    blackbaud

    Explore "blackbaud" with insightful episodes like "Episode 144 - The Other Peoples Work Episode", "Episode 1: Todd Lant - CIO - Blackbaud Inc", "Entrepreneurship: HG Insights", "Special Fiftieth Live Show" and "Episode 16 - I'm So Sorry Mum" from podcasts like "The Host Unknown Podcast", "CDC Tech Life Podcast", "Business Edge", "Random but Memorable" and "The Host Unknown Podcast" and more!

    Episodes (81)

    Episode 144 - The Other Peoples Work Episode

    This week in InfoSec (06:13) 

    With content liberated from the “today in infosec” twitter account and further afield

    15th March 2000: The movie "Takedown" was released in France as "Cybertr@que". It is based on the capture of Kevin Mitnick.

    Takedown on IMDb

    https://twitter.com/todayininfosec/status/1636083404117557248

     

    16th March 1971: The first computer virus, Creeper, infected computers on the ARPANET, displaying "I'M THE CREEPER : CATCH ME IF YOU CAN." It was named after a villain (the Creeper) from a 1970 episode of "Scooby-Doo, Where Are You!"

    https://twitter.com/todayininfosec/status/1636516584394203137   

     

    Rant of the Week (13:20)

    What happens if you 'cover up' a ransomware infection? For Blackbaud, a $3m charge

    Blackbaud has agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware infection in which crooks stole more than a million files on around 13,000 of the cloud software slinger's customers.

    According to America's financial watchdog, the SEC, Blackbaud will cough up the cash - without admitting or denying the regulator's findings - and will cease and desist from committing any further violations.

    "Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies," Tony Boor, the outfit's chief financial officer, told The Register. 

    "Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimise the risk of cyberattacks in an ever-changing threat landscape," Boor added.

    For perspective: the South Carolina-based firm – which provides, among other things, donor management tools to nonprofits – banked $1.1 billion in revenue in 2022, resulting in a $45.4 million loss. This settlement is the least of the biz's concerns, we imagine.

    Slap on the wrist

    Here's what happened: back in May 2020, Blackbaud experienced a ransomware infection, quietly paid off the crooks, and didn't tell customers about the security breach until July 2020. And when the software company did notify customers, it assured them that the "cybercriminal did not access…bank account information, or social security numbers," according to the SEC order.

    By the end of that month, however, the SEC claims that Blackbaud personnel discovered that the miscreants had accessed unencrypted donor bank account information and social security numbers. But the employees allegedly didn't tell senior management about the theft of sensitive customer data because Blackbaud "did not have policies or procedures in place designed to ensure they do so," the court documents say. Make of that what you will.

     

    Billy Big Balls of the Week (23:09)

    1st Story (short, follow the link):

    Microsoft support 'cracks' Windows for customer after activation fails

    In an unexpected twist, a Microsoft support engineer resorted to running an unofficial 'crack' on a customer's Windows PC after a genuine copy of the operating system failed to activate normally. It seems this isn't the first time, either, that support professionals have employed such workarounds when under pressure to close out support tickets in a timely manner.

    A South Africa-based freelance technologist who paid $200 for a genuine copy of Windows 10 was startled to see a Microsoft support engineer "crack" his copy using unofficial tools that bypass the Windows activation process.

    2nd Story:

    A company that actually followed disclosure requirements (and puts TikTok in the same bucket as Meta and Google):

    Cerebral admits to sharing patient data with Meta, TikTok, and Google

    Cerebral, a telehealth startup specializing in mental health, says it inadvertently shared the sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers, as reported earlier by TechCrunch. In a notice posted on the company’s website, Cerebral admits to exposing a laundry list of patient data with the tracking tools it’s been using as far back as October 2019.

    The information affected by the oversight includes everything from patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and more. It may have even exposed the answers clients filled out as part of the mental health self-assessment on the company’s website and app, which patients can use to schedule therapy appointments and receive prescription medication.

    According to Cerebral, this information got out through its use of tracking pixels, or the bits of code Meta, TikTok, and Google allow developers to embed in their apps and websites. The Meta Pixel, for example, can collect data about a user’s activity on a website or app after clicking an ad on the platform, and even keeps track of the information a user fills out on an online form. While this lets companies, like Cerebral, measure how users interact with their ads on various platforms and track the steps they take afterward, it also gives Meta, TikTok, and Google access to this information, which they can then use to gain insight into their own users.

