The Parliamentary Select Committee reached this conclusion in a scathing report released December 13 that accused the government of failing to take ransomware seriously, and of providing "next-to-no support" to victims of ransomware attacks.

    "There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking," the report concluded. "There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure."

    Recent examples of ransomware infections at UK government institutions and critical private infrastructure are not hard to find.

    Manchester Police, Royal Mail and the British Library have all fallen victim to ransomware attacks since September 2023.

    In July 2023, the Barts Health NHS Trust hospital group was hit by the BlackCat ransomware gang. The NHS had already been taught a lesson about the vicious power of ransomware in 2017 when multiple Brit hospitals stopped taking new patients, other than in emergencies, after being hobbled by WannaCry.

    Third-party providers of NHS software systems have been hit as well, taking systems offline and forcing care providers to revert to pen and paper.

    In short, the situation with ransomware in the UK is already bad, and the JCNSS has predicted things will likely get worse.

     

    Billy Big Balls of the Week (29:54)

    Polish Hackers Repaired Trains the Manufacturer Artificially Bricked.

    After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service.

    They did DRM to a train. 

    In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it. 

    The fallout from the situation is currently roiling Polish infrastructure circles and the repair world, with the manufacturer of those trains denying bricking the trains despite ample evidence to the contrary. The manufacturer is also now demanding that the repaired trains immediately be removed from service because they have been “hacked,” and thus might now be unsafe, a claim they also cannot substantiate. 

     

    Industry News (38:38)

    EU Reaches Agreement on AI Act Amid Three-Day Negotiations

    Europol Raises Alarm on Criminal Misuse of Bluetooth Trackers

    Widespread Security Flaws Blamed for Northern Ireland Police Data Breach

    UK Ministry of Defence Fined For Afghan Data Breach

    UK at High Risk of Catastrophic Ransomware Attack, Government Ill-Prepared

    MITRE Launches Critical Infrastructure Threat Model Framework

    Microsoft Targets Prolific Outlook Fraudster Storm-1152

    Vulnerabilities Now Top Initial Access Route For Ransomware

    Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

     

    Tweet of the Week (46:06)  

    https://x.com/WorkRetireDie/status/1732108681087508947?s=20

    Come on! Like and bloody well subscribe!

    Episode 177 - The Are We Doing This Episode

    This week in InfoSec (07:51)

    With content liberated from the “today in infosec” twitter account and further afield

    5th December 2011: Fyodor reported that CNET's http://Download.com had been wrapping its Nmap downloads in a trojan installer...in order to monetize spyware and adware. CNET quickly stopped, then resumed within days; it affected other downloads, and was a debacle.

    Download.com Caught Adding Malware to Nmap & Other Software

    https://twitter.com/todayininfosec/status/1732073893912047860

    4th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. Today? Billions of  compromised records from hundreds of breaches. Search your email addresses for free.

    https://twitter.com/todayininfosec/status/1731673318560801228    

     

    Rant of the Week (13:29)

    It's ba-ack... UK watchdog publishes age verification proposals

    The UK's communications regulator has laid out guidance on how online services might perform age checks as part of the Online Safety Act.

    The range of proposals from Ofcom are likely to send privacy activists running for the hills. These include credit card checks, facial age estimation, and photo ID matching.

    The checks are all in the name of protecting children from the grot that festoons large swathes of the world wide web. However, service providers will likely be stuck between a rock and a hard place in implementing the guidance without also falling foul of privacy regulations. For example, Ofcom notes the following age checks as potentially "highly effective":

    • Open banking, where a bank confirms a user is over 18 without sharing any other personal information.
    • Mobile network operator (MNO) age check, where the responsibility is shunted onto an MNO content restriction filter that can only be removed if the device user can prove to the MNO that they are over 18.
    • Photo ID matching, where an image of the user is compared to an uploaded document used as proof of age to verify that they are the same person.
    • Credit card checks, where a credit card account is checked for validity – in the UK, credit card holders must be over 18.
    • Digital identity wallets and, our favorite, facial age estimation, where the features of a user's face are analyzed to estimate the user's age.

    It doesn't take a genius to imagine how a determined teenager might circumvent many of these restrictions, nor the potential privacy nightmare inherent in many of them if an adult is forced to share this level of info when accessing age-restricted sites.

     

    Billy Big Balls of the Week (23:12)

    WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password

    Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform.

    The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else."

    Secret Code builds on another feature called Chat Lock that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics.

    By setting a unique password for these locked chats that is different from the password used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted.

    "You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added.

    The development comes weeks after WhatsApp introduced a "Protect IP Address in Calls" feature that masks users' IP addresses to other parties by relaying the calls through its servers.


    Industry News

    Sellafield Accused of Covering Up Major Cyber Breaches

    Porn Age Checks Threaten Security and Privacy, Report Warns

    US Federal Agencies Miss Deadline for Incident Response Requirements

    Disney+ Cyber Scheme Exposes New Impersonation Attack Tactics

    Police Arrest 1000 Suspected Money Mules

    Deutsche Wohnen Ruling Set to Drive Up GDPR Fines

    Cambridge Hospitals Admit Two Excel-Based Data Breaches

    Governments Spying on Apple and Google Users, Says Senator

    Liability Fears Damaging CISO Role, Says Former Uber CISO

     

    Tweet of the Week 

    https://twitter.com/MalwareJake/status/1732463774949310547

    Come on! Like and bloody well subscribe!

    Episode 176 - The Jingle Free Episode

    This week in InfoSec  (09:40)

    With content liberated from the “today in infosec” twitter account and further afield

    24th November 2014: The Washington Post published an article which included a photo of TSA master keys. A short time later functional keys were 3-d printed using the key patterns in the photo. 

    https://twitter.com/todayininfosec/status/1728048404452782497

    26th November 2001: "In an effort to turn the tide in the war on terrorism", Cult of the Dead Cow offered its expertise to the FBI. How did it plan on helping? By architecting a new version of Back Orifice for use by the US federal government.

    "THE CULT OF THE DEAD COW OFFERS A HELPING HAND IN AMERICA'S TIME OF NEED"

    https://twitter.com/todayininfosec/status/1728998509033238952   

     

    Rant of the Week (18:55)

    Interpol makes first border arrest using Biometric Hub to ID suspect

    European police have for the first time made an arrest after remotely checking Interpol's trove of biometric data to identify a suspected smuggler.

    The fugitive migrant, we're told, gave a fake name and phony identification documents at a police check in Sarajevo, Bosnia and Herzegovina, while traveling toward Western Europe. And he probably would have got away with it, too, if it weren't for you meddling kids Interpol's Biometric Hub – a recently activated tool that uses French identity and biometrics vendor Idemia's technology to match people's biometric data against the multinational policing org's global fingerprint and facial recognition databases.

    "When the smuggler's photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country," Interpol declared. "He was arrested and is currently awaiting extradition."

    Interpol introduced the Biometric Hub – aka BioHub – in October, and it is now available to law enforcement in all 196 member countries.

     

    Billy Big Balls of the Week (27:42)

    https://www.theregister.com/2023/11/28/cert_in_rti_exemption/

    India's government has granted its Computer Emergency Response Team, CERT-In, immunity from Right To Information (RTI) requests – the nation's equivalent of the freedom of information queries in the US, UK, or Australia.

    Reasons for the exemption have not been explained, but The Register has reported on one case in which an RTI request embarrassed CERT-In.

    That case related to India's sudden decision, in April 2022, to require businesses of all sizes to report infosec incidents to CERT-In within six hours of detection. The rapid reporting requirement applied both to serious incidents like ransomware attacks, and less critical messes like the compromise of a social media account.

    CERT-In justified the rules as necessary to defend the nation's cyberspace and gave just sixty days notice for implementation.

    The plan generated local and international criticism for being onerous and inconsistent with global reporting standards such as Europe's 72-hour deadline for notifying authorities of data breaches.

    The reporting requirements even applied to cloud operators, who were asked to report incidents on tenants' servers. Big Tech therefore opposed the plan.

     

    Industry News (34:04)

    Cybersecurity Incident Hits Fidelity National Financial

    Cybercriminals Hesitant About Using Generative AI

    Google Fixes Sixth Chrome Zero-Day Bug of the Year

    DeleFriend Weakness Puts Google Workspace Security at Risk

    Okta Admits All Customer Support Users Impacted By Breach

    Thousands of Dollar Tree Staff Hit By Supplier Breach

    Booking.com Customers Scammed in Novel Social Engineering Campaign

    Manufacturing Top Targeted Industry in Record-Breaking Cyber Extortion Surge

    North Korean Hackers Amass $3bn in Cryptocurrency Heists

     

    Tweet of the Week (43:12)

    https://twitter.com/JamesGoz/status/1730498780812767350

    Come on! Like and bloody well subscribe!

    Episode 175 - The Sam Altman Free Episode

    This week in InfoSec (06:40) 

    23rd November 2011: KrebsonSecurity reported that Apple took over 3 years to fix the iTunes software update process vulnerability which the FinFisher remote spying Trojan exploited. Evilgrade toolkit author Francisco Amato had reported it to Apple in 2008.

    Apple Took 3+ Years to Fix FinFisher Trojan Hole

    https://twitter.com/todayininfosec/status/1727687798017106025

    12th November 2009: John Matherly announced the public beta launch of Shodan (@shodanhq) - the first search engine for internet-connected devices.

    https://twitter.com/todayininfosec/status/1727462790330232951  

     

    Rant of the Week (10:51)

    Former infosec COO pleads guilty to attacking hospitals to drum up business

    An Atlanta tech company's former COO has pleaded guilty to a 2018 incident in which he deliberately launched online attacks on two hospitals, later citing the incidents in sales pitches.

    Under a plea deal he signed last week, Vikas Singla, a former business leader at network security vendor Securolytics – a provider to healthcare institutions, among others – admitted that in September 2018 he rendered the Ascom phone system of Gwinnett Medical Center inoperable.

    Gwinnett Medical Center operates hospitals in Duluth and Lawrenceville and the deliberate disablement of the Ascom phone system meant the main communication line between doctors and nurses was unavailable to them.

    More than 200 phones were taken offline, which were used for internal communications, including "code blue" incidents that often relate to cardiac or respiratory emergencies.

     

    Billy Big Balls of the Week (18:52) 

    UK's cookie crumble: Data watchdog serves up tougher recipe for consent banners

    The UK's Information Commissioner's Office (ICO) is getting tough on website design, insisting that opting out of cookies must be as simple as opting in.

    At question are advertising cookies, where users should be able to "Accept All" advertising cookies or reject them. Users will still see adverts regardless of their selection, but rejecting advertising cookies means ads must not be tailored to the person browsing.

    However, the ICO noted that: "Some websites do not give users fair choices over whether or not to be tracked for personalized advertising." This is despite guidance issued in August regarding harmful designs that can trick users into giving up more personal information than intended.

    A few months on, the ICO has upped the ante. It has now given 30 days' notice to companies running many of the UK's most visited sites that they must comply with data protection regulations or face enforcement action.

     

    Industry News (26:16) 

    Cybersecurity Executive Pleads Guilty to Hacking Hospitals

    Regulator Issues Privacy Ultimatum to UK’s Top Websites

    Microsoft Launches Defender Bug Bounty Program

    Why Ensuring Supply Chain Security in the Space Sector is Critical

    British Library: Ransomware Attack Led to Data Breach

    North Korea Blamed For CyberLink Supply Chain Attacks

    US Seizes $9m From Pig Butchering Scammers

    North Korean Software Supply Chain Threat is Booming, UK and South Korea Warn

    InfectedSlurs Botnet Resurrects Mirai With Zero-Days

     

    Tweet of the Week (32:28)

    https://twitter.com/MichaelaOkla/status/1721715089970274542

    Come on! Like and bloody well subscribe!

    Episode 174 - The Brexit Episode

    This week in InfoSec (06:48)

    With content liberated from the “today in infosec” twitter account and further afield

    15th November 1994: The earliest known example of the Good Times email hoax virus was posted to the TECH-LAW mailing list. Variants of the hoax spread for several years. In 1997, Cult of the Dead Cow (cDc) claimed responsibility for initiating the hoax.

    https://twitter.com/todayininfosec/status/1724867863725412627

    12th November 2012: John McAfee went into hiding because his neighbor, Gregory Faull, was found dead from a gunshot. Belize police wanted him to come in for questioning, but he fled to Guatemala where he was then arrested. He was never charged, though he lost a $25 million wrongful death suit.

    https://twitter.com/todayininfosec/status/1723790884053938623

     

    Rant of the Week (11:57)

    Clorox CISO flushes self after multimillion-dollar cyberattack

    The Clorox Company's chief security officer has left her job in the wake of a corporate network breach that cost the manufacturer hundreds of millions of dollars.

     

    Billy Big Balls (18:15)

    BlackCat plays with malvertising traps to lure corporate victims

    Ads for Slack and Cisco AnyConnect actually downloaded Nitrogen malware

    AlphV files SEC complaint

    Affiliates of ransomware gang AlphV (aka BlackCat) claimed to have compromised digital lending firm MeridianLink – and reportedly filed an SEC complaint against the fintech firm for failing to disclose the intrusion to the US watchdog.

    First reported by DataBreaches, the break-in apparently happened on November 7. AlphaV’s operatives claimed they did not encrypt any files but did steal some data – and MeridianLink was allegedly aware of the intrusion the day it occurred.

     

    Industry News (24:15)

    MPs Dangerously Uninformed About Facial Recognition – Report

    Cyber-Attack Could Have “Devastating” Impact on Aussie Exports

    NCSC: UK Facing “Enduring and Significant” Cyber-Threat

    UK Privacy Regulator Issues Black Friday Smart Device Warning

    US Government Unveils First AI Roadmap For Cybersecurity

    European Police Take Down $9m Vishing Gang

    BlackCat Ransomware Group Reports Victim to SEC

    Russian Hacking Group Sandworm Linked to Unprecedented Attack on Danish Critical Infrastructure

    Cyber-Criminals Exploit Gaza Crisis With Fake Charity

     

    Tweet of the Week (30:56)

    https://twitter.com/FadzaiVeanah/status/1724825417196904743

    Come on! Like and bloody well subscribe!

    Episode 173 - The Are We Still Doing This Episode

    This Week in InfoSec (05:41) 

    2002: In response to a report which insinuated that Mac is less vulnerable than Windows, Microsoft suggested that few researchers focus on discovering Mac vulnerabilities and that products with more customers will have more vulnerabilities reported.

    https://t.co/WOUUDOB0g6

    https://x.com/todayininfosec/status/1721895407545143382?s=20

     

    Rant of the Week (11:09)

    Photos of naked patients and medical records have been posted online by extortionists who hacked a Las Vegas plastic surgery, driving victims to file a lawsuit claiming not enough care was taken to protect their private information.

    https://www.bitdefender.com/blog/hotforsecurity/women-sue-plastic-surgery-after-hack-saw-their-naked-photos-posted-online/

      

    Billy Big Balls of the Week (20:48)

    A federal judge on Tuesday refused to bring back a class action lawsuit alleging four auto manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record and intercept customers’ private text messages and mobile phone call logs.

    https://therecord.media/class-action-lawsuit-cars-text-messages-privacy

     

    Industry News (29:28) 

    SentinelOne to acquire cybersecurity consulting firm Krebs Stamos Group

    NATO allies express support for collective response to cyberattacks

    Council for Scottish islands faces IT outage after ‘incident’

    Mortgage giant Mr. Cooper using alternative payment options after cyberattack

    Serbian pleads guilty to running ‘Monopoly’ darknet marketplace

    Japan Aviation Electronics says servers accessed during cyberattack

     

    Tweet of the Week (42:39)

    https://twitter.com/j4vv4d/status/1722916507653394575?s=61&t=0s-EyC1T6uSS3Lo_cyqI4w

     

    Come on! Like and bloody well subscribe!

    Episode 172 - The One Job Episode

    This week in InfoSec  (07:11)

    With content liberated from the “today in infosec” twitter account and further afield

    26th October 2006: Christopher Soghoian created a website allowing visitors to generate fake airlines boarding passes. A congressman called for his arrest, his ISP shut down his site, the FBI raided his home, and then the same congressman said DHS should hire him. His career since? Notable.

    https://twitter.com/todayininfosec/status/1717530966229475523

    24th October 2010: Eric Butler announced Firefox extension Firesheep's release at Toorcon, making HTTP session hijacking on open Wi-Fi trivial. Today >95% of websites have enabled HTTPS and efforts like browser HTTPS-Only mode have largely eliminated the risk. A security industry success! 

    https://twitter.com/todayininfosec/status/1716990537171918976

     

    Rant of the Week (16:00)

    First Brexit, now X-it: Musk 'considering' pulling platform from EU over probe

    Elon Musk is said to be toying with the idea of withdrawing access to X in the European Union rather than go to the effort of complying with the bloc's Digital Services Act.

    As The Register reported last week, His Muskiness had a rather public spat on the website with Thierry Breton, EU Commissioner for Internal Market, who was simply reminding social media platforms of their content moderation obligations under the law.

    This was particularly in light of renewed hostilities between Israel and Hamas, and the potential disinformation campaigns that had begun swirling online. Meta, TikTok, and YouTube were also sent letters.

    "Free speech absolutist" Musk's response was sarcastic and juvenile, the kind of smack talk that would get a teen grounded. It would take a couple of days for the adult in the room, CEO Linda Yaccarino, to get a formal response written.

    However, by then the EU had indicated that X was now under investigation on account of its designation as Very Large Online Platform under the Digital Services Act, which means it has to follow rules regarding how it handles illegal content among many other things.

    Since Musk increasingly appears to see obeying the law as optional for him, it would be very unlike the X owner to actually do anything, and whispers out of the company seem to support this.

    That most watertight of sources, "a person familiar with the matter," told Insider that Musk "has discussed simply removing the app's availability in the region, or blocking users in the European Union from accessing it," much like how Meta's Threads declined to launch in the EU because it was unwilling and/or unable to meet the union's onerous data protection and privacy requirements.

    Twitter, which was once intensely moderated, has become a wild west of violence, misinformation, disinformation, racism, and hardcore pornography. Many of the website's rules judging what users can and can't post have been screwed up and tossed in the trash.

     

    Billy Big Balls of the Week (26:45)

    ‘How not to hire a North Korean plant posing as a techie’ guide updated by US and South Korean authorities

    US and South Korean authorities have updated their guidance on how to avoid hiring North Korean agents seeking work as freelance IT practitioners.

    Thousands of North Korean techies are thought to prowl the world’s freelance platforms seeking work outside the Republic. Kim Jong Un’s regime uses the workers to earn hard currency, and infiltrate organizations they work for to steal secrets and plant malware. The FBI has previously warned employers to watch for suspicious behavior such as logging in from multiple IP addresses, working odd hours, and inconsistencies in name spellings across different online platforms.

    The updated advice adds other indicators that a freelancer you are thinking about hiring could be a North Korean plant, including:

    • Repeated requests for prepayment followed by “anger or aggression when the request is denied”;
    • Threats to release proprietary source codes if additional payments are not made;
    • Using a freight forwarder’s address as the destination for a company laptop rather than a home address, and changing that address frequently;
    • Evading in-person meetings or requests for drug tests;
    • Changing payment methods or accounts on freelance-finder platforms;
    • Having multiple online profiles for the same identity with different pictures, or online profiles with no picture.

    The updated guidance suggests requiring recruitment companies to document their background checking processes, to be sure that they can screen out North Korean stooges. 

    Conducting your own due diligence on workers suggested by recruiters is also recommended.

     

    Industry News (33:45)

    Okta Breached Via Stolen Credential

    Generative AI Can Save Phishers Two Days of Work

    AI to Create Demand for Digital Trust Professionals, ISACA Survey Finds

    AWS: Security Not a Priority For a Third of SMBs

    Humans Need to Rethink Trust in the Wake of Generative AI

    UK Parliament Opens Inquiry into Cyber-Resilience

    CISA Releases Cybersecurity Toolkit For Healthcare

    Europol: Police Must Start Planning For Post-Quantum Future

    UK IT Pros Express Concerns About C-Suite’s Generative AI Ambitions

     

    NADINE DORRIES: I Googled my name, and learnt all about Big Tech!

    https://www.dailymail.co.uk/debate/article-12663701/NADINE-DORRIES-Googled-learnt-Big-Tech.html

    https://twitter.com/AdamBienkov/status/1716735397802233947

    “Nadine Dorries, who until last year was in charge of digital regulation in the UK, says tech executives have “big dials” which they deliberately use to “nudge opinion ever leftwards” and suggests this was somehow hidden from her when she met them”

     

    Tweet of the Week (41:05)

    https://twitter.com/gcluley/status/1717433320823218640

    Come on! Like and bloody well subscribe!

    Episode 171 - The Stitched Up Episode

    This week in InfoSec  (09:48)

    With content liberated from the “today in infosec” twitter account and further afield

    8th October 2018: Google announced that it exposed the private info of hundreds of thousands of Google+ users between 2015 and 2018, only disclosing it 7 months after discovery because it was reported by The Wall Street Journal. Social network Google+ launched in 2011 and closed in 2019. 

    Google hid major Google+ security flaw that exposed users’ personal information

    https://twitter.com/todayininfosec/status/1711159728552685667

    16th October 1983: FBI agents raided homes of "young electronics buffs known as 'hackers'" in 6 states as part of an investigation of unauthorized intrusions into scores of large commercial and DoD computers. These teens included Lord Flathead - real name Tom Anderson, future MySpace founder.

    https://twitter.com/todayininfosec/status/1712593589237076056

     

    Rant of the Week (15:44)

    Everest cybercriminals offer corporate insiders cold, hard cash for remote access

    The Everest ransomware group is stepping up its efforts to purchase access to corporate networks directly from employees amid what researchers believe to be a major transition for the cybercriminals.

    In a post at the top of its dark web victim blog, Everest said it will offer a "good percentage" of the profits generated from successful attacks to those who assist in its initial intrusion.

    The group also promised to offer partners "full transparency" regarding the nature of each operation, as well as confidentiality about their role in the attack.

    Everest is specifically looking for access to organizations based in the US, Canada, and Europe, and would accept remote access by a variety of means including TeamViewer, AnyDesk, and RDP.

     

    Billy Big Balls of the Week (22:23)

    Chinese citizens feel their government is doing a fine job with surveillance

    Chinese residents are generally comfortable with widespread use of surveillance technology, according to a year-long project conducted by the Australian Strategic Policy Institute (ASPI) and an unnamed non-government research partner.

    The project mainly investigated how state surveillance is conducted by Beijing and how the population of the People's Republic of China (PRC) perceives it. For the investigation, the researchers conducted media analysis, and an online survey of over 4,000 Chinese citizens.

    Most respondents ranked their trust in central government positively – at an average of 7.3 on a scale out of 10. Businesses received a 6.7 rating. When it came to surveillance – by video, audio or internet activity – roughly half said they were comfortable.

    As part of the project, ASPI provided a tool that could be considered quite subversive in China: an interactive website that provided access to uncensored non-Beijing information about deployed surveillance technologies and the agencies that run them. It consisted of five educational modules with quizzes at the end.

    The website content was shaped by the survey results and reached over 55,000 users over the course of four months. It covered facial recognition, Wi-Fi probes, DNA surveillance, database management and surveillance cameras.

     

    Industry News (28:08)

    AWS to Mandate Multi-Factor Authentication from 2024

    Blackbaud Settles Ransomware Breach Case For $49.5m

    DNA Tester 23andMe Hit By Credential Stuffing Campaign

    MGM Resorts Reveals Over $100M in Costs After Ransomware Attack

    Air Europa Asks Customers to Cancel Cards After Breach

    US Smashes Annual Data Breach Record With Three Months Left

    European Police Hackathon Hunts Down Traffickers

    Chinese APT ToddyCat Targets Asian Telecoms, Governments

    California Enacts “Delete Act” For Data Privacy

     

    Tweet of the Week (36:01) 

    https://twitter.com/ireteeh/status/1712408097170325968

    Come on! Like and bloody well subscribe!

    Episode 170 - The No Show Notes Episode

    This week in InfoSec (08:56)

    With content liberated from the “today in infosec” twitter account and further afield

    2006: The http://wikileaks.org domain name was registered, though the first document wasn't posted to WikiLeaks until December.

    Assange was taken from the Ecuadorian embassy in April 2019 and has since been staying at His Majesty's pleasure at Belmarsh.

    2005: The Samy worm, the first self-propagating cross-site scripting worm, was released onto the mega-popular MySpace by 19-year-old Samy Kamkar (@samykamkar).

    He's since made numerous impactful security and privacy field contributions. 

    https://en.m.wikipedia.org/wiki/Samy_Kamkar

    https://en.wikipedia.org/wiki/Samy_(computer_worm)

    The worm itself was relatively harmless; it carried a payload that would display the string "but most of all, samy is my hero" on a victim's MySpace profile page as well as send Samy a friend request. When a user viewed that profile page, the payload would then be replicated and planted on their own profile page continuing the distribution of the worm. MySpace has since secured its site against the vulnerability.
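    The reason the worm could plant itself on every viewer's profile is the one that still bites today: MySpace let users post HTML and tried to make it safe by deleting a handful of known-bad words, and Samy's write-up describes getting past that filter by, among other tricks, splitting "javascript" across a newline inside a CSS url(), which Internet Explorer of the day happily executed. The block below is an added example, not the worm's code and not anything from MySpace: both payloads are constructed, the blocklist is a hypothetical 2005-style one, and the "browser" is a small stand-in built on Python's html.parser so the comparison runs offline. It shows the blocklist passing the split payload untouched while context-aware output encoding leaves nothing for a browser to run.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed payloads for illustration; neither is the worm's actual code.
# The first is what a keyword filter is built to stop. The second uses the
# trick Samy described: breaking the word "javascript" with a newline inside a
# CSS url(), which Internet Explorer of the day still executed.
OBVIOUS_PAYLOAD = "<script>alert(1)</script>"
SPLIT_PAYLOAD = "<div style=\"background:url('java\nscript:alert(1)')\">hi</div>"

# Hypothetical 2005-style blocklist: the few tokens the developers thought of.
BLOCKED_TOKENS = ("javascript", "<script", "onload", "onerror")


def blocklist_filter(profile_html: str) -> str:
    """Vulnerable: delete known-bad substrings, then trust the remainder as HTML."""
    cleaned = profile_html
    for token in BLOCKED_TOKENS:
        cleaned = re.sub(re.escape(token), "", cleaned, flags=re.IGNORECASE)
    return cleaned


def escape_for_html_body(profile_text: str) -> str:
    """Hardened baseline: treat the submission as text and encode it for the
    HTML body context, so the browser never sees a tag or attribute in it."""
    return escape(profile_text, quote=True)


class _ScriptSniffer(HTMLParser):
    """Stand-in for a lenient browser: flags <script> tags, on* handlers and a
    javascript: scheme in any attribute, ignoring whitespace inside the scheme
    the way old IE did. Lets the example run offline without a real browser."""

    def __init__(self) -> None:
        super().__init__()
        self.executable = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.executable = True
        for name, value in attrs:
            if name.startswith("on"):
                self.executable = True
            elif value is not None and "javascript:" in re.sub(r"\s+", "", value).lower():
                self.executable = True


def would_execute(rendered_html: str) -> bool:
    """True if the markup handed to the browser still contains something runnable."""
    sniffer = _ScriptSniffer()
    sniffer.feed(rendered_html)
    sniffer.close()
    return sniffer.executable


if __name__ == "__main__":
    for label, payload in (("obvious", OBVIOUS_PAYLOAD), ("split", SPLIT_PAYLOAD)):
        print(f"{label:8s} blocklist -> runs: {would_execute(blocklist_filter(payload))}")
        print(f"{label:8s} escaped   -> runs: {would_execute(escape_for_html_body(payload))}")
```

    Escaping everything is the correct baseline but it also kills the profile customisation MySpace was selling. A site that wants to keep user HTML needs an allowlist sanitiser that parses the submission and re-serialises only known-safe tags and attributes (no style, no url(), no handlers), because a blocklist can never enumerate the encodings a lenient browser will accept.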

    2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress one person in the IT department was at fault. 

    https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html

    It took 960 hours (40 days) from Equifax discovering the breach to warning the public. Data on millions of people in the US, UK and elsewhere was stolen.

    Three Equifax execs sold $1.8 million of stock days after breach discovery

     

    Rant of the Week (17:16) 

    https://www.theregister.com/2023/10/04/onedrive_to_acquire_copilot_skills/

    Microsoft is to overhaul OneDrive in a move that will bring Copilot to the cloud storage service and herd users towards the tool's web interface.

    Inevitably, Copilot skills are due to arrive in OneDrive. Microsoft hopes these will help users find files and stay organized. Worryingly, in the example given, Copilot can move files around and create folders depending on its interpretation of the user's instructions. What could possibly go wrong?

     

    Billy Big Balls of the Week (26:06)

    A four-hour system interruption in September at the Veterans Affairs Medical Center in Kansas City, Missouri has been attributed to a cat jumping on a technician's keyboard.

    So we're told by a source, who heard the tale on one of the regular weekday calls held by the US government department with its CIO, during which recent IT problems are reviewed. We understand that roughly 100 people – contractors, vendors, and employees – participate in these calls at a time.

    On a mid-September call, one of the participants explained that while a technician was reviewing the configuration of a server cluster, their cat jumped on the keyboard and deleted it. Or at least that's their story.

    Kurt DelBene, assistant secretary for information and technology and CIO at the Department of Veterans Affairs, is said to have responded on the call with words to the effect that: "This is why I have a dog." There was laughter and not much more – it was a short incident report.

    https://www.theregister.com/2023/10/05/hospital_cat_incident/

     

    Industry News (31:30)

    Apple Issues Emergency Patches for More Zero-Day Bugs

    Record Numbers of Ransomware Victims Named on Leak Sites

    CISA and NSA Tackle IAM Security Challenges in New Report

    Scammers Impersonate Companies to Steal Cryptocurrency from Job Seekers

    Critical Glibc Bug Puts Linux Distributions at Risk

    US Government Proposes SBOM Rules for Contractors

    China Poised to Disrupt US Critical Infrastructure with Cyber-Attacks, Microsoft Warns

    GoldDigger Android Trojan Drains Victim Bank Accounts

    LightSpy iPhone Spyware Linked to Chinese APT41 Group

     

    Tweet of the Week (40:56)

    https://twitter.com/infosecmo/status/1709289777973883000?s=61&t=UAjRqPj0iqNyKsG8ZaAiig

    Come on! Like and bloody well subscribe!

    Episode 169 - The Hat Trick Episode

    This week in InfoSec (08:45)

    With content liberated from the “today in infosec” twitter account and further afield

    25th September 1986: "The Hacker Manifesto" was published by The Mentor (Loyd Blankenship) in issue 7 of the hacker zine Phrack. It was originally titled "The Conscience of a Hacker". 

    Phrack #7

    https://twitter.com/todayininfosec/status/1706364950623515017  

    26th September 1988: Time Magazine published the article "Technology: Invasion of the Data Snatchers - A 'virus' epidemic strikes terror in the computer world". The 9 page article is an interesting glimpse into the state of malware risk, response, and fears 35 years ago.

    Technology: Invasion of the Data Snatchers

    https://twitter.com/todayininfosec/status/1706690706863952278

     

    Rant of the Week (13:54) 

    After failing at privacy, again, Google is working to keep Bard chats out of Search

    Google's Bard chatbot is currently being re-educated to better understand privacy.

    In July, Bard gained the ability to share conversations with other people using a unique public link. Unfortunately, Google Search has indexed those shared links, making them more widely available and discoverable than Bard patrons might expect.

    [Open the story and read from there - it’s much easier 🙂]

    At least such oversights don't happen all that often at Google, which has a 33-page privacy policy [PDF] detailing how much the company values user privacy. Apart from a $100 million biometric privacy settlement with Illinois in April 2022, an $85 million location data settlement with Arizona in October 2022, a $391.5 million privacy settlement in November 2022 with a 40-state coalition of Attorneys General, and $29.5 million to settle location tracking claims in Indiana and Washington DC, you have to go back all the way to 2019 – when the FTC settled with Google and YouTube for gathering kids' info without consent – to find substantive privacy issues at the 25-year-old search advertising biz.

    Frankly, the presence of Bard chats in Google Search barely rates on the list of the text ads giant's greatest privacy misses, which includes Street View cars collecting sensitive data from Wi-Fi networks and combining its ad data with Google users' personal data.

     

    Billy Big Balls of the Week (22:46)

    China's national security minister rates fake news among most pressing cyber threats

    This story in a meme:

    Chinese minister for national security Chen Yixin has penned an article rating the digital risks his country faces and rated network security incidents as the most realistic source of harm to the Chinternet – both in terms of attacks and the dissemination of fake news.

    The new article reiterates Xi Jinping's thoughts on network and cyber power, which boil down to a recognition of the internet's central role in almost all aspects of modern life and the subsequent need for security and governance.

    In China governance includes restrictions on free speech and detection and deletion of information felt to be incorrect. Or as minister Chen put it, after machine translation: "The internet has increasingly become the source, conductor, and amplifier of various risks. A small incident can become a whirlpool of public opinion. Some rumours can easily turn a 'storm in a teacup' into a 'tornado' in real society."

    Chen's article rates "increasingly fierce competition between great powers in cyberspace" as the most significant competitive threat China faces in the digital domain. He accused rivals of using "so-called 'risk removal' as an excuse and using ideology as a standard to create technology 'small circles' such as 'Clean Network' and 'Chip Alliance,' and even expanded the use of policy tools such as export controls, security reviews, and restricted exchanges."

    The minister argues such initiatives are motivated by other nations' desire to cement technology leadership positions and build monopolies, rather than genuine concerns.

     

    Industry News (30:07)

    UK-US Confirm Agreement for Personal Data Transfers

    US Government IT Staffer Arrested on Espionage Charges

    Half of Cyber-Attacks Go Unreported

    NCSC Launches Cyber Incident Exercise Scheme

    Attacks on European Financial Services Double in a Year

    Regulator Warns Breaches Can Cost Lives

    US and Japan Warn of Chinese Router Attacks

    US Lawmaker: Government Shutdown Will Leave Americans Exposed to Cyber-Attacks

    Booking.com Customers Targeted in Major Phishing Campaign

     

    Tweet of the Week (37:51)

    https://twitter.com/SoVeryBritish/status/1707463344016306453

    Come on! Like and bloody well subscribe!

    Episode 168 - The Purple Pineapple Episode

    This week in InfoSec (09:32)

    With content liberated from the “today in infosec” twitter account and further afield

    18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes. (The name is "admin" reversed.)

    $ echo "admin" | rev
    nimda

    https://twitter.com/todayininfosec/status/1703760366688211041

    16th September 2008: 20-year-old David Kernell compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, then posted her emails to 4chan. 2 years later he was found guilty and sentenced to a year in prison. At age 30 he died of complications related to MS.

    https://twitter.com/todayininfosec/status/1703169477548884296

     

    Rant of the Week (14:55)

    [We’re sympathetic to companies who get hacked and what they have to deal with, but there comes a time when they’re repeatedly hacked and you have to ask questions]:

    T-Mobile app glitch let users see other people's account info

    T-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application.

    According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.

    As first reported by The Verge, some of the customers affected by this issue could see the sensitive information of multiple other people while logged into their own accounts.

    While a massive number of reports started surfacing earlier today on Reddit and Twitter, some T-Mobile customers also claimed that they've been experiencing this throughout the last two weeks.

    "Reported this issue when it first popped up here on Reddit over 2 weeks ago and sent pics of the other person's info to their security team. No response, but wow, just wow," one customer said.

    Nine data breaches since 2018

    In May, T-Mobile disclosed its second data breach since the start of 2023, after hundreds of customers had their personal information exposed between late February and March when attackers broke into the carrier's systems.

    In January, the mobile carrier revealed another data breach after the sensitive info of 37 million customers was stolen using one of its Application Programming Interfaces (APIs).

    Since 2018, T-Mobile has been hit by seven other data breaches:

     

    Billy Big Balls of the Week  (23:31)

    Singapore may split liability for phishing losses between banks and victims

    Singapore officials announced on Monday that next month they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses flowing from scams.

    It is an answer to a common question these days: in a world of rampant payment and transfer scams, who is responsible?

    Countries like Australia have also considered shared loss schemes. Meanwhile, the European Commission has proposed a "refund" to victims of certain types of fraud, including authorised push payment scams.

    Starting next year, the UK will enforce mandatory reimbursement by banks to scam victims up to one million pounds – with the sending and receiving banks sharing the bill.

    Singapore's minister of state Alvin Tan has a different view.

    "There are some views that banks can easily absorb losses arising from individual scam cases. However, full restitution without due consideration of culpability is neither fair nor desirable," he told Parliament on Monday.

     

    Industry News (33:01)

    Caesars Entertainment Reveals Major Ransomware Breach

    Pirated Software Likely Cause of Airbus Breach

    TikTok Fined $368m For Child Data Privacy Offenses

    Illegal Betting Ring Used Satellite Tech to Get Scoop on Results

    Microsoft AI Researchers Leak 38TB of Private Data

    Clorox Struggling to Recover From August Cyber-Attack

    Threat Actor Claims Major TransUnion Data Breach

    Finnish Authorities Shutter Dark Web Drugs Marketplace

    International Criminal Court Reveals Security Breach

     

    Tweet of the Week (41:32) 

    https://x.com/gabsmashh/status/1704875732282077244?s=20

    Come on! Like and bloody well subscribe!

    Episode 167 - The Sweaty B***s Episode

    This week in InfoSec (08:18)

    With content liberated from the “today in infosec” twitter account and further afield

    13th September 2011: Backup tapes containing info on 4.9 million TRICARE military health care customers were stolen from an SAIC employee's parked car which a burglar broke into by breaking a vent window.  

    TRICARE Breach Affects 4.9 Million

    https://twitter.com/todayininfosec/status/1701936923579732231

    12th September 2001: MafiaBoy (Michael Calce) was sentenced in Canada to 8 months of open custody, 1 year of probation, and restricted Internet use for crimes related to DoS attacks he performed against numerous high profile websites at age 15 the year prior.

    Cyber Attacks

    https://twitter.com/todayininfosec/status/1701628591262302571

     

    Rant of the Week (17:27)

    [Responsible disclosure?  Even close competitors share threat intel]:


     

    https://twitter.com/vegasstarfish/status/1702076730075492739 - video in link too

     

    Billy Big Balls of the Week (25:21)

    10 years ago, Apple finally convinced us to lock our phones

    Every phone you pick up today has a fingerprint scanner, a face scanner, an option for PINs with four, six, or more digits, and often all of them at once. Phones prompt you to set up a scan and a passcode the first time you turn them on, and you’d be hard-pressed to find anyone who doesn’t have some form of security set up.

    But go back just 10 years, and the story was very different. Back when our phones were still used almost entirely as phones and not teeny personal computers, most of the “locking” features on mobile devices were designed more to prevent you from butt-dialing anyone than to protect your sensitive information.

    It wasn’t until the iPhone 5S came along — 10 years ago this month — that everything changed.

    It just goes to show how much of an innovator and an investor in security Apple always has been. 

    They removed the headphone jack and called it courage…

    Just a couple of days ago they pushed the boundaries of innovation even further and introduced USB-C on the latest iPhones. Now that’s real courage.

     

    Industry News  (34:29)

    Ransomware Attack Wipes Out Sri Lankan Government Data

    Europol: Financial Crime Makes “Billions” and Impacts “Millions”

    Cyber-criminals “Jailbreak” AI Chatbots For Malicious Ends

    UK ICO and NCSC Set to Share Anonymized Threat Intelligence

    MGM Criticized for Repeated Security Failures

    New Microsoft Teams Phishing Campaign Targets Corporate Employees

    Lazarus Group Blamed For $53m Heist at CoinEx

    Elon Musk in Hot Water With FTC Over Twitter Privacy Issues

    Manchester Police Officers’ Data Breached in Third-Party Attack

     

    Tweet of the Week (41:54)

    https://x.com/Marlebean/status/1308858471106871298?s=20

    Come on! Like and bloody well subscribe!