     

    Industry News (32:43)  

    UK's New Privacy Bill Could Mean More Work for Firms

    Blackbaud Settles $3m Charge Over Ransomware Attack

    MI5 Launches New Agency to Tackle State-Backed Attacks

    Humans Still More Effective Than ChatGPT at Phishing

    Tick APT Group Hacked East Asian DLP Software Firm

    NCSC Calms Fears Over ChatGPT Threat

    UK Joins US, Canada, Others in Banning TikTok From Government Devices

    US Government IIS Server Breached via Telerik Software Flaw

     

    Tweet of the Week (40:30)

    https://twitter.com/william_whyte/status/1635198775152234496

    https://twitter.com/J4vv4D/status/1636055929199140864?s=20

    Come on! Like and bloody well subscribe!

    Episode 1: Todd Lant - CIO - Blackbaud Inc

    Episode 1 of the Charleston Digital Corridor (CDC) Tech Life Podcast features Todd Lant, Chief Information Officer (CIO) of Charleston, SC technology company Blackbaud Inc. Todd talks about his role and the ongoing growth of Blackbaud and shares insights on the Charleston technology community and the impact of remote work.

    Episode 1 is sponsored by Charleston Open Source and Comcast.

    Thanks to the Charleston Digital Corridor, the Tech Life Podcast has returned to share stories from the rapidly growing Charleston SC Technology and Entrepreneur communities.  Join us each month for a new episode and subscribe to make sure you don't miss a beat!

    Entrepreneurship: HG Insights

    Join Desiree and Chrissy today to hear from Tracy York, co-founder and vice president of customer success for HG Insights, a company providing data-driven sales and marketing strategies. And this isn't Tracy's first jump into the startup world - his previous venture, NOZA, was acquired by Blackbaud in 2010. If you're interested in following these footsteps, listen in for the best tips and tricks to get your idea off the ground.

    Connect with Tracy York

    HG Insights website

    Special Fiftieth Live Show

    Chaos ensues as we attempt our first episode before a "live studio audience" (ahem) for this special 50th episode of Random But Memorable! 🎉

    Buzzers at the ready as we introduce a brand new segment: Play Your Passwords Right! What could go wrong?

    Plus we announce our lucky giveaway winners, and, as usual, hurtle through the latest security happenings like some runaway news-train in Watchtower Weekly.

    Log out, tune in…

    Watchtower Weekly

    🏆 Giveaway Winners 

    Our winners are... 

    A big thanks to everyone for entering. Listen out for more giveaways coming soon!

    🚨 Play Your Passwords Right 

    We show a password, then reveal how many times that has been in a breach. We then show another and guess higher or lower.

    To play along visit: haveibeenpwned.com/passwords

    🗣 #Ask1Password

    Ask us anything! Please use the #Ask1Password hashtag or send us an email at: media@1password.com

    Follow Us…

    Please get in touch using #Ask1Password and let us know what you think of the show, you can also leave us a review on Apple Podcasts or wherever you listen to podcasts.

    Episode 16 - I'm So Sorry Mum

    It's a day late, it was Thom's fault, but the episode is all the better for it (probably).

    This episode is brought to you by Thom's mum (I am so sorry Mum, they made me do it...).

    Tweet of the week

    Daniel Cuthbert's hair talks sense on the latest static testing tools.

    https://twitter.com/dcuthbert/status/1286226224172404738?s=20

    Billy Big Balls of the Week

    Jav drives traffic to his content through the news of the new Meow Bot worm.

    https://www.forbes.com/sites/daveywinder/2020/07/22/not-all-internet-cats-are-cute-meow-bot-is-a-database-destroyer/#264687e930e2

    Rant of the Week

    Andy unknowingly drives traffic to Jav's content on an awful breach response.

    https://www.computerweekly.com/news/252486556/A-question-of-trust-University-and-supplier-on-the-hook-for-data-breach

    The Little People

    Jav has a surprise for us in the little people. Not.

    This week's show also features Thom's amazing Mother, Sheila Langford. Love you Mum! xxx

     

    2: Mary Beth Westmoreland

    Repeatedly named one of the Most Powerful Women in Technology, Chief Technology Officer Mary Beth Westmoreland helps to keep Blackbaud diverse, innovative, and ever impactful. What keeps a leading cloud software company moving forward and looking ahead? And how can your work affect the greater social good? This is Of Note.