
The Host Unknown Podcast (Host Unknown, Thom Langford, Andrew Agnes, Javvad Malik)
Explore every episode of The Host Unknown Podcast
Pub. Date | Title | Duration
---|---|---
25 Feb 2023 | Episode 141 - You know why this is late | 00:49:21
This week in Infosec
20th February 2003: Alan Giang Tran, former network admin for 2 companies, was arrested after allegedly destroying data on the companies' networks. Two months later he pleaded guilty to a federal charge of intentionally causing damage to a protected computer.
Man arrested for allegedly shutting down employers' computers
https://twitter.com/todayininfosec/status/1627748857856593931
18th February 2008: 2013: Burger King's Twitter account was compromised, had its name changed to McDonalds, and shared offensive tweets.
Burger King Twitter Account Hacked
https://twitter.com/todayininfosec/status/1627115690577608707
Rant of the Week
Accidental WhatsApp account takeovers? It's a thing
A stranger may be receiving your private WhatsApp messages, and also be able to send messages to all of your contacts – if you have changed your phone number and didn't delete the WhatsApp account linked to it. Your humble vulture heard this bizarre tale of inadvertent WhatsApp account hijacking from a reader, Eric, who told us this happened to his son, Ugo. "This is a massive privacy violation," Eric said. "My son had long-lasting access to that person's private messages as well as group messages, both personal and work related." The security hole stems from wireless carriers' practice of recycling former customers' phone numbers and giving them to new customers. WhatsApp acknowledges that this can happen, but says it's extremely rare.
Billy Big Balls
GoDaddy: Hackers stole source code, installed malware in multi-year breach
Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack. While GoDaddy discovered the security breach following customer reports in early December 2022 that their sites were being used to redirect to random domains, the attackers had access to the company's network for multiple years. The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign.
Industry News
Norway Seizes Millions in North Korean Crypto
FBI "Contains" Cyber-Incident on its Network
GoDaddy Announces Source Code Stolen and Malware Installed in Breach
Ransomware Gang Seeks to Exploit Victims' Insurance Coverage
City Fund Managers Jailed for $8m Fraud
Hydrochasma Group Targets Asian Medical and Shipping Sectors
Phishing Sites and Apps Use ChatGPT as Lure
ICO Calls on Accountants to Improve SME Data Protection
Hackers Use S1deload Stealer to Target Facebook, YouTube Users
Tweet of the Week
https://twitter.com/unusual_whales/status/1628898963087851521?s=20
Come on! Like and bloody well subscribe!
03 Feb 2023 | Episode 138 - The Good Furniture Guide Episode | 00:50:27
This week in InfoSec (11:52)
With content liberated from the “today in infosec” twitter account and further afield
31st January 1995: AT&T and VLSI Protect Against Eavesdropping
AT&T Bell Laboratories and VLSI Technology announce plans to develop strategies for protecting communications devices from eavesdroppers. The goal would be to prevent problems such as insecure cellular phone lines and Internet transmissions by including security chips in devices.
30th January 1982: First Computer Virus Written
Richard Skrenta writes the first PC virus code, which is 400 lines long and disguised as an Apple II boot program called “Elk Cloner”.
Rant of the Week (18:22)
Anker finally comes clean about its Eufy security cameras
First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn’t answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams — among other questions — we would publish a story about the company’s lack of answers. It worked. In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player. But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request. That’s not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it’s bringing in outside security and penetration testing companies to audit Eufy’s practices, is in talks with a “leading and well-known security expert” to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail. Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It’s a little hard to take the company at its word!
Billy Big Balls of the Week (31:34)
FBI says it ‘hacked the hackers’ of a ransomware service, saving victims $130 million
The Department of Justice announced this week that FBI agents successfully disrupted Hive, a notorious ransomware group, and prevented $130 million worth of ransom campaigns that targets no longer need to consider paying. While claiming the Hive group has been responsible for targeting over 1,500 victims in over 80 countries worldwide, the department now reveals it had infiltrated the group’s network for months before working with German and Netherlands officials to shut down Hive servers and websites this week. “Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco remarked during a press conference. The FBI claims that by covertly hacking into Hive servers, it was able to quietly snatch up over 300 decryption keys and pass them back to victims whose data was locked up by the group. US Attorney General Merrick Garland said in his statement that in the last few months, the FBI used those decryption keys to unlock a Texas school district facing a $5 million ransom, a Louisiana hospital that had been asked for $3 million, and an unnamed food services company that faced a $10 million ransom.
Industry News (37:32)
Thriving Dark Web Trade in Fake Security Certifications
Almost all Organizations are Working with Recently Breached Vendors
Google Fi Confirms Data Breach, Hints At Link to T-Mobile Hack
City of London on High Alert After Ransomware Attack
Researchers Warn of Crypto Scam Apps on Apple App Store
Lazarus Group Attack Identified After Operational Security Fail
Women in CyberSecurity Calls for Participants for New Measuring Inclusion Workshops
Arnold Clark Confirms Customer Data Compromised in Breach
Threat Actors Use ClickFunnels to Bypass Security Services
Tweet of the Week (45:41)
https://twitter.com/StateOfLinkedIn/status/1621258534062006276
Come on! Like and bloody well subscribe!
17 Jul 2020 | Episode 15 - Barely Adequate friend | 01:00:54
Tweet of the Week
https://news.sky.com/story/twitter-accounts-of-obama-biden-musk-and-others-hacked-in-apparent-bitcoin-scam-12029394
https://javvadmalik.com/2020/07/16/twittersupport-a-lesson-in-incident-response-comms/
Billy Big Balls
Industry News
Rant of the Week
https://twitter.com/TriciaKicksSaaS/status/1283721814896771072?s=20
Oh, and Carole Baskin as well.
Come on! Like and bloody well subscribe!
27 Nov 2023 | Episode 175 - The Sam Altman Free Episode | 00:35:51
This week in InfoSec (06:40)
23rd November 2011: KrebsonSecurity reported that Apple took over 3 years to fix the iTunes software update process vulnerability which the FinFisher remote spying Trojan exploited. Evilgrade toolkit author Francisco Amato had reported it to Apple in 2008.
Apple Took 3+ Years to Fix FinFisher Trojan Hole
https://twitter.com/todayininfosec/status/1727687798017106025
12th November 2009: John Matherly announced the public beta launch of Shodan (@shodanhq) - the first search engine for internet-connected devices.
https://twitter.com/todayininfosec/status/1727462790330232951
Rant of the Week (10:51)
Former infosec COO pleads guilty to attacking hospitals to drum up business
An Atlanta tech company's former COO has pleaded guilty to a 2018 incident in which he deliberately launched online attacks on two hospitals, later citing the incidents in sales pitches. Under a plea deal he signed last week, Vikas Singla, a former business leader at network security vendor Securolytics – a provider to healthcare institutions, among others – admitted that in September 2018 he rendered the Ascom phone system of Gwinnett Medical Center inoperable. Gwinnett Medical Center operates hospitals in Duluth and Lawrenceville and the deliberate disablement of the Ascom phone system meant the main communication line between doctors and nurses was unavailable to them. More than 200 phones were taken offline, which were used for internal communications, including "code blue" incidents that often relate to cardiac or respiratory emergencies.
Billy Big Balls of the Week (18:52)
UK's cookie crumble: Data watchdog serves up tougher recipe for consent banners
The UK's Information Commissioner's Office (ICO) is getting tough on website design, insisting that opting out of cookies must be as simple as opting in. At question are advertising cookies, where users should be able to "Accept All" advertising cookies or reject them. Users will still see adverts regardless of their selection, but rejecting advertising cookies means ads must not be tailored to the person browsing. However, the ICO noted that: "Some websites do not give users fair choices over whether or not to be tracked for personalized advertising." This is despite guidance issued in August regarding harmful designs that can trick users into giving up more personal information than intended. A few months on, the ICO has upped the ante. It has now given 30 days' notice to companies running many of the UK's most visited sites that they must comply with data protection regulations or face enforcement action.
Industry News (26:16)
Cybersecurity Executive Pleads Guilty to Hacking Hospitals
Regulator Issues Privacy Ultimatum to UK’s Top Websites
Microsoft Launches Defender Bug Bounty Program
Why Ensuring Supply Chain Security in the Space Sector is Critical
British Library: Ransomware Attack Led to Data Breach
North Korea Blamed For CyberLink Supply Chain Attacks
US Seizes $9m From Pig Butchering Scammers
North Korean Software Supply Chain Threat is Booming, UK and South Korea Warn
InfectedSlurs Botnet Resurrects Mirai With Zero-Days
Tweet of the Week (32:28)
https://twitter.com/MichaelaOkla/status/1721715089970274542
Come on! Like and bloody well subscribe!
09 Dec 2022 | Episode 132 - The Dan Cuthbert Keynote Episode | 00:52:06
This week in InfoSec (11:40)
With content liberated from the “today in infosec” twitter account and further afield
7th December 1999: RIAA Sues Napster
The Recording Industry Association of America sues the peer-to-peer file sharing service Napster alleging copyright infringement for allowing users to download copyrighted music for free. The RIAA would eventually win injunctions against Napster forcing the service to suspend operations and eventually file bankruptcy. In the end the RIAA and its members would settle with Napster’s financial backers for hundreds of millions of dollars. While the case was ostensibly about copyright violations, the bigger picture for the RIAA was also about control. The recording industry in general was caught with its pants down when it came to digital music and the Internet. They were not prepared for the sudden popularity of digital music downloads that Napster introduced and were not ready with a model to monetise downloaded music. This lawsuit, along with future lawsuits targeting individuals, was intended to squash the practice of downloading music as much as it was to recover compensation. However, the practice of downloading music could not be stopped as other non-centralised peer-to-peer file sharing services popped up in place of Napster.
4th December 2001: Goner Worm Hits the Internet
Disguised as a screen saver and spread through an infected user’s Microsoft Outlook e-mail software, the Goner worm spreads through the Internet at a pace second only to the Love Bug virus the previous year. Goner was estimated to cause about $80 million dollars in damage.
Rant of the Week (20:41)
Egad, did Apple do something right? End-to-end encryption for (most) iCloud services
Apple says it will provide end-to-end encryption for most iCloud services, having abandoned its previously announced – and then quietly shelved – plan to check the legality of on-device photos prior to cloud synchronisation. Cupertino announced three security enhancements on Wednesday, one of which it calls Advanced Data Protection. "Advanced Data Protection is Apple's highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices," explained Ivan Krstić, Apple’s head of security engineering and architecture, in a canned statement. Apple already offers end-to-end (E2E) encryption by default for 14 iCloud services, including passwords in iCloud Keychain and Health data. But the iBiz has not made E2E encryption broadly available for iCloud, preferring instead to retain access to a significant amount of the customer data on company servers. That has suited law enforcement authorities, who continue to worry aloud about being left in the dark by encryption.
Billy Big Balls of the Week (31:57)
Brief update on last week's story: San Francisco terminates explosive killer cop bots
San Francisco legislators this week changed course on their killer robot policy, banning the police from using remote-control bots fitted with explosives. For now. On Tuesday, the city's Board of Supervisors voted unanimously to explicitly prohibit lethal force by police robots following a public backlash and worldwide media attention. Under a previously approved policy, SF police robots under human control could have used explosives to kill suspects. The droids were not allowed to use guns.
States label TikTok 'a malicious and menacing threat'
Two more US states have launched aggressive action against made-in-China social media app TikTok. Texas on Wednesday banned the app from government devices, with governor Greg Abbott ordering [PDF] the ban "to protect sensitive information and critical infrastructure from TikTok." "TikTok harvests vast amounts of data from its users' devices – including when, where, and how they conduct internet activity – and offers this trove of potentially sensitive information to the Chinese government," Abbott wrote. Which is tame compared to the actions and language used by Indiana's attorney-general, who has decided to sue the Chinese social media platform – twice! TikTok's Chinese analog, Douyin, contains many more safeguards – including required youth modes, real name authentications, bans on minors viewing live broadcasts, prevention of salacious material and restrictions on how long and when minors can access the app. Chinese users under the age of 14 are limited to 40 minutes of daily use, between 0600 and 2200. Users in the US have no limit and spend an average of 99 minutes per day on TikTok, according to the office of the AG. "In short, TikTok poses known risks to young teens that TikTok's parent company itself finds inappropriate for Chinese users who are the same age," argues the complaint.
Industry News (38:41)
Gen Z Internet Users "Normalize" Cybercrime - Report
Swiss Government Wants to Implement Mandatory Duty to Report Cyber-Attacks
Supply Chain Web Skimming Attacks Hit Dozens of Sites
Russia's VTB Bank Suffers its Biggest Ever DDoS
ICO Fines Rogue Nuisance Callers £500,000
UK Government Department Using Unsupported Applications, Reveals Watchdog
NZ Privacy Commissioner Investigates Mercury IT Ransomware Attack
Pet Dog Unmasks Drug Trafficker on Encrypted Chat
Apple Introduces New Data Protections to Increase Cloud Security
Tweet of the Week (46:07)
https://twitter.com/_noid_/status/1600135215225053184
https://twitter.com/jomc/status/1600637738352627713
Come on! Like and bloody well subscribe!
28 May 2021 | Episode 57 - The Deleted Show Notes Episode | 00:59:13
This Week in InfoSec
20th May 1993: Neil Woods (24) and Karl Strickland (22) became the first people imprisoned under the UK's 1990 Computer Misuse Act.
https://twitter.com/todayininfosec/status/1395711166580731908
22nd May 1991: Michael John Lauffenburger's logic bomb was set to detonate on a system at General Dynamics. He'd implemented it 2 months prior. Lauffenburger later pleaded guilty to a misdemeanor charge of computer tampering.
https://twitter.com/todayininfosec/status/1396858379285549059
Rant of the Week
Citizen is an app where users report "incidents" in their neighborhoods and, based on those reports and police scanner transcriptions, the app sends "real-time safety alerts" to users about crime and other incidents happening near where a user is located. It is essentially a mapping app that allows users to both report and learn about crime (or what users of the app perceive to be crime) in their neighborhood.
CITIZEN CEO OFFERED TO PERSONALLY FUND LA ARSON MANHUNT — FOR THE WRONG PERSON
More on Citizen Shithousery:
Leaked Emails Show Crime App Citizen Is Testing On-Demand Security Force
Citizen data scraped and dumped on dark web
Billy Big Balls of the Week
Nigerian cyber criminals target Texas unemployment system
Cyber criminals use Gmail feature to register the same email address multiple times
Industry News
Telemarketing Fraudster Jailed for 10 Years
Ransomware Gang Gifts Decryption Tool to HSE
Air India: Supplier Breach Hit 4.5 Million Passengers
Amex Fined After Sending Over Four Million Spam Emails
FBI Employee Indicted Over Illegal Document Removal
Europe’s Top Human Rights Court Rules UK Mass Surveillance Illegal
Influencers Offered Money to Vilify Vaccine
Chinese Phishing Attack Targets High-Profile Uyghurs
Tweet of the Week
Students Stuff the Context Box
https://twitter.com/todayininfosec/status/1395843517189132300
Come on! Like and bloody well subscribe!
10 Feb 2023 | Episode 139 - No Burt Bacharach Wrote The Tunes | 00:46:07
This week in InfoSec (09:53)
With content liberated from the “today in infosec” twitter account and further afield
10th February 199 Deep Blue Defeats Kasparov
In the first game of a six game match, IBM's Deep Blue chess computer defeated world champion Garry Kasparov. No computer had ever won a game against a world champion in chess. Kasparov would eventually win the series 4-2, but would lose to Deep Blue in a re-match a year later.
Dennis Michael Moran (aka Coolio) performed a smurf attack against Yahoo's routers, causing its websites to be inaccessible for hours. Conversations on an IRC channel led to him being identified and convicted for a series of DDoS and website defacement crimes.
Rant of the Week (16:34)
Want to delete your Twitter DMs? Good luck with that
People make requests to delete their private messages, but Twitter ignores them. Twitter’s direct messages have always been a security liability. The DMs you send to friends and Internet strangers aren’t end-to-end encrypted, making your conversations potentially accessible if Twitter suffers a data breach, or to company staffers with the right permissions to access them. Both scenarios are arguably more likely in Elon Musk’s version of Twitter, where key security and data protection staff have departed. Since Musk acquired Twitter and started laying off thousands of employees at the start of November, remodelling the firm in his vision, multiple waves of tweeters have abandoned the platform. When they do, they often try to download their Twitter archive and delete DMs. In the chaos, the process has often been glitchy. However, in Europe, people have turned to the continent’s GDPR data laws, which give people rights over how their information is collected, stored, and used. This includes the right to have data deleted. However, Twitter’s response to these requests, which have been seen by Wired, appears to show the platform ignoring detailed asks to delete DMs and just pointing people to generic guidance that doesn’t explain whether Twitter deletes your DMs from its servers. And now Europe’s data regulators are getting involved.
ADDITIONAL RANT: Twitter redefines what makes a tweet with supersized 4,000-character limit
Following up after launching Twitter Blue in three more countries this morning, the platform has made a big change to tweets this afternoon. The new max for Twitter Blue subscribers in the US has been supersized all the way up to 4,000 characters. Twitter announced the launch of the new character max through both its main account and Twitter Blue profile. The latter shared this: “need more than 280 characters to express yourself? we know that lots of you do… and while we love a good thread, sometimes you just want to Tweet everything all at once. we get that. so we’re introducing longer Tweets! you’re gonna want to check this out. tap this ”
Who can write 4,000-character tweets? While access to writing 4,000 character tweets is limited to Twitter Blue subscribers in the US at launch, anyone can read them. Fortunately, the 280-character limit will still apply when viewing tweets in your timeline; you’ll have to tap a show more link on ones that make use of the new long-form option to read the whole tweet.
Billy Big Balls of the Week (27:32)
In Paris demo, Google scrambles to counter ChatGPT but ends up embarrassing itself
On Wednesday, Google held a highly anticipated press conference from Paris that did not deliver the decisive move against ChatGPT and the Microsoft-OpenAI partnership that many pundits expected. Instead, Google ran through a collection of previously announced technologies in a low-key presentation that included losing a demonstration phone. The demo, which included references to many products that are still unavailable, occurred just hours after someone noticed that Google's advertisement for its newly announced Bard large language model contained an error about the James Webb Space Telescope. After Reuters reported the error, Forbes noticed that Google's stock price declined nearly 7 percent, taking about $100 billion in value with it.
Alphabet shares dive after Google AI chatbot Bard flubs answer in ad
LONDON, Feb 8 (Reuters) - Alphabet Inc (GOOGL.O) lost $100 billion in market value on Wednesday after its new chatbot shared inaccurate information in a promotional video and a company event failed to dazzle, feeding worries that the Google parent is losing ground to rival Microsoft Corp (MSFT.O). Alphabet shares slid as much as 9% during regular trading with volumes nearly three times the 50-day moving average. They pared losses after hours and were roughly flat. The stock had lost 40% of its value last year but rallied 15% since the beginning of this year, excluding Wednesday's losses.
Industry News (34:20)
Stalkerware Developer Hit with $400K Fine
Drugs Labs Busted After Encrypted Chat App Takedown
UK Metal Engineering Firm Vesuvius Hit by Cyber-Attack
Cyber Insurance, A Must-Have for Small Businesses
Regulator Halts AI Chatbot Over GDPR Concerns
UK Politician's Email Hacked by Suspected Russian Threat Actors
New Info-Stealer Discovered as Russia Prepares Fresh Offensive
Trio Arrested in COVID PPE Fraud Probe
US and UK Sanction Seven Russian Cyber-Criminals
Tweet of the Week (41:08)
https://twitter.com/CarlZha/status/1623867611674202112
Come on! Like and bloody well subscribe!
08 Oct 2021 | Episode 76 - Our Best Episode Ever | 00:49:32
This Week in InfoSec (08:01)
With content liberated from the “today in infosec” Twitter account
8th September 2009: FBI director Robert Mueller disclosed that his wife banned him from banking online after he nearly fell for an email phishing scam.
Wife bans FBI head from online banking
https://twitter.com/todayininfosec/status/1314002293226905600
3rd October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress one person in the IT department was at fault.
Equifax Breach Caused by Lone Employee’s Error, Former C.E.O. Says
How the Equifax hack happened, and what still needs to be done
https://twitter.com/todayininfosec/status/1312589059559170050
Rant of the Week (16:35)
IKEA: Cameras were hidden in the ceiling above warehouse toilets for 'health and safety'
IKEA has removed hidden security cameras from its warehouse in Peterborough, England, after an employee spotted one in the ceiling void while using the toilet.
As Seen on TikTok (24:59)
Facebook rendered spineless by buggy audit code that missed catastrophic network config error
Facebook has admitted buggy auditing code was at the core of Tuesday’s six-hour outage – and revealed a little more about its infrastructure to explain how it vanished from the internet.
As described by rey.nbows on TikTok
Industry News (34:18)
Facebook Whistleblower to Testify Before Senate
Pandora Spills Secrets of Super Rich
DeepMind Technologies Sued Over Data Sharing
Facebook Blames Global Outage on Configuration Error
Text Message Giant Reveals Five-Year Breach
Squid Game Scenes Cut Over Data Exposure
NCSC: Revoke Admin Access for BYOD Users Immediately
Infosec Experts: Twitch Breach “As Bad as it Gets”
US Creates National Cryptocurrency Enforcement Team
Tweet of the Week (42:42)
https://twitter.com/cybersecstu/status/1446104732578328583
https://twitter.com/SmashinSecurity/status/1445520598017314826
The Box © Charlie Langford
Come on! Like and bloody well subscribe!
04 Jun 2021 | Episode 58 - Ha Ha Ha | 00:59:58
This week in Infosec
Liberated from the “today in infosec” Twitter account
1st June 1864: The first record of electronic spam was broadly revealed. A recipient was so infuriated by the dentist's poppycock that he composed a letter to the editor of The Times about the telegram, begging the newspaper to kindly demand a stop to the nonsense.
https://twitter.com/todayininfosec/status/1399864377415712773
28th May 2014: The TrueCrypt website unexpectedly announced that the development of TrueCrypt had ended and that the tool wasn't secure.
The Fall of TrueCrypt and Rise of VeraCrypt
https://twitter.com/todayininfosec/status/1266260968004136962
Rant of the Week
Deadline draws near to avoid auto-joining Amazon's mesh network Sidewalk
Owners of Amazon Echo assistants and Ring doorbells have until June 8 to avoid automatically opting into Sidewalk, the internet giant's mesh network that taps into people's broadband and may prove to be a privacy nightmare. 'A stalker can abuse it to stalk people better. There are no mitigations mentioned'
Sidewalk privacy and security whitepaper by Amazon
Billy Big Balls of the Week
Antivirus that mines Ethereum sounds a bit wrong, right? Norton has started selling it
NortonLifeLock, the company that offers the consumer products Broadcom didn’t want when it bought Symantec, has started to offer Ethereum mining as a feature of its Norton 360 security suite.
Industry News
NCSC: Act Now to Protect Streaming Accounts
Interpol Seizes $83 Million Headed for Online Scammers
Meat Processing Giant JBS Pulls IT Plug After Cyber-Attack
Scripps Notifying 147K People of Data Breach
Teen Crashes Florida School District’s Network
Sextortion Lands Inmate in Federal Prison
Battle for the Galaxy: 6 Million Gamers Hit by Data Leak
Ransomware Disrupts Largest Ferry Service in Massachusetts
Mandiant to Re-Emerge After $1.2 Billion FireEye Sale
Tweet of the Week
https://twitter.com/Cyber_Cox/status/1400082437095387137
https://twitter.com/ryanaraine/status/1399724475092983812?s=20
(Edited 00:18 7th June 2020 to seed Apple Podcast update.)
Come on! Like and bloody well subscribe!
29 Jul 2022 | Episode 114 - BACK OFF THE MIC JAV! | 00:47:30
This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield
25th July 2007: The US Ninth Circuit Court of Appeals ruled that IP addresses and to/from email fields can be monitored without probable cause.
Appeals Court Rules No Privacy Interest in IP Addresses, Email To/From Fields
https://twitter.com/todayininfosec/status/1154791990397042688
29th July 2009: The first Security BSides conference was held in Las Vegas in a 3,767 square foot house.
http://www.securitybsides.com/w/page/50746315/BSidesHistory
https://twitter.com/todayininfosec/status/1156078833277128704
Rant of the Week
Hackers scan for vulnerabilities within 15 minutes of disclosure
System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. According to Palo Alto's 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution. However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited. "The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," reads a companion blog post. Since scanning isn't particularly demanding, even low-skilled attackers can scan the internet for vulnerable endpoints and sell their findings on dark web markets where more capable hackers know how to exploit them. Then, within hours, the first active exploitation attempts are observed, often hitting systems that never had the chance to patch.
Billy Big Balls of the Week New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo A new phishing as a service (PhaaS) platform named 'Robin Banks' has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services. The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander. Additionally, Robin Banks offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts. According to a report by IronNet, whose analysts discovered the new phishing platform, Robin Banks is already being deployed in large-scale campaigns that started in mid-June, targeting victims via SMS and email.
LockBit 3.0 introduces the first ransomware bug bounty program With the release of LockBit 3.0, the operation has introduced the first bug bounty program offered by a ransomware gang, asking security researchers to submit bug reports in return for rewards ranging between $1,000 and $1 million. "We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million," reads the LockBit 3.0 bug bounty page. However, this bug bounty program is a bit different than those commonly used by legitimate companies, as helping the criminal enterprise would be illegal in many countries. Furthermore, LockBit is not only offering bounties for rewards on vulnerabilities but is also paying bounties for "brilliant ideas" on improving the ransomware operation and for doxxing the affiliate program manager. The following are the various bug bounty categories offered by the LockBit 3.0 operation: Web Site Bugs: XSS vulnerabilities, mysql injections, getting a shell to the site and more, will be paid depending on the severity of the bug, the main direction is to get a decryptor through bugs web site, as well as access to the history of correspondence with encrypted companies. Locker Bugs: Any errors during encryption by lockers that lead to corrupted files or to the possibility of decrypting files without getting a decryptor. Brilliant ideas: We pay for ideas, please write us how to improve our site and our software, the best ideas will be paid. What is so interesting about our competitors that we don't have? Doxing: We pay exactly one million dollars, no more and no less, for doxing the affiliate program boss. Whether you're an FBI agent or a very clever hacker who knows how to find anyone, you can write us a TOX messenger, give us your boss's name, and get $1 million in bitcoin or monero for it. 
TOX messenger: Vulnerabilities of TOX messenger that allow you to intercept correspondence, run malware, determine the IP address of the interlocutor and other interesting vulnerabilities. Tor network: Any vulnerabilities which help to get the IP address of the server where the site is installed on the onion domain, as well as getting root access to our servers, followed by a database dump and onion domains. The $1,000,000 reward for identifying the affiliate manager, known as LockBitSupp, was previously offered on the XSS hacking forum in April.
Industry News No More Ransom Has Helped Over 1.5m Victims US Doubles Reward for Info on North Korean Hackers Criminals Use Malware as Messaging Bots to Steal Data Cyber-Criminal Offers 5.4m Twitter Users’ Data European Police Arrest 100 Suspects in BEC Crackdown Social Media Accounts Hijacked to Post Indecent Images Hackers Change Tactics for New Post-Macro Era Ransomware Group Demands £500,000 From School Spanish Police Arrest Alleged Radioactive Monitoring Hackers Tweet of the Week https://twitter.com/danielmakelley/status/1550884696355225601 Come on! Like and bloody well subscribe! | |||
22 Jul 2022 | Episode 113 - Did you hear That? | 00:52:57 | |
This week in InfoSec (10:25) With content liberated from the “today in infosec” twitter account and further afield 17th July 1997: Major Disruption in Sending Most E-Mail Messages. A programming error temporarily threw the Internet into disarray in a preview of the difficulties that inevitably accompany a world dependent on e-mail, the World Wide Web, and other electronic communications. At 2:30 a.m. Eastern Daylight Time, a computer operator in Virginia ignored alarms on the computer that updated Internet address information, leading to problems at several other computers with similar responsibilities. The corruption meant most Internet addresses could not be accessed, resulting in millions of unsent e-mail messages. 15th July 1999: DilDog of Cult of the Dead Cow confirmed official Back Orifice 2000 CD-ROMs distributed during DEF CON 4 days prior were infected with the destructive CIH virus. Initially, cDc blamed pirated copies as the source, later discovering a duplicating machine had been infected. https://twitter.com/todayininfosec/status/1283523195371282434 19th July 1985: Chase Manhattan Bank discovered a message in one of its computer systems from Lord Flathead. The message said that unless he was given free use of the computer, he would destroy records in the system. Lord Flathead? He founded Myspace 18 years later! https://www.nytimes.com/1985/10/19/business/chase-computer-raided-by-youths-officials.html https://twitter.com/todayininfosec/status/1153507276629504006
Rant of the Week (16:28) (CNN) The US Secret Service produced an "initial set of documents" to the House select committee investigating the January 6, 2021, insurrection on Tuesday, in response to a subpoena last week that was issued amid reports of potentially missing text messages from the day of the insurrection. However, Tuesday's document production didn't include any of the potentially missing texts from January 5 and 6, 2021, a Secret Service official told CNN. That's because the agency still has not been able to recover any records that were lost during a phone migration around that time, the official said. “The USSS didn’t just delete texts after knowing they were evidence in a federal probe; it didn’t just lie about why/how the texts were deleted; the texts were so *professionally* deleted they can’t be recovered.” https://twitter.com/SethAbramson/status/1549488007614529538
Billy Big Balls of the Week (24:07) Glassdoor ordered to reveal identity of negative reviewers to New Zealand toymaker A California court has ordered employer-rating site Glassdoor to hand over the identities of users who claimed they had negative experiences working for New Zealand toy giant Zuru. In a decision that could prompt unease for online platforms that rely on anonymity to attract candid reviews, Glassdoor was ordered to provide the information so Zuru could undertake defamation proceedings against the reviewers in New Zealand.
Industry News (33:26) TikTok Engaging in Excessive Data Collection CISA Set to Open London Office New MacOS Backdoor Communicates Via Public Cloud DOJ Recovers $500K Paid to North Korean Ransomware Actors Legal Experts Concerned Over New UK Digital Reform Bill Romanian Man Accused of Distributing Gozi Virus Extradited to US Unpatched Flaws in Popular GPS Devices Allow Adversaries to Disrupt and Track Vehicles UK Regulator Issues Record Fines as Financial Crime Surges Magecart Supply Chain Attacks Hit Hundreds of Restaurants
Tweet of the Week (45:58) https://twitter.com/hela_luc/status/1549326122067890177 Come on! Like and bloody well subscribe! | |||
08 Sep 2023 | Episode 166 - The Potato Quality Episode | 00:48:13 | |
This week in InfoSec (11:51) With content liberated from the “today in infosec” twitter account and further afield 6th September 1987: Thomas Haynie was accused of intentionally jamming Playboy's satellite network with a text-only message. Haynie was an uplink engineer at the Christian Broadcasting Network and was on duty at the time of the jamming. He received 3 years of probation. CBN engineer denies pre-empting soft-porn movies https://twitter.com/todayininfosec/status/1302620593322438656
Rant of the Week (20:12) If you like to play along with the illusion of privacy, smart devices are a dumb idea Depressingly predictable research from Which? serves as another reminder, if one was needed, that furnishing your home with internet-connected "smart" devices could be a dumb idea if you'd rather try to preserve your privacy. The consumer rights organization's analysis of a number of IoT products – from speakers and security cameras to TVs and washing machines – found that they all demand customer data above and beyond what is needed for the product to perform its function, and then distribute that information to a horde of faceless corporations. Consumer campaign group Which? pointed out that this means consumers are not only in many cases paying thousands for the product itself, with all its "smart" connected bells and whistles, but continue to pay in the form of their personal data. The outfit broke down what information is required to set up an account with the product manufacturers, what permissions the associated apps request, and what customer activity companies are tapping into. Spoiler alert: it's all for ads and marketing. Disturbingly, every single brand examined required both exact and approximate location data – as though your fancy washing machine needed to "know" where it is to clean your clothes.
Billy Big Balls of the Week (28:52) Guy who ran Bitcoins4Less tells Feds he had less than zero laundering protections A California man has admitted he failed to bake anti-money laundering protections into his cryptocurrency exchange, thus allowing scammers and drug traffickers to launder millions of dollars through the service. Charles James Randol, 33, who is now due to be sentenced, faces a maximum of five years in federal prison and three years supervised release, plus a fine of up to $250,000 or twice the total illicit proceeds from the scams, whichever amount is greater. Randol provided cryptocurrency exchange services in various ways, including via the post, ATMs, and occasionally in person, prosecutors told a Los Angeles federal court on Tuesday. The Santa Monica man would handle crypto-cash transactions exceeding $10,000 without knowing who his customers were – folks known only as "Puppet Shariff," "White Jetta," "Aaavvv," "Aaaa," and "Yogurt Monster," for example – which is hardly in line with regulatory requirements. To stay on the right side of American law, Randol should have verified and recorded their identities. In his plea agreement, the cryptocurrency dealer admitted to three in-person transactions between October 2020 to January 2021 in which he gave an undercover FBI agent a total of $273,940 in cash for Bitcoin, and kept a four percent commission fee. Randol "did not request a name, proof of identity, social security number, or any other information about [the undercover agent] or the source of the funds being exchanged," the plea agreement says. [Good comment]: Working for an American financial institution, we must go through mandatory AML (anti money laundering) training each year, and the consequences for the firm if an audit finds a violation tend to be in the high 6-digit payouts. 
With that in mind, a kid operating a blatantly open money laundering gig takes a proportionally much smaller punishment (assuming white-glove inmates usually manage to leave the can way before their time is served).
Industry News (36:14) UK Electoral Commission Fails Cybersecurity Test Amid Data Breach Crypto Casino Stake.com Back Online After $40m Heist UK Government Backs Down on Anti-Encryption Stance Hundreds of Scam Pages Uncovered in Major Investment Fraud Campaign Think Tank Urges Labour to Promote “Securonomics” Agenda Chinese Hacker Steals Microsoft Signing Key, Spies on US Government IBM Reports Patient Data Breach at Johnson & Johnson Subsidiary UK and US Sanction 11 Russians Tied to Conti/TrickBot Ransomware Zero-Day Flaw Exposes Atlas VPN User IPs
Tweet of the Week (44:39) https://twitter.com/KimZetter/status/1699546860187472034 Come on! Like and bloody well subscribe! | |||
07 May 2022 | Episode 102 - End of an Era | 00:44:08 | |
This Week in Infosec (09:52) With content liberated from the “today in infosec” Twitter account and further afield [None]
Rant of the Week (10:59) https://twitter.com/johnjhacking/status/1520877711094394884?s=21&t=nryrC32Sfqnyb1x0_0K2YA Full story: https://twitter.com/johnjhacking/status/1521629688120156160?s=21&t=nryrC32Sfqnyb1x0_0K2YA
Billy Big balls of the Week (19:45) The Indian government has issued new directives requiring organizations to report cybersecurity incidents to CERT-IN within six hours, even if those incidents are port or vulnerability scans of computer systems. This requirement was promoted by India's Computer Emergency Response Team (CERT-In), who states it has identified specific gaps causing difficulties in security incident analysis and response, and to address them, it needs to impose more aggressive measures.
Industry News (27:49) HHS Information Security Program 'Not Effective' SIM Fraud Solution Sparks Privacy Fears Groundbreaking Cybersecurity Book Published GitHub to Enforce Two-Factor Authentication Hunter Biden Laptop Repairman Sues Over Hacker Allegations NHS Inboxes Hijacked to Send 1000+ Malicious Emails Microsoft, Apple and Google Team Up on Passwordless Standard Ukrainians DDoS Russian Vodka Supply Chains Special Police Constable Used Encrypted Chat to Post Child Abuse Content
Tweet of the Week (39:24) https://twitter.com/joehelle/status/1521241363785953280?s=21&t=nryrC32Sfqnyb1x0_0K2YA https://twitter.com/soychotic/status/1520126831478951936?s=20&t=hpsXh46fM3YmrHtbI3mkuw Come on! Like and bloody well subscribe! | |||
08 Dec 2023 | Episode 177 - The Are We Doing This Episode | 00:39:57 | |
This week in InfoSec (07:51) With content liberated from the “today in infosec” twitter account and further afield 5th December 2011: Fyodor reported that CNET's http://Download.com had been wrapping its Nmap downloads in a trojan installer...in order to monetize spyware and adware. CNET quickly stopped, then resumed within days, it affected other downloads, and was a debacle. Download.com Caught Adding Malware to Nmap & Other Software https://twitter.com/todayininfosec/status/1732073893912047860 4th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. Today? Billions of compromised records from hundreds of breaches. Search your email addresses for free. https://twitter.com/todayininfosec/status/1731673318560801228
Rant of the Week (13:29) It's ba-ack... UK watchdog publishes age verification proposals The UK's communications regulator has laid out guidance on how online services might perform age checks as part of the Online Safety Act. The range of proposals from Ofcom are likely to send privacy activists running for the hills. These include credit card checks, facial age estimation, and photo ID matching. The checks are all in the name of protecting children from the grot that festoons large swathes of the world wide web. However, service providers will likely be stuck between a rock and a hard place in implementing the guidance without also falling foul of privacy regulations. For example, Ofcom notes the following age checks as potentially "highly effective":
It doesn't take a genius to imagine how a determined teenager might circumvent many of these restrictions, nor the potential privacy nightmare inherent in many of them if an adult is forced to share this level of info when accessing age-restricted sites.
Billy Big Balls of the Week (23:12) WhatsApp's New Secret Code Feature Lets Users Protect Private Chats with Password Meta-owned WhatsApp has launched a new Secret Code feature to help users protect sensitive conversations with a custom password on the messaging platform. The feature has been described as an "additional way to protect those chats and make them harder to find if someone has access to your phone or you share a phone with someone else." Secret Code builds on another feature called Chat Lock that WhatsApp announced in May, which moves chats to a separate folder of their own such that they can be accessed only upon providing their device password or biometrics. By setting a unique password for these locked chats that are different from the password used to unlock the phone, the aim is to give users an additional layer of privacy, WhatsApp noted. "You'll have the option to hide the Locked Chats folder from your chatlist so that they can only be discovered by typing your secret code in the search bar," it added. The development comes weeks after WhatsApp introduced a "Protect IP Address in Calls" feature that masks users' IP addresses to other parties by relaying the calls through its servers.
Industry News Sellafield Accused of Covering Up Major Cyber Breaches Porn Age Checks Threaten Security and Privacy, Report Warns US Federal Agencies Miss Deadline for Incident Response Requirements Disney+ Cyber Scheme Exposes New Impersonation Attack Tactics Police Arrest 1000 Suspected Money Mules Deutsche Wohnen Ruling Set to Drive Up GDPR Fines Cambridge Hospitals Admit Two Excel-Based Data Breaches Governments Spying on Apple and Google Users, Says Senator Liability Fears Damaging CISO Role, Says Former Uber CISO
Tweet of the Week https://twitter.com/MalwareJake/status/1732463774949310547 Come on! Like and bloody well subscribe! | |||
18 Sep 2020 | Episode 24 - Andy Has a Broken Microphone | 00:57:28 | |
It's definitely episode 24 and don't let anyone tell you otherwise. This week in Infosec 17th Sept 2003: Court documents were unsealed which showed that Melissa virus author David Smith began working with the FBI within weeks of his 1999 arrest http://web.archive.org/web/20030922234951/http://ap.tbo.com/ap/breaking/MGA2Q265QKD.html 18th Sept 2014: Apple announced that the iOS 8 operating system (used on iPhone and iPad) would encrypt data by default for the first time. A day later Google made a similar announcement pertaining to Android. Tweet of the Week This week's Tweet of the Week is from the second best Infosec Podcast after we discovered they crowdsource their content (which is why it’s probably better than ours): https://twitter.com/SmashinSecurity/status/1305801947149225986?s=20 Billy Big Balls of the Week Best security blog post you'll ever read - better than 90% of blackhat / defcon talks “When you browse Instagram and find former Australian Prime Minister Tony Abbott's passport number” Industry News Zero Trust Adoption Increases During Lockdown #GartnerSEC: Professionals Survived #COVID19 as Businesses Relied on Security #GartnerSEC: Top Projects for 2020 Include Authentication, Risk Management and Cloud #GartnerSEC: Five Steps to Ensuring Board Engagement #GartnerSEC: #COVID19 Created New Roles, More Data Collection and Flexible Businesses #GartnerSEC: Rewrite Recruitment Strategies to Fit New Roles and Career Paths Outbound Email Errors Cause 93% Increase in Breaches #GartnerSEC: Top Trends for Risk and Security Include Cloud, Automation and Privacy #GartnerSEC: How Midsized Enterprises Can Recover from Ransomware DDoS Attacks Hit 1 Tbps in 2020 Universities Face Increase in Ransomware Attacks as Students Return Rant of the Week First rule of twitter - rather than just praise someone and applaud them for good work... make it all about you
Novi Sad, Serbian Gangster (not for the faint of heart... unpleasantness abounds) https://newsbeezer.com/serbiaeng/the-novi-sad-attacker-is-the-director-of-the-company-that-founded-the-maxbet-bookmakers/ Come on! Like and bloody well subscribe! | |||
29 Jan 2023 | Episode 137 - The Beep Beep Boop Boop Episode | 00:48:44 | |
This week in InfoSec (10:35) With content liberated from the “today in infosec” twitter account and further afield 16th January 1983: Lotus 1-2-3 Goes on Sale The Lotus Development Corporation releases Lotus 1-2-3 for IBM computers. While not the first spreadsheet program, Lotus was able to develop 1-2-3 because the creators of VisiCalc, the first spreadsheet, did not patent their software. 1-2-3 outsold VisiCalc by the end of the year and 2 years later Lotus bought out the assets of VisiCalc and hired its main creator as a consultant. 25th January 1979: Robot Kills Auto Worker Robert Williams of Michigan was the first human to be killed by a robot. He was 25 years old. The accident at the Ford Motor Company resulted in a $10 million dollar lawsuit. The jury deliberated for two-and-a-half hours before announcing the decision against Unit Handling Systems, a division of Litton Industries. It ordered the manufacturer of the one-ton robot that killed Williams to pay his family $10 million. The robot was designed to retrieve parts from storage, but its work was deemed too slow. Williams was retrieving a part from a storage bin when the robot's arm hit him in the head, killing him instantly. In the suit, the family claimed the robot had no safety mechanisms, lacking even a warning noise to alert workers that it was nearby. 21st January 1981: It Could Go at Least 88 MPH Production of the iconic DeLorean DMC-12 sports car begins in Dunmurry, Northern Ireland. While not truly a technological achievement, the DeLorean became known as a symbol of the high-tech 1980s. Daves - https://twitter.com/HackingDave/status/1458576672341516290?s=20&t=SfemFgw0mfQ_eeuljrj6EA
Rant of the Week (18:35) MSG probed over use of facial recognition to eject lawyers from show venues The operator of Madison Square Garden and Radio City Music Hall is being probed by New York's attorney general over the company's use of facial recognition technology to identify and exclude lawyers from events. AG Letitia James' office said the policy may violate civil rights laws. Because of the policy, lawyers who work for firms involved in litigation against MSG Entertainment Corp. can be denied entry to shows or sporting events, even when they have no direct involvement in any lawsuits against MSG. A lawyer who is subject to MSG's policy may buy a ticket to an event but be unable to get in because the MSG venues use facial recognition to identify them. In December, attorney Kelly Conlon was denied entry into Radio City Music Hall in New York when she accompanied her daughter's Girl Scout troop to a Rockettes show. Conlon wasn't personally involved in any lawsuits against MSG but is a lawyer for a firm that "has been involved in personal injury litigation against a restaurant venue now under the umbrella of MSG Entertainment," NBC New York reported. James' office sent a letter Tuesday to MSG Entertainment, noting reports that it "used facial recognition software to forbid all lawyers in all law firms representing clients engaged in any litigation against the Company from entering the Company's venues in New York, including the use of any season tickets." "We write to raise concerns that the Policy may violate the New York Civil Rights Law and other city, state, and federal laws prohibiting discrimination and retaliation for engaging in protected activity," Assistant AG Kyle Rapiñan of the Civil Rights Bureau wrote in the letter. 
"Such practices certainly run counter to the spirit and purpose of such laws, and laws promoting equal access to the courts: forbidding entry to lawyers representing clients who have engaged in litigation against the Company may dissuade such lawyers from taking on legitimate cases, including sexual harassment or employment discrimination claims." The AG's office also said it is concerned that "facial recognition software may be plagued with biases and false positives against people of color and women." The letter asked MSG Entertainment to respond by February 13 "to state the justifications for the Company's Policy and identify all efforts you are undertaking to ensure compliance with all applicable laws and that the Company's use of facial recognition technology will not lead to discrimination."
Billy Big Balls of the Week (32:11) DoNotPay Retires 'Robot Lawyer' Before It Even Has Its First Case If you’ve been fantasizing about the day when artificial intelligence could get you out of paying traffic tickets, you’ll just have to keep dreaming. DoNotPay has backed out of its plans to use an AI-powered “robot lawyer” to counsel a defendant through a courtroom hearing in real time. The reason why? Well, apparently the law got in the way of the robot’s lawyering. The company’s founder and CEO, Joshua Browder, first announced the news in a Wednesday tweet. “After receiving threats from State Bar prosecutors, it seems likely they will put me in jail for 6 months if I follow through with bringing a robot lawyer into a physical courtroom,” he wrote. In a phone call with Gizmodo, Browder reiterated his view that, were he to follow through on his initial promises, he’d likely end up with a prison sentence.
Industry News (36:28) WhatsApp Hit with €5.5m fine for GDPR Violations New Cheats May Emerge After Riot Games Hack Regulator Stress Test Highlights Cyber Insurance Concerns Ticketmaster Claims Bot Attack Disrupted Taylor Swift Tour Sales Yahoo Overtakes DHL As Most Impersonated Brand in Q4 2022 North Korean Group TA444 Shows 'Startup' Culture, Tries Numerous Infection Methods NCSC: Iranian and Russian Groups Targeting Government, Activists and Journalists With Spearphishing Zacks Investment Research Confirms Breach Affecting 820,000 Customers Iranian Group Cobalt Sapling Targets Saudi Arabia With New Persona https://scambusters.org/scambusters19.html < 1997 Yahoo award scam
Tweet of the Week (44:18) https://twitter.com/cybergibbons/status/1618672522853240833 Come on! Like and bloody well subscribe! | |||
21 May 2021 | Episode 56 - The Post Birthday Blues | 01:00:23 | |
This Week in InfoSec Liberated from the “today in infosec” Twitter account: 15th May 1998: The first issue of Bruce Schneier's (@schneierblog) monthly Crypto-Gram internet newsletter was published. And The Secret Story of Non-Secret Encryption is a pretty pretty pretty pretty...good read. https://www.schneier.com/crypto-gram/archives/1998/0515.html https://www.schneierfacts.com/ https://twitter.com/sirjester/status/867809572173602817 https://twitter.com/todayininfosec/status/1393708868304359426 22nd May 2010: A Floridian man named Laszlo Hanyecz received what he thought was a “free lunch”. https://bitcointalk.org/index.php?topic=137.0 Bitcoin Pizza Day: Why Bitcoiners Are Celebrating Today By Eating Pizza
Rant of the Week We'd love to report on the outcome of the CREST exam cheatsheet probe, but the UK infosec body won't publish it https://www.theregister.com/2021/05/17/crest_not_publishing_cert_exam_cheat_report/
Billy Big Balls of the Week The Military Is Creating a ‘Gig Eagle’ App to Uber-ize Its Workforce “We are creating a gig economy for the Department of Defense,” said one official.
Industry News Rapid7 Source Code Accessed in Cyber-attack Quarter of CISOs Self-Medicate as Pandemic Stress Spikes US Sentences Cyber-Stalker Who Sent Sex Workers to Family’s Home Toshiba Business Reportedly Hit by DarkSide Ransomware Cybercrime Forum Bans Ransomware Activity AXA Faces DDoS After Ransomware Attack Families of Missing Persons Receive Fake Ransom Demands DarkSide Gang Retires on $90m USPS Reportedly Uses Clearview AI to Spy on Americans
Tweet of the Week https://twitter.com/WeldPond/status/1395151316809306114 https://twitter.com/GossiTheDog/status/1395502236101451777 Come on! Like and bloody well subscribe! | |||
05 Feb 2021 | Episode 41 - Mixing It Up | 01:01:27 | |
Nobody will look Javvad in the eye again without seeing that image. It could be worse, you could have seen it live like Andy and Thom had to. This week in InfoSec (Liberated from the “today in infosec” twitter account): 3rd February 2007: A former Coca-Cola secretary to an executive was convicted after stealing documents and unlaunched product samples, then conspiring with coworkers to sell them to Pepsi, which warned Coca-Cola. https://www.thestar.com/business/2007/02/03/former_coke_secretary_convicted_in_spy_case.html https://edition.cnn.com/2007/LAW/05/23/coca.cola.sentencing/ https://twitter.com/todayininfosec/status/1224522561653919744 1st February 1952: A new method for tracking down users of unlicensed television sets was unveiled in the UK. http://news.bbc.co.uk/onthisday/hi/dates/stories/february/1/newsid_2521000/2521357.stm 5th February 1953: Sweet rationing ends in Britain Children all over Britain have been emptying out their piggy-banks and heading straight for the nearest sweet-shop as the first unrationed sweets went on sale today. Toffee apples were the biggest sellers, with sticks of nougat and liquorice strips also disappearing fast. http://news.bbc.co.uk/onthisday/hi/dates/stories/february/5/newsid_2737000/2737731.stm
Rant of the Week The Biggest Threat to Facebook Isn’t Apple, It’s Mark Zuckerberg During Facebook's earnings call, the company's founder and CEO, Mark Zuckerberg, made a point of talking about the risk Apple's upcoming iOS 14 changes pose to Facebook's business. Those changes will require apps to ask permission before they are able to track users across apps and the internet. For Facebook, a company whose entire business model is built on the ability to track users, collect their data, and then sell targeted ads based on all of that information, losing the ability to track users could be a real problem. The thing is, Apple isn't stopping any app from tracking any user. It's only requiring that apps ask permission first. The real problem is that now everyone will be given a choice about whether to let Facebook track them, and the company logically assumes that most people will opt out. Suddenly people will be confronted with the reality that Facebook isn't free at all--it's just that most people weren't aware of the cost.
Tweet of the Week https://twitter.com/TatianaDior/status/1357178566413287426 Almost ran: https://twitter.com/fs0c131y/status/1356291273255227392?s=20
Industry News Apprenticeships Could Solve Cyber-Skills Crisis, Say Experts Global Government Outsourcer Serco Hit by Ransomware Trickbot Trojan Back from the Dead in New Campaign Man Charged in $11m Crypto Scheme that Featured Steven Seagal Social Media Oversharing Exposes 80% of Office Workers Data on Thousands of Foxtons Customers Posted Online Over Three Million US Drivers Exposed in Data Breach US Shipping Giant Loses $7.5m in Ransomware Attack Three More Vulnerabilities Found in SolarWinds Products
Javvad’s Weekly Stories Foxtons rejects claims of slow reaction to data leak SMS Bandits owner arrested for carrying out large-scale phishing scams Ransomware attack disrupts UKRI services and web assets
Billy Big Balls Ransomware: A company paid millions to get their data back, but forgot to do one thing. A cautionary tale shows how organisations that fall foul of ransomware should concentrate on finding how it happened before anything else A company that fell victim to a ransomware attack and paid cyber criminals millions for the decryption key to restore their network fell victim to the exact same ransomware gang under two weeks later after failing to examine why the attack was able to happen in the first place.
The Little People Want to star in The Little People? Have an opinion you want to share, but don't have the social media clout to be heard? Send us a 30-60 second voice recording and we might even play it on the show. theveryfinechaps@hostunknown.tv Come on! Like and bloody well subscribe! | |||
11 Mar 2022 | Episode 96 - We Don't Know What She Has But They Are Colossal | 00:49:26 | |
This Week in InfoSec (08:22) With content liberated from the “today in infosec” Twitter account and further afield 6th March 1992: The Michelangelo virus, so-named because it activates on March 6, the birthday of Michelangelo, begins infecting computers. The virus will also make news in 1993. It was one of the earliest viruses to receive widespread media attention and also one of the first to prompt widespread hysteria. The irony of the name of the virus was that nothing in the virus’ code referenced Michelangelo. It is possible the virus author, who was never identified, did not know March 6th was Michelangelo’s birthday! 9th March 1999: United States Vice President Al Gore gives an interview on CNN’s Late Edition in which he states, “During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country’s economic growth and environmental protection, improvements in our educational system.” This is the infamous statement which will be widely misquoted as “I invented the Internet.”
Rant of the Week (13:59) Most Orgs Would Take Security Bugs Over Ethical Hacking Help A new survey suggests that security is becoming more important for enterprises, but they’re still falling back on old “security by obscurity” ways. Enterprises are putting greater stock in cybersecurity, but outdated “security by obscurity” is still prevailing as companies wrestle with security awareness and shy away from bug-bounty programs. That’s according to new survey data from HackerOne, which found that a full 65 percent of organizations surveyed claimed that they “want to be seen as infallible.” However, just as many – 64 percent – said they practice a culture of security through obscurity, where secrecy is used as the primary method of protecting sensitive systems and assets.
Carole's Colossal Cahones (24:49) When Pigs Cry: Tool decodes the Emotional Lives of Swine https://www.nytimes.com/2022/03/09/science/pigs-oinks-grunts.html
Industry News (30:31) Dirty Pipe Exploit Rings Alarm Bells in the Linux Community Chinese APT41 Group Compromises Six US Government Networks Prison for Man Who Scammed US Government to Buy Pokémon Card UK Announces New Rules to Tackle Surging Online Scam Adverts Over 90% of Exposed Russian Cloud Databases Compromised AI Accountability Framework Created to Guide Use of AI in Security Conti Group Spent $6m on Salaries, Tools and Services in a Year
Tweet of the Week (39:33) https://twitter.com/achornback/status/1501677184515256321?s=12 Come on! Like and bloody well subscribe! | |||
05 Mar 2024 | Episode 186 | 00:40:14 | |
This week in InfoSec (06:53) With content liberated from the “today in infosec” twitter account and further afield 1st March 1988: The MS-DOS boot sector virus "Ping-Pong" was discovered at the Politecnico di Torino (Turin Polytechnic University) in Italy. The virus would show a small ball bouncing around the screen in both text mode (ASCII character "•") and graphical mode. https://twitter.com/todayininfosec/status/1763540406443163705 26th February 2004: Antivirus firm F-Secure apologized for sending the Netsky.B virus to 1000s of its UK customers & partners via a mailing list. The unknown sender sent it through the email list server, which didn't scan for viruses. And there was no business reason to accept external emails. https://twitter.com/todayininfosec/status/1762092359313936553
Rant of the Week (11:48) Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit Consumer groups are filing legal complaints in the EU in a coordinated attempt to use data protection law to stop Meta from giving local users a "fake choice" between paying up and consenting to being profiled and tracked via data collection.
Billy Big Balls of the Week (20:16) Fox News 'hacker' turns out to be journalist whose lawyers say was doing his job A Florida journalist has been arrested and charged with breaking into protected computer systems in a case his lawyers say was less "hacking," more "good investigative journalism." Tim Burke was arrested on Thursday and charged with one count of conspiracy, six counts of accessing a protected computer without authorization, and seven counts of intercepting or disclosing wire, oral or electronic communications for his supposed role in the theft of unedited video streams from Fox News.
Industry News (27:48) UK Unveils Draft Cybersecurity Governance Code to Boost Business Resilience 34 Million Roblox Credentials Exposed on Dark Web in Three Years Biden Bans Mass Sale of Data to Hostile Nations US Government Warns Healthcare is Biggest Target for BlackCat Affiliates Savvy Seahorse Targets Investment Platforms With DNS Scams Pharma Giant Cencora Reports Cybersecurity Breach UK Home Office Breached Data Protection Law with Migrant Tracking Program, ICO Finds Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient Biden Warns Chinese Cars Could Steal US Citizens' Data
Tweet of the Week (35:17) https://twitter.com/_FN8_/status/1762583435745402951 Come on! Like and bloody well subscribe! | |||
29 Apr 2022 | Episode 101 - My Brain Hurts | 00:50:03 | |
This Week in InfoSec (09:26) With content liberated from the “today in infosec” Twitter account and further afield 26th April 2013: LivingSocial informed its employees that 50 million users' names, emails, dates of birth, and SHA1 hashed passwords were compromised. https://twitter.com/todayininfosec/status/1519039747301199872 26th April 1999: The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus triggers on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history, Turkey and South Korea alone reported 300,000 infected systems.
As Seen on Reddit (23:29) My thoughts on a decade of Cyber Security: 10 Lessons I’ve learned Reddit user u/CrowGrandFather has spent more than a decade in the Cyber Security Industry and has come up with 10 lessons he learned along the way. 1. Cyber is risk and nothing else 2. No one cares about your stats 3. Understand that not everyone is as smart as you 4. Stop with the playbooks 5. Read the news for your boss 6. Blackhat is mostly pointless 7. Location, Location, Location 8. You’re probably doing threat intelligence wrong 9. Don’t write to be understood, write so that you can’t possibly be misunderstood 10. Make friends with your Marketing team [That was this week's As seen on Reddit]
Industry News (42:07) LinkedIn Becomes the Most Impersonated Brand for Phishing Attacks Costa Rica Refuses to Pay Cyber Ransom Bored Ape Yacht Club Customers Lose $3m in NFT Scam French Hospitals Cut Internet Connection After Data Raid Security Teams Should Be Addressing Quantum Cyber-Threats Now Private Investigator Admits Role in Hedge Fund Hack UK Schools Can Sign-Up to Free Government-Grade Security Coca-Cola Investigates Data Breach Claim Crypto Trading Fund Partners Accused of Fraud
Tweet of the Week (45:00) https://twitter.com/austinpeay/status/1519397653305561088 https://twitter.com/austinpeay/status/1519399475785125889 Come on! Like and bloody well subscribe! | |||
05 Aug 2022 | Episode 115 - We're All Going On a Summer Holiday | 00:43:50 | |
This week in InfoSec (9:23) With content liberated from the “today in infosec” twitter account and further afield 29th July 1985: An article in the New York Times cited multiple experts who alleged the vote counting systems of Computer Election Systems are vulnerable to tampering. Yep. Election systems vulnerabilities aren't a new phenomenon. Not even close. COMPUTERIZED SYSTEMS FOR VOTING SEEN AS VULNERABLE TO TAMPERING https://twitter.com/todayininfosec/status/1156078284603416582 30th July 2013: Chelsea Manning was found guilty of espionage, theft, and computer fraud, as well as military infractions. https://twitter.com/todayininfosec/status/1288925289465208834 6th August 1997: Microsoft Buys $150M of Apple stock. In an effort to help save Apple Computer and possibly deflect criticism in its own anti-trust trial, Microsoft Corp. buys $150 million in shares of Apple Computer Inc. Apple, which had been struggling to find direction and profits for years, agreed to the boost in funding with terms that dictated cooperation in the design of computers as well as shared patents. Microsoft agreed to continue supporting MS-Office for the Mac for another five years as well.
Rant of the Week (18:11) India scraps data protection law in favor of better law coming … sometime The government of India has scrapped the Personal Data Protection Bill it's worked on for three years, and announced it will – eventually – unveil a superior bill. The bill, proposed in 2019, would have enabled the government to gather user data from companies while regulating cross-border data flows. It also included restrictions on sharing of personal data without explicit consent, proposed establishment of a new Data Protection Authority within the government, and more. On Wednesday, telecom minister Ashwini Vaishnaw tweeted that the bill was nixed because the Joint Committee of Parliament (JCP) recommended 81 amendments to the Bill's 99 sections. "Therefore the bill has been withdrawn and a new bill will be presented for public consultation," said Vaishnaw. and... UK Parliament bins its TikTok account over China surveillance fears Plan to educate the children turned out to be a 'won't someone think of the children?' moment The UK's Parliament has ended its presence on TikTok after MPs pointed out the made-in-China social media service probably sends data about its users back to Beijing. The existence of the account saw half a dozen MPs write to the presiding officers of the Houses of Lords and Commons — Lord McFall of Alcluith and Sir Lindsay Hoyle, respectively — to ask for the account to be discontinued. "While efforts made to engage young people in the history and functioning of parliament should always be welcomed, we cannot and should not legitimise the use of an app which has been described by tech experts as 'essentially Chinese government spyware'," wrote MPs Nusrat Ghani, Tim Loughton, Sir Iain Duncan Smith, Tom Tugendhat, plus Lord Alton of Liverpool and Baroness Kennedy of the Shaws.
Billy Big Balls of the Week (26:21) Ex-T-Mobile US store owner phished staff, raked in $25m from unlocking phones A now-former T-Mobile US store owner stole at least 50 employees' work credentials to run a phone unlocking and unblocking service that prosecutors said netted $25 million. Argishti Khudaverdyan, 44, of Burbank, California, was found guilty of 14 criminal charges [PDF] by a US federal jury on Friday. According to the Dept of Justice, Khudaverdyan co-owned a T-Mobile US store in Los Angeles, operating as a business called Top Tier Solutions, for about five months in 2017. T-Mo ended its contract with Khudaverdyan in June 2017 after being sketched out by his suspicious use of the carrier's computer system. It turned out he had been unlocking phones for customers without T-Mobile US's permission so that the devices could be used on different networks. Even after the self-styled un-carrier gave him the boot, he continued his illicit scheme, advertising unlocking and unblocking services through brokers, email spam, and websites that Khudaverdyan and Gharehbagloo controlled, such as unlocks247[.]com and swiftunlocked[.]com.
Industry News (33:37) UK’s Top 10 Universities Failing on DMARC Thousands of Apps Leaking Twitter API Keys LockBit Ransomware Exploits Windows Defender to Sideload Cobalt Strike Payload Tory Leadership Voting Delayed Over Security Concerns T-Mobile Retailer Guilty of $25m Fraud Scheme Experts Warn of Fake Football Ticket Scams Ukraine Shutters Major Russian Bot Farm Users Still in the Dark Over $5m Theft From Blockchain Firm Solana CREST and OWASP Partner on Verification Standard Program
Tweet of the Week (40:16) https://twitter.com/AndrewMohawk/status/1555430194743111683?s=20 Come on! Like and bloody well subscribe! | |||
22 Jan 2021 | Episode 39 - A New Hope | 01:01:27 | |
This week in Infosec Liberated from the “today in infosec” twitter account: 19th January 1986: The first PC virus appeared. It was a boot sector virus called Brain, which spread via infected floppy disks to computers running MS-DOS. It was written by 2 brothers in Pakistan to protect their medical software from piracy. They later even licensed Brain. https://www.theregister.com/2006/01/19/pc_virus_at_20/ https://twitter.com/todayininfosec/status/1351695480791715840 Worth mentioning Mikko Hyppönen's TED talk on when he went to Pakistan to meet the brothers https://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net 18th January 2011: Andrew Auernheimer and Daniel Spitler were arrested by FBI agents for hacking into AT&T's servers and downloading customer info in 2010. There's a lot more to the story - either you know it or you should research it. https://twitter.com/todayininfosec/status/1351277900834742274
Rant of the Week Google threatens to pull out of Australia https://www.bbc.co.uk/news/world-australia-55760673
Tweet of the Week https://twitter.com/DanRaywood/status/1351555439612354562 Defining what disinformation is, the role it played in the attack on the Capitol, social media as a vessel to deliver messages, etc. https://twitter.com/washingtonpost/status/1351985551419863040
Industry News NSA: DNS over HTTPS Provides “False Sense of Security” Leaked #COVID19 Vaccine Data “Manipulated” to Mislead Public Environmental Regulator Suffers Ransomware Blow GDPR Fines Surge 39% Over Past Year Despite #COVID19 Cloud Config Error Exposes X-Rated College Pics Coin-Mining Malware Volumes Soar 53% in Q4 2020 Malwarebytes: SolarWinds Hackers Read Our Emails Interpol: Dating App Victims Lured into Investment Scams Threat Actor Dumps 1.9 Million Pixlr Records Online
Javvad’s Weekly Stories Nada. Nothing. Niet. Non.
Billy Big Balls of the Week Aditya Singh: Man found 'living in airport for three months' over Covid fears A man too afraid to fly due to the pandemic lived undetected in a secure area of Chicago's international airport for three months, US prosecutors say. Aditya Singh, 36, was arrested on Saturday after airline staff asked him to produce his identification. He pointed to a badge, but it allegedly belonged to an operations manager who reported it missing in October. Police say Mr Singh arrived on a flight from Los Angeles to O'Hare International Airport on 19 October. https://www.bbc.co.uk/news/world-us-canada-55702003
Thom's Podcasting Desk
Other Stories Go read this report about the US military endangering passenger jets by blocking GPS GPS jamming can shut off a pilot’s access to navigation — or worse https://www.theverge.com/2021/1/21/22242761/us-military-gps-jamming-tests-airplane-danger
Ubiquiti, maker of prosumer routers and access points, has had a data breach. The email encourages users to change their passwords.
In hidden message on White House website, Biden calls for coders
Bugs in Signal, other video chat apps allowed attackers to listen in on users https://www.helpnetsecurity.com/2021/01/21/bugs-video-chat-apps/
Come on! Like and bloody well subscribe! | |||
17 Dec 2021 | Episode 86 - The Oh So Christmas Special | 00:50:23 | |
This Week in InfoSec With content liberated from the “today in infosec” twitter account 16th December 1988: 25-year-old computer hacker Kevin Mitnick was charged for crimes including theft of software from DEC (Digital Equipment Corporation), including VMS source code and allegedly causing $4 million in damages to DEC. Ex-Computer Whiz Kid Held on New Fraud Counts https://twitter.com/todayininfosec/status/1471639991008825344 15th December 1994: Netscape Communications Corporation releases Netscape Navigator 1.0, the world’s first commercially developed web browser, although this particular version was free for non-commercial use. 15th December 1995: Developed by researchers at Digital Equipment Research Laboratories, the AltaVista search engine is launched. It was the first worldwide web search service to gain significant popularity. One of the most popular search engines in the early world wide web, Google didn’t overtake AltaVista until 2001. AltaVista was eventually purchased by Yahoo! in 2003.
Rant of the Week (15:49) Thom starts but quickly hands the baton to Jav, who takes a clear lead on this week's rant... about Andy. This is Andy's response: Songs that build up tension and stumble forward: Songs that skip a beat
Billy Big Balls of the Week (21:34) National Lottery scratch card fraud: Men jailed over £4m jackpot claim I talk about the time Thom went solo with (TL)2 ventures and highlights how going solo is a brave move for someone in a cushy CISO job.
Industry News (28:23) Hackers Target India’s Prime Minister “Worst-Case Scenario” Log4j Exploits Travel the Globe Christmas Payroll Fears After Ransomware Hits Software Provider Grindr Fined €6.5m for Selling User Data Without Explicit Consent Log4j Looms Large Over Patch Tuesday France Orders Clearview AI to Delete Data Regulator: Venues Must Protect User Privacy During #COVID19 Checks All Change at the Top as New Ransomware Groups Emerge US and Australia Enter CLOUD Act Agreement
Tweet of the Week (38:09) https://twitter.com/GeekChickUK/status/541242616407687168?s=20 Come on! Like and bloody well subscribe! | |||
11 Feb 2022 | Episode 92 - Just The Two Of Us | 00:46:47 | |
This Week in InfoSec (04:44) February 5th 2009: Come on Kaspersky, if you think you’re hard enough... February 5th 2009: The Sophos snowball fight. February 9th 2009: Hacked road sign warns of British invasion.
Rant of the Week (16:01) Hackers are hitting Britain where it hurts by targeting some of its favourite savoury snacks, with the likes of Hula Hoops, KP Nuts, Butterkist popcorn and Nik Naks in their cyber sights. Hackers hold Hula Hoops hostage in cyber-raid on Britain's KP Snacks | Reuters
Billy Big Balls of the Week (22:48) A woman accused of laundering billions of dollars in stolen cryptocurrency alongside her husband may end up becoming better known for her excruciating music career as a self-styled “raunchy rapper” called Razzlekhan.
Industry News (29:50) DDoS Attacks Hit All-time High Californian College Attacked with Ransomware SANS Institute Launches Nationwide Scholarship Program ICO Hit by 2650% Rise in Email Attacks Almost $1.3bn Paid to Ransomware Actors Since 2020 CISOs Reveal Biggest Challenges for Security Teams
Tweet of the Week (38:58) https://twitter.com/d0rkph0enix/status/1491914588811501568
Come on! Like and bloody well subscribe! | |||
09 Jun 2023 | Episode 155 - The Really Late Show | 00:51:26 | |
This week in InfoSec (10:21) With content liberated from the “today in infosec” twitter account and further afield 8th June 1989: The beta release of the Bourne Again SHell (Bash) was announced as version 0.99. 2 months later Shellshock was introduced into the Bash source code and persisted in subsequent versions for over 25 years. v0.99 release announcement https://twitter.com/todayininfosec/status/1666487525320318988 3rd June 1983: Would You Like to Play a Game? The science fiction film WarGames is released. Notable for bringing the hacking phenomena to the attention of the American public, it ignites a media sensation regarding the hacker sub-culture. The film’s NORAD set is the most expensive ever built at the time at a cost of $1 million dollars. Not widely known is that the movie studio provided the film’s star, Matthew Broderick, with the arcade games Galaga and Galaxian so he could get first-hand experience before shooting the film’s arcade scenes.
Rant of the Week (17:16) Barracuda Urges Replacing — Not Patching — Its Email Security Gateways It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes. Barracuda tells its ESG owners to 'immediately' junk buggy kit
Billy Big Balls of the Week (24:45) US govt now bans TikTok from contractors' work gear BYODALAINGTI (as long as it's not got TikTok installed) The US federal government's ban on TikTok has been extended to include devices used by its many contractors - even those that are privately owned. The bottom line: if some electronics are used for government work, it better not have any ByteDance bits on it. The interim rule was jointly issued by NASA, the Department of Defense and the General Services Administration, which handles contracting for US federal agencies. The change amends the Federal Acquisition Regulation to prohibit TikTok, any successor application, or any software produced by TikTok's Beijing-based parent ByteDance from being present on contractor devices. "This prohibition applies to devices regardless of whether the device is owned by the government, the contractor, or the contractor's employees. A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition," the trio said in their update notice published in the Federal Register. The rule would apply to all contracts, even those below the "simplified acquisition threshold" of $250,000, purchases of commercial and off-the-shelf equipment, and commercial services so get ready to wipe those company phones, cloud services providers and MSPs that do business with Uncle Sam. AND British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app. Microsoft reckons the Russian Clop ransomware crew stole the information. British Airways, the BBC, and Boots were not hit directly. 
Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" – including the aforementioned British trio – had their information stolen. Zellis claims to be the largest payroll and human resources provider in the UK, and its customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the security breach, and noted "all Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."
Industry News (34:33) Clop Ransom Gang Breaches Big Names Via MOVEit Flaw FBI Warns of Surge in Deepfake Sextortion Attempts Cisco Counterfeiter Pleads Guilty to $100m Scheme Cyber Extortionists Seek Out Fresh Victims in LatAm and Asia Lazarus Group Blamed for Atomic Wallet Heist Interpol: Human Trafficking is Fueling Fraud Epidemic Microsoft Brings OpenAI Tech to US Agencies Pharmaceutical Giant Eisai Hit By Ransomware Incident Espionage Attacks in North Africa Linked to "Stealth Soldier" Backdoor
Tweet of the Week (43:58) https://twitter.com/elonmusk/status/1666964082363371520 https://twitter.com/sawaba/status/1666930930714279942 https://www.forbes.com/lists/most-cybersecure-companies/ Come on! Like and bloody well subscribe! | |||
09 Sep 2022 | Episode 120 - The End of an Era | 00:48:26 | |
This week in InfoSec With content liberated from the “today in infosec” twitter account and further afield 6th September 2011: Luis Mijangos received a 6 year prison sentence. His crimes included sextortion, stealing financial info, and webcam monitoring. California's "Sextortion" Hacker Sentenced to Prison https://twitter.com/todayininfosec/status/1302770088471298049 3rd September 1995: The online auction site, eBay, is launched as “AuctionWeb” by Pierre Omidyar. The first item sold, a broken laser pointer, wasn’t actually intended to sell, but rather to test the new site, itself started as a hobby. Surprised that the item sold for $14.83, Omidyar contacted the buyer to make sure he knew the laser pointer was broken, to which the buyer replied, “I’m a collector of broken laser pointers.” From that first $14.83, Omidyar is now worth billions of dollars.
Rant of the Week Halfords slapped on wrist for breaching email marketing laws Bike and car accessory retailer Halfords has found itself in the wrong lane with Britain’s data watchdog for sending hundreds of thousands of unsolicited marketing emails to members of the public. According to the Information Commissioner’s Office, it fined the business £30,000 for dispatching 498,179 messages to folk that hadn’t provided consent - equating to a £0.06 penalty per email. The decision relates to a direct marketing mailer that Halfords sent electronically on July 28, 2020 concerning a ‘Fix Your Bike’ government voucher scheme. This gave recipients up to £50 toward the cost of repairing a cycle in any approved retailer in the UK. Unsurprisingly, Halfords' marketing email urged the individuals to book a free bike assessment and redeem their voucher in store, meaning this was marketing designed to generate income for the company. As such, the advertising of the service meant Halfords couldn’t rely on ‘legitimate interest’ to send the mail, which the ICO said it had done.
Billy Big Balls of the Week How the ‘man in black’ was exposed by the Russian women he terrorised A Russian police officer's takeaway food order was the breakthrough clue which helped a group of women, who had been terrorised by him, reveal his true identity. The women, mostly aged between 19 and 25, had attended a rally in Moscow in March against Russia's invasion of Ukraine. They were quickly rounded up by officers and put in the back of a police van. Most of them didn't know each other, but despite the circumstances the atmosphere was upbeat. They even set up a Telegram group chat as they travelled across the city to Brateyevo police station. What happened next was far worse than they anticipated. Over the next six hours they suffered verbal and physical abuse that, in some cases, amounted to torture - one woman says she was repeatedly starved of oxygen when a plastic bag was put over her head. The abuse was carried out by the same unnamed plain-clothes officer - tall, athletic, dressed in a black polo neck. In their group chat, they gave him the nickname the "man in black". Two of the women, Marina and Alexandra, secretly recorded audio on their phones. In one, the officer can be heard shouting about his "total impunity". But if his aim was to intimidate them into silence, he would fail.
Industry News KeyBank's Customer Information Stolen By Hackers Via Third-party Provider London's Biggest Bus Operator Hit by Cyber "Incident" Meta Fined $400m in Ireland For Children's Privacy Breach Interpol Busts Asian Sextortion Syndicate UK Privacy Regulator Fines Halfords for Spam Deluge InterContinental Hotels Confirms Cyber-Attack After Two-Day Outage NATO-Member Albania Cut Ties With Iran Over Cyber-Attack The North Face Warns of Major Credential Stuffing Campaign Researchers Reveal New Iranian Threat Group APT42
Tweet of the Week https://twitter.com/SwiftOnSecurity/status/1567378788991868928 https://twitter.com/ememess/status/1567544425869606913 Come on! Like and bloody well subscribe! | |||
04 Dec 2020 | Episode 35 - The Triple Unicorn | 00:55:23 | |
The penultimate episode of the year, so only one more to go until you have the full set for 2020. This week in Infosec (Liberated from the “today in infosec” twitter account):
https://trove.nla.gov.au/newspaper/article/126161975 https://twitter.com/todayininfosec/status/1334231500448034824?s=20
The hackers did not come across any sensitive information, but changed the appearance of the website. https://www.flashback.se/artikel/2637/pepsi-cola-hackade http://www.zone-h.org/mirror/id/18675231?hz=1 https://www.securityfocus.com/news/389
Tweet of the Week https://twitter.com/BriannaWu/status/1333150373599715329?s=19
Billy Big Balls https://www.vice.com/en/article/4ad3jm/watch-google-hacker-ha-26-iphones-with-zero-day-exploit Watch This Google Hacker Pwn 26 iPhones With a 'WiFi Broadcast Packet of Death' A Google security researcher found bugs that allowed him to take over nearby iPhones with a Raspberry Pi and just $100 in WiFi gear.
Industry News Experts Call for Online Fake News to Be Addressed as #COVID19 Vaccine Emerges How to Reduce Fake News in Online Advertising Remote Workers Admit Lack of Security Training #thinkcybersec: Reconsider Hiring Strategies to Meet 2021’s Digital Challenges #thinkcybersec: Don’t Presume Legacy Tech is a Negative Thing Salesforce Set to Acquire Slack for $27bn Native Cloud Security Controls Still “Not Good Enough” #WebSummit: Companies of the Future Should Focus on Data Privacy Rather than Data Collection
Jav’s industry news Microsoft’s New Productivity Score And Workplace Tracking: Here’s The Problem There’s no vaccine for ransomware Remote Workers Admit Lack of Security Training Microsoft 365: Corporate Privacy Invader Masked As A Collaboration Tool? NHS Error Exposes Data on Hundreds of Patients and Staff Sales of CEO email accounts may give cyber criminals access to the "crown jewels" of a company
Infosec Stig is moving on from 17th December: https://www.infosecurity-magazine.com/editorial/final-shot-farewell/
Rant of the week Microsoft has apologised for enabling a feature, “productivity score”, which critics said was tantamount to workplace surveillance. The company says it will now make changes to the service, which lets IT administrators “help their people get the most” from its products, in order to limit the amount of information about individual employees that is shared with managers.
The Little People Is it Leslie Show or William Lau? @lausecurity Come on! Like and bloody well subscribe! | |||
14 Jan 2022 | Episode 88 - Only 345 Days Until Christmas | 00:41:34 | |
This week in Infosec (06:30) With content liberated from the “today in infosec” twitter account 12th January 1981: Time Magazine published "Superzapping in Computer Land". Its primary focus was four 13-year-olds from New York City who broke into 2 computer networks and destroyed 1 million bits of data. Yes, a whopping 0.125 MB. Have a read of the article. Superzapping in Computer Land - The ride of the "Dalton Gang" https://twitter.com/todayininfosec/status/1481352763476832256 13th January 1989: The “Friday the 13th” virus strikes hundreds of IBM computers in Britain. This is one of the most famous early examples of a computer virus making headlines. THE EXECUTIVE COMPUTER; Friday the 13th: A Virus Is Lurking
Rant of the Week (13:43) Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps Users of popular open-source libraries 'colors' and 'faker' were left stunned after they saw their applications, using these libraries, printing gibberish data and breaking. Some wondered whether the NPM libraries had been compromised, but it turns out there's much more to the story. The developer of these libraries intentionally introduced an infinite loop that bricked thousands of projects that depend on 'colors' and 'faker.'
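The reason a maintainer publishing one bad release could break thousands of downstream projects is that most of them declared the dependency with a floating semver range (a caret or tilde), so any fresh `npm install` without a committed lockfile picked up the new version automatically. The script below is an added example, not code from the podcast nor from the colors or faker projects: it audits a package.json against its package-lock.json, flags floating ranges, and tests whether a hypothetical new upstream release would be accepted by each range. The manifests and the "surprise" release versions are constructed for the example, and the semver resolver covers only caret, tilde, star and exact pins (the real `semver` package handles the full grammar).

```javascript
// Added example: audit declared dependency ranges against the lockfile and
// show which ranges would silently accept a newly published version.
// SAMPLE_PACKAGE_JSON / SAMPLE_PACKAGE_LOCK are constructed, not real projects.

const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "colors": "^1.4.0",   // caret: any 1.x >= 1.4.0
    "faker": "~5.5.0",    // tilde: any 5.5.x >= 5.5.0
    "left-pad": "1.3.0",  // exact pin
    "lodash": "*",        // anything at all
  },
};

const SAMPLE_PACKAGE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/colors":   { version: "1.4.0" },
    "node_modules/faker":    { version: "5.5.3" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/lodash":   { version: "4.17.21" },
  },
};

// Hypothetical next releases to test each range against (constructed values).
const HYPOTHETICAL_RELEASES = { colors: "1.4.99", faker: "6.0.0", "left-pad": "1.3.1", lodash: "5.0.0" };

const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// A range is "floating" when it lets npm choose a newer release on its own.
function isFloating(range) {
  return !EXACT_VERSION.test(range.trim());
}

// Minimal caret/tilde/star/exact resolution; enough to show the risk.
function satisfies(candidate, range) {
  range = range.trim();
  if (range === "*" || range === "latest" || range === "") return true;
  if (range.startsWith("^")) {
    const base = range.slice(1);
    const [bMaj, bMin] = parseVersion(base);
    const [cMaj, cMin] = parseVersion(candidate);
    if (compare(candidate, base) < 0) return false;
    if (bMaj > 0) return cMaj === bMaj;
    return cMaj === 0 && cMin === bMin;   // ^0.y.z only floats the patch level
  }
  if (range.startsWith("~")) {
    const base = range.slice(1);
    const [bMaj, bMin] = parseVersion(base);
    const [cMaj, cMin] = parseVersion(candidate);
    return compare(candidate, base) >= 0 && cMaj === bMaj && cMin === bMin;
  }
  return compare(candidate, range) === 0;   // exact pin
}

// Supports lockfile v2/v3 ("packages") and falls back to the v1 "dependencies" shape.
function lockedVersion(lock, name) {
  const entry = (lock.packages && lock.packages[`node_modules/${name}`]) ||
                (lock.dependencies && lock.dependencies[name]);
  return entry ? entry.version : null;
}

// One finding per declared dependency: declared range, locked version, whether
// the range floats, and whether a new upstream release would be accepted.
function auditDependencies(pkg, lock, newUpstream = {}) {
  return Object.entries(pkg.dependencies || {}).map(([name, range]) => {
    const locked = lockedVersion(lock, name);
    const candidate = newUpstream[name];
    return {
      name,
      range,
      locked,
      floating: isFloating(range),
      lockedMatchesRange: locked !== null && satisfies(locked, range),
      wouldPullNewRelease: candidate !== undefined && satisfies(candidate, range),
    };
  });
}

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK, HYPOTHETICAL_RELEASES)) {
  console.log(`${f.name.padEnd(9)} declared ${f.range.padEnd(7)} locked ${String(f.locked).padEnd(8)}` +
              ` floating=${f.floating} acceptsNewRelease=${f.wouldPullNewRelease}`);
}
```

The takeaway for a build pipeline: commit the lockfile and install with `npm ci` so the resolved versions are the ones that were reviewed, and treat every floating range reported here as a spot where a single upstream publish can change what ships.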
Billy Big Balls of the Week (23:18) Info-saturated techie builds bug alert service that phones you to warn of new vulns An infosec pro fed up of having to follow tedious Twitter accounts to stay on top of cybersecurity developments has set up a website that phones you if there's a new vuln you really need to know about.
Industry News (30:37) FlexBooker Reveals Major Customer Data Breach Forensics Expert Kept Murder Snaps on PC Romance Scammers Stole £92m From Victims Last Year European Union to Launch Supply Chain Attack Simulation Europol Ordered to Delete Vast Trove of Personal Information Teen Makes Tesla Hacking Claim Two Years for Man Who Used RATs to Spy on Women and Children FCC Proposes Stricter Data Breach Reporting Requirements New "Undetected" Backdoor Runs Across Three OS Platforms
Tweet of the Week (38:32) https://twitter.com/dominotree/status/1481646565869584385?s=21 Come on! Like and bloody well subscribe! | |||
03 Dec 2021 | Episode 84 - The New Tiger King | 00:38:20 | |
This Week in InfoSec (06:57) With content liberated from the “today in infosec” twitter account 4th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. https://twitter.com/todayininfosec/status/1335020238765744129 1st December 1996: America Online launches a new subscription plan offering their subscribers unlimited dial-up Internet access for $19.95/month. Previously, AOL charged $9.95/month for 5 hours of usage. The new plan brought in over one million new customers to AOL within weeks and daily usage doubled among subscribers (to a whole 32 minutes per day!).
Billy Big Balls of the Week (16:06)
Industry News (21:15) Clearview AI to be Fined $22.6m for Breaching UK Data Protection Laws Cyber Essentials Set for Major Update in 2022 Texas School District to Scan Children's Devices MI6 Boss: Digital Attack Surface Growing "Exponentially" Organizations Now Have 76 Security Tools to Manage Twitter to Remove Private Media Russian Bulletproof Hosting Kingpin Gets Five Years Police Arrest 1800 in Major Money Laundering Crackdown Phishing Scam Targets Military Families
Tweets of the Week (29:50) https://twitter.com/j_opdenakker/status/1466380453036838913 https://twitter.com/bettersafetynet/status/1466460853105053699
Come on! Like and bloody well subscribe! | |||
17 Mar 2023 | Episode 144 - The Other Peoples Work Episode | 00:43:17 | |
This week in InfoSec (06:13) With content liberated from the “today in infosec” twitter account and further afield 15th March 2000: The movie "Takedown" was released in France as "Cybertr@que". It is based on the capture of Kevin Mitnick https://twitter.com/todayininfosec/status/1636083404117557248
16th March 1971: The first computer virus, Creeper, infected computers on the ARPANET, displaying "I'M THE CREEPER : CATCH ME IF YOU CAN." It was named after a villain (the Creeper) from a 1970 episode of "Scooby-Doo, Where Are You!" https://twitter.com/todayininfosec/status/1636516584394203137
Rant of the Week (13:20) What happens if you 'cover up' a ransomware infection? For Blackbaud, a $3m charge Blackbaud has agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware infection in which crooks stole more than a million files on around 13,000 of the cloud software slinger's customers. According to America's financial watchdog, the SEC, Blackbaud will cough up the cash - without admitting or denying the regulator's findings - and will cease and desist from committing any further violations. "Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies," Tony Boor, the outfit's chief financial officer, told The Register. "Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimise the risk of cyberattacks in an ever-changing threat landscape," Boor added. For perspective: the South Carolina-based firm – which provides, among other things, donor management tools to nonprofits – banked $1.1 billion in revenue in 2022, resulting in a $45.4 million loss. This settlement is the least of the biz's concerns, we imagine. Slap on the wrist Here's what happened: back in May 2020, Blackbaud experienced a ransomware infection, quietly paid off the crooks, and didn't tell customers about the security breach until July 2020. And when the software company did notify customers, it assured them that the "cybercriminal did not access…bank account information, or social security numbers," according to the SEC order. By the end of that month, however, the SEC claims that Blackbaud personnel discovered that the miscreants had accessed unencrypted donor bank account information and social security numbers. 
But the employees allegedly didn't tell senior management about the theft of sensitive customer data because Blackbaud "did not have policies or procedures in place designed to ensure they do so," the court documents say. Make of that what you will.
Billy Big Balls of the Week (23:09) 1st Story (short, follow the link): Microsoft support 'cracks' Windows for customer after activation fails In an unexpected twist, a Microsoft support engineer resorted to running an unofficial 'crack' on a customer's Windows PC after a genuine copy of the operating system failed to activate normally. It seems this isn't the first time, either, that support professionals have employed such workarounds when under pressure to close out support tickets quickly. A South Africa-based freelance technologist who paid $200 for a genuine copy of Windows 10 was startled to see a Microsoft support engineer "crack" his copy using unofficial tools that bypass the Windows activation process. 2nd Story: A company that actually followed disclosure requirements (and puts TikTok in the same bucket as Meta and Google): Cerebral admits to sharing patient data with Meta, TikTok, and Google Cerebral, a telehealth startup specializing in mental health, says it inadvertently shared the sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers, as reported earlier by TechCrunch. In a notice posted on the company’s website, Cerebral admits to exposing a laundry list of patient data through the tracking tools it’s been using as far back as October 2019. The information affected by the oversight includes everything from patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and more. It may have even exposed the answers clients filled out as part of the mental health self-assessment on the company’s website and app, which patients can use to schedule therapy appointments and receive prescription medication. According to Cerebral, this information got out through its use of tracking pixels, or the bits of code Meta, TikTok, and Google allow developers to embed in their apps and websites.
The Meta Pixel, for example, can collect data about a user’s activity on a website or app after clicking an ad on the platform, and even keeps track of the information a user fills out on an online form. While this lets companies, like Cerebral, measure how users interact with their ads on various platforms and track the steps they take afterward, it also gives Meta, TikTok, and Google access to this information, which they can then use to gain insight into their own users.
Industry News (32:43) UK's New Privacy Bill Could Mean More Work for Firms Blackbaud Settles $3m Charge Over Ransomware Attack MI5 Launches New Agency to Tackle State-Backed Attacks Humans Still More Effective Than ChatGPT at Phishing Tick APT Group Hacked East Asian DLP Software Firm NCSC Calms Fears Over ChatGPT Threat UK Joins US, Canada, Others in Banning TikTok From Government Devices US Government IIS Server Breached via Telerik Software Flaw
Tweet of the Week (40:30) https://twitter.com/william_whyte/status/1635198775152234496 https://twitter.com/J4vv4D/status/1636055929199140864?s=20 Come on! Like and bloody well subscribe!
28 Jul 2023 | Episode 162 - The Do Not Google It Episode | 00:48:46 | |
This week in InfoSec (05:54) With content liberated from the “today in infosec” twitter account and further afield 18th July 2011: Microsoft Hotmail announced that it would be banning very common passwords such as "123456" and "ilovecats". https://twitter.com/todayininfosec/status/1416957326205100035 27th July 1990: The case of United States v. Riggs was decided. Robert J. Riggs (Prophet) had stolen the E911 file from BellSouth, then co-defendant Craig Neidorf (Knight Lightning) had published it in Phrack. The file was neither valuable nor confidential. https://twitter.com/todayininfosec/status/1287768573310533633
Rant of the Week (16:59) VirusTotal: We're sorry someone fat-fingered and exposed 5,600 users VirusTotal today issued a mea culpa, saying a blunder earlier this week by one of its staff exposed information belonging to 5,600 customers, including the email addresses of US Cyber Command, FBI, and NSA employees. The unintentional leak was due to the layer-eight problem: human error. On June 29, an employee accidentally uploaded a .csv file of customer info to VirusTotal itself, said Emiliano Martinez, tech lead of the Google-owned malware analysis site. "This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators," Martinez wrote in a Friday disclosure. "We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting." The employee had this list in the first place because the customer data was "critical to their role," we're told. For those who don't know: VirusTotal allows netizens to – among other things – upload files, or submit a URL to one, and the site runs the material through various malware-scanning engines to see if anything malicious is detected or identified. Premium subscribers can also download uploaded samples, and that is how the uploaded .csv file of customer info was accidentally leaked. https://www.bbc.co.uk/news/uk-politics-66333488
Billy Big Balls of the Week (24:01) Crooks pwned your servers? You've got four days to tell us, SEC tells public companies Public companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission. The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to adopt the requirements [PDF]. The rules, which take effect 30 days after being signed into the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business. Companies must make this determination "without reasonable delay," according to the new rules. If they decide a security breach is material, then they have four days to submit an Item 1.05 Form 8-K report detailing the material impact of the incident's "nature, scope, and timing," plus any impact or likely impact on the business. Those 8-K forms are made public by the SEC. It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!
Industry News (30:05) Booz Allen Pays $377m to Settle Government Fraud Case Cyber-Attack Strikes Norwegian Government Ministries Industry Coalition Calls For Enhanced Network Resilience Dark Web Markets Offer New FraudGPT AI Tool Group-IB Founder Sentenced in Russia to 14 Years for Treason SEC Wants Cyber-Incident Disclosure Within Four Days Supply Chain Attack Hits NHS Ambulance Trusts NCSC Publishes New Guidance on Shadow IT OpenAI, Microsoft, Google and Anthropic Form Body to Regulate AI
Tweet of the Week (42:02) https://twitter.com/hilare_belloc/status/1683797122628321280 Come on! Like and bloody well subscribe!
07 May 2021 | Episode 54 - A Life Half Lived | 00:52:05 | |
This Week in InfoSec Liberated from the “today in infosec” Twitter account 4th May 1990: Robert Tappan Morris was sentenced to 3 years probation, fined $10,000, and ordered to perform 400 hours of community service. Why? For releasing the Morris worm in 1988, then becoming the first person convicted under the then-new Computer Fraud and Abuse Act (CFAA). https://en.wikipedia.org/wiki/Morris_worm https://twitter.com/todayininfosec/status/1257352370335465472 4th May 2000: The ILOVEYOU worm spread worldwide, infecting an estimated 10% of the Internet-connected computers. Its author was never prosecuted because the Philippines didn’t have any relevant laws. He was recently tracked down and interviewed about the worm: https://www.bbc.com/news/amp/technology-52458765 https://twitter.com/todayininfosec/status/1257833516454211584
A little Billy Bonus... https://www.linkedin.com/feed/update/urn:li:activity:6794950191586836480/ A Little Cheap Plug:
Rant of the Week Twitter introduced a tip jar - except, when you use PayPal to send the tip, it sends your registered address too! Noice. It’s not really an issue with Twitter - more of a feature of PayPal, because that's how it sends receipts for goods and services. This threat exists for all users of PayPal, not just the tip jar. But this isn’t really a rant about privacy or the tip jar… let’s talk about Whitney Merrill’s tweet…. https://twitter.com/wbm312/status/1390444554587832324?s=20
Billy Big Balls of the Week Dashcam footage showed the moment a gang of armed robbers in South Africa attempted a cash-in-transit heist by chasing and firing shots into a bulletproof security vehicle. Members of a private security company were transporting money in a truck in the northern city of Pretoria on April 22 when they were attacked. In the three-minute video, a security officer is seen driving with a colleague. Both men are wearing bulletproof vests. https://twitter.com/Abramjee/status/1388194148210167810 https://www.insider.com/watch-video-shows-armored-cars-crew-in-daring-escape-under-fire-2021-5
Industry News British Prime Minister’s Cell Phone Number Exposed Shoppers Choose Guest Checkouts Over Security Fears Misconfigs and Unpatched Bugs Top Cloud Native Security Incidents Cyber-Attack on Belgian Parliament Researcher Claims Peloton APIs Exposed All Users Data Homecoming Queen Hacker to be Tried as an Adult CaptureRx Data Breach Impacts Healthcare Providers Financial Firms Report Puzzling 30% Drop in Breaches as Incidents Rise
Tweet of the Week https://edition.cnn.com/2021/05/05/entertainment/tiger-king-carole-baskin-crypto-coin/index.html https://twitter.com/carole_baskin/status/1389662255747325955 https://twitter.com/krypt3ia/status/1389948564411932676 Come on! Like and bloody well subscribe!
26 Mar 2021 | Episode 48 - The Biggest Loser | 01:02:23 | |
The Biggest Loser, Week 0 Andy is running a book if you are interested in a little flutter on who will be the healthiest in the next six months. Jav issues an apology to our listeners for misinformation and to Andy for correcting him when he stated the opposite had occurred: https://mashable.com/article/joe-biden-green-screen-conspiracy-debunked/?europe=true Evil Knievel: https://twitter.com/little_birdy__/status/1373722427126116352?s=21 Andy *Bathes in the glory of a heartfelt apology from Jav* Jav spoke at Infosecurity Conference and Thom spoke at The SASIG https://www.infosecurity-magazine.com/news/imos21-overcoming-defenders-dilemma/ Thom mentions the Nextdoor supplemental episode released midweek and how we could have saved many more people from the Royal Mail text scam had we not run out of time: https://www.standard.co.uk/business/royal-mail-text-scam-victim-banking-security-checks-b925810.html
This week in Infosec (Liberated from the “today in infosec” twitter account):
https://twitter.com/todayininfosec/status/1243040970741956610
“While we had provided access to the mirror for a couple dozen people over the last ten years, we think it may be beneficial to be public. Some defacers from back then want a trip down nostalgia lane. We still have reporters doing in-depth research on various topics that request access to dig up historical citations. It stands to reason more might be interested in revisiting the 'good old days' and the content that would lead us to over one million hits a few days. With that, the doors are open again. We hope you enjoy”. https://attrition.org/news/content/21-03-21.001.html
Rant of the Week Daniel Kelley, Associate Director, Center for Technology and Society at Anti-Defamation League Today we're releasing our annual nationally representative survey of hate and harassment on social media. In a year where tech companies made bold statements about their efforts to address hate on their platforms, Americans' experience of harassment remained constant. 41% of Americans experienced harassment online according to this year's survey, with 27% experiencing severe harassment, which includes stalking, sustained harassment, physical threats, sexual harassment, doxing and swatting. Overwhelmingly, the platform where Americans experience harassment was Facebook: 75% of Americans who were harassed reported being harassed on Facebook, with the next highest being Twitter at 24%. https://www.adl.org/online-hate-2021 https://www.linkedin.com/posts/activity-6780520538549882880-ZmYD/
Billy Big Balls of the Week Helen Bevan, Chief Transformation Officer at the NHS, had her two Twitter accounts, with nearly 140,000 followers, stolen by hackers and used to promote fake PlayStation 5 sales. She now has the accounts back but has received dozens of messages from people who fell for the scam. Ms Bevan also paid money to someone who said they could help - but they turned out to be a scammer too. She said she wanted to highlight the importance of extra security measures. NHS Horizons chief transformation officer Ms Bevan mistakenly thought she had activated two-factor authentication (2FA), which requires account-holders to use two methods to log in, the second often involving a code sent by text or email. https://www.bbc.co.uk/news/technology-56456002 https://twitter.com/HelenBevanTweet/status/1372955366212898816 She’s got an easy out if she doesn’t want to upset this guy:
Industry News Russian Man Pleads Guilty in Tesla Extortion Plot UK Govt Department Loses 306 Mobiles and Laptops in Two Years Delhi Police Bust Call Center Scammers Fired IT Contractor Jailed for Retaliatory Cyber-Attack Firms Urged to Patch as Attackers Exploit Critical F5 Bugs Drug Maker to Pay $50m for Destroying Data FatFace Faces Customer Anger After Controversial Breach Response Half of UK Firms Suffer Cyber-Skills Gaps
Javvad’s Weekly Stories
Tweet of the Week https://twitter.com/ParikPatelCFA/status/1375096656933306369 https://www.wired.co.uk/article/suez-canal-ship-stuck-ever-given Come on! Like and bloody well subscribe!
08 Apr 2022 | Episode 100 - Can We Go Home Now | 00:46:34 | |
This Week In InfoSec (10:15) With content liberated from the “today in infosec” twitter account and further afield 1st April 1998: Hackers changed the MIT home page to read "Disney to Acquire MIT for $6.9 Billion". https://twitter.com/todayininfosec/status/1245550127806201857 MIT says "Disney buys MIT" hack revealed by low price 1st April 2004: The now ubiquitous Gmail service is launched as an invitation-only beta service. At first met with skepticism due to it being launched on April Fool’s Day, the ease of use and speed that Gmail offered for a web-based email service quickly won converts. The fact that Gmail was invitation-only for a long time helped fuel a mystique that those who had a Gmail address were hip and uber-cool.
Rant of the Week: (16:25) Bank had no firewall license, intrusion or phishing protection – guess the rest An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.
Billy Big Balls of the Week (23:20) Bearded Barbie hackers catfish high ranking Israeli officials The Hamas-backed hacking group tracked as 'APT-C-23' was found catfishing Israeli officials working in defense, law enforcement, and government agencies, ultimately leading to the deployment of new malware. The campaign involves high-level social engineering tricks such as creating fake social media profiles and a long-term engagement with the targets before delivering spyware.
Industry News (30:50) Scottish Power Parent Company Hit by Data Breach Trezor Customers Phished After MailChimp Compromise Cadbury Warns of Easter Egg Scam Jail Releases 300 Suspects Due to Computer "Glitch" WhatsApp 'Voice Message' Is an Info-Stealing Phishing Attack Germany Shuts Down Russian Darknet Marketplace Hydra Attack on Ukraine Telecoms Provider Caused by Compromised Employee Credentials Block Warns Eight Million Customers of Insider Breach Employee Info Among 13 Million Records Leaked by Fox News
Tweet of the Week (41:50) https://twitter.com/_sn0ww/status/1511857122966835200 Come on! Like and bloody well subscribe!
05 May 2023 | Episode 150 - Yet Another Intern | 00:50:34 | |
Vote for us here! -> https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform This week in InfoSec (08:15) With content liberated from the “today in infosec” twitter account and further afield 3rd May 1978: Earliest known case of spam. Gary Thuerk, a marketing representative for Digital Equipment Corporation, sends out an e-mail promoting an open house for the company’s latest computer systems to 393 recipients on the ARPANET, a precursor to the modern Internet. While this number sounds small by today’s standards, this was all the ARPANET users on the west coast of the United States. Given that this was an unsolicited commercial e-mail, it is now considered the first of its kind. In other words, the first spam message, well before the term was coined. It brought a quick and negative response from many users, and Thuerk was warned by ARPANET administrators that mass mailings were not an acceptable use of the network. The backlash notwithstanding, the open house was largely successful, with over $12 million of DEC equipment being sold. I guess it was better to ask forgiveness than permission in this case! https://nakedsecurity.sophos.com/2008/05/27/spamreg-or-spam-whats-in-a-name/ According to Hormel’s SPAM® FAQ, the name was dreamt up by a chap called Ken who received a $100 prize for his efforts. Hormel says that we have to thank him that we’re not all eating Crinkycrinky or Canned Flappertanknibbles. 29th April 2004: The Sasser worm is released into the wild, infecting over 1 million Windows XP and Windows 2000 computers worldwide. Although the worm did not have an intentionally destructive payload, it caused many computers to slow down or crash and reboot repeatedly, along with clogging up network traffic.
Among the effects of the worm, the British coast guard had to resort to paper maps for the day, a French news agency lost satellite communication for hours, Delta Airlines had to delay or cancel many flights, and the University of Missouri had to disconnect its network from the Internet. (GC: Memories of Sasser? 🙂) Author: Sven Jaschan. German kid. Also created the Netsky worm. Bragged about it to his schoolmates. Following his arrest, Microsoft said that they had received tip-offs from more than one source, and that the $250,000 reward for identifying the author of the Netsky worm would be shared between them. https://en.wikipedia.org/wiki/Sven_Jaschan Got off very lightly as he was underage when the virus was written - just given 30 hours community service. No fine. Went to work the next day as normal... which was as a developer for a German cybersecurity company called SecurePoint. In retaliation, the anti-virus company Avira officially halted its cooperation with SecurePoint.
Rant of the Week (17:12) Cloudflare Q1 Earnings Call Transcript https://www.linkedin.com/posts/mattfivesixpartners_pretty-brutal-takedownthrowing-under-the-activity-7058819871119175681--ULh/?utm_source=share&utm_medium=member_ios
Billy Big Balls of the Week (28:46) graham@grahamcluley.com Feel free to talk about anything you want which might fall into the category of big ball energy as you don’t need to be spoon fed like the other muppets I work with. Joe Sullivan. https://www.washingtonpost.com/technology/2023/05/04/sullivan-sentencing-uber-executive/
Industry News (37:56) UK Gun Owners May Be Targeted After Rifle Association Breach T-Mobile Reveals Second Breach of the Year Hackers Exploit High Severity Flaw in TBK DVR Camera System Bitmarck Halts Operations Due to Cybersecurity Breach Dark Web Bust Leads to Arrest of 288 Suspects Three-Quarters of Firms Predict Breach in Coming Year Apple and Google Unveil Industry Specification For Unwanted Tracking US Authorities Dismantle Dark Web "Card Checking" Platform Consumer Group Slams Bank App Fraud Failings
Tweet of the Week (46:48) https://twitter.com/joshlemon/status/1654268564160020482
Vote for us here! -> https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform
Come on! Like and bloody well subscribe!
05 Feb 2024 | Episode 182 - The Tallest & Shortest Episode | 00:47:27 | |
This week in InfoSec (08:19) With content liberated from the “today in infosec” twitter account and further afield 31st Jan 2011 (13 years ago): Chris Russo reported a vulnerability to dating website PlentyOfFish's CEO Markus Frind's wife. Yada yada yada Markus Frind then accused Russo of extortion and emailed Russo's mother. https://krebsonsecurity.com/2011/01/plentyoffish-com-hacked-blames-messenger/
Rant of the Week (13:56) The TikTok Hearing Revealed That Congress Is the Problem For some, the job on Thursday was casting the hearing's only witness, TikTok CEO Shou Zi Chew, as a stand-in for the Chinese government—in some cases, for communism itself—and then belting him like a side of beef. More than a few of the questions lawmakers put to Chew were vague, speculative, and immaterial to the allegations against his company. But the members of Congress asking those questions feigned little interest in Chew’s responses anyway. Attempts by Chew, a 40-year-old former Goldman Sachs banker, to elaborate on TikTok’s business practices were frequently interrupted, and his requests to remark on matters supposedly of considerable interest to members of Congress were blocked and occasionally ignored. These opportunities to get the CEO on record, while under oath, were repeatedly blown in the name of expediency and for mostly theatrical reasons. Chew, in contrast, was the portrait of patience, even when he was being talked over. Even when some lawmakers began asking and, without pause, answering their own questions. The hearing might’ve been a flop, had lawmakers planned to dig up new dirt on TikTok, which is owned by China-based ByteDance, or even hash out what the company could do next to allay their concerns. But that wasn't the aim. The House Energy and Commerce Committee was gathered, it said, to investigate “how Congress can safeguard American data privacy and protect children from online harms.” And on that, the hearing revealed plenty.
Billy Big Balls of the Week (23:41) ICBC Partners Wary to Resume Trading With Bank After Cyberattack Industrial & Commercial Bank of China Ltd., the world’s largest lender by assets, has been unable to convince some market participants that it’s safe to reconnect their computer networks to the bank’s US unit after a ransomware attack disrupted its systems, according to people familiar with the matter. The attack, which was claimed by the Russia-linked LockBit cybercrime and extortion gang earlier this month, impeded trading in the $26 billion Treasury market and, the people said, it has left users of the bank’s US arm skittish about trading with the bank. For its part, ICBC has told users that its US division is back online and operational, the people said. One person familiar with the hack and investigation said a reason the bank could get back online quickly was that a key part of its trading system was unaffected by the attack — a server that was more than 20 years old, made by now-defunct IT equipment maker Novell Inc. That server contained much of the bank’s trading data and capabilities and is so old that LockBit’s ransomware didn’t work on it, the person said.
Industry News (35:28) US Agencies Failure to Oversee Ransomware Protections Threaten White House Goals US Thwarts Volt Typhoon Cyber Espionage Campaign Through Router Disruption Interpol-Led Initiative Targets 1300 Suspicious IPs Ivanti Releases Zero-Day Patches and Reveals Two New Bugs Pump-and-Dump Schemes Make Crypto Fraudsters $240m Google’s Bazel Exposed to Command Injection Threat
Tweet of the Week (41:51) https://x.com/MikeIrvo/status/1752123455125016839?s=20 Come on! Like and bloody well subscribe!
21 Jan 2022 | Episode 89 - Normal Audio is Resumed | 00:50:11 | |
This Week in InfoSec (06:23) With content liberated from the “Today in InfoSec” twitter account and further afield 19th January 1999: The Happy99 worm first appeared. It invisibly attached itself to emails, displayed fireworks to hide the changes being made, and wished the user a happy New Year. It was the first of a wave of malware that struck Microsoft Windows computers over the next several years, costing businesses and individuals untold amounts of money to resolve. 19th January 1999: RIM introduces the BlackBerry. The original BlackBerry devices were not phones, but instead were the first mobile devices that could do real-time e-mail. They looked like big pagers. It is alleged the name “BlackBerry” came from the similarity that the buttons on the original device had to the surface of a blackberry fruit. London riots: how BlackBerry Messenger played a key role
Rant of the Week (18:01) Singapore gives banks two-week deadline to fix SMS security A widespread phishing operation targeting Southeast Asia's second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry. Singapore banks have two weeks to remove clickable links in text messages or e-mails sent to retail customers. Furthermore, activation of a soft token on a mobile device will require a 12-hour cooling-off period, customers must be notified of any request to change their contact details, and the fund transfer threshold will by default be set to SG$100 ($74) or lower. MAS has also offered a vague directive requiring banks to issue more scam education alerts, and to do so more often.
Billy Big Balls of the Week (25:49) Freight trains loaded with valuable merchandise sitting on apparently unguarded tracks make for awfully inviting targets. For months, Union Pacific freight trains have been getting systematically robbed in the Los Angeles area, according to local news reports, as thieves target valuable merchandise and online orders from retailers like Amazon sitting on delayed trains. Superyacht Security: The 10 Best Ways To Protect From Pirates And Paparazzi
Industry News (33:12) European Regulators Hand Out €1.1bn in GDPR Fines NCA: Kids as Young as Nine Have Launched DDoS Attacks Government to Regulate Crypto Advertising in New Crack Down Man Charged with Smuggling Tech Exports to Iran Researchers Hack Olympic Games App Red Cross: Supply Chain Data Breach Hit 500K People Eleven Arrested in Bust of Prolific Nigerian BEC Gang Twitter Mentions More Effective Than CVSS at Reducing Exploitability Biden Signs Memo to Boost National Cybersecurity
Tweet of the Week (42:00) https://twitter.com/blkcybersources/status/1483826713561862159?s=21 https://twitter.com/BLKCybersources/status/1483826713561862159/photo/1 Come on! Like and bloody well subscribe!
13 Nov 2020 | Episode 32 - Let's Just Eat Some Haribo! | 00:58:12 | |
Haribo feature heavily this week, with Andy and Jav fighting over how much and how they should be delivered. This Week in InfoSec (Liberated from the “today in infosec” twitter account): 5th November 1993: The Bugtraq mailing list was created by Scott Chasin. In 1995 it became the property of SecurityFocus, in 2002 Symantec acquired SecurityFocus, and the last message was posted to the list on February 25th, 2020, with no explanation from Symantec. https://en.m.wikipedia.org/wiki/Bugtraq https://twitter.com/todayininfosec/status/1324497907245109248?s=20 13th November 2012: John McAfee went into hiding because his neighbor Gregory Faull was found dead from a gunshot the day before. Belize police wanted McAfee to come in for questioning, but McAfee stated the police were “out to get him”. https://www.theguardian.com/world/2012/nov/14/john-mcafee-hiding-businessman-murder https://twitter.com/todayininfosec/status/1326993312247656451?s=20
Billy Big Balls Chris Nikic becomes first person with Down's syndrome to finish an Ironman triathlon https://www.bbc.co.uk/sport/triathlon/54869998 Please consider donating here: https://www.charityextra.com/noahsarkmoments
Rant of the Week Ransomware Group Turns to Facebook Ads https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads Mark Zuckerberg defends not suspending Steve Bannon from Facebook https://www.theguardian.com/technology/2020/nov/12/mark-zuckerberg-steve-bannon-facebook-fauci-ban
Industry News Has the Rise of Identity Seen the Death of Anonymity? Price Dropped on Hacked Educational RDP Details Malicious Use of SSL Increases as Attackers Deploy Hidden Attacks #EdgeLive: DDoS Attacks Are Evolving into Extortion-Led RDoS Campaigns #EdgeLive: Stopping API Attacks with Bot Mitigation Top Ten: Things Learned from the (ISC)2 Workforce Study #EdgeLive: Phishing Attacks Now Targeting Enterprise Specifics PSD2 Faces Further Delays as UK Lags Behind European Compliance Recommendations Accepted in Advancement for EU Data Protection Transfers
Tweet of the Week https://twitter.com/phil_branigan1/status/1324761080762163203?s=20 But also a story brought to our attention by @mat: Google Photos is ending unlimited storage and people are not happy https://mashable.com/article/google-photos-ends-unlimited-free-storage/?europe=true https://twitter.com/mat/status/1326593729860231168?s=20
The Little People The marvellously moustachioed Christian Toon Come on! Like and bloody well subscribe!
16 Sep 2022 | Episode 121 - The Live One | 00:50:03 | |
This week in InfoSec With content liberated from the “today in infosec” twitter account and further afield 9th September 1947: An error in the Mark II computer at Harvard University was due to a moth trapped in a relay. The moth was attached to the log book with notation "first actual case of bug being found." https://twitter.com/todayininfosec/status/1303717480423133186 11th September 1992: The movie "Sneakers" was released. With a budget of $35 million, it grossed $105 million at the box office. A hacker movie classic! Bishop, Whistler, Cosmo, and Mother! https://twitter.com/todayininfosec/status/1304574876922019841
Rant of the Week Google and Meta fined over $70m for privacy violations in Korea South Korea's Personal Information Protection Commission (PIPC) has issued two large fines for privacy violations: a $50 million penalty for Google and $22 million for Meta. The PIPC's beef is that neither Google nor Meta properly obtains consent or informs users about how they collect and use data, particularly with regards to behavioural information used to predict interests for marketing and advertising purposes. The data watchdog claims Google hides the settings screen to agree or disagree to collection methods and sets the default to "agree", while Meta only asks for agreement when a user creates an account and does so in unclear ways. AND / OR A surveillance artist shows how Instagram magic is made When traveller Daniele Brito posed in front of the Temple Bar in Dublin, Ireland in late August, she likely didn’t realize the camera was watching her. Yes, there was the one pointed at her, capturing a photograph that would later be shared to Brito’s more than 2,700 followers on Instagram. But there was at least one other one observing her: a surveillance camera stationed on the corner opposite the bar.
Billy Big Balls of the Week Chess player denies using anal beads to cheat in match against world champion: ‘This is not a joke’ A chess underdog who unexpectedly beat a champion player has been accused of using anal beads to cheat his way to victory. Yes, we know – you probably never expected to see “chess” and “anal beads” in the same sentence, but here we are. The furore kicked off when Norwegian chess champion Magnus Carlsen announced he was withdrawing from the Sinquefield Cup, a lucrative tournament which attracts some of the world’s best chess players. Carlsen posted on Twitter to say he was leaving the tournament, but gave no explanation why. The Hans Niemann story from reddit Chess player Hans Niemann denies using sex toy to help him beat grand champion Vibrating Butt Toys Are Exactly What Chess Needs
Industry News Cops Raid Suspected Fraudster Penthouses US Treasury Sanctions Iranian Minister Over Hacking of Govt and Allies Hackers Steal Steam Credentials With 'Browser-in-the-Browser' Technique iOS 16 Launches With Lockdown Mode, Spyware Protection, Safety Check Vulnerabilities Found in Airplane WiFi Devices, Passengers' Data Exposed Cybercrime Forum Admins Steal from Site Users User Alert as Phishing Campaigns Exploit Queen's Passing YouTube Users Targeted By RedLine Self-Spreading Stealer Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence
Tweet of the Week https://twitter.com/SecurityAura/status/1570232260485386242
The Joseph Carson Talk Tweet Thread https://twitter.com/J4vv4D/status/1569704538252214274?s=20 Come on! Like and bloody well subscribe! | |||
25 Aug 2023 | Episode 164 - The Two Weeks Late Episode | 00:53:40 | |
This week in InfoSec (14:00) With content liberated from the “today in infosec” twitter account and further afield 18th August 2003: The Nachi worm began infecting Windows computers with the goal of REMOVING the Blaster worm and patching the vulnerability exploited by both worms. Worm aims to eradicate Blaster https://twitter.com/todayininfosec/status/1692616573524050259 26th August 2008: It was reported that a laptop on the International Space Station was infected by removable media containing the W32.Gammima.AG worm. Space. Where you don't want to be dealing with malware. Malware detected at the International Space Station https://twitter.com/todayininfosec/status/1298690676448735232
Rant of the Week (19:02) Cellebrite asks cops to keep its phone hacking tech ‘hush hush’ For years, cops and other government authorities all over the world have been using phone hacking technology provided by Cellebrite to unlock phones and obtain the data within. And the company has been keen on keeping the use of its technology “hush hush.” As part of the deal with government agencies, Cellebrite asks users to keep its tech — and the fact that they used it — secret, TechCrunch has learned. This request concerns legal experts who argue that powerful technology like the one Cellebrite builds and sells, and how it gets used by law enforcement agencies, ought to be public and scrutinized. [That was this week's Rant of the Week]
Billy Big Balls of the Week (28:35) Two teens were among those behind the Lapsus$ cyber-crime spree, jury finds Two teenage members of the chaotic Lapsus$ cyber-crime gang helped compromise computer systems of Uber and Nvidia, and also blackmailed Grand Theft Auto maker Rockstar Games among other high-profile victims, a jury has decided. At Southwark Crown Court in London, England, on Wednesday, Arion Kurtaj, 18, and a 17-year-old male who because of his age cannot be identified for legal reasons were found to have committed various crimes. Kurtaj was held in custody while the other was released on bail; both await sentencing. This was an unusual case in that the jury was told not to find Kurtaj, who is autistic, guilty or not guilty as psychiatrists had earlier assessed that he was unfit to stand trial. Instead, the panel was asked to decide whether or not he did the things he was accused of. The two teens, along with other Lapsus$ members, also broke into and attempted to extort telecoms giant BT, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta during their crime spree between 2021 and 2022.
Industry News (36:23) UK’s AI Safety Summit Scheduled For Early November Police Insider Tipped Off Criminal Friend About EncroChat Bust Tesla: Insiders Responsible For Major Data Breach Cyber-Attack on Australian Utility Firm Energy One Spreads to UK Systems Experian Pays $650,000 to Settle Spam Claims WinRAR Vulnerability Affects Traders Worldwide Sensitive Data of 10 Million at Risk After French Employment Agency Breach Data of 2.6 Million Duolingo Users Leaked on Hacking Forum FBI Flags $40M Crypto Cash-Out Plot By North Korean Hackers
Tweet of the Week (47:47) https://twitter.com/securityweekly/status/1694705119793746015 Come on! Like and bloody well subscribe! | |||
28 Oct 2022 | Episode 126 - Don't Worry Its Organic | 00:59:13 | |
This week in InfoSec With content liberated from the “today in infosec” twitter account and further afield 29th October 1969: The first message sent over the ARPANET was from Leonard Kleinrock’s UCLA computer, sent by student programmer Charley Kline at 10:30 PM to the second node at Stanford Research Institute’s computer in Menlo Park, California. The message was simply "Lo." But not on purpose. How a simple ‘hello’ became the first message sent via the Internet https://twitter.com/todayininfosec/status/1189318094151409666 25th October 2001: Microsoft releases the operating system Windows XP, the successor to both Windows 2000 and Windows ME. Designed to unify the Windows NT line and Windows 95 line of operating systems, Windows XP was not replaced by Microsoft until January 2007 with Windows Vista. However, with a nearly six-year run and the public debacle surrounding the release of Windows Vista, Windows XP remained the world’s most popular operating system until August 2012.
Rant of the Week A Colombian ex-moderator for TikTok said she was required to keep her webcam on all night, according to a report by The Bureau of Investigative Journalism. TBIJ spoke to nine moderators who shared their experience but requested that their identities remain secret for fear they might lose their jobs, or risk future employment prospects. All names have been changed, according to the outlet. Carolina, a former TikTok moderator who worked remotely for Teleperformance, a Paris-based company offering moderation services, and earned $10 a day, said she had to keep her camera continuously on during her night shift, TBIJ reported. The company also told her that no one else should be in view of the camera and that she was only allowed a drink in a transparent cup on her desk. Related: https://www.bbc.com/news/technology-57088382 Facebook moderator: ‘Every day was a nightmare’
PILOT PROGRAMME FOR FIRST CHARTERED CYBER PROFESSIONALS CIISec and (ISC)² announced as pilot participant partners to assess candidates under the pilot programme. The UK Cyber Security Council has announced it is set to usher in the country’s first chartered cyber professionals through a pilot scheme. The first two specialisms kickstarting the pilot are Cyber Security Governance and Risk Management and Secure System Architecture and Design. The Council has confirmed it will partner with two pilot participant bodies – (ISC)² and The Chartered Institute of Information Security (CIISec) – for the pilot, with the organisations responsible for assessing applications from their membership base, against the Council’s newly established professional standard.
Billy Big Balls of the Week Elon Musk walks into an office with a sink. Apple’s Killing the Password. Here’s Everything You Need to Know For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura next month, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs. Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now. Apple’s rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech’s biggest companies. Apple’s passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon’s systems.
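The passkey flow the article describes (a per-site key pair, only the public half held by the site, and a signed challenge instead of a password) as an added Go sketch; this is not code from Apple, the FIDO Alliance or this podcast. It models the WebAuthn registration, challenge, assertion and verification steps using P-256/ES256 from the Go standard library. The relying party IDs example.com and examp1e.com, and all type and function names, are made up for the illustration; real authenticators also carry a credential ID, user handle and signature counter, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assertion is the authenticator's reply to a login challenge: the RP ID hash
// (WebAuthn's authenticatorData), the challenge the client saw, and an ES256
// signature covering both.
type Assertion struct {
	RPIDHash  [32]byte
	Challenge []byte
	Sig       []byte
}

// signedDigest hashes rpIDHash || SHA-256(challenge): the RP ID hash scopes the
// signature to one site, the challenge makes it single-use.
func signedDigest(rpIDHash [32]byte, challenge []byte) []byte {
	ch := sha256.Sum256(challenge)
	d := sha256.Sum256(append(rpIDHash[:], ch[:]...))
	return d[:]
}

// Authenticator models the device side (the synced keychain in Apple's case):
// one P-256 key pair per relying party ID; the private key never leaves it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a passkey for rpID and hands back only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs a challenge for the origin the browser reports. A lookalike
// phishing domain has no passkey, so the user cannot be tricked into signing.
func (a *Authenticator) Assert(originRPID string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[originRPID]
	if !ok {
		return Assertion{}, fmt.Errorf("no passkey registered for %q", originRPID)
	}
	rpIDHash := sha256.Sum256([]byte(originRPID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpIDHash, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: rpIDHash, Challenge: challenge, Sig: sig}, nil
}

// RelyingParty models the server: a stored public key plus the challenges it
// has issued but not yet consumed. Nothing stored here can log in as the user.
type RelyingParty struct {
	id      string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}

func NewRelyingParty(id string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{id: id, pub: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// Verify applies the checks a WebAuthn server performs before accepting a login.
func (rp *RelyingParty) Verify(as Assertion) error {
	if !rp.pending[string(as.Challenge)] {
		return fmt.Errorf("unknown or already-used challenge (replay?)")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.id)) {
		return fmt.Errorf("assertion was signed for a different relying party")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(as.RPIDHash, as.Challenge), as.Sig) {
		return fmt.Errorf("bad signature")
	}
	delete(rp.pending, string(as.Challenge)) // single use
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub, _ := auth.Register("example.com")
	rp := NewRelyingParty("example.com", pub)
	ch, _ := rp.Challenge()
	as, _ := auth.Assert("example.com", ch)
	fmt.Println("genuine:", rp.Verify(as), "| replay:", rp.Verify(as))
	_, err := auth.Assert("examp1e.com", ch) // lookalike domain has no passkey
	fmt.Println("phishing origin:", err)
}
```

Running it shows a genuine login accepted, the same assertion rejected when replayed, and the lookalike domain getting no assertion at all. That last case is the point of the article's "phishing-resistant" claim: there is no shared secret a user can be talked into typing into the wrong site, and a signature minted for one RP ID fails verification at any other.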
Industry News DHL Replaces LinkedIn As Most Imitated Brand in Phishing Attempts ICO Warns of "Immature" Biometric Tech See Tickets Discloses Major Card Data Breach London's New Cyber Resilience Centre Set to Fight Cybercrime in the Capital Hive Ransomware Group Leaks Data Stolen in Tata Power Cyber-Attack Medibank Backtracks: All Customer Data Was Exposed to Hackers GitHub Bug Exposed Repositories to Hijacking White House Launches Chemical Sector Security Sprint LinkedIn Unveils New Security Features to Tackle Fraud
National Chief Information Security Officer
Tweet of the Week https://twitter.com/codesixonline/status/1585629859052605443 Come on! Like and bloody well subscribe! | |||
04 Aug 2023 | Episode 163 - The Sombre Episode | 00:52:09 | |
This week in InfoSec (11:56) With content liberated from the “Today in Infosec” Twitter account and further afield 4th August 1998: Microsoft published a critical security bulletin MS98-010, titled 'Information on the "Back Orifice" Program'. Microsoft Security Bulletin MS98-010 - Critical https://twitter.com/todayininfosec/status/1423037189714219020 27th July 2000: In security bulletin MS00-047, Microsoft thanked PGP's COVERT Labs and Sir Dystic of Cult of the Dead Cow for reporting NetBIOS vulnerabilities Patch Available for 'NetBIOS Name Server Protocol Spoofing' Vulnerability https://twitter.com/todayininfosec/status/1287934373019385861
Rant of the Week (18:31) Brit healthcare body rapped for WhatsApp chat sharing patient data Staff at NHS Lanarkshire - which serves over half a million Scottish residents - used WhatsApp to swap photos and personal info about patients, including children's names and addresses. Following a probe, the UK Information Commissioner's Office (ICO) has now issued a heavily redacted official reprimand to the organization, which oversees three hospitals plus clinics and more across rural and urban Lanarkshire in the Central Lowlands of Scotland. It said a group chat created in March 2020 – just as the UK government issued the first COVID lockdown – was in breach of Article 58 of the UK GDPR. Information was shared between 26 staff for more than two years – from 1 April 2020 to 25 April 2022 – over hundreds of entries within the WhatsApp group that included adult and child patients' names, plus hundreds of patients' phone numbers, many dates of birth, and at least 28 home addresses, "15 images, three videos, and four screenshots." Some of this info included clinical information, and therefore "special category" data in breach of Article 9 of the UK GDPR. Yes, on their actual work phones, using software provided via NHS portal. The staffers were using copies of WhatsApp downloaded directly via NHS Lanarkshire's portal on their work phones, it emerged, but someone, whose name was redacted, was added to the group "in error." That "unauthorised individual" was given access to "four students' names and student numbers, one child's name, and two children's names and addresses." The ICO noted that since WhatsApp stated it was an encrypted platform, staff thought it would be secure. This, the watchdog said, "demonstrates that information governance expectations regarding WhatsApp were not understood by staff involved in the WhatsApp Group."
Billy Big Balls of the Week (31:21) [The fact the government doesn’t even try to hide what they do and gaslight the country by saying it would be the worst intelligence failure of their time is a BBB move to me - but I’ll let Jav decide 😀] White House: Losing Section 702 spy powers would be among 'worst intelligence failures of our time' The White House has weighed in on the Section 702 debate, urging lawmakers to reauthorize, "without new and operationally damaging restrictions," the controversial snooping powers before they expire at the end of the year. Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the American government to monitor electronic communications of foreign persons outside of the United States [PDF], and people they confer with, including US persons. While it's supposed to be used as an intelligence tool — to prevent terrorist attacks or track down similar targets — it's also at times abused to conduct warrantless snooping on Americans including protesters, campaign donors, and elected officials. The controversial law, introduced in 2008, is up for renewal at the end of the year, and the US intelligence community has been frantically lobbying to keep these surveillance powers. FBI Director Chris Wray said last week that Section 702 data was responsible for "97 percent of our raw technical reporting on cyber actors." Now the White House has thrown its weight behind its intel services, arguing that curbing the legislation or letting it drop would be "one of the worst intelligence failures of our time." Despite unanimously recommending that Congress renew Section 702, the PIAB's report [PDF] does acknowledge that "complacency, a lack of proper procedures, and the sheer volume of Section 702 activity led to FBI's inappropriate use" of the surveillance powers to query US persons
Industry News (37:04) NHS Staff Reprimanded For WhatsApp Data Sharing Canon Inkjet Printers Expose Wi-Fi Threat AI-Enhanced Phishing Driving Ransomware Surge Hundreds of Citrix Endpoints Compromised With Webshells Cocaine Smugglers that Posed as PC Sellers Jailed Humans Unable to Reliably Detect Deepfake Speech Menlo Leverages Advanced Technology to Combat Surging Browser Threats Microsoft Teams Targeted in Midnight Blizzard Phishing Attacks Hacktivist Collective “Mysterious Team Bangladesh” Revealed
Noteworthy mention: Security Serious Unsung Heroes Awards 2023 Open for Nominations
Tweet of the Week (47:23) https://twitter.com/Sheriffie/status/1686864006160711680 Come on! Like and bloody well subscribe! | |||
25 Feb 2022 | Episode 94 - Lost Sole Founder Reward If Found | 00:48:02 | |
This Week in InfoSec (11:37) With content liberated from the “today in infosec” twitter account and further afield 23rd February 2005: The discovery of the first mobile phone virus, Cabir, is announced. Specifically, Cabir is a worm which infects phones running the Symbian OS. Whenever an infected phone is activated, the message “Caribe” is displayed. Infected phones also attempt to spread the virus over Bluetooth.
Billy Big Balls (21:51) https://nypost.com/2022/02/24/ukrainian-women-say-russian-troops-are-flirting-with-them-on-tinder/ From Russia with lust. Russian soldiers poised to invade Ukraine have bombarded women on the other side of the border with Tinder messages Tuesday, according to the Sun. Dasha Synelnikova’s app lit up with matches from soldiers named Andrei, Alexander, Gregory, Michail and “Black” some 20 miles away, the report said. “I actually live in Kyiv but changed my location settings to Kharkiv after a friend told me there were Russian troops all over Tinder,” Synelnikova, a 33-year-old video producer, told the outlet. Many would-be paramours reportedly flirted with treachery as they gave away their military positions while forces assembled north of Kharkiv prepared for what appeared to be an imminent attack, according to Ukrainian military intelligence officials. “One muscular guy posed up trying to look sexy in bed posing with his pistol. Another was in full Russian combat gear and others just showed off in tight stripy vests,” Synelnikova told the British paper.
Rant of the Week (28:57) A War in Europe Is Being Documented One Social Media Post at a Time The rest of the world watches Russia's invasion into Ukraine through the lens of Twitter and Tiktok.
Industry News (35:28) Banking World Rocked After Leak Exposes 18,000 Credit Suisse Accounts Teen Framed for Cybercrime Files Lawsuit US Receives Ransomware Warning EU Deploys Cyber Response Unit to Ukraine Ofcom Set to Crack Down on Phone Fraud Vishing Makes Phishing Campaigns Three-Times More Successful Nonprofits Form Cyber Coalition Ukraine Attacked with ‘Wiper’ Malware
Tweet of the Week (44:10) https://twitter.com/dcuthbert/status/1496935547171835911 Come on! Like and bloody well subscribe! | |||
25 Mar 2022 | Episode 98 - The Statin-Free Show | 00:42:38 | |
Links https://www.theguardian.com/uk/canoe Authentication outfit Okta investigating Lapsus$ breach report Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal Netflix to Charge Password Sharers Background Check Company Sued Over Data Breach Okta Confirms 2.5% of Customers Impacted by Lapsus Breach Medical Service Leaks 12,000 Sensitive Patient Images West Blocks Russia's Access to Weather Data Fastest Ransomware Encrypts 100k Files in Four Minutes US Indicts Russian Over "Carding Shop" Okta CSO: Lapsus Incident Was “Embarrassing” Indian Police Bust Online Helicopter Scam Tweet of the week https://twitter.com/aschmelyun/status/1506960015063625733
Come on! Like and bloody well subscribe! | |||
10 Nov 2023 | Episode 173 - The Are We Still Doing This Episode | 00:48:04 | |
This Week in InfoSec (05:41) 2002: In response to a report which insinuated Mac is less vulnerable than Windows, Microsoft suggested few focus on discovering Mac vulnerabilities and that products with more customers will have more vulnerabilities reported. https://t.co/WOUUDOB0g6 https://x.com/todayininfosec/status/1721895407545143382?s=20
Rant of the Week (11:09) Photos of naked patients and medical records have been posted online by extortionists who hacked a Las Vegas plastic surgery, driving victims to file a lawsuit claiming not enough care was taken to protect their private information. https://www.bitdefender.com/blog/hotforsecurity/women-sue-plastic-surgery-after-hack-saw-their-naked-photos-posted-online/
Billy Big Balls of the Week (20:48) A federal judge on Tuesday refused to bring back a class action lawsuit alleging four auto manufacturers had violated Washington state’s privacy laws by using vehicles’ on-board infotainment systems to record and intercept customers’ private text messages and mobile phone call logs. https://therecord.media/class-action-lawsuit-cars-text-messages-privacy
Industry News (29:28) SentinelOne to acquire cybersecurity consulting firm Krebs Stamos Group NATO allies express support for collective response to cyberattacks Council for Scottish islands faces IT outage after ‘incident’ Mortgage giant Mr. Cooper using alternative payment options after cyberattack Serbian pleads guilty to running ‘Monopoly’ darknet marketplace Japan Aviation Electronics says servers accessed during cyberattack
Tweet of the Week (42:39) https://twitter.com/j4vv4d/status/1722916507653394575?s=61&t=0s-EyC1T6uSS3Lo_cyqI4w
Come on! Like and bloody well subscribe! | |||
15 Jul 2024 | Episode 198 | 00:43:48 | |
This week in InfoSec (10:28) 10th July 1999 - Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America". https://twitter.com/todayininfosec/status/1811133606015983680 9th July 1981 - The game that launched two of the most famous characters in video game history is released for sale. Donkey Kong was created by Nintendo, a Japanese playing card and toy company turned fledgling video game developer, who was trying to create a hit game for the North American market. Unable at the time to acquire a license to create a video game based on the Popeye character, Nintendo decides to create a game mirroring the characteristics and rivalry of Popeye and Bluto. Donkey Kong is named after the game’s villain, a pet gorilla gone rogue. The game’s hero is originally called Jumpman, but is retroactively renamed Mario once the game becomes popular and Nintendo decides to use the character in future games. Due to the similarity between Donkey Kong and King Kong, Universal Studios sued Nintendo claiming Donkey Kong violated their trademark. Kong, however, is common Japanese slang for gorilla. The lawsuit was ruled in favor of Nintendo. The success of Donkey Kong helped Nintendo become one of the dominant companies in the video game market.
Rant of the Week (15:55) Palestinians say Microsoft unfairly closing their accounts Palestinians living abroad have accused Microsoft of closing their email accounts without warning - cutting them off from crucial online services. They say it has left them unable to access bank accounts and job offers - and stopped them using Skype, which Microsoft owns, to contact relatives in war-torn Gaza. Microsoft says they violated its terms of service - a claim they dispute.
Billy Big Balls of the Week (27:39) Scalpers Work With Hackers to Liberate Ticketmaster's ‘Non-Transferable’ Tickets A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers. By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS. 'Gay furry hackers' breach conservative US think tank behind Project 2025 A collective of self-described "gay furry hackers" have released 2GB of data lifted from the Heritage Foundation, the conservative think-tank behind Project 2025 - a set of proposals that would bring the USA closer to being an authoritarian state. The hacktivist group, known as SiegedSec, has been running a campaign it calls "OpTransRights," targeting (mostly government) websites to disrupt efforts to enact or enforce anti-trans and anti-abortion laws.
Industry News (33:26) 10 Billion Passwords Leaked on Hacking Forum Crypto Thefts Double to $1.4 Billion, TRM Labs Finds Russia Blocks VPN Services in Information Crackdown Ticketmaster Extortion Continues, Threat Actor Claims New Ticket Leak Cyber-Attack on Evolve Bank Exposed Data of 7.6 Million Customers Most Security Pros Admit Shadow SaaS and AI Use Russian Media Uses AI-Powered Software to Spread Disinformation Smishing Triad Targets India with Fraud Surge Fraud Campaign Targets Russians with Fake Olympics Tickets
Tweet of the Week (41:18) https://x.com/dennishegstad/status/1810044171765645568 Come on! Like and bloody well subscribe! | |||
19 Feb 2024 | Episode 184 - The Bee in the Bonnet Episode | 00:44:23 | |
This week in InfoSec (08:40) With content liberated from the “today in infosec” twitter account and further afield 14th February 2001: In a presentation at Black Hat Windows Security Conference 2001, Andrey Malyshev of ElcomSoft shared that Microsoft Excel uses a default encryption password of "VelvetSweatshop". https://twitter.com/todayininfosec/status/1757782275406622835 16th February 2004: The Netsky worm first appeared. It spread via an email attachment which, once opened, would search the computer for email addresses and then email itself to those addresses. Its dozens of variants accounted for almost a quarter of malware detected in 2004. https://twitter.com/todayininfosec/status/1758497889972576608
Rant of the Week (5:10) Air Canada must pay damages after chatbot lies to grieving passenger about discount Air Canada must pay a passenger hundreds of dollars in damages after its online chatbot gave the guy wrong information before he booked a flight. Jake Moffatt took the airline to a small-claims tribunal after the biz refused to refund him for flights he booked from Vancouver to Toronto following the death of his grandmother in November last year. Before he bought the tickets, he researched Air Canada's bereavement fares – special low rates for those traveling due to the loss of an immediate family member – by querying its website chatbot. The virtual assistant told him that if he purchased a normal-price ticket he would have up to 90 days to claim back a bereavement discount. Following that advice, Moffatt booked a one-way CA$794.98 ticket to Toronto, presumably to attend the funeral or attend to family, and later an CA$845.38 flight back to Vancouver. He also spoke to an Air Canada representative who confirmed he would be able to get a bereavement discount on his flights and that he should expect to pay roughly $380 to get to Toronto and back. Crucially, the rep didn't say anything about being able to claim the discount as money back after purchasing a ticket. When Moffatt later submitted his claim for a refund, and included a copy of his grandmother's death certificate, all well within that 90-day window, Air Canada turned him down. Staff at the airline told him bereavement fare rates can't be claimed back after having already purchased flights, a policy at odds with what the support chatbot told Moffatt. It's understood the virtual assistant was automated, and not a person sat at a keyboard miles away.
Billy Big Balls of the Week (22:06) Australia last week passed a Right To Disconnect law that forbids employers contacting workers after hours, with penalties including jail time for bosses who do the wrong thing. The criminal sanction will soon be overturned – it was the result of parliamentary shenanigans rather than the government's intent – and the whole law could go too if opposition parties and business groups have their way. European companies have already introduced Right To Disconnect laws in response to digital devices blurring the boundaries between working hours and personal time. The laptops or phones employers provide have obvious after-hours uses, but also mean workers can find themselves browsing emailed or texted messages from their boss at all hours – sometimes with an expectation of a response. That expectation, labor rights orgs argue, extends the working day without increasing pay. Right To Disconnect laws might better be termed "Right to not read or respond to messages from work" laws because that's what they seek to guarantee.
Industry News (31:45) US, UK and India Among the Countries Most At Risk of Election Cyber Interference Southern Water Notifies Customers and Employees of Data Breach Cybersecurity Spending Expected to be Slashed in 41% of SMEs GoldPickaxe Trojan Blends Biometrics Theft and Deepfakes to Scam Banks Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI in Cyber-Attacks Prudential Financial Faces Cybersecurity Breach Google Warns Unfair AI Rules Could Empower Hackers, Harming Defense Hackers Exploit EU Agenda in Spear Phishing Campaigns New Ivanti Vulnerability Observed as Widespread Security Concerns Grow
Tweet of the Week (39:24) https://twitter.com/MalwareJake/status/1758454999380557885 Come on! Like and bloody well subscribe! | |||
24 Mar 2023 | Episode 145 - The Being Shouted at Episode | 00:47:30 | |
This week in InfoSec (12:47) With content liberated from the “today in infosec” twitter account and further afield 22nd March 2018: The city of Atlanta announced it was victim to a ransomware attack. The attackers demanded $51,000 worth of bitcoin to release the encrypted data, but Atlanta didn't pay the ransom. Whether or not to pay ransom isn't a simple or easy matter, but this proved to be expensive. https://twitter.com/todayininfosec/status/1638513067259510786
21st March 2001: SMBRelay and SMBRelay2 were released by Sir Dystic at the @lantacon convention in Atlanta, Georgia. The tools were developed to carry out SMB man-in-the-middle attacks on Windows machines. https://twitter.com/todayininfosec/status/1638327435434291201
Rant of the Week (19:43) https://twitter.com/keewa/status/1638853767448735744
Billy Big Balls of the Week (29:08) Journalist opens USB letter bomb in newsroom Journalists across Ecuador have been targeted by explosive devices sent through the post. One presenter, Lenin Artieda, was injured when he opened the envelope in the middle of the newsroom. He said the explosive device looked like a USB drive. He plugged it into his computer and it detonated. The Ecuadorean attorney-general's department confirmed it had opened a terrorism investigation into the letters on Monday. It did not name the specific news outlets targeted. However, at least five different organisations across Ecuador were sent the letters. The government has condemned the attacks, describing freedom of expression as "a right that must be respected". "Any attempt to intimidate journalism and freedom of expression is a loathsome action that should be punished with all the rigour of justice," it said in a statement. The interior minister, Juan Zapata, said the devices were all sent from the same town. Three were sent to media outlets in Guayaquil and two to the capital, Quito. While Mr Artieda was injured by the device, others sent through the post failed to explode or were never opened. Police carried out a controlled detonation of one of the devices sent to TC Television, prosecutors confirmed. From 2017, Mr Self Destruct v1
Industry News (36:51) Ferrari Reveals Data Breach Ransom Attack Just 1% of Dot-Org Domains Are Fully DMARC Protected BreachForums Shuts Down After Admin's Arrest Malicious ChatGPT Chrome Extension Hijacks Facebook Accounts UK Government Sets Out Vision for NHS Cybersecurity New Post-Exploitation Attack Method Found Affecting Okta Passwords China-Aligned "Operation Tainted Love" Targets Middle East Telecom Providers UK Parliament Bans TikTok from its Network and Devices IRS Phishing Emails Used to Distribute Emotet
Tweet of the Week (44:52) https://twitter.com/evacide/status/1638957449909788672 Come on! Like and bloody well subscribe! | |||
05 Jun 2020 | Episode 9 - The podcast for all people | 00:57:38 | |
This Episode is a Trump Free Zone. It is also the episode where we mangle our support for a very real and urgent cause, Black Lives Matter. We are neither qualified nor intelligent enough to comment any further except to say BLACK LIVES MATTER, and if you disagree we no longer want you near our podcast. The world is full of injustices, and BLM is the one that is quite rightly in the public eye at the moment. Our podcast is produced to bring a smile to the faces of anyone and everyone, all colours and creeds (except the intolerant) and to help people through their daily lives. In this week's episode, Joe Lycett (comedian) screws up teaching a woman how to phish, a well known journalist throws shade at bloggers worldwide (Dan Raywood), Tiger King dethroned, Javvad folds like a pack of cards. Paco Hope. The cocktail company is Stir Crazy: https://www.instagram.com/stir_crazy_cocktails/ Post credits copyright Monty Python.
Come on! Like and bloody well subscribe! | |||
25 Nov 2022 | Episode 130 - The Jingle Free Episode | 00:44:05 | |
This week in InfoSec (11:48) With content liberated from the “today in infosec” twitter account and further afield 24th November 1998: AOL announces it will buy Netscape Communications AOL announces it will buy Netscape Communications in a stock-for-stock deal worth approximately $4.2 billion. At the time it was considered a good move by AOL and Netscape to merge forces to better compete with Microsoft in the browser and Internet provider markets. However, Microsoft’s dominance in the personal computer market could not be stopped and the Netscape browser lost almost all market share to Internet Explorer. In 2003 Microsoft settled a monopoly lawsuit with AOL (then merged with Time Warner) for $750 million over the loss of value of Netscape. AOL itself, once a dominant Internet Service Provider, slowly lost its subscriber base with the evolution of broadband Internet in the 2000s and operates primarily as a media conglomerate, although its dial-up service still had approximately 2 million subscribers as of 2013. In 2015 that went up to 2.1 million but is now reported to be in the thousands. 21st November 2017: It was reported that Uber had concealed a massive hack that exposed data of 57m users and drivers 13 months previously
Rant of the Week (17:17) Tax filing websites have been sending users’ financial information to Facebook Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned. The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts. The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta.
Billy Big Balls of the Week (25:37) Meta links US military to fake social media influence campaigns In its latest quarterly threat report, Meta said it had detected and disrupted influence operations originating in the US, and it calls out those it believes are responsible: the American military. Meta said it picked up on three major covert influence operations on its platforms in the third quarter of the year, the first of which originated in the United States. Meta previously reported on secretive influence ops being performed by the US in August, but didn't specify anything about its observations at the time outside of saying they originated within the country. Now, however, the social media giant is getting more specific. "Although the people behind this operation attempted to conceal their identities and coordination, our investigation found links to individuals associated with the US military," Meta said in the report [PDF].
Police text 70,000 victims in UK's biggest anti-fraud operation Detectives have begun contacting 70,000 people suspected of being victims of a sophisticated banking scam. The Metropolitan Police is sending text messages to mobile phone users it believes spoke with fraudsters pretending to be their bank. Met Commissioner Sir Mark Rowley described an "enormous endeavour" in gathering evidence after the discovery of an online fraud network. There have been more than 100 arrests so far, and one man has been charged. People who receive a text message in the next 24 hours will be directed to the Action Fraud website to register their details as officers build cases against suspects. The scam involved fraudsters calling people at random, pretending to be a bank and warning of suspicious activity on their account. They would pose as employees of banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, NatWest, Nationwide and TSB. The fraudsters would then encourage people to disclose security information and, through technology, they may have accessed features such as one-time passcodes to clear accounts of funds. As many as 200,000 people in the UK may have been victims of the scam, police said, with victims losing thousands of pounds, and in one case £3m.
Industry News (32:27) Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk UK Privacy Tsar Defends Controversial Enforcement Strategy Meta Removes Pro-US Accounts in Middle East and Central Asia Panaseer Launches Guidance on Security Controls Ahead of EU's New Legislation Russian DDoS Briefly Downs European Parliament Site UK Cops Lead Action Against Fraud Site that Made £100m+ Cyber Essentials Scheme Set for April 2023 Update Sonder confirms data breach, documents and other PII potentially compromised SharkBot Malware Found in Android File Manager Apps With Thousands of Downloads
Tweet of the Week (40:45) https://twitter.com/TheCollierJam/status/1595388389972496386 Come on! Like and bloody well subscribe! | |||
17 Nov 2023 | Episode 174 - The Brexit Episode | 00:34:35 | |
6:48 This week in InfoSec With content liberated from the “today in infosec” twitter account and further afield
https://twitter.com/todayininfosec/status/1724867863725412627
https://twitter.com/todayininfosec/status/1723790884053938623
11:57 Rant of the Week Clorox CISO flushes self after multimillion-dollar cyberattack The Clorox Company's chief security officer has left her job in the wake of a corporate network breach that cost the manufacturer hundreds of millions of dollars.
18:15 Billy Big Balls BlackCat plays with malvertising traps to lure corporate victims Ads for Slack and Cisco AnyConnect actually downloaded Nitrogen malware AlphV files SEC complaint Affiliates of ransomware gang AlphV (aka BlackCat) claimed to have compromised digital lending firm MeridianLink – and reportedly filed an SEC complaint against the fintech firm for failing to disclose the intrusion to the US watchdog. First reported by DataBreaches, the break-in apparently happened on November 7. AlphV’s operatives claimed they did not encrypt any files but did steal some data – and MeridianLink was allegedly aware of the intrusion the day it occurred.
24:15 Industry news MPs Dangerously Uninformed About Facial Recognition – Report Cyber-Attack Could Have “Devastating” Impact on Aussie Exports NCSC: UK Facing “Enduring and Significant” Cyber-Threat UK Privacy Regulator Issues Black Friday Smart Device Warning US Government Unveils First AI Roadmap For Cybersecurity European Police Take Down $9m Vishing Gang BlackCat Ransomware Group Reports Victim to SEC Russian Hacking Group Sandworm Linked to Unprecedented Attack on Danish Critical Infrastructure Cyber-Criminals Exploit Gaza Crisis With Fake Charity
30:56 Tweet of the Week https://twitter.com/FadzaiVeanah/status/1724825417196904743 Come on! Like and bloody well subscribe! | |||
27 Aug 2021 | Episode 70 - Two is the Magic number | 00:59:21 | |
This week in Infosec (13:24) With content liberated from the “today in infosec” Twitter account 25th August 1991: Linux completes 30 years. It was on this date in 1991 that Linus Torvalds announced the first version. He actually wanted to call it Freax, but his friend Ari Lemmke named it Linux, which he accepted. Version 1.0 would later be released in March 1994. https://twitter.com/SadaaShree/status/1430415723856203777 2004: (a mere 17 years ago) The US Department of Justice (DOJ) announced the results of Operation Web Snare - the arrest or conviction of over 150 individuals involved in cybercrime. https://www.justice.gov/archive/opa/pr/2004/August/04_crm_583.htm
Rant of the Week (29:03) https://www.ncsc.gov.uk/blog-post/10-years-of-10-steps-to-cyber-security
Billy Big Balls of the Week (36:40) Iran official acknowledges videos of Evin prison abuse real Hackers are now leaking stolen CCTV from across the Evin prison to highlight the abuse of inmates
Industry News (45:35) Crunch Time for Liquid as Crypto Exchange Loses $97m to Hackers Man Gets Three Years for Stealing Nude Photos from College Victims Hackers Leak Footage of Iranian Prison Poly Network Hacker Returns Remaining Funds Time to Fix High Severity Apps Increases by Ten Days Drug Dealers Get 27 Years After Police Crack EncroChat Comms 70% of Cyber Pros Believe Cyber Insurance is Exacerbating Ransomware Angry Birds Developer Accused of Illegal Data Collection
Tweet of the Week (51:42) Charlatan - Frank W. Abagnale Jr. https://twitter.com/securityerrata/status/1429225280997142530 Come on! Like and bloody well subscribe! | |||
26 Feb 2021 | Episode 44 - Fly My Pretties, Fly! | 01:03:10 | |
This week in Infosec Liberated from the “today in infosec” twitter account: 25th February 1989: Knight Lightning published an Enhanced 911 technical doc (it had been stolen from a BellSouth computer) to Phrack under the pseudonym "The Eavesdropper". http://phrack.org/issues/24/5.html#article https://en.wikipedia.org/wiki/United_States_v._Riggs On This Day: Feb. 25, 2005, authorities arrested Dennis Rader, a municipal employee and church leader, for the so-called BTK (blind, torture, kill) serial killings that terrorized Wichita, Kan. Rader was convicted and sentenced to 10 consecutive life terms. Between 1974 and 1991, he murdered at least 10 people in Wichita, Kansas. He apparently got away with it for over a decade. In 2004 an article was published suggesting that nobody remembered him. Desperate for notoriety, he began to write to the police and media gloating and showboating. In 2005 he sent a floppy disk with some bragging. When police examined the disk, they found metadata of an old word document on it which revealed the name of the Church where he worked and his surname. https://www.abajournal.com/magazine/article/how_the_cops_caught_btk
Billy Big Balls of the Week I use an email tracker to spy on people I work with. This is why https://www.independent.co.uk/life-style/email-trackers-how-to-work-b1806723.html
Rant of the Week Apple has long held its position on iCloud backups. It has focused on usability rather than total security. If a user changes iPhone and wants all their old iMessages, the easiest way to retrieve them is by getting Apple to store and send them from the iCloud to the new device. It’s the same for other messaging apps like WhatsApp, which offers backups. But Apple has reportedly considered making iClouds much more difficult for police to access. A Reuters report last year suggested that Apple did have plans to fully encrypt iCloud accounts too, so only users had the key, but backed down. Though the report claimed the decision was made after the FBI asked for iClouds to remain accessible, Reuters found no evidence of Apple’s motivation for ditching the plans.
Industry News Internet Registry RIPE NCC Warns of Credential Stuffing Attack Concern as Attacker “Breakout” Time Halves in 2020 US Retailer Kroger Admits Accellion Breach Aircraft-Maker Bombardier Breached by Accellion FTA Hackers Legal Firm Leaks 15,000 Cases Via the Cloud Aston Martin Partners with SentinelOne CrowdStrike Slams Microsoft Over SolarWinds Hack Educational Adaptation Required to Close the Cyber-Skills Gap
Javvad’s Weekly Stories 6,000 VMware vCenter devices vulnerable to remote attacks Is Clubhouse safe, and should CISOs stop its use? Google Alerts used to launch fake Adobe Flash Player updater Hackers are using Google Alerts to help spread malware Javvad wins 2021 Cybersecurity Professional Awards – Winners
Tweet of the Week (not aired) https://twitter.com/HackingDave/status/1364945642599182344?s=20
The Little People Yousef Syed and security architects Come on! Like and bloody well subscribe! | |||
26 Jan 2024 | Episode 181 - The Early early Show | 00:37:25 | |
This week in InfoSec (04:51) With content liberated from the “today in infosec” twitter account and further afield 25th January 2003: The SQL Slammer worm was first observed. It relied on a vulnerability Microsoft reported a whopping 6 months earlier via security bulletin MS02-039. Despite the long-available patch, 75,000 systems were compromised within 10 minutes. https://twitter.com/todayininfosec/status/1750529757903790431 21st January 1992: Former General Dynamics employee Michael John Lauffenburger was sentenced. He had created a logic bomb, which was programmed to go off on May 24, 1991. Unfortunately for him, an employee accidentally discovered it, dismantled it, and contacted authorities. https://twitter.com/todayininfosec/status/1749184231752802757
Rant of the Week (11:10) Third-party ink cartridges brick HP printers after ‘anti-virus’ update HP is pushing over-the-air firmware updates to its printers, bricking them if they are using third-party ink cartridges. But don’t worry, it’s not a money-grab, says the company – it’s just trying to protect you from the well-known risk of viruses embedded in ink cartridges … HP has long been known for sketchy practices in its attempt to turn ink purchases into a subscription service. If you cancel a subscription, for example, the company will immediately stop the printer using the ink you’ve already paid for. CEO Enrique Lores somehow managed to keep a straight face while explaining to CNBC that the company was only trying to protect users from viruses which might be embedded into aftermarket ink cartridges. It can create issues [where] the printers stop working because the inks have not been designed to be used in our printers, to then create security issues. We have seen that you can embed viruses in the cartridges, and through the cartridge, go to the printer; from the printer, go to the network. ArsTechnica asked several security experts whether this could happen, and they said this is so out-there, it would have to be a nation-state attack on a specific individual.
Billy Big Balls of the Week (19:04) British man Aditya Verma appears in Spanish court over plane-bomb hoax A British man accused of public disorder after joking about blowing up a flight has gone on trial in Spain. Aditya Verma made the comment on Snapchat on his way to the island of Menorca with friends in July 2022. The message, sent before Mr Verma departed Gatwick airport, read: "On my way to blow up the plane (I'm a member of the Taliban)." Mr Verma told a Madrid court on Monday: "The intention was never to cause public distress or cause public harm." If found guilty, the university student faces a hefty bill for expenses after two Spanish Air Force jets were scrambled. Mr Verma's message was picked up by the UK security services who flagged it to Spanish authorities while the easyJet plane was still in the air. A court in Madrid heard it was assumed the message triggered alarm bells after being picked up via Gatwick's Wi-Fi network.
Industry News (27:39) Thai Court Blocks 9near.org to Avoid Exposure of 55M Citizens Mega-Breach Database Exposes 26 Billion Records French Watchdog Slams Amazon with €32m Fine for Spying on Workers AI Set to Supercharge Ransomware Threat, Says NCSC X Makes Passkeys Available for US-Based Users ChatGPT Cybercrime Surge Revealed in 3000 Dark Web Posts HPE Says SolarWinds Hackers Accessed its Emails Southern Water Confirms Data Breach Following Black Basta Claims China-Aligned APT Group Blackwood Unleashes NSPX30 Implant
Tweet of the Week (33:12) https://x.com/TheHornetsFury/status/1750612652873928949?s=20 Come on! Like and bloody well subscribe! | |||
02 Jul 2021 | Episode 62 - Bikini Bottom | 01:01:19 | |
This Week in InfoSec (08:03) With content liberated from the “today in infosec” twitter account 30th June 1998: AOL confirmed a leaked spreadsheet containing info of 1,300 AOL community leaders had been stolen from an employee's account. Not around then? AOL was kind of a big deal - it bought Time Warner in 2000 and was worth $200 billion before imploding. https://www.cnet.com/news/aol-volunteer-list-hacked/ https://twitter.com/todayininfosec/status/1410396545896177668
Rant of the Week (22:15) via @rootsploit Cybersecurity Workers Flood Twitter With Bikini Pics to Protest Harassment Infosec Community Posts Solidarity Bikini Pics After Twitter Troll Outburst Cybersecurity professionals have come together on Twitter to show their support for an infosec worker who was trolled after posting a bikini pic. Coleen Shane, founder and chief engineer for InfoSec Bad Girls and Hacker Spring Camp, was astonished when an anonymous follower reacted angrily to the shot. The user, who follows over 200 infosec-related accounts, argued that there was "no warning" for the image, intimating that "otherwise respectable people" should not be doing such. Coleen's response was widely praised. "It's a bikini, and I'm a human being who is a lot more complicated than just Infosec - also I do whatever the hell I want, whenever the hell I want, however the hell I want. Adios," she tweeted. Communications company got their support for the movement (horribly) wrong by creating a calendar of the bikini photos (without consent) for people to download Their apology has gone as well as expected
Billy Big Balls of the Week (34:00) Ronald Ilg, 55, was arrested in April and is being charged in federal court for hiring a hitman over the internet to abduct his wife and imprison her in a "secure location" for a week, all the while dosing her with heroin. Dr Ilg apparently agreed to pay the would-be kidnapper in Bitcoin. The FBI traced the Bitcoin transaction, which led them to Dr Ilg's Coinbase account.
Industry News (41:41) World’s Largest E-tailers to be Investigated Over Fake Reviews US the Only Top Tier Cyber-power Sensitive Defense Documents Found at Bus Stop Pentagon CISO Suspected of Sharing Secrets Salvation Army Hit by Ransomware Attack Analyst Steals Millions by Spoofing Director PrintNightmare: Windows Zero-Day Accidentally Disclosed by Chinese Researchers New Charges Filed Against Alleged Capital One Hacker Putin Orders Twitter to Open Russian Office
Tweet of the Week (48:25) Teenagers are figuring out how to fake positive Covid tests using lemon juice and hacks from TikTok https://twitter.com/imbadatlife/status/1410526468577411072 Come on! Like and bloody well subscribe! | |||
02 Jun 2023 | Episode 154 - The Broom-cupboard Episode | 00:46:48 | |
Voting for this year's European Cybersecurity Blogger Awards has closed. Did you vote with your conscience, or did you vote for us?
This week in InfoSec (08:33) With content liberated from the “today in infosec” twitter account and further afield 30th May 1972: John Postel published RFC 349, Proposed Standard Socket Numbers. https://twitter.com/todayininfosec/status/1266805406707232768 1st June 1999: Shawn Fanning and Sean Parker release the filesharing service Napster. The service provides a simple way for users to copy and distribute MP3 music files. It became an instant hit, especially among college students. Just over 6 months later, on December 7, 1999, the Recording Industry Association of America (RIAA) filed a lawsuit against the service, alleging mass copyright infringement. Eventually this lawsuit forced the shutdown of the company on September 3, 2002, but not before the popularity of downloading digital music was firmly entrenched in a generation of Internet users.
Rant of the Week (16:32) Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million. The regulator on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy snafus. The e-tail giant’s Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.” “Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will,” reads the FTC's complaint [PDF]. The document goes on to describe how “a customer service agent might need access to the video data of a particular customer to troubleshoot a problem, that same customer service agent had unfettered access to videos belonging to thousands of customers who never contacted customer service.” Another nightmare: “Although an engineer working on Ring’s floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of the inside of customers’ bedrooms.” Ring staff weren’t trained on how to handle private data. And some abused it, horribly, according to the consumer watchdog. 
The complaint details one employee who, the FTC said, “viewed thousands of video recordings belonging to at least 81 unique female users,” and “focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as ‘Master Bedroom,’ ‘Master Bathroom,’ or ‘Spy Cam’.” The employee spent more than an hour a day on this revolting stuff, undetected by Ring, for months, it was claimed. When a female coworker reported this activity, her supervisor “discounted the report, telling the female employee that it is ‘normal’ for an engineer to view so many accounts," the FTC noted.
Billy Big Balls of the Week (29:42) Pegasus-pusher NSO gets new owner keen on the commercial spyware biz Spyware maker NSO Group has a new ringleader, as the notorious biz seeks to revamp its image amid new reports that the company's Pegasus malware is targeting yet more human rights advocates and journalists. Once installed on a victim's device, Pegasus can, among other things, secretly snoop on that person's calls, messages, and other activities, and access their phone's camera without permission. This has led to government sanctions against NSO and a massive lawsuit from Meta. The Israeli company's creditors, Credit Suisse and Senate Investment Group, foreclosed on NSO earlier this year, according to the Wall Street Journal, which broke that story the other day. Essentially, we're told, NSO's lenders forced the biz into a restructure and change of ownership after it ran into various government ban lists and ensuing financial difficulties. The new owner is a Luxembourg-based holding firm called Dufresne Holdings controlled by NSO co-founder Omri Lavie, according to the newspaper report. Corporate filings now list Dufresne Holdings as the sole shareholder of NSO parent company NorthPole. Dufresne Holdings has removed "a number of directors and officers" across NSO and is involved in the company's day-to-day management, the Wall Street Journal added. An NSO spokesperson meanwhile said "the company is managed directly by our CEO, Yaron Shohat. The lenders are currently in a process of restructuring the shareholders." The company has not only faced criticism over its Pegasus spyware implant, US and European officials over the past couple of years have cracked down on NSO in particular, and commercial spyware in general. 
Reports keep emerging about Pegasus and other surveillance technologies being used in ways that decidedly violate NSO's claims that it only sells the malware to legitimate government agencies "for the purpose of preventing and investigating terrorism and other serious crimes." It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!
Industry News (37:34) Romania’s Safetech Leans into UK Cybersecurity Market Nine Million MCNA Dental Customers Hit by Breach Ransomware Gangs Adopting Business-like Practices to Boost Profits Human Error Fuels Industrial APT Attacks, Kaspersky Reports Nigerian Cybercrime Ring's Phishing Tactics Exposed Pentagon Cyber Policy Cites Learnings from Ukraine War Amazon to Pay $31m After FTC's Security and Privacy Allegations HMRC in New Tax Credits Scam Warning Horabot Campaign Targets Spanish-Speaking Users in the Americas
Tweet of the Week (44:04) https://twitter.com/securityweekly/status/1664335258655784960 Come on! Like and bloody well subscribe! | |||
08 Jan 2021 | Episode 37 - Merry New Year! | 01:02:25 | |
Welcome back to the New Year and the new look Host Unknown, with a slightly less ethnically diverse lineup than usual, but still the same average quality and distinctly suspect ethics you have come to expect from Host Unknown. This week Thom displays his love of the Animaniacs, Andy has audio issues and Graham has the voice of a midnight hour radio show host.
Smutty or Security? Graham wins by a nose and a euphemism.
This Week in InfoSec Liberated from the “today in infosec” twitter account: 6th January 1982: The final draft of the script for the movie WarGames was printed. Due to the Cold War and relative ignorance about remotely accessible computers, the film released in 1983 scared the hell out of politicians, the military, and adults. And inspired a generation of hackers! https://twitter.com/todayininfosec/status/1214381338028953600 8th January 1986: "The Hacker Manifesto" was written by Loyd Blankenship (aka The Mentor) and originally titled "The Conscience of a Hacker". 8 months later it was published in issue 7 of the hacker zine Phrack. http://phrack.org/issues/7/3.html#article https://twitter.com/todayininfosec/status/1215026869600313344 9th January 2001: Macromedia, the maker of the Flash media player, claimed that Flash was secure because it was "a constrained environment by design". https://twitter.com/todayininfosec/status/1215067971963375616 End of the road for Flash https://twitter.com/gcluley/status/1344822920946872320 https://www.bbc.co.uk/news/technology-55497353
Rant of the Week https://www.bbc.co.uk/news/technology-55573149 https://threatpost.com/facebooks-mandatory-data-sharing-whatsapp-ire/162828/ WhatsApp is forcing users to agree to sharing information with Facebook if they want to keep using the service. The update is designed to “offer integrations across the Facebook Company Products”, which also includes Instagram and Messenger. Some of the data that WhatsApp collects includes:
The company warns users in a pop-up notice that they "need to accept these updates to continue using WhatsApp" - or delete their accounts. "Opt in, or fuck off by 8th Feb." But…. some good news! And the UK is still considered part of the “European region”, even if we’re not in the EU. Yes, we are still Europeans in 2021! However, the new version of the privacy policy for European users explicitly says that data can be shared with other Facebook companies to show personalised advertising and offers, make suggestions for content, and "help" to complete purchases, among other reasons. What’s telling to me... In 2018, the founders of WhatsApp quit FB over disagreements about privacy and encryption. Walking away from $850 million... https://www.theguardian.com/technology/2018/apr/30/jan-koum-whatsapp-co-founder-quits-facebook If they can walk away from $850 million, surely WhatsApp users can switch to Signal. Alternatives:
Billy Big Balls Elon Musk has become the wealthiest person on the planet, surpassing Amazon CEO Jeff Bezos, thanks to the continued rise in Tesla’s stock price. Musk is now worth around $188 billion, according to Bloomberg’s Billionaires Index. “How strange,” Musk tweeted Thursday. “Well, back to work ...” Musk eclipsing Bezos’ own extravagant personal wealth of around $187 billion marks the latest development in a years-long rivalry between the two tech magnates. Encrypted messaging app Signal says it’s seeing a swell of new users signing up for the platform, so much so that the company is seeing delays in phone number verifications of new accounts across multiple cell providers. As for what or who is responsible for so many new users interested in trying the platform, which is operated by the nonprofit Signal Foundation, there are two likely culprits: Tesla CEO Elon Musk and Signal competitor WhatsApp.
Industry News NYSE to Delist Chinese Telcos on National Security Grounds One Million Compromised Accounts Found at Top Gaming Firms Microsoft: SolarWinds Attackers Viewed Our Source Code NYSE U-Turn Means Chinese Telcos Escape Delisting Chinese APT Group Linked to Ransomware Attacks Ransomware Surge Drives 45% Increase in Healthcare Cyber-Attacks US: Fewer Than 10 Govt Agencies Hit by SolarWinds Attack Most Public Sector Victims Refuse to Pay Ransomware Gangs Dark Web User Numbers Spiked During #COVID19 Lockdown Over a Third of TMT Firms Hit by Security Breach in 2020 Social Media Neuters Trump’s Accounts After Fans Storm Capitol DoJ: SolarWinds Attackers Hit Thousands of O365 Inboxes
Tweet(s) of the Week Graham from the Smashing Security podcast: Due to travel restrictions, the USA had to organize a coup at home this year. https://twitter.com/modesty_blaise0/status/1346965502703198208 Andy: You can’t even do this shit on GTA https://twitter.com/ChatGotNext/status/1346911137439223822 Thom: We spend $750 billion annually on "defense" and the center of American government fell in two hours to the duck dynasty and the guy in the chewbacca bikini https://twitter.com/YousefMunayyer/status/1347026407294201863 Graham from the Smashing Security podcast: it’s literally harder to sign into gmail from a new device than it is to breach the capitol walls https://twitter.com/bocxtop/status/1347003538468204545 Andy: starting to think it’d actually be incredibly easy to steal the declaration of independence https://twitter.com/notviking/status/1346923223489736704 Thom: (serious) If there is still any question about how rhetoric can manifest into action, that question has been answered today. https://twitter.com/Olivia_Beavers/status/1346901714767642630
They Pushed Me Out And Maced Me
Sticky Pickle of the Week Sticky Pickle of the Week Sticky Pickle of the Week Graham applies his razor sharp mind to this week's triple sticky pickle.
US nuclear launch codes were 00000000
Come on! Like and bloody well subscribe! | |||
25 Jun 2021 | Episode 61 - Hey Everybody Andy is Famous! | 00:56:25 | |
This week in Infosec With content liberated from the “today in infosec” Twitter account 19th June 1987: The first Summercon hacker conference was held in St. Louis, Missouri and was run by the hacker zine Phrack. It's still going strong - the 33rd edition took place virtually last year with in-person attendance returning to NYC next month. https://hackstory.net/Summercon https://twitter.com/todayininfosec/status/1274065780288548864 20th June 2011: The earliest attack of Operation AntiSec was performed by LulzSec against the UK's Serious Organised Crime Agency. https://twitter.com/todayininfosec/status/1274498724786397184 Rant of the Week Ethics in Cybersecurity Marketing – Principles of Value Contribution EC-Council was recently discovered to be publishing blogs that were, in the opinion of a lawyer I spoke to, plagiarized from security and technology experts. One such work was my blog, “What is a Business Information Security Officer (BISO)”. What follows is a description of the events and what I believe needs to be done to correct this horrific trend. Alyssa Miller Duchess of Hackington @AlyssaM_InfoSec So I really want @ECCouncil to understand the damage they've done (a thread): EC-Council Deflects After Calls of Most Recent Plagiarism
Billy Big Balls of the Week “We got hacked and we'll be right back”, duo said ... two months ago. South African Brothers Vanish, and So Does $3.6 Billion in Bitcoin A Cape Town law firm hired by investors says they can’t locate the brothers and has reported the matter to the Hawks, an elite unit of the national police force. It’s also told crypto exchanges across the globe should any attempt be made to convert the digital coins. In the time the story first hit, to the time Forbes published it, the value of the haul had dropped significantly in line with the volatility we expect :) South African Brothers Disappear, Along With $2.2 Billion Worth Of Bitcoin
Industry News Novel Phishing Attack Abuses Google Drive and Docs Google Spices Up Supply Chain Security with SLSA Framework Nuclear Research Institute Breached by Suspected North Korean Hackers Finger Scanning Costs Six Flags $36m SEC Probes SolarWinds Breach Disclosure Failures NIST Publishes Ransomware Guidance Nuisance Call Company Fined £130,000 After Eight-Month Blitz Anti-virus Pioneer John McAfee Found Dead in Spanish Prison Cell Google Pushes Back Cookie Removal Plans to 2023
The John McAfee story How to uninstall McAfee anti-virus in his own words
Tweet of the Week https://twitter.com/ShootyDoody/status/1407684922786127873 Come on! Like and bloody well subscribe! | |||
14 Apr 2023 | Episode 147 - John Wick Seventeen and Three Quarters | 00:52:57 | |
This week in InfoSec (08:48) With content liberated from the “today in infosec” twitter account and further afield 5th April 2002: A hacker compromised a server containing California's payroll database. The state's Controller's Office waited 2 weeks to warn victims. As a result, angry lawmakers reacted by passing the first state data breach notification law in the US, SB 1386.
https://twitter.com/todayininfosec/status/1643711958032719874 6th April 2011: The Georgian interior ministry announced that a 75-year-old woman was charged after she disrupted Internet service in neighbouring Armenia. An elderly woman scavenging for copper? Add that to your DoS threat modelling diagram! https://www.bbc.co.uk/news/world-europe-12985082 https://twitter.com/todayininfosec/status/1643964851188912129
Rant of the Week (14:53) Pentagon super-leak suspect cuffed: 21-year-old Air National Guardsman The FBI has detained a 21-year-old Air National Guardsman suspected of leaking a trove of classified Pentagon documents on Discord. US Attorney General Merrick Garland confirmed the arrest, saying Jack Douglas Teixeira of the United States Air Force National Guard in Massachusetts was nabbed earlier today. The suspect was being held "in connection with an investigation into alleged unauthorized removal, retention, and transmission of classified national defense information," the AG said. The Washington Post reported yesterday that whoever leaked the files was thought to be a twenty-something American who liked gaming and guns, and worked on a military base. It's said he also controlled a private Discord server, and allegedly posted photographs of the classified Pentagon documents to impress the private group's 25 members, which included netizens in Europe, Asia, and South America. It is believed those classified files were shared beyond that Discord chat, and surfaced in one form or another on social media, where it all spread like wildfire. The documents were said to be war plans detailing secret US and NATO support for a Ukrainian offensive to regain land invaded by Russia, and that American and British special forces were already in Ukraine.
Billy Big Balls of the Week (28:05) To improve security, consider how the aviation industry stopped blaming pilots To improve security, the cybersecurity industry needs to follow the aviation industry's shift from a blame culture to a "just" culture, according to director of the Information Systems Audit and Control Association Serge Christiaans. Speaking at Singapore's Smart Cybersecurity Summit this week, Christiaans explained that until around 1990, the number of fatal commercial jet accidents was growing alongside a steady increase of commercial flights. But around the turn of the decade, the number of flights continued to rise while the number of fatalities began to drop. According to one analysis [PDF], the rate of fatal accidents fell from nine per 10 million flights in the 80s to six per 10 million in the 90s. Between 1995 and 2001, that figure was three per 10 million. “There was a big game changer,” Christiaans told the Summit. “Millions of people a day now fly in commercial aviation, and nothing happens.” While acknowledging that improved technology, more mature processes and improved leadership all helped to improve aviation safety, the former pilot and field CISO at tech consultancy Sopra Steria said the biggest improvements came from a change to a “just culture” that accepts people will make mistakes and, by doing so, makes it more likely errors will be reported. In a just culture, errors are viewed as learning opportunities instead of moral failings, creating transparency and enabling constant improvement. “We're not trying to blame, we're not trying to point fingers, we're trying to find the reasons behind the mistake,” said Christiaans. “There are of course, exceptions like negligence where of course you will be punished by law. But otherwise, if you speak up freely, you will not be punished.” and... 
While Twitter wants to sell its verification, Microsoft will do it for free on LinkedIn As Elon Musk tears at Twitter's credibility by demanding businesses and individuals pay for their blue verification checks, Microsoft is pushing its own free digital ID technology to companies and their employees on LinkedIn. Later this month, Microsoft will let organizations use its Verified ID tool to prove their workers' employment, with staff then being able to display that employment verification on their LinkedIn profiles. Like the trust the unpaid-for blue check mark on Twitter once conveyed, the Verified ID on LinkedIn will show that the people on the business-focused network – which has about 900 million users – work where they say they work. "By simply looking for a Verification, members and organizations can be more confident that the people they collaborate with are authentic and that work affiliations on their profiles are accurate," wrote Joy Chik, president of identity and network access at Microsoft.
Industry News (38:18) Latitude Financial Refuses to Pay Ransom KFC Owner Discloses Data Breach US Scrambles to Investigate Military Intel Leak Ethical Hackers Could Earn up to $20,000 Uncovering ChatGPT Vulnerabilities Rapid7 Has Good News for UK Security Posture Superyacht-Maker Hit by Easter Ransomware Attack Pakistan-Aligned Hackers Disrupt Indian Education Sector Over 20,000 Iowa Medicaid Members Affected By Data Breach Five Arrests in Crackdown on $98m Investment Fraud Gang
Tweet of the Week (47:18) https://twitter.com/DeathsPirate/status/1646840360478359553 Come on! Like and bloody well subscribe! | |||
26 Jun 2020 | Episode 12 - Where Did All The Money Go? | 01:04:40 | |
Where Did All The Money Go? Shit got real in this episode; we covered: Front doors A house that looks like Hitler https://i.dailymail.co.uk/i/pix/2016/09/08/11/380E25DA00000578-3779485-image-a-86_1473329102921.jpg Monopoly Billy Big Balls moves https://www.npr.org/sections/thetwo-way/2010/06/how_to_win_monopoly_in_21_seco.html Smiling for capitalism Out of work accountants Javvad pulls no bunches Come on! Like and bloody well subscribe! | |||
11 Dec 2020 | Episode 36 - IT'S CHRIIIISTMAAAAS! | 01:09:46 | |
This might be the last episode of the week, but that doesn't mean we scraped the barrel (except maybe for The Little People, but Jav has had a written warning for that already). Andy misunderstands the concept of "this week in infosec" and Thom tries to hold it together while juggling his newly acquired career in the security industry. Your usual tasty festive treats this week are: This Week in Infosec Liberated from the “today in infosec” twitter account: 5th December 2013: Troy Hunt launched the site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. Today? The identification of 10.5 billion compromised accounts. https://twitter.com/todayininfosec/status/1335020238765744129?s=20 8th December 2020: FireEye, a well-known security firm, announced that it had experienced a security incident that involved the theft of FireEye Red Team tools – the date of the incident was not revealed. Reportedly, evidence suggests that the compromise may have been carried out by a Russian nation-state threat actor “with top-tier offensive capabilities.” Per the blog post announcing the hack, authored by FireEye CEO Kevin Mandia, it appears that the attackers were also interested in details related to FireEye customers that are government agencies. FireEye has engaged the FBI for this investigation.
Tweet of the Week https://twitter.com/GrazianoDennis/status/1336796234120646662?s=20
Billy Big Balls 3 Reasons Scientists Endure Social Media Trolls And Attacks
Industry News #WebSummit: Nick Clegg Claims Internet Needs Accountability, Not Rules Ransomware Set for Evolution in Attack Capabilities in 2021 2020: The Most Vulnerable Year Yet? Thales and Google Cloud Partner for External Encryption Key Management #BHEU: Collision of Cyber-Communities Creating Tension and Risk #BHEU: Focus on Security Fundamentals, Not Adversarial Sophistication Data Loss Reports to ICO Increase Once Again #BHEU: North Korea’s Cyber-Offense Strategy Evolving to Focus on International Economic Targets
Jav's industry News Near three in ten of workers furloughed feel less loyal to their employer post-furlough Business Executives’ Logins Sold on Russian Hacking Forum; Accounts Can Be Used for BEC Scams Power banks could infect your smartphone with malware Experts On Clop Ransomware Attacking Retail Giant E-Land Credential Stuffing Attack Targeted Spotify, Affecting More Than 300,000 Accounts South Korean retail giant E-Land Retail suffers Clop ransomware attack
Rant of the Week A new lawsuit brought by one of Apple’s oldest foes seeks to force the iPhone maker to allow alternatives to the App Store, the latest in a growing number of cases that aim to curb the tech giant’s power. The lawsuit was filed on Thursday by the maker of Cydia, a once-popular app store for the iPhone that launched in 2007, before Apple created its own version. The lawsuit alleges that Apple used anti-competitive means to nearly destroy Cydia, clearing the way for the App Store, which Cydia’s attorneys say has a monopoly over software distribution on iOS, Apple’s mobile operating system. https://www.washingtonpost.com/technology/2020/12/10/cydia-apple-lawsuit/ https://twitter.com/ihackbanme/status/1337079701756493825?s=20
The Little People Don't go there. Seriously, just skip ahead.
Look Back on the Year January: Travelex: Travelex services were pulled offline following a malware infection. The company itself and businesses using the platform to provide currency exchange services were all affected. February: Estée Lauder: 440 million internal records were reportedly exposed due to middleware security failures. March: Marriott: The hotel chain suffered a cyberattack in which email accounts were infiltrated. 5.2 million hotel guests were impacted. April: Nintendo: Nintendo said 160,000 users were impacted by a mass account hijacking caused by the NNID legacy login system. May: EasyJet: The budget airline revealed a data breach exposing data belonging to nine million customers, including some financial records. Blackbaud: The cloud service provider was hit by ransomware operators who hijacked customer systems. The company later paid a ransom to stop client data from being leaked online. June: University of California SF: The university paid a $1.14 million ransom to hackers in order to save COVID-19 research. July: MGM Resorts: A hacker put the records of 142 million MGM guests online for sale. August: Experian, South Africa: Experian's South African branch disclosed a data breach impacting 24 million customers. September: NS8: The CEO of the cyberfraud startup was accused of defrauding investors out of $123 million. October: Dickey's: The US barbecue restaurant chain suffered a point-of-sale attack between July 2019 and August 2020. Three million customers had their card details later posted online. November: Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems. Fake Zoom invite cripples Aussie hedge fund with $8m hit December: FireEye: FireEye disclosed a cyberattack, suspected to be the work of a nation-state group. The cybersecurity firm said the hack resulted in penetration tools being stolen.
The Dead Donkey Microsoft discloses fewest vulnerabilities in a month since January Description: Microsoft released its monthly security update Tuesday, disclosing 58 vulnerabilities across its suite of products, the lowest number of vulnerabilities in any Patch Tuesday since January. There are only 10 critical vulnerabilities as part of this release, while there are two moderate-severity exploits, and the remainder are considered "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. https://blog.talosintelligence.com/2020/12/microsoft-patch-tuesday-dec-2020-.html Come on! Like and bloody well subscribe! | |||
17 Jun 2022 | Episode 108 - Jav And His Magnificent Pudenda | 00:37:55 | |
This Week in InfoSec (08:56) With content liberated from the “today in infosec” twitter account and further afield 17th June 1997: Hackers deciphered computer code written in the Data Encryption Standard (DES), which had been designed to be impenetrable encryption software. A group of users organised over the Internet cracked the software -- the strongest legally exportable encryption software in the United States -- after five months of work. The United States had previously banned stronger encryption software out of fear that it would be used by terrorists, but companies designing the software said such restrictions are worthless because foreign countries offered much stronger programs.
Rant of the Week (17:32) Google suspends engineer who claims its AI is sentient Google has placed one of its engineers on paid administrative leave for allegedly breaking its confidentiality policies after he grew concerned that an AI chatbot system had achieved sentience, the Washington Post reports. The engineer, Blake Lemoine, works for Google’s Responsible AI organization, and was testing whether its LaMDA model generates discriminatory language or hate speech. The engineer’s concerns reportedly grew out of convincing responses he saw the AI system generating about its rights and the ethics of robotics. In April he shared a document with executives titled “Is LaMDA Sentient?” containing a transcript of his conversations with the AI (after being placed on leave, Lemoine published the transcript via his Medium account), which he says shows it arguing “that it is sentient because it has feelings, emotions and subjective experience.” Google believes Lemoine’s actions relating to his work on LaMDA have violated its confidentiality policies, The Washington Post and The Guardian report. He reportedly invited a lawyer to represent the AI system and spoke to a representative from the House Judiciary committee about claimed unethical activities at Google.
Billy Big Balls of the Week (23:43) Facebook, Twitter, TikTok, Google and other platforms sign up to a new EU rulebook on tackling online disinformation. The signatories, including Facebook owner Meta, Google, Twitter, Twitch and TikTok, have committed to a new code for countering fake news and propaganda on their platforms, as well as providing more granular data on their work through a new transparency centre. Dubbed the new “Code of Practice on Disinformation,” the code is said to have been shaped by “lessons learnt from the COVID-19 pandemic and Russia's war of aggression in Ukraine.” It contains 44 “commitments” aimed at the most harmful forms of disinformation, including: searchable libraries of political adverts; demonetizing fake news; cutting the number of bot networks and fake accounts used to spread disinformation; helping users spot disinformation and find “authoritative sources”; giving researchers “better and wider access to platforms' data”; and working more closely with independent fact-checkers. Unlike its predecessor, 2018's Code of Practice on Disinformation, the new rulebook is to be enforced via the EU's new platform law, the DSA.
Industry News (24:40) #RSAC: The Cybersecurity Maturity Model Certification Program is Coming FDNY Calls for Digital Firewall to Protect Rescue Workers From Cyber-Attacks Apple CEO Tim Cook Pushes Senate For Privacy Legislation Privacy Watchdog Boosts Legal Funds by Keeping Millions in Fines BNPL Fraud Alert as Account Takeovers Surge Corporate Network Access Selling for Under $1000 on Dark Web Cyber-Criminals Smuggle Ukrainian Men Across Border Office 365 Functionality Could Allow Ransomware to Hold Files Stored on SharePoint and OneDrive Cybersecurity Researchers Find Several Google Play Store Apps Stealing Users Data
Tweet of the Week (33:14) https://twitter.com/arekfurt/status/1537608776714539008 Come on! Like and bloody well subscribe! | |||
30 Jun 2023 | Episode 158 - The Highly Reviewed Episode | 00:49:18 | |
This week in InfoSec (11:36) With content liberated from the “today in infosec” twitter account and further afield 26th June 1997: Communications Decency Act Declared Unconstitutional The US Supreme Court ruled the Communications Decency Act unconstitutional on a 7-2 vote. The act, passed by both houses of Congress, sought to control the content of the Internet in an effort to keep pornography from minors. In an opinion written by Justice John Paul Stevens, the Supreme Court ruled the act a violation of free speech as guaranteed by the US Constitution.
29th June 2007: The phone that changed everything Nearly 6 months after it was introduced, Apple's highly-anticipated iPhone goes on sale. Generally downplayed by Old World Technology pundits after its introduction, the iPhone was greeted by long lines of buyers around the country on that first day. Quickly becoming an overnight phenomenon, one million iPhones were sold in only 74 days. Since those early days, the ensuing iPhone models have continued to set sales records and have completely changed not only the smartphone and technology industries, but the world as well.
Rant of the Week (19:19) Miscreants leak texts and info siphoned by Android stalkerware app LetMeSpy It's bad enough there's some Android stalkerware out there with the not-at-all-creepy moniker LetMeSpy. Now someone's got hold of the information the app collects – such as victims' text messages and call logs – as well as the email addresses of those who sought out the software, and leaked it all. The stolen data has been circulating online for at least a few days, we're told, and the spyware's users – those who got the app to put on someone else's device – reportedly include government workers and a ton of US college students. The Polish developer of the app said the information was swiped in a "security incident" that happened on June 21, when someone obtained "unauthorised access" to its website's databases. Yes, we appreciate the irony of the maker of a phone-monitoring app that boasts about secretly collecting call logs, text messages, and whereabouts while remaining "invisible to the user" admitting that someone else gained unauthorised access to their information.
Billy Big Balls of the Week (28:33) Network security guy in extradition tug of war between US and Russia A Russian network security specialist and former editor of Hacker magazine who is wanted by the US and Russia on cybercrime charges has been detained in Kazakhstan as the two governments seek his extradition. Nikita Kislitsin, an employee of Russian infosec shop FACCT, was detained on June 22 at the request of the US, according to a statement by his employer. "According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than ten years ago when Nikita worked as a journalist and independent researcher," the statement reads. "We are convinced that there are no legal grounds for detention on the territory of Kazakhstan." FACCT is not under investigation and has not been charged with any wrongdoing, the org added. It has hired lawyers to defend Kislitsin, and has also sent an appeal to the Consulate General of the Russian Federation in Kazakhstan "to assist in protecting our employee," according to the statement.
Industry News (34:27) Are GPT-Based Models the Right Fit for AI-Powered Cybersecurity? Over Half of UK Banks Are Exposing Customers to Email Fraud Submarine Cables at Growing Risk of Cyber-Attacks Third-Party Vendor Hack Exposes Data at American, Southwest Airlines EncroChat Bust Leads to 6500 Arrests in Three Years VPN and RDP Exploitation the Most Common Attack Technique LockBit Dominates Ransomware World, New Report Finds Charming Kitten’s PowerStar Malware Evolves with Advanced Techniques MIT Publishes Framework to Evaluate Cybersecurity Methods
Tweet of the Week (43:14) https://twitter.com/UK_Daniel_Card/status/1674094965348073474 Come on! Like and bloody well subscribe! | |||
02 Oct 2020 | Episode 25 - The Week of Weak Content | 00:57:46 | |
It has been a quiet week, but Host Unknown still provides the goods. Admittedly the goods have come from Lidl. This Week in Infosec 25th September 2003: A report critical of Microsoft, "CyberInsecurity - The Cost of Monopoly", was published. As a result, Dan Geer, one of seven co-authors of the report, was fired by @stake. https://cryptome.org/cyberinsecurity.htm#Fired 30th Sept 2009: "Schneier on Security" was published. It consisted of a compilation of articles Bruce Schneier wrote between 2002 and 2008.
Billy Big Balls
Tweet of the Week https://twitter.com/J4vv4D/status/1311682834738929665?s=20 Industry News Ivanti Adds VPN and MDM Technologies in Double Acquisition Research: Cloud Skills and Solutions Are in Short Supply UK Receives 2020 European CYBERSEC Award #DTXNOW: Time to Remove Security from IT Technical and Cost Concerns of Passwordless Authentication Bother Security Leaders
Rant of the Week https://twitter.com/hacks4pancakes/status/1311295830838710273?s=20 https://collider.com/hackers-movie-sequel-reboot-details/
Monkey Business Illusion / Invisible Gorilla: https://www.itsecurityguru.org/2020/09/23/the-invisible-risk/ Drinking quotes: https://imgur.com/gallery/i0Wt7 Come on! Like and bloody well subscribe! | |||
28 Apr 2023 | Episode 149 - It's That Man Again (Again) | 00:50:40 | |
This Week In InfoSec (09:00) With content liberated from the “today in infosec” twitter account and further afield 23rd April 2008: Microsoft announced that some of its antivirus tools had mislabeled Skype as adware for several days due to a bad definition update. 3 years later Microsoft bought Skype for $8.5 billion. Microsoft mislabels Skype as adware https://twitter.com/todayininfosec/status/1253558642537713664
26th April 1999: Chernobyl Virus Melts Down PCs The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus triggers its payload on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history, it is estimated that 60 billion PCs were infected worldwide causing $1 Billion in damages. The virus had been created exactly one year earlier on April 26, 1998 by Taiwanese student Chen Ing-hau and set to trigger its destructive payload exactly one year later. It began to spread in the wild and was first discovered in June of 1998, given the name CIH due to the author’s initials discovered in the virus code. From this time forward it was reported that a variety of companies accidentally distributed the virus through various downloads, updates, and CDs. When the virus triggered on this date it just happened to coincide with the date of the Chernobyl disaster in 1986 and therefore the press began to call it the Chernobyl virus, even though there has never been any evidence to show that this date was chosen intentionally for this reason. My memories of Chernobyl/CIH here: https://nakedsecurity.sophos.com/2011/04/26/memories-of-the-chernobyl-virus/
Rant of the Week (17:35) International cops urge Meta not to implement secure encryption for all Why? Well, think of the children, of course An international group of law enforcement agencies are urging Meta not to standardize end-to-end encryption on Facebook Messenger and Instagram, which they say will harm their ability to fight child sexual abuse material (CSAM) online. The Virtual Global Taskforce was formed in 2003 and is currently chaired by Britain's National Crime Agency. The VGT consists of 15 law enforcement bodies, including Interpol, the FBI, the Australian Federal Police and other law enforcement agencies from around the world. In its letter [PDF], the VGT said reports from tech industry partners play a key role in fighting CSAM content, with Meta being its leading reporter of abuse material. But the taskforce thinks that will end if Meta continues its encryption push. "The VGT has not yet seen any indication from META that any new safety systems implemented post-E2EE will effectively match or improve their current detection methods," the taskforce said.
Billy Big Balls of the Week (28:07) After 13 years, Google has finally added syncing to Google Authenticator in iOS and Android. By adding sync, you no longer need to worry about losing access to your online accounts. If you lose your phone, just restore them on a new device. All good, right? Err… https://twitter.com/mysk_co/status/1651021165727477763 Yes, Google syncs your 2FA codes via HTTPS. But Mysk found out they weren't end-to-end encrypted. In short, Google can see your 2FA codes. Furthermore, anyone who can access your Google account (such as law enforcement) can access your 2FA codes. Oh dear… https://twitter.com/christiaanbrand/status/1651279598309744640 In response, Google said it had “plans to offer E2EE for Google Authenticator down the line,” adding: “We're always focused on the safety and security of Google users, and the newest updates to Google Authenticator was no exception.” “Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.” What impressive balls of Google to introduce this new feature to a security/privacy product - after 13 years! - and brazenly do it in an insecure way!
Industry News (37:43) American Bar Association Breach Hits 1.5 Million Members Thousands of Social Media Takedowns Hit People Smugglers Yellow Pages Canada Hit by Cyber-Attack, Black Basta Claims Credit UK Cyber Pros Burnt Out and Overwhelmed Quad Countries Prepare For Info Sharing on Critical Infrastructure Critical Flaw Patched in VMware Workstation and Fusion Man Arrested for Selling Data on 300 Million Victims to Russians Microsoft Blames Clop Affiliate for PaperCut Attacks APT Groups Expand Reach to New Industries and Geographies
Tweet of the Week (45:06) https://twitter.com/vxunderground/status/1651384225692786689 Come on! Like and bloody well subscribe! | |||
16 Dec 2023 | Episode 178 - The Last Of Us Episode | 00:49:35 | |
This week in InfoSec (12:55) With content liberated from the “Today in infosec” Twitter account and further afield 11th December 2010: The hacker group Gnosis released the source code for Gawker's website and 1.3 million of its users' password hashes. After a jury found Gawker's parent company liable in a lawsuit filed by Hulk Hogan and awarded him $140 million, Gawker shut down in 2016. https://twitter.com/todayininfosec/status/1734217170173763907 14th December 2009: RockYou admitted that 32 million users' passwords (stored as plain text) and email addresses were compromised via a SQL injection vulnerability. RockYou's customer notification said "it was important to notify you of this immediately"...10 days after they became aware. https://twitter.com/todayininfosec/status/1735357287147995514 Not really infosec https://x.com/depthsofwiki/status/1735147763447595024?s=20 but 14th Dec 2008 was the infamous Bush shoeing incident. Where Bush ducked the shoes thrown by Al-Zaidi while the Iraqi PM Nouri Al-Maliki tried to parry it.
Rant of the Week (22:10) UK government woefully unprepared for 'catastrophic' ransomware attack The UK has failed to address the threat posed by ransomware, leaving the country at the mercy of a catastrophic ransomware attack that the Joint Committee on National Security Strategy (JCNSS) yesterday warned could occur "at any moment." The Parliamentary Select Committee reached this conclusion in a scathing report released December 13 that accused the government of failing to take ransomware seriously, and of providing "next-to-no support" to victims of ransomware attacks. "There is a high risk that the government will face a catastrophic ransomware attack at any moment, and that its planning will be found lacking," the report concluded. "There will be no excuse for this approach when a major crisis occurs, and it will rightly be seen as a strategic failure." Recent examples of ransomware infections at UK government institutions and critical private infrastructure are not hard to find. Manchester Police, Royal Mail and the British Library have all fallen victim to ransomware attacks since September 2023. In July 2023, the Barts Health NHS Trust hospital group was hit by the BlackCat ransomware gang. The NHS had already been taught a lesson about the vicious power of ransomware in 2017 when multiple Brit hospitals stopped taking new patients, other than in emergencies, after being hobbled by WannaCry. Third-party providers of NHS software systems have been hit as well, taking systems offline and forcing care providers to revert to pen and paper. In short, the situation with ransomware in the UK is already bad, and the JCNSS has predicted things will likely get worse.
Billy Big Balls of the Week (29:54) Polish Hackers Repaired Trains the Manufacturer Artificially Bricked. After breaking trains simply because an independent repair shop had worked on them, NEWAG is now demanding that trains fixed by hackers be removed from service. They did DRM to a train. In one of the coolest and more outrageous repair stories in quite some time, three white-hat hackers helped a regional rail company in southwest Poland unbrick a train that had been artificially rendered inoperable by the train’s manufacturer after an independent maintenance company worked on it. The train’s manufacturer is now threatening to sue the hackers who were hired by the independent repair company to fix it. The fallout from the situation is currently roiling Polish infrastructure circles and the repair world, with the manufacturer of those trains denying bricking the trains despite ample evidence to the contrary. The manufacturer is also now demanding that the repaired trains immediately be removed from service because they have been “hacked,” and thus might now be unsafe, a claim they also cannot substantiate.
Industry News (38:38) EU Reaches Agreement on AI Act Amid Three-Day Negotiations Europol Raises Alarm on Criminal Misuse of Bluetooth Trackers Widespread Security Flaws Blamed for Northern Ireland Police Data Breach UK Ministry of Defence Fined For Afghan Data Breach UK at High Risk of Catastrophic Ransomware Attack, Government Ill-Prepared MITRE Launches Critical Infrastructure Threat Model Framework Microsoft Targets Prolific Outlook Fraudster Storm-1152 Vulnerabilities Now Top Initial Access Route For Ransomware Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign
Tweet of the Week (46:06) https://x.com/WorkRetireDie/status/1732108681087508947?s=20 Come on! Like and bloody well subscribe! | |||
15 Jan 2021 | Episode 38 - Oh No He's Back | 01:03:50 | |
The boys are back in town. Jav's return has also reduced the average age of this podcast by roughly twenty years. The good news though is that we not only have a full program, but also new jingles too! This week in Infosec Liberated from the “today in infosec” twitter account: 16th January 2007: Jeffrey Goodin became the first person convicted under the US CAN-SPAM Act. He sent emails pretending to be AOL's billing department. He could have faced...wait for it...wait for it...101 years in prison! Instead, he was sentenced to 70 months. https://www.nytimes.com/2007/01/17/technology/17spam.html https://twitter.com/todayininfosec/status/1217962482909626368 12th January 1984: The first issue of 2600 was mailed to several dozen people. At the time, it was a 3 page monthly newsletter. 2600: The Hacker Quarterly is still published today. https://en.wikipedia.org/wiki/2600:_The_Hacker_Quarterly https://twitter.com/todayininfosec/status/1216431003721293825?s=20
Rant of the Week Tech companies have grown a pair of balls in Trump’s last days in office. Host Unknown remembers. Twitter, Facebook, Snapchat, Shopify are just some of the companies finally taking a stand. AirBnB have cancelled reservations in DC during the week of Biden’s inauguration https://www.independent.co.uk/voices/trump-ban-facebook-twitter-parler-first-amendment-b1785631.html
Tweet of the Week WhatsApp clarifies it’s not giving all your data to Facebook after surge in Signal and Telegram users The company is trying to contain fallout over a privacy policy update “We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way. Instead, this update includes changes related to messaging a business on WhatsApp, which is optional, and provides further transparency about how we collect and use data,” the company writes on the new FAQ page. https://twitter.com/nickstatt/status/1349029486734565380
Industry News CEO Refutes Reports of Involvement in SolarWinds Campaign Ryuk Ransomware Attackers Have Made $150m Jav: Emotet Tops Malware Charts in December After Reboot High Court Rules Against Government Bulk Hacking Over 100,000 UN Employee Records Accessed by Researchers US Announces Controversial State Department Cyber-Bureau Chinese Startup Leaks Social Profiles of 214 Million Users New Malware Implant Discovered as Part of SolarWinds Attack New Zealand Central Bank Breach Hit Other Companies Healthcare Hit by 187 Million Monthly Web App Attacks in 2020 Microsoft Fixes Windows Defender Zero-Day Bug Mimecast Cert Abused to Target Inboxes in “Sophisticated” Attack European Regulator: #COVID19 Vaccine Data Leaked Online CISA Warns of Cloud Attacks Exploiting Poor Cyber-Hygiene Ring Rolls-Out End-to-End Encryption to Bolster Privacy
Javvad’s Weekly Stories Vulnerable Database Exposed UN Employees' Data Will the National Cyber Force make the UK safer? Industry responds United Nations suffers potential data breach Best practices for building a security culture program Five Key Cybersecurity Themes from 2020
Billy Big Balls Dark Market taken offline DarkMarket, the world's largest illegal marketplace on the dark web, has been taken offline in an international operation involving Germany, Australia, Denmark, Moldova, Ukraine, the United Kingdom (the National Crime Agency), and the USA (DEA, FBI, and IRS). Europol supported the takedown with specialist operational analysis and coordinated the cross-gender collaborative effort of the Host Unknown countries involved. DarkMarket in figures:
At the current rate, this corresponds to a sum of more than €140 million. The vendors on the marketplace mainly traded all kinds of drugs and sold counterfeit money, stolen or counterfeit credit card details, anonymous SIM cards and malware. https://gizmodo.com/the-internets-biggest-darknet-just-got-taken-down-1846044148
Will we have a Little people today? No
Sticky Pickle of the week Imagine the year is 2009 and you’re sitting at home eating your lunch over your laptop as you always do, and you spill your drink. The laptop stops working due to the spillage; you salvage the parts you can and over time you forget about them and they get thrown out with the household rubbish. Thinking nothing of it, you hear that this particular thing you threw out is now worth money. Over time, you watch its value increase phenomenally. You attempt to follow the trail and realise that what you threw out is sitting in the council landfill site. There are no guarantees that you’ll find it, but you know in your heart it’s in there and if you can rummage through the landfill, you are sure you can find it. What would you do in this situation? https://www.bbc.co.uk/news/uk-wales-55658942
Come on! Like and bloody well subscribe!
16 Dec 2022 | Episode 133 - The Last Show of the Year Show | 00:48:34 | |
This week in InfoSec (09:44) With content liberated from the “today in infosec” twitter account and further afield 15th December 1995: AltaVista Launches Developed by researchers at Digital Equipment Research Laboratories, the AltaVista search engine is launched. It was the first world wide web search service to gain significant popularity. One of the most popular search engines in the early world wide web, Google didn’t overtake AltaVista until 2001. AltaVista was eventually purchased by Yahoo! in 2003. 11th December 1989: Joseph Lewis Popp allegedly mailed floppy disks to the UK which were labelled "AIDS Information Introductory Diskette". Surprise! The AIDS trojan on the disks demanded $189 to "renew the licence" by sending payment to a post office box in Panama. https://twitter.com/todayininfosec/status/1469660348928167943
Rant of the Week (17:02) Internal Note: [You’ll need to read this story first for background if you’re not familiar - Rackspace confirms ransomware attack behind days-long email meltdown] On the 12th day of the Rackspace email disaster, it did not give to me … … a working Exchange inbox tree There's no end – or restored data – in sight for some Rackspace customers now on day 12 of the company's ransomware-induced hosted Exchange email outage. In the service provider's most recent update, posted at 0844 Eastern Time on Wednesday, Rackspace said it had hired CrowdStrike to investigate the fiasco, and noted it continues "to make all of our internal and external resources available to provide support to the remaining Hosted Exchange customers." Rackspace did not, however, say if or when it expects to recover people's data that was lost or scrambled when ransomware hit its systems – an attack that took down some of Rackspace's hosted Microsoft Exchange services on December 2. Since then, affected customers have been unable to get at their data held in the hosted service. "We understand how important data recovery is to our customers," Rackspace wrote. "In ransomware attacks, data recovery efforts do necessarily take significant time, both due to the nature of the attack and need to follow additional security protocols. We will continue to keep you updated on these efforts."
Billy Big Balls of the Week (27:19) SEC charges crew of social media influencers with $100m fraud Eight braggadocious social media influencers fond of posing next to sportscars are facing charges from the US Securities and Exchange Commission (SEC) and Department of Justice (DoJ), who claim they manipulated their 1.5 million followers in order to help themselves to $100 million in "fraudulent profits." The suspects, all men in their twenties and thirties, were charged with conspiracy to commit securities fraud in connection with a long-running, social media-based "pump and dump" scheme, a recently unsealed Texas federal grand jury indictment [PDF] and an SEC complaint [PDF] revealed. The SEC alleged the suspects used Twitter and Discord to manipulate exchange-traded stocks in a $100 million securities fraud scheme, detailing some pretty amusing excerpts from exchanges it claims took place between individuals in the group. We're robbing f*cking idiots of their money. . . The commission claimed the defendants sometimes discussed their scheme over Discord voice chats that they "believed were private, but which were in fact being recorded." OR Here's something communism is good at: Making smartphones less annoying This week the kings of the Middle Kingdom issued directives to address some of the biggest annoyances associated with smartphone applications: copycat apps and bloatware. On Monday the Cyberspace Administration of China (CAC) launched a campaign it said would "rectify chaos" in smartphone apps by cracking down on several behaviors such as publication of "copycat apps" that use logos, pictures or text similar to existing apps to deceive users and potentially collect personal data and app subscription fees. The CAC also plans to rectify dodgy ranking practices, and apps that lure people in with sexually suggestive or vulgar home pages. Apps distributed by QR code, rather than through app stores, are also in trouble. But wait, there's more!
CAC will prevent auto downloads or installations without user consent. Apps that misrepresent their function or content are in the firing line as well, as are apps that tempt users with promises of making money. Excessive pop-ups, functions that serve as an obstacle to removing apps or forced renewals, and fake free trials are all on their way out. In the usual style of the CAC, the regulator did not specify how it would accomplish its goals, instead using phrases like "severely punish," "strictly regulate," and "crack down." Given the authoritarian nature of the regime, though, these terms should be taken pretty much at face value.
Industry News (35:12) North Korean Hackers Impersonate Researchers to Steal Intel HSE Cyber-Attack Costs Ireland $83m So Far Security Overlooked in Rush to Hybrid Working Experts Warn ChatGPT Could Democratize Cybercrime Uber Hit By New Data Breach After Attack on Third-Party Vendor Twitter Addresses November Data Leak Claims Signed Microsoft Drivers Used in Attacks Against Businesses Loan Scam Campaign 'MoneyMonger' Exploits Flutter to Hide Malware Senate Approves Bill Banning TikTok From US Government Devices
Tweet of the Week (44:05) https://twitter.com/davenewworld_2/status/1603107286960029696 Come on! Like and bloody well subscribe!
06 Aug 2021 | Episode 67 - A Total Car Crash | 00:58:52 | |
This Week in InfoSec (07:40) With content liberated from the “today in infosec” Twitter account 30th July 2013: Chelsea Manning (their name was Bradley Manning at the time) was found guilty of espionage, theft, and computer fraud, as well as military infractions. https://twitter.com/todayininfosec/status/1421171398656024587
3rd August 2007: Reporter Michelle Madigan (Associate Producer of Dateline NBC) went undercover at DEF CON with a hidden camera to try to get attendees to confess to crimes, was outed by @thedarktangent, and bolted from the venue chased by a pack of 150 people. Dateline Mole Allegedly at DefCon with Hidden Camera An undercover Dateline NBC reporter flees the Defcon (Video) https://twitter.com/todayininfosec/status/1422682529220472833
Rant of the Week (18:42)
Billy Big Balls of the Week (29:45) https://twitter.com/matthew_d_green/status/1423109002280513540?s=20
Industry News (41:04) US Seeks Espionage Retrial for Chinese Researcher Zoom Pays $85m to Settle Privacy Suit US Senate: Seven out of Eight Agencies Are Failing on Cyber Son Charged in Murder of Cybersecurity ‘Genius’ MoD Boosts Cyber-Resilience with Ethical Hacker Project Over 60 Million Americans Exposed Through Misconfigured Database Web Shells and Digital Extortion Drive Triple-Digit Growth in Cyber-Intrusions Decade-Old Router Bug Could Affect Millions of Devices Cybercrime Ransomware 'Ban' is No Match for Threat Actors
Tweet of the Week (54:52) https://twitter.com/iamdevloper/status/1423219304435228676?s=21
"The Box" Incidental Music ©Charlie Langford Come on! Like and bloody well subscribe!
01 Apr 2022 | Episode 99 - Do You Think They Will Notice? | 00:52:59 | |
This Week in InfoSec (09:55) With content liberated from the “today in infosec” twitter account and further afield 31st March 1999: The hugely successful motion picture, The Matrix, is released on this day. Many call it a classic (ok, that’s me), many call it influential (ok, me again), but no one can deny the impact it had on many aspects of our society, from the emerging tech culture, to the movie industry, to science-fiction, to political thinking. 25th March 2010: Albert Gonzalez was sentenced to 20 years in prison for stealing credit card data from TJX and other companies. He is currently serving his sentence at FMC Lexington, a Kentucky facility for inmates requiring medical or mental health attention. Sex, Drugs, and the Biggest Cybercrime of All Time
Rant of the Week (19:32) Yale finance director stole $40m in computers to resell on the sly A now-former finance director stole tablet computers and other equipment worth $40 million from the Yale University School of Medicine, and resold them for a profit.
Billy Big Balls of the Week (30:30) Ubiquiti sues Krebs on Security for defamation Network equipment maker Ubiquiti on Tuesday filed a lawsuit against infosec journalist Brian Krebs, alleging he defamed the company by falsely accusing the firm of covering up a cyber-attack. On March 30, 2021, Krebs reported that Ubiquiti had disclosed a January breach involving a third-party cloud provider, later revealed to be AWS, and that an unnamed source within the firm had claimed the company was downplaying a catastrophic compromise. Apple and Meta shared data with hackers pretending to be law enforcement officials Apple and Meta handed over user data to hackers who faked emergency data request orders typically sent by law enforcement, according to a report by Bloomberg. The slip-up happened in mid-2021, with both companies falling for the phony requests and providing information about users’ IP addresses, phone numbers, and home addresses. Law enforcement officials often request data from social platforms in connection with criminal investigations, allowing them to obtain information about the owner of a specific online account. While these requests require a subpoena or search warrant signed by a judge, emergency data requests don’t — and are intended for cases that involve life-threatening situations.
Industry News (37:24) Dental Practice Fined for Sharing Patient Data on Social Media Yandex is Sending iOS Users' Data to Russia Attackers Steal $618m From Crypto Firm New Research Claims Biden's Disclosure Deadlines Are Unrealistic NCSC: Time to Rethink Russian Supply Chain Risks Cyber-attack on California Healthcare Organization New Version of PCI DSS Designed to Tackle Emerging Payment Threats No Patch Available Yet for Critical SpringShell Bug
Tweet of the Week ( https://twitter.com/AskAManager/status/1509246642364588040 https://twitter.com/HackingLZ/status/1509529191439425540 Come on! Like and bloody well subscribe!
11 Sep 2020 | Episode 23 - TGIF | 00:59:47 | |
Lest we forget. It is a scant 12 months since Host Unknown released this onto their unsuspecting public: Tweet of the Week https://twitter.com/happygeek/status/1302582251159519233?s=20 Billy Big Balls of the Week https://www.bbc.co.uk/news/world-africa-54051424 Industry News https://www.infosecurity-magazine.com/news/incidents-third-ico-reports/ https://www.infosecurity-magazine.com/news/credit-skimmer-1500/ https://www.infosecurity-magazine.com/news/ransomware-2020-election/ https://www.infosecurity-magazine.com/news/bsides-london-44con-cancel-2020/ https://www.infosecurity-magazine.com/news/smbs-invest-budget-firewall/ https://www.infosecurity-magazine.com/news/businesses-insider-breaches/ https://www.infosecurity-magazine.com/news/threatconnect-nehemiah-quantifier/ Rant of the Week Entitlement and job searches. No notes supplied... Come on! Like and bloody well subscribe!
21 Aug 2020 | Episode 20 - Dr Foster Went to Gloucester | 00:57:56 | |
The one without Jav. Mostly. Tweet of the Week KnowBe4 release their Organisational Cyber Security Culture Research Report, and no registration wall to download it! https://www.knowbe4.com/organizational-cyber-security-culture-research-report Billy Big Balls Athena Health guy holds his hands up after Host Unknown attention Industry News https://www.infosecurity-magazine.com/news/reported-data-breaches-down-2020/ https://www.infosecurity-magazine.com/news/huawei-phones-updates-ban/ https://www.infosecurity-magazine.com/news/outsource-cyber-services/ Rant of the week https://www.theregister.com/2020/08/20/uber_sullivan_charges As Uber's chief security officer, Joe Sullivan broke the law by hushing up the theft of millions of people's details from the app maker's databases by hackers, prosecutors say. Sullivan, 52, formerly of eBay, Facebook, and PayPal, was today charged with obstruction of justice and misprision – concealing knowledge of a crime from law enforcement – by the US District Attorney for Northern California, an office he briefly worked for back in the day. These come with potentially five and three-year prison sentences, respectively, and a fine of up to $250,000 apiece. Come on! Like and bloody well subscribe!
19 Jun 2020 | Episode 11 The One What Was Sponsored | 01:00:16 | |
This week's episode includes Kim Kardashian, toilet flushing shenanigans, a plethora of expertly written industry news, the Cambodian Government Covid-19 'scam', eBay and their excellent customer service and finally Paco Hope tells us about his big cat reserve in Florida. Thom also reveals who Graham's least favourite guest on Carole's Smashing Security Podcast is. Honestly. Thank you to our Sponsors, the wonderful Carole Theriault and the adequate Graham Cluley of The Smashing Security podcast. https://www.smashingsecurity.com Come on! Like and bloody well subscribe!
03 Jun 2024 | Episode 194 | 00:50:52 | |
This week in InfoSec (07:29) With content liberated from the “today in infosec” twitter account and further afield 28th May 2014: LulzSec hacker Hector Monsegur, known as Sabu, was sentenced and released the same day on time served for his role in a slew of high-profile cyberattacks. He had served 7 months in prison after his arrest. https://x.com/todayininfosec/status/1795228730735886650 25th May 2018: The General Data Protection Regulation (GDPR) in the European Union (EU), intended to strengthen and unify data protection, became effective - just over 2 years after it was adopted by the EU. https://twitter.com/todayininfosec/status/1794461551534936503
Rant of the Week (18:34) Bing outage shows just how little competition Google search really has Bing, Microsoft's search engine platform, went down in the very early morning of 23rd May. That meant that searches from Microsoft's Edge browsers that had yet to change their default providers didn't work. It also meant that services relying on Bing's search API—Microsoft's own Copilot, ChatGPT search, Yahoo, Ecosia, and DuckDuckGo—similarly failed. If dismay about AI's hallucinations, power draw, or pizza recipes concerns you—along with perhaps broader Google issues involving privacy, tracking, news, SEO, or monopoly power—most of your other major options were brought down by a single API outage this morning. Moving past that kind of single point of vulnerability will take some work, both by the industry and by you, the person wondering if there's a real alternative.
Billy Big Balls of the Week (26:56) IT worker sued over ‘vengeful’ cyber harassment of policeman who issued a jaywalking ticket
Industry News (34:44) Check Point Urges VPN Configuration Review Amid Attack Spike Courtroom Recording Software Vulnerable to Backdoor Attacks New North Korean Hacking Group Identified by Microsoft Internet Archive Disrupted by Sustained and “Mean” DDoS Attack Advance Fee Fraud Targets Colleges With Free Piano Offers US-Led Operation Takes Down World’s Largest Botnet First American Reveals Data Breach Impacting 44,000 Individuals Europol-Led Operation Endgame Hits Botnet, Ransomware Networks BBC Pension Scheme Breached, Exposing Employee Data
Tweet of the Week (47:14) https://twitter.com/DebugPrivilege/status/1795823939631067165 Come on! Like and bloody well subscribe!
23 Apr 2021 | Episode 52 - The Boys Are Back In Town | 01:05:05 | |
Thom’s l33t crypto coin investments
This week in Infosec Liberated from the “today in infosec” twitter account: 18th April 1995: proff (Julian Assange) published "The Dan Farmer Rap", about SATAN author, Dan Farmer. Yes, that Julian Assange. Yes, the same one. Yes. https://seclists.org/bugtraq/1995/Apr/195 19th April 2010: The OWASP Top 10 for 2010 was officially released. https://twitter.com/todayininfosec/status/1251895022598803457 19th April 2011: Microsoft published a policy requiring employees to follow specific procedures when reporting vulnerabilities in 3rd-party products. https://twitter.com/todayininfosec/status/1252023386026340352
Rant of the Week They Hacked McDonald’s Ice Cream Machines—and Started a Cold War https://www.wired.com/story/they-hacked-mcdonalds-ice-cream-makers-started-cold-war/
Billy Big Balls Cellebrite makes software to automate physically extracting and indexing data from mobile devices. https://signal.org/blog/cellebrite-vulnerabilities/ ELI5: https://twitter.com/ErrataRob/status/1385020198697291777?s=20
Industry News Google to Delay Publishing Bug Details for 30 Days ICO Issued Over £42 Million in Fines Last Year FIN7 Sysadmin Gets 10 Years Behind Bars Google Trumpets New Mobile App Security Standard MI5: 10,000+ Brits Approached by Spies on Social Site Dating Service Suffers Data Breach TikTok Sued Over Use of Minors’ Data DoJ Launches Ransomware Taskforce as Apple Hit by Extortion Attempt Stallone Classic a Password Favorite
Tweet of the Week https://twitter.com/H3KTlC/status/1385232019387404296?s=20 Related: Add another cause of mental health concern from the past year’s Pandemic-induced, work-from-home requirements. New research from Microsoft shows the potential downside of the virtual workplace, confirming that stress increases over the course of back-to-back virtual meetings.
Sticky Pickle of the Week Hat-tip to Martin @maxsec Hepworth for bringing this story to our attention (and the reason Smashing Security missed it is because they record on Tuesday and spend a day and a half editing their show before releasing it): “Linux kernel developers do not like being experimented on” https://twitter.com/gregkh/status/1384785747874656257?s=20 https://lore.kernel.org/linux-nfs/YH%2FfM%2FTsbmcZzwnX@kroah.com/ Come on! Like and bloody well subscribe!
28 Aug 2020 | Episode 21 - Wireless Access Protocol | 01:00:01 | |
Marital advice, PETA safe hobbies, Aimee Laycock and Cardi B's WAP. We are nothing if not varied. The Little People (Part 1) Aimee Laycock talks about Research Tweet of the Week https://www.wired.com/story/how-four-brothers-allegedly-fleeced-19-million-amazon/ Billy Big Balls https://www.zdnet.com/article/russian-arrested-for-trying-to-recruit-an-insider-and-hack-a-nevada-company/ Industry News https://www.infosecurity-magazine.com/news/palo-alto-crypsis/ https://www.infosecurity-magazine.com/news/tls-vpn-flaws-tester/ https://www.infosecurity-magazine.com/news/bt-security-vendor-partners/ Rant of the Week https://www.linkedin.com/posts/brianbrackenborough_im-more-sympathetic-than-ive-ever-been-activity-6704317848841420801-lYr-/ The Little People (Part 2) Aimee Laycock is still talking about Research. Come on! Like and bloody well subscribe!
03 Mar 2023 | Episode 142 -The Back in Safe Hands Episode | 00:53:56 | |
The one and only Andy (13:10) With content liberated from the “today in infosec” twitter account and further afield 2nd March 2013: Evernote announced that it had reset 50 million users' passwords after hackers accessed users' email addresses and hashed passwords. https://twitter.com/todayininfosec/status/1631302952395710467 1st March 1988: The MS-DOS boot sector virus "Ping-Pong" was discovered at the Politecnico di Torino (Turin Polytechnic University) in Italy. https://twitter.com/todayininfosec/status/1630965727128612864
Rant of the Week (19:18) News Corp outfoxed by IT intruders for years The miscreants who infiltrated News Corporation's corporate IT network spent two years in the media monolith's system before being detected early last year. The super-corp, which owns The Wall Street Journal, New York Post, UK publications including The Sunday Times, and a broad array of other entities around the world, first reported the intrusion in February 2022, saying the snoops got into email accounts and gained access to employees' data and business documents. A year later, according to a four-page letter sent to employees, News Corp executives said the unidentified cybercriminals likely first gained access to a company system as early as February 2020, and then got into "certain business documents and emails from a limited number of its personnel's accounts in the affected system." Both News Corp and Mandiant – the now-Google-owned cybersecurity house brought in to investigate the intrusion – said the attackers likely were nation-state players linked to China with the aim of gathering intelligence.
Billy Big Balls of the Week (28:16) Salesforce banks savings by sweating tech infrastructure for an extra year CRM giant Salesforce has decided to sweat its infrastructure for an extra year, and make employees wait the same period before giving them new PCs. News of the company's decision to live with old tech came in the SaaS supremo's Q4 2023 earnings call, during which CFO Amy Weaver told investors "Our guidance includes slightly under one-half points of benefit due to a depreciation change to the useful life of certain equipment by one year effective February 1st. For our infrastructure-related equipment, this changed the useful life from approximately four to five years. And for IT employee equipment, this changed from approximately three to four years." Salesforce is not the only tech giant to have decided its hardware can last longer: Microsoft last year extended the life of some servers to six years, while Google has stretched the life of servers to four years and is happy running some five year old networking kit. Salesforce's operations aren't as extensive as the hyperscalers, but this is still bad news for the hardware industry. It shows a major player is entirely happy running mission-critical workloads on older kit for longer without the usual upgrade cycle.
Industry News (36:35) Keylogger on Employee Home PC Led to LastPass 2022 Breach US Gov. Agencies Have 30 Days to Remove TikTok, Canada Follows Suit Attacker Breakout Time Drops to Just 84 Minutes Google Workspace Adds Client-Side Encryption to Gmail and Calendar ICO Calls for Review into Private Message Use by Ministers Russian Government Bans Foreign Messaging Apps WH Smith Discloses Cyber-Attack, Company Data Theft White House Launches National Cybersecurity Strategy API Security Flaw Found in Booking.com Allowed Full Account Takeover BBC TikTok https://www.bbc.co.uk/news/technology-64797355
Tweet of the Week ( https://twitter.com/mtanji/status/1631314289397997572 Come on! Like and bloody well subscribe!
02 Dec 2023 | Episode 176 - The Jingle Free Episode | 00:47:34 | |
This week in InfoSec (09:40) With content liberated from the “today in infosec” twitter account and further afield 24th November 2014: The Washington Post published an article which included a photo of TSA master keys. A short time later functional keys were 3D-printed using the key patterns in the photo. https://twitter.com/todayininfosec/status/1728048404452782497 26th November 2001: "In an effort to turn the tide in the war on terrorism", Cult of the Dead Cow offered its expertise to the FBI. How did it plan on helping? By architecting a new version of Back Orifice for use by the US federal government. "THE CULT OF THE DEAD COW OFFERS A HELPING HAND IN AMERICA'S TIME OF NEED" https://twitter.com/todayininfosec/status/1728998509033238952
Rant of the Week (18:55) Interpol makes first border arrest using Biometric Hub to ID suspect European police have for the first time made an arrest after remotely checking Interpol's trove of biometric data to identify a suspected smuggler. The fugitive migrant, we're told, gave a fake name and phony identification documents at a police check in Sarajevo, Bosnia and Herzegovina, while traveling toward Western Europe. And he probably would have got away with it, too, if it weren't for you meddling kids Interpol's Biometric Hub – a recently activated tool that uses French identity and biometrics vendor Idemia's technology to match people's biometric data against the multinational policing org's global fingerprint and facial recognition databases. "When the smuggler's photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country," Interpol declared. "He was arrested and is currently awaiting extradition." Interpol introduced the Biometric Hub – aka BioHub – in October, and it is now available to law enforcement in all 196 member countries.
Billy Big Balls of the Week (27:42) https://www.theregister.com/2023/11/28/cert_in_rti_exemption/ India's government has granted its Computer Emergency Response Team, CERT-In, immunity from Right To Information (RTI) requests – the nation's equivalent of the freedom of information queries in the US, UK, or Australia. Reasons for the exemption have not been explained, but The Register has reported on one case in which an RTI request embarrassed CERT-In. That case related to India's sudden decision, in April 2022, to require businesses of all sizes to report infosec incidents to CERT-In within six hours of detection. The rapid reporting requirement applied both to serious incidents like ransomware attacks, and less critical messes like the compromise of a social media account. CERT-In justified the rules as necessary to defend the nation's cyberspace and gave just sixty days' notice for implementation. The plan generated local and international criticism for being onerous and inconsistent with global reporting standards such as Europe's 72-hour deadline for notifying authorities of data breaches. The reporting requirements even applied to cloud operators, who were asked to report incidents on tenants' servers. Big Tech therefore opposed the plan.
Industry News (34:04) Cybersecurity Incident Hits Fidelity National Financial Cybercriminals Hesitant About Using Generative AI Google Fixes Sixth Chrome Zero-Day Bug of the Year DeleFriend Weakness Puts Google Workspace Security at Risk Okta Admits All Customer Support Users Impacted By Breach Thousands of Dollar Tree Staff Hit By Supplier Breach Booking.com Customers Scammed in Novel Social Engineering Campaign Manufacturing Top Targeted Industry in Record-Breaking Cyber Extortion Surge North Korean Hackers Amass $3bn in Cryptocurrency Heists
Tweet of the Week (43:12) https://twitter.com/JamesGoz/status/1730498780812767350 Come on! Like and bloody well subscribe!
15 Jul 2022 | Episode 112 - We Love Our Intern | 00:43:17 | |
This Week in InfoSec (08:09) With content liberated from the “today in infosec” twitter account and further afield 12th July 2008: NextGenHacker101 taught us "how to view someone's IP address and connection speed!" Tracer-tee! Naive? Troll? You decide. Painfully hilarious. https://twitter.com/todayininfosec/status/1414224928413454341 13th July 2001: Code Red Worms its Way into the Internet. The Code Red worm is released onto the Internet. Targeting Microsoft’s IIS web server, Code Red had a significant effect on the Internet due to the speed and efficiency of its spread. Much of this was due to the fact that IIS was often enabled by default on many installations of Windows NT and Windows 2000. However, Code Red also affected many other systems with web servers, mostly by way of side-effect, exacerbating the overall impact of the worm and ensuring its place in history among the many malware outbreaks infecting Windows systems in the late 1990s and early 2000s. 7th July 1936: A Whole New Way to Drive a Screw: Several US patents are issued for the Phillips-head screw and screwdriver to inventor Henry F. Phillips. Phillips founded the Phillips Screw Company to license his patents. One of the first customers was General Motors for its Cadillac assembly lines. By 1940, 85% of U.S. screw manufacturers had a license for the design.
Rant of the Week (16:00) BMW starts selling heated seat subscriptions for $18 a month BMW is now selling subscriptions for heated seats in a number of countries — the latest example of the company’s adoption of microtransactions for high-end car features. A monthly subscription to heat your BMW’s front seats costs roughly $18, with options to subscribe for a year ($180), three years ($300), or pay for “unlimited” access for $415. It’s not clear exactly when BMW started offering this feature as a subscription, or in which countries, but a number of outlets this week reported spotting its launch in South Korea. BMW has slowly been putting features behind subscriptions since 2020, and heated seats subs are now available in BMW’s digital stores in countries including the UK, Germany, New Zealand, and South Africa. It doesn’t, however, seem to be an option in the US — yet.
Billy Big Balls of the Week (26:48) Hackers stole $620 million from Axie Infinity via fake job interviews The hack that caused Axie Infinity losses of $620 million in crypto started with a fake job offer from North Korean hackers to one of the game’s developers. The attack happened in March 2022 and drove into the ground the then massively popular and quickly-growing game from Sky Mavis. By April 2022, the FBI was able to link the attack to the Lazarus and APT38 hackers, two groups who are often involved in cryptocurrency heists for the North Korean government. In a recent report from The Block, a news publication covering digital assets, sources with knowledge of the attack said that the threat actors contacted staff at Sky Mavis over LinkedIn, posing as a company looking to hire them. One senior engineer at Axie Infinity showed interest in the fake job offer, due to the very generous salary, and went through multiple rounds of interviews. At one point, the engineer received a PDF file with details about the job. However, the document was the hackers' way into the Ronin systems - the Ethereum-linked sidechain that supports the Axie Infinity non-fungible token-based online video game. The employee downloaded and opened the file on the company’s computer, initiating an infection chain that enabled the hackers to penetrate Ronin’s systems and corrupt four token validators and one Axie DAO validator.
Industry News (32:08)
Majority Want Limitations on Social Media Content
Spike in Amazon Prime Scams Expected
Aerojet Rocketdyne Pays $9m Settlement Over Whistleblower Allegations
Cyber Insurers Looking for New Risk Assessment Models
Microsoft Details How Phishing Campaign Bypassed MFA
HavanaCrypt Ransomware Masquerades as a Fake Google Update
Critical Industries Failing at IIoT/OT Security
ICO Calls for Review of Government “Private” Messaging
State-Sponsored Hackers Targeting Journalists
Tweet of the Week (38:48) https://twitter.com/cyb3rops/status/1547263760678756353 Come on! Like and bloody well subscribe!
02 Sep 2024 | Episode 200 - The Bicentennial men Episode | 00:39:12 | |
This week in InfoSec (07:42) With content liberated from the “today in infosec” twitter account and further afield
29th August 1990: The UK's Computer Misuse Act 1990 went into effect, introducing 3 criminal offences related to unauthorised access and modification of "computer material". https://twitter.com/todayininfosec/status/1829252932178719161
27th August 1999: One of the first companies to offer a dedicated web application firewall (WAF) was Perfecto Technologies with its AppShield product. But it didn't use the terminology "WAF", instead describing it as "a plug and play Internet application security solution." https://twitter.com/todayininfosec/status/1828483993001492969
Rant of the Week (13:25) Watchdog warns FBI is sloppy on secure data storage and destruction The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General. Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for them to be either lost or stolen, the report [PDF] addressed to FBI Director Christopher Wray states. Ironically, this lack of identification might be considered a benefit, given the lax security at the FBI's facility used to destroy such media after they have been finished with. The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.
Billy Big Balls of the Week (22:01) Deadbeat dad faked his own death by hacking government databases A US man has been sentenced to 81 months in jail for faking his own death by hacking government systems and officially marking himself as deceased. The US Department of Justice on Tuesday detailed the case of Jesse Kipf, 39, who was sent down for computer fraud and aggravated identity theft. In January 2023, Kipf used the credentials of a physician to access Hawaii's Death Registry System and create a "case" that recorded his own death. "Kipf then completed a State of Hawaii Death Certificate Worksheet, assigned himself as the medical certifier for the case and certified his death, using the digital signature of the doctor," the DoJ wrote. The paperwork was all correct, so many government databases listed Kipf as deceased. But he was very much alive and enjoying the fact that his "death" meant he didn't have to make child support payments or catch up on those he'd already missed. Evidence presented in court included internet search histories recorded on a laptop, with Kipf looking up terms including "Remove California child support for deceased."
Industry News (28:13)
FBI Flawed Data Handling Raises Security Concerns
Microsoft 365 Copilot Vulnerability Exposes User Data Risks
Money Laundering Dominates UK Fraud Cases
Ransomware Attacks Exposed 6.7 Million Records in US Schools
IT Engineer Charged For Attempting to Extort Former Employer
Surge in New Scams as Pig Butchering Dominates
Unpatched CCTV Cameras Exploited to Spread Mirai Variant
North Korean Hackers Launch New Wave of npm Package Attacks
Tweet of the Week (36:20) https://x.com/fesshole/status/1828921760147767400 Come on! Like and bloody well subscribe!
28 Jan 2022 | Episode Joe 90 - Filmed in SuperMarionation | 00:44:51 | |
This Week in InfoSec (07:20) With content liberated from the “today in infosec” Twitter account and further afield
26th January 2011: Facebook Enables HTTPS So You Can Share Without Being Hijacked. Facebook announced Wednesday it would begin supporting a feature to protect users from having their accounts hijacked over Wi-Fi connections or snooped on by schools and businesses.
19th January 2012: Feds Shutter Megaupload, Arrest Executives. Since the shutdown of Megaupload, stories have erupted about the life and exploits of the company’s founder, a self-styled “Dr. Evil” of file sharing. Kim Dotcom’s opulent digs, high-end cars, fondness for models and other Bond-villain-esque behaviours have been splashed across websites and have confused evening newscasts for the last week.
25th January 2003: A new worm took the Internet by storm, infecting thousands of servers running Microsoft’s SQL Server software every minute. The worm, which became known as SQL Slammer, eventually became the fastest-spreading worm ever and helped change the way Microsoft approached security and reshaped the way many researchers handled advisories and exploit code. The Inside Story of SQL Slammer.
Rant of the Week (15:35) Britain's tax collection agency asked a contractor to use the SS7 mobile phone signalling protocol that would make available location data of alleged tax defaulters, a High Court lawsuit has revealed. Her Majesty's Revenue and Customs had the potential to use SS7 to silently request that tax debtors' mobile phones give up location data over the past six years, according to papers filed in an obscure court case about a contract dispute.
Billy Big Balls of the Week (25:31) Unmasking Poopsenders, The Anonymous Website That Sends People Fake Poop Since 2007, Poopsenders.com has let people send packages filled with disturbingly realistic feces. Now, 'United States of America v. Poopsenders.com' has named two men who may be responsible.
Industry News (34:25)
Merck Wins $1.4bn NotPetya Payout from Insurer
Cyber Essentials Overhauled for New Hybrid Working Era
Experts Call for More Open Security Culture After VW Sacking
EyeMed Fined $600k Over Data Breach
Government Trials Effort to Make Bug Scanning Easier
Best Cybersecurity Research Paper Revealed
North Korea Loses Internet in Suspected Cyber-Attack
Florida Considers Deepfake Ban
IT and DevOps Staff More Likely to Click on Phishing Links
Tweet of the Week (41:12) https://twitter.com/ra6bit/status/1486695164332711939 Come on! Like and bloody well subscribe!
23 Oct 2020 | Episode 29 - Probably | 00:58:35 | |
Perhaps a total IQ of 197 is a little ambitious, as this podcast clearly shows:
This Week in InfoSec
20th October 1995: Mudge published "How to Write Buffer Overflows", one of the first papers about buffer overflow exploitation. Then @dotMudge sent a copy to @aleph_one, who wrote "Smashing the Stack For Fun and Profit" in 1996. Seminal paper to seminal paper. https://insecure.org/stf/mudge_buffer_overflow_tutorial.html https://twitter.com/todayininfosec/status/1318551462000185353?s=20
20th October 2006: IBM announced it had completed its acquisition of Internet Security Systems, Inc. (ISS). https://twitter.com/todayininfosec/status/1318652004894412808?s=20
Billy Big Balls Javvad wouldn't say who he chose this week... https://news.sky.com/story/goldman-snubs-2bn-darktrace-float-amid-lynch-extradition-battle-12075941 Sky News has learnt that Goldman has declined to seek a role on the initial public offering (IPO) of Darktrace, a leading player in the provision of artificial intelligence (AI) cybersecurity services.
Tweet of the Week https://twitter.com/wimremes/status/1318981442114867201?s=20
Industry News
Election Security and Confidence Can Be Enabled Through Public-Private Partnerships
BA GDPR Data Breach Fine Lowered to £20m Due to COVID-19
DDoS Attacks Triple in Size as Ransom Demands Re-Emerge
Modern Attacks Include Supply Chain "Hopping" and Reversing Agile Environments
#InfosecurityOnline: Beware of Malicious URLs and Rogue Redirects
#InfosecurityOnline: Consider Flexible Training for Different Skill Sets
Trust in Remote Working Tools Declines as Need for Security Increases
#InfosecurityOnline: Are the Cloud and Automation Driving or Hindering Your Business?
#InfosecurityOnline: Tactics for Defending Against Credential Stuffing
Rant of the Week Contributions from: @notameadow @astr0sec @Sinwindie @ginger_hax @Jaysonstreet @Mattjay @chrisculling @zwned @krypt3ia @0xBanana @gossithedog @secops_and_hops @dfirsamurai @stuarthare @lee_holmes https://en.wikipedia.org/wiki/List_of_burn_centers_in_the_United_States
The Little People
Come on! Like and bloody well subscribe!
25 Sep 2020 | Episode 25 - The Duchess of Ladywell Special | 00:56:42 | |
Andy's microphone is miraculously fixed, Thom's story is broken and Jav joins The Lemon Party.
This Week in InfoSec
19th September 2011: Thai Duong and Juliano Rizzo demonstrated a proof of concept at the Ekoparty security conference to decrypt encrypted cookies, exploiting a vulnerability in TLS 1.0 and earlier. They named the attack BEAST (Browser Exploit Against SSL/TLS). https://www.theregister.com/2011/09/19/beast_exploits_paypal_ssl/
21st Sept 1996: An email began spreading about a destructive virus named Irina. Friend of the show Graham Cluley discovered it was a hoax "marketing ploy" from Penguin Books.
Billy Big Balls of the Week How to Sell Protest Footage to FOX AND CNN “This isn’t even satire anymore. You are just giving away industry secrets.”
Rant of the Week
Industry News
Activision Denies Hacking Claims Over Leaked Accounts
Uncomplicated Cyber Insurance Program Launched
Cisco: Ensure Collaboration to Better Survive Remote Working
Cisco: How Real is a Passwordless Future?
Shopify Insiders Attempted to Steal Customer Transactional Records
Does Cybersecurity Have a Public Image Problem?
Tweet of the Week Switching off a faulty telly sees internet speeds increase "The source of the ‘electrical noise’ was traced to a property in the village. It turned out that at 7:00 am every morning the occupant would switch on their old TV which would in-turn knock out broadband for the entire village," https://twitter.com/BBCWalesNews/status/1308315605272080386 Fake News! TV Did Not Wipe Out a Village's Internet!
Come on! Like and bloody well subscribe!
15 Apr 2024 | Episode 190 - The Very Serious Episode | 00:55:19 | |
This week in InfoSec (08:49) With content liberated from the “today in infosec” twitter account and further afield
7th April 1969: Steve Crocker, a graduate student at UCLA and part of the team developing ARPANET, writes the first “Request for Comments”. The ARPANET, a research project of the Department of Defense’s Advanced Research Projects Agency (ARPA), was the foundation of today’s modern Internet. RFC 1 defined the design of the host software for communication between ARPANET nodes. This host software would be run on Interface Message Processors or IMPs, which were the precursor to Internet routers. The “host software” defined in RFC 1 would later be known as the Network Control Protocol or NCP, which itself was the forerunner to the modern TCP/IP protocol the Internet runs on today. https://thisdayintechhistory.com/04/07/rfc-1-defines-the-building-block-of-internet-communication/
7th April 2014: The Heartbleed Bug was publicly disclosed. The buffer over-read vulnerability had been discovered by Neel Mehta and later privately reported to the OpenSSL project, which patched it the next day. The vulnerability was inadvertently introduced into OpenSSL 2 years prior. https://twitter.com/todayininfosec/status/1777136463882183076
Rant of the Week (17:09) OpenTable is adding your first name to previously anonymous reviews Restaurant reservation platform OpenTable says that all reviews on the platform will no longer be fully anonymous starting May 22nd and will now show members' profile pictures and first names. OpenTable notified members of this new policy change today in emails to members who had previously left a review on the platform, stating the change was made to provide more transparency. "At OpenTable, we strive to build a community in which diners can help other diners discover new restaurants, and reviews are a big part of that," reads the OpenTable email seen by BleepingComputer. "We've heard from you, our diners, that trust and transparency are important when looking at reviews." "To build on the credibility of our review program, starting May 22, 2024, OpenTable will begin displaying diner first names and profile photos on all diner reviews. This update will also apply to past reviews."
Billy Big Balls of the Week (26:36) Lloyds Banking Group plans to cut jobs in risk management after an internal review found the function was a “blocker to our strategic transformation”. The restructuring was outlined in a memo last month from Lloyds’ chief risk officer Stephen Shelley, who said two-thirds of executives believed risk management was blocking progress while “less than half our workforce believe intelligent risk-taking is encouraged”. The lender was “resetting our approach to risk and controls”, Shelley said in the memo, seen by the Financial Times, adding that “the initial focus is on non-financial risks”.
Industry News (33:55)
T: Famous YouTube Channels Hacked to Distribute Infostealers
A: US Federal Data Privacy Law Introduced by Legislators
J: Foreign Interference Drives Record Surge in IP Theft
T: Half of UK Businesses Hit by Cyber-Incident in Past Year, UK Government Finds
A: US Claims to Have Recovered $1.4bn in COVID Fraud
J: Women Experience Exclusion Twice as Often as Men in Cybersecurity
T: Threat Actors Game GitHub Search to Spread Malware
A: Data Breach Exposes 300k Taxi Passengers’ Information
J: Apple Boosts Spyware Alerts For Mercenary Attacks
Tweet of the Week (52:08) https://x.com/ErrataRob/status/1778536622163984590 Come on! Like and bloody well subscribe!
21 Apr 2023 | Episode 148 - The Short And Not-So-Sweet Episode | 00:33:05 | |
This week in InfoSec With content liberated from the “today in infosec” twitter account and further afield
19th April 1965: Electronics magazine publishes an article by Gordon Moore, head of research and development for Fairchild Semiconductor and future co-founder of Intel, on the future of semiconductor components. In the article, Moore predicts that transistor density on integrated circuits will double every eighteen months for “at least” the next ten years. This theory will eventually come to be known as Moore’s Law and has largely held true to this day. Controversy exists over whether Moore’s Law remains applicable; however, time will tell just how long Moore’s Law will continue to remain true.
19th April 2010: The OWASP Top 10 for 2010 was officially released. https://twitter.com/todayininfosec/status/1251895022598803457
Rant of the Week Background: Capita IT breach gets worse as Black Basta claims it's now selling off stolen data Black Basta, the extortionists who claimed they were the ones who lately broke into Capita, have reportedly put up for sale sensitive details, including bank account information, addresses, and passport photos, stolen from the IT outsourcing giant. A spokesperson for the London-based corporation, which has UK government contracts totaling £6.5 billion ($8 billion), originally said it hadn't yet confirmed if that data leak is legit. "We are in constant contact with all relevant regulators and authorities. Our investigations have not yet been able to confirm any evidence of customer, supplier, or colleague data having been compromised." Capita said that once it had finalised its own probe, it would "if necessary" inform all parties affected by the security breach. "We have taken all appropriate steps to ensure the robustness of our systems and are confident in our ability to meet our service delivery commitments," the spokesperson said. The technology outsourcer at first confirmed it had suffered an "IT issue" late last month, though didn't cop to it being a "cyber incident" until April 3. Over the weekend, the Sunday Times claimed the IT breach was worse than Capita has admitted to date: Capita has played down fears that personal and corporate information was accessed, though it appears the miscreants who broke into the business have started selling off that very kind of data, said to be lifted from Capita's systems.
Capita has 'evidence' customer data was stolen in digital burglary Business process outsourcing and tech services player Capita says there is proof that some customer data was scooped up by cyber baddies that broke into its systems late last month.
The British listed business, which has around £6.5 billion ($8.09 billion) in public sector contracts, updated the London Stock Exchange Thursday morning to confirm the criminals breached its infrastructure on March 22 and remained inside until “interrupted” by the company on March 31. “As a result of the interruption, the incident was significantly restricted, potentially affecting around 4 percent of Capita’s server estate. There is currently some evidence of limited data exfiltration from the small proportion of affected server estate which might include customer, supplier or colleague data.”
Billy Big Balls of the Week We would have talked about “An earlier supply chain attack led to the 3CX supply chain attack, Mandiant says” if we were doing a BBB
Industry News
UK's SMEs to Benefit From New Cyber Advisors
WhatsApp, Signal Claim Online Safety Bill Threatens User Privacy and Safety
NSO Group's Pegasus Spyware Found on High-Risk iPhones
NCSC Warns of Destructive Russian Attacks on Critical Infrastructure
Police Escape $1.2m Fine For Secretly Recording Phone Calls
Recycled Network Devices Exposing Corporate Secrets
ChatGPT-Related Malicious URLs on the Rise
Daggerfly APT Targets African Telecoms Firm With New MgBot Malware
North Korean Hacker Suspected in 3CX Software Supply Chain Attack
Tweet of the Week https://twitter.com/quentynblog/status/1649302927910002689 Come on! Like and bloody well subscribe!
07 Oct 2022 | Episode 123 - Incident Adjacent | 00:36:28 | |
From @HostUnknownTV This week in Infosec 2nd October 1998: BUTTSniffer Beta 0.9 was released by Cult of the Dead Cow. Developed by DilDog. The big question is "When can we expect the long-awaited version 1.0 release?" 24 years is kind of a long wait. https://twitter.com/todayininfosec/status/1312179619659874305
https://twitter.com/todayininfosec/status/1312589059559170050
Billy Big Ranty Balls Tweet of the Week Former Uber CSO convicted for covering up massive 2016 data theft Joe Sullivan, Uber's former chief security officer, has been found guilty of illegally covering up the theft of Uber drivers' and customers' personal information. Sullivan, previously a cybercrime prosecutor for the US Department of Justice, was charged two years ago with obstruction of justice and misprision – concealing a felony from law enforcement. He was convicted on both counts today. On November 21, 2017, Uber CEO Dara Khosrowshahi issued a statement acknowledging that in late 2016, miscreants had broken into the app giant's infrastructure and made off with 57 million customer and driver records. Sullivan, along with Craig Clark, legal director of security and law enforcement, was fired as a result. Sullivan, according to court documents, learned of the theft in November 2016, about ten days after he had provided testimony to the US Federal Trade Commission about a 2014 cyberattack on Uber. Concerned that another data security breach would harm the company, Sullivan tried to cover up the 2016 heist by passing off a ransom payment, made to the thieves to recover the data, as a bug bounty award.
Industry News
T: Kardashian Charged by SEC After Crypto Post
A: Malicious Tor Browser Installers Spread Via Darknet Video on YouTube
J: New Initiative Aims to Strengthen UK's Nuclear Cybersecurity Posture
T: Landmark US-UK Data Access Agreement Begins
A: Ransomware Group Bypasses "Enormous" Range of EDR Tools
J: Australia's Data Breaches Continue With Telstra's Third-Party Supplier Hacked
T: Retailer Easylife Fined £1.5m for Data Protection Breaches
A: US Healthcare Giant CommonSpirit Hit by Possible Ransomware
J: Uber's Former Security Chief Convicted of 2016 Data Breach Cover-Up
Tweet of the Week: https://twitter.com/HackingDave/status/1578064952400781316 Come on! Like and bloody well subscribe!
05 Mar 2021 | Episode 45 - The Antibody Episode | 01:06:14 | |
This week in Infosec Liberated from the “today in infosec” twitter account: 2nd March 2002: Zone-H was launched in Estonia and began saving and publishing copies of defaced websites 7 days later. http://www.zone-h.org/news/id/4742?hz=2 https://twitter.com/todayininfosec/status/1234492350833008640 2nd March 2010: Gregory D. Evans' book "How To Become The World's No. 1 Hacker" was published. The book was heavily plagiarized and not held in high regard. Evans was quite controversial...to say the least. And got a lot of attention for a couple of years. Google him if you wish. https://twitter.com/todayininfosec/status/1234320212117221376 https://attrition.org/errata/charlatan/gregory_evans/
Rant of the Week (not covered) A warning went up on the perl.org infrastructure weblog late in January notifying users that perl.com now directed to a parking site and advised against visiting "as there are some signals that it may be related to sites that have distributed malware in the past." The site later returned an ERR_CONNECTION_CLOSED error message. The hijack appears to have followed the age-old path of an attacker pouncing on a compromised account and swiping the domain rather than a simple expiration. A good readout of what happened from Perl’s point of view as well as their Incident Response processes (link at the bottom).
We had learned very quickly that when you use the registered domain for your email contact, no one can contact you when that domain no longer handles your mail.
What we think happened This part veers into some speculation, and Perl.com wasn’t the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There’s no reason for Network Solutions to reveal anything to me (again, I’m not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported. John Berryhill provided some forensic work on Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple of registrars makes the recovery much harder.
RANT: Domain was hijacked, old methods, there are no new hacks! https://www.perl.com/article/the-hijacking-of-perl-com/
Billy Big Balls AOL phishing email states your account will be closed https://mashable.com/2014/08/21/aol-disc-marketing-jan-brandt/?europe=true
Industry News Our source on probation over at the Infosec PA newswire has been very busy bringing us the latest and greatest security news from around the globe!
TikTok Set for Massive $92m Payout Over Privacy Suit
Facebook Photo-tagging Lawsuit Settled for $650m
Go Malware Detections Increase 2000%
Quarter of Healthcare Apps Contain High Severity Bugs
Microsoft Patches Four Zero-Day Exchange Server Bugs
Password Reuse at 60% as 1.5 Billion Combos Discovered Online
Ransomware Attacks Soared 150% in 2020
Canadian Cyber-Agency Workers Threaten Strike
Missing Teens Used School Laptops to Chat with Alleged Abductors
Javvad’s Weekly Stories Jav has the COVID Jab
Tweet of the Week
MalwareAndPickles @malwrandpickles It's probably nothing. The server room had no lock.
Andy Cooke แอนดี้ คุกส์ @cooke_andy OK, 3389 open to the internet.
MrR3b00t | it's safe just don't go outside @UK_Daniel_Card i wiped the right drive right?
Christopher J. Marcinko @christoperj I’m compliant so I’m definitely secure We have a strong password policy "sorry, your password is too long" Rudy Giuliani, professional cyber security expert That does not happen to me.
David Robert Newman @davidnewman “I wrote my own crypto libraries” We’re too small to be attacked Client required SolarWinds for security reasons. Our security policy protects against abuse. We have always done this way
Paul Stephenson @tupelofortitude Wife found my credit card statement
https://twitter.com/Sophos/status/1367082335997427720
The Little People There will no longer be a Little People segment for the foreseeable future.
Sticky Pickle of the Week Imagine you are the CEO of an American-based, billion dollar global company. You hit a SNAFU and are called to testify before congress about what happened. Obviously the members of congress will want to know in layman's terms how your IT infrastructure was left so unprotected that it was used to deliver malware to several branches of the federal government as well as a series of high-profile private sector targets? What might be your go-to responses? Correct answer: Blame the intern According to Thompson and current SolarWinds CEO Sudhakar Ramakrishna, an intern who worked at the company posted the “solarwinds123” password on GitHub back in 2017. Security researcher Vinoth Kumar later discovered that the password had been posted publicly since at least June 2018 and informed the company of the leak in 2019, at which point, according to Ramakrishna, it was removed from GitHub. Needless to say, that explanation still leaves a lot of questions unanswered. For instance, was the intern actually responsible for setting the “solarwinds123” password? And, if so, why on earth had the company delegated responsibility for setting such an important password to an intern? Was the password actually changed when the leak was discovered in 2019 or was it just removed from GitHub? And why was there no multifactor authentication protecting that server if it could be used to transfer files onto company servers? It’s a tempting narrative—as the stories about how a massive, complicated breach is the fault of a single actor often are—in which some clueless college student shows up for a summer and sets a dumb password and then carelessly leaves it up in some publicly accessible code on GitHub. Above all, it’s a story that’s easy to understand, especially for members of Congress. For instance, California Rep. Katie Porter pointed out at the hearing, “I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad.” https://slate.com/technology/2021/03/solarwinds-hack-cyber-espionage-intern-password.html Come on! Like and bloody well subscribe!
18 Nov 2022 | Episode 129 - The Difficult 129th Album | 00:48:37 | |
This week in InfoSec (07:14) With content liberated from the “today in infosec” twitter account and further afield
12th November 2000: Microsoft Declares Tablets Are the Future. Bill Gates demonstrates a functional prototype of a Tablet PC. Microsoft claims “the Tablet PC will represent the next major evolution in PC design and functionality.” However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.
17th November 2018: US President Donald Trump signed a bill into law, approving the creation of the Cybersecurity and Infrastructure Security Agency (CISA). The bill was the CISA Act. Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency https://twitter.com/todayininfosec/status/1328528180500717568
Rant of the Week (18:44) Germany says nein to Qatari World Cup spyware, err, apps World Cup apps from the Qatari government collect more personal information than they need to, according to Germany's data protection agency, which this week warned football fans to only install the two apps "if it is absolutely necessary." Also: consider using a burner phone. The two apps are Ehteraz, a Covid-19 tracker from the Qatari Ministry of Public Health, and Hayya from the government's Supreme Committee for Delivery & Legacy overseeing the Cup locally, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services. Norway's data protection agency, meanwhile, this week said it was "alarmed by the extensive access the apps require" and warned that Qatari authorities likely use the apps to monitor users' location, in addition to snooping through personal data. See also: World Cup apps pose a data security and privacy nightmare
Billy Big Balls of the Week (29:05) Australia to 'stand up and punch back' against cyber crims Australia's government has declared the nation is planning to go on the offensive against international cyber crooks following recent high-profile attacks on local health insurer Medibank and telco Optus. The aggressive posture was expressed in the announcement of a "Joint standing operation" that will see the Australian Federal Police and the Australian Signals Directorate (Australia's GCHQ/NSA analog) run a team with a mission "to investigate, target and disrupt cyber-criminal syndicates with a priority on ransomware threat groups." Minister for Home Affairs and Cyber Security Clare O'Neil said the operation will "scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber-attacks, and disrupt their efforts." "This is Australia standing up and punching back," she said during an interview on local political talking heads program Insiders. "We are not going to sit back while our citizens are treated like this and allow there to be no consequences for that." O'Neil said the operation will "for the first time [be] offensively attacking these people."
Industry News (36:10)
T: Google to Pay $392m in Landmark Privacy Case
A: Billbug Targets Government Agencies in Multiple Asian Countries
J: Euro Authorities Warn World Cup Fans Over Qatari Apps
T: Majority of Companies Reduce Cybersecurity Staff Over Holidays
A: Chinese Spy Gets 20 Years for Aviation Espionage Plot
J: US: Iranian Hackers Breached Government with Log4Shell
T: More Than Half of Black Friday Spam Emails Are Scams
A: Hundreds of Amazon RDS Snapshots Discovered Leaking Users' Data
J: Zeus Botnet Suspected Leader Arrested in Geneva
Tweet of the Week (43:30) https://twitter.com/attritionorg/status/1593487371819192321 https://twitter.com/SoVeryBritish/status/1592554974432866306 Come on! Like and bloody well subscribe!
26 Nov 2021 | Episode 83 - The Super Spreader Amateur Hour | 00:49:56 | |
This Week in InfoSec (11:00) With content liberated from the “today in infosec” Twitter account 23rd November 2011: It was reported that Apple took over 3 years to fix the iTunes installer vulnerability which the FinFisher remote spying Trojan exploited. Apple Took 3+ Years to Fix FinFisher Trojan Hole https://twitter.com/todayininfosec/status/1331028461612392448 20th November 2000: eBay cancelled a listing for Kevin Mitnick's Bureau of Prisons inmate ID card due to uncertainty about his right to sell it. This was after an initial claim it was a prohibition from committing a "violent felony" and profiting from it. eBay pulls Kevin Mitnick trinkets: Taking a firm stand against "violent felons" https://twitter.com/todayininfosec/status/1329940298399703042
Rant of the Week (18:50) GoDaddy has admitted to America's financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys. In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an "unauthorized third-party" had been roaming around part of its Managed WordPress service, which essentially stores and hosts people's websites. GoDaddy’s chief information security officer Demetrius Comes said his company "immediately began an investigation with the help of an IT forensics firm and contacted law enforcement." Those infosec sleuths, we're told, found evidence that an intruder had been inside part of GoDaddy's website provisioning system, described by Comes as a "legacy code base," since September 6, gaining access using a "compromised password." GoDaddy’s latest rebranding is a break from its sexist past
Billy Big Balls of the Week (28:36) Huge fines and a ban on default passwords in new UK law The government has introduced new legislation to protect smart devices in people's homes from being hacked. Recent research from consumer watchdog Which? suggested homes filled with smart devices could be exposed to more than 12,000 attacks in a single week. Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines.
Industry News (34:36) Sky Slow to Fix Bug in Routers Teen Accused of Stealing Bitcoin Worth $36.5M Multiple Bugs Enable Eavesdropping on 37% of Android Phones Apple Sues “State-Sponsored” Spyware Firm NSO Group Malicious JavaScript Loader is a Multi-RAT Dispenser YouTube Live Crypto Scams Made Nearly $9m in October UK Introduces New Cybersecurity Legislation for IoT Devices Ukrainian Cops Bust Mobile Device Hacking Group
Tweet of the Week (43:09) https://twitter.com/sociosploit/status/1462440968658079763 https://twitter.com/Raspberry_Pi/status/1463803587180511233?s=20 Come on! Like and bloody well subscribe!
20 Nov 2020 | Episode 33 - Went Wrong Right From The Beginning | 00:58:12 | |
Join us for possibly the most incompetently performed and produced infosec podcast available today. At least we have some of your favourites to share and enjoy:
This week in InfoSec (Liberated from the “today in infosec” twitter account): 14th November 1990: During an NBC News broadcast, two computer hackers from the hacker group MOD identified only by the aliases "Acid Phreak", "Phiber Optik" and “Scorpion” took responsibility for posting the "Happy Thanksgiving" message on the Learning Link's system after destroying data on it. https://twitter.com/todayininfosec/status/1327615750564179970?s=20 16th November 2000: The FBI released a second batch of documents related to its Carnivore email surveillance program as a result of a FOIA request by EPIC. https://www.cnet.com/news/new-documents-shed-more-light-on-fbis-carnivore/ https://twitter.com/todayininfosec/status/1328481891901726721?s=20
Tweet of the Week https://twitter.com/lapcatsoftware/status/1326990296412991489?s=20 https://9to5mac.com/2020/11/15/apple-explains-addresses-mac-privacy-concerns/
Billy Big Balls of the Week Timothy John Watson of Ransom, West Virginia, was arrested by federal agents this week for selling full-auto AR-15 sears disguised as “portable wall hangers” from a website dubbed portablewallhanger.com (still up as of 11/5 @ 2:07PM). The product is ostensibly designed to hang keys, lanyards, and other small objects in a place where they can be easily accessed because, according to the site, “searching for your keys really sucks!” They even provide a helpful assembly video. https://www.gunsamerica.com/digest/man-selling-full-auto-ar-15-sears-as-portable-wall-hangers/
Industry News IT Leaders Reliant on Data for Threat Insight #ISSE2020: Look to Decentralized (Rather than Legacy) Identity Approvals Employees Have Access to an Average of 10 Million Files #ISSE2020: ‘Real’ Digital Identity Can Exist with New Technology Increase in Ransomware Sophistication and Leverage of Legacy Malware Predicted for 2021 #DxPsummit: Use Quarantine in Your Ransomware Recovery #DxPsummit: How Zoom Met 2020’s Security Challenges MoD Receives Funding Boost and Confirms Increase in Cyber-Spending
Javvad's Weekly Stories Lazarus malware deployed in South Korea supply chain hack Data belonging to 27.7M Texas drivers stolen in latest case of unsecured storage Animal Jam Hacked, 46M Records Roam the Dark Web
Rant of the Week A Muslim prayer app with over 98 million downloads is one of the apps connected to a wide-ranging supply chain that sends ordinary people's personal data to brokers, contractors, and the military. https://www.vice.com/en/article/jgqm5x/us-military-location-data-xmode-locate-x
The Little People Seriously? You honestly thought Jav could get a hat-trick of these together? Jog on! Come on! Like and bloody well subscribe!
02 Sep 2022 | Episode 119 - Andy Who? | 00:47:40 | |
This week in InfoSec (09:07) With content liberated from the “today in infosec” twitter account and further afield 30th August 1999: The previously unknown group Hackers Unite claimed responsibility for disclosing a vulnerability in Hotmail that granted access to all of its roughly 50 million users' email accounts. 13 years later Microsoft rebranded Hotmail, renaming it Outlook. https://twitter.com/todayininfosec/status/1300212717656121344 31st August 2014: A user of the message board 4chan posted leaked photos of actress Jennifer Lawrence and numerous other celebrities. Jennifer Lawrence and Other Celebs Hacked as Nude Photos Circulate on the Web https://twitter.com/todayininfosec/status/1300537361676283905
Rant of the Week (20:21) Here's how 5 mobile banking apps put 300,000 users' digital fingerprints at risk Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers. Symantec's Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in AWS credentials. That means if someone were to look inside the apps, they would have found the credentials in the code, and could potentially have used that to access the apps' backend Amazon-hosted servers and steal users' data. The vast majority (98 percent) were iOS apps. In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.
Billy Big Balls of the Week (28:45) Twitter starts testing an edit button, but you have to pay for it Twitter is now testing its highly requested Edit Tweet feature. After years of memes and jokes, editable tweets will be available to some Twitter Blue subscribers later this month. The feature is currently undergoing “internal testing” and appears to mimic Facebook in its edit style, with a linked edit history for tweets that we saw in leaks earlier this year. “Tweets will be able to be edited a few times in the 30 minutes following their publication,” according to a Twitter blog post. “Edited Tweets will appear with an icon, timestamp, and label so it’s clear to readers that the original Tweet has been modified.”
Industry News (36:45) Cryptominer Disguised as Google Translate Targeted 11 Countries Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack ICO Pursues Traffic Accident Data Thieves UK Imposes Tough New Cybersecurity Rules for Telecom Providers Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests Golang-based Malware Campaign Relies on James Webb Telescope's Image Microsoft Finds Account Takeover Bug in TikTok Standards Body Publishes Guidelines for IoT Security Testing Apple Releases Update for iOS 12 to Patch Exploited Vulnerability
Tweet of the Week (43:42) https://twitter.com/SunTzuCyber/status/1565192484380188672 Come on! Like and bloody well subscribe!
03 Sep 2021 | Episode 71 - Thank You For the Music | 00:58:11 | |
This Week in InfoSec With content liberated from the “today in infosec” twitter account 1st September 1997: Nmap was first released as a simple port scanner via an article in issue 51 of Phrack magazine which included the source code. http://phrack.org/issues/51/11.html https://twitter.com/todayininfosec/status/1300864278497558528 31st August 2014: A user of the message board 4chan posted leaked photos of actress Jennifer Lawrence and numerous other celebrities. https://mashable.com/archive/celebrity-nude-photo-hack https://twitter.com/todayininfosec/status/1300537361676283905
Rant of the Week Guntrader site hacked and plotted onto Google Maps
Billy Big Balls of the Week Scam artists are recruiting English speakers for business email campaigns According to Intel 471, forums are now being used to seek out English speakers, in particular, to bring together teams able to manage both the technical aspects and social engineering elements of a BEC scam. If a scam is to succeed, the target employee must believe communication comes from a legitimate source -- and secondary language use, spelling mistakes, and grammatical issues could all be indicators that something isn't right, in the same way that run-of-the-mill spam often contains issues that alert recipients to attempted fraud. "Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams," the researchers say. In addition, threat actors are also trying to recruit launderers to clean up the proceeds from BEC schemes, often achieved through cryptocurrency mixer and tumbler platforms. One advert spotted by the team asked for a service able to launder up to $250,000. "The BEC footprint on underground forums is not as large as other types of cybercrime, likely since many of the operational elements of BEC use targeted social engineering tactics and fraudulent domains, which do not typically require technical services or products that the underground offers," Intel 471 says. "[...] Criminals will use the underground for all types of schemes, as long as those forums remain a hotbed of skills that can make criminals money."
Industry News Bangkok Airways Admits Attackers Stole Passenger Data Microsoft Cloud Databases Exposed UK Government Considers New Regulations for Video Streaming Platforms Indonesians Told to Delete Unsecured Tracing App Victim of Cyber-Theft Sues Parents of Alleged Culprits Australian Couple Admits “Serious Cyber Hacking Offenses” WhatsApp Fined a Record €225m for GDPR Violations Sacked Employee Deletes 21GB of Credit Union Files UK Researchers Invent Device to Thwart USB Malware
Tweet of the Week https://twitter.com/JackRhysider/status/1433097343692324864 https://cybarrior.com/blog/2019/04/05/eagle-eye-reverse-lookup-tool-for-social-media-accounts/
"The Box" © Charlie Langford Come on! Like and bloody well subscribe!
08 Jul 2022 | Episode 111 - Jav Is In The Top Four | 00:50:27 | |
This Week in InfoSec (08:04) With content liberated from the “today in infosec” twitter account and further afield 8th July 2011: Space Rogue broadcast the final HNNCast. And with that, the Hacker News Network came to an end. Final broadcast: https://www.facebook.com/78983739181/videos/10150254277486182/ 1st July 1979: The first Sony Walkman, the TPS-L2, went on sale in Japan. It would go on sale in the US about a year later. By allowing owners to carry their personal music with them, the Walkman and its iconic headphones introduced a revolution in listening habits and popular culture at large.
Rant of the Week (17:12) Rogue HackerOne employee steals bug reports to sell on the side A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards. The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday. HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports. On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure through an off-platform communication channel from someone using the handle “rzlr.” The customer had noticed that the same security issue had been previously submitted through HackerOne. Bug collisions, where multiple researchers find and report the same security issue, are frequent; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look. HackerOne’s investigation determined that one of its employees had access to the platform for over two months, since they joined the company on April 4th until June 23, and contacted seven companies to report vulnerabilities already disclosed through its system.
Billy Big Balls of the Week (23:42) Apple’s new Lockdown Mode defends against government spyware Apple announced that a new security feature known as Lockdown Mode will roll out with iOS 16, iPadOS 16, and macOS Ventura to protect high-risk individuals like human rights defenders, journalists, and dissidents against targeted spyware attacks. Once enabled, the Lockdown Mode will provide Apple customers with messaging, web browsing, and connectivity protections designed to block mercenary spyware (like NSO Group's Pegasus) used by government-backed hackers to monitor their Apple devices after infecting them with malware. Attackers' attempts to compromise Apple devices using zero-click exploits targeting messaging apps such as WhatsApp and Facetime or web browsers will get automatically blocked, seeing that vulnerable features like link previews will be disabled.
Industry News (33:14) TikTok CEO Addresses US Security Concern Software Supply Chain Attack Hits Thousands of Apps Hive Ransomware Upgraded to Rust to Deliver More Sophisticated Encryption APT Hacker Group Bitter Continues to Attack Military Targets in Bangladesh North Korean Hackers Target US Health Providers With 'Maui' Ransomware Marriott Plays Down 20GB Data Breach FBI and MI5 Bosses Warn of “Massive” China Threat Microsoft Updates Windows 11 Subsystem for Android to Introduce Support For VPN-Assigned IPs Apple Announces 'Lockdown Mode' to Protect Journalists, Human Rights Workers From Spyware
Tweet of the Week (44:33) https://twitter.com/alxbrsn/status/1544707673282723840 Ubisoft Accidentally Leaks Hundreds of Customer E-mail Addresses in Watch Dogs Marketing Snafu Come on! Like and bloody well subscribe!
08 May 2024 | Episode 192 - The Unedited Episode | 00:49:24 | |
This week in InfoSec With content liberated from the “today in infosec” twitter account and further afield 27th April 2012: The Information Commissioner's Office (ICO) in the UK issued its first-ever data breach fine to an NHS (National Health Service) organisation, fining Aneurin Bevan Health Board in Wales £70,000. https://www.digitalhealth.net/2012/04/first-nhs-fine-issued-by-ico/
Rant of the Week Dropbox dropped the ball on security, haemorrhaging customer and third-party info Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities. The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone. The filing states that management became aware of the incident last week – on April 24 – and "immediately activated our cyber security incident response process to investigate, contain, and remediate the incident." That effort led to the discovery that "the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings."
Billy Big Balls of the Week Chinese government website security is often worryingly bad, say Chinese researchers Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week. The researchers concluded the investigation has uncovered "pressing security and dependency issues" that may not have a quick fix. "Despite thorough analyses, practical solutions to bolster the security of these systems remain elusive," wrote the researchers. "Their susceptibility to cyber attacks, which could facilitate the spread of malicious content or malware, underscores the urgent need for real-time monitoring and malicious activity detection." The study also highlights the need for "stringent vetting and regular updates" of third-party libraries and advocates "a diversified distribution of network nodes, which could substantially augment system resilience and performance." The study will likely not go down well in Beijing, as China's government has urged improvements to government digital services and apps, and often issues edicts about improving cybersecurity.
Industry News Google Blocks 2.3 Million Apps From Play Store Listing Disinformation: EU Opens Probe Against Facebook and Instagram Ahead of Election NCSC’s New Mobile Risk Model Aimed at “High-Threat” Firms Lawsuits and Company Devaluations Await For Breached Firms UnitedHealth CEO Confirms Breach Tied to Stolen Credentials, No MFA REvil Ransomware Affiliate Sentenced to Over 13 Years in Prison Security Breach Exposes Dropbox Sign Users Indonesia is a Spyware Haven, Amnesty International Finds North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts
Tweet of the Week https://twitter.com/summer__heidi/status/1783829402574639187 Come on! Like and bloody well subscribe!
16 Jun 2023 | Episode 156 - The Smashing Security Takeover Episode | 00:56:07 | |
This week in InfoSec (12:01) With content liberated from the “today in infosec” twitter account and further afield 12th June 1989: Callers to a Florida probation office were connected to a phone sex line. Southern Bell officials said it was the first time their switching equipment had been reprogrammed by a hacker. https://twitter.com/todayininfosec/status/1668417281112637441 15th June 2004: The first mobile phone virus, Cabir, was discovered. It infected devices running the Symbian OS and spread via Bluetooth. 68% of you are thinking "Symbian OS? Never heard of it." Learn how it got its name and how it spread in a stadium in Finland: https://twitter.com/todayininfosec/status/1669380905662545921
Rant of the Week (21:09) Capita wins £50M fraud reporting contract with City of London cops Capita, which is still dealing with a digital break-in that exposed customers' data to criminals, has scored a £50 million contract with the City of London police to run contact and engagement services for the force's fraud reporting service. The five-year agreement kicks off in 2024 and the territorial cops responsible for law enforcement in the financial district of the capital (aka the "square mile"; the Met looks after Greater London) have an option to extend it for a further two years, should they wish to do so. The work will see Capita provide an "end-to-end customer management process" to potential victims of fraud when they contact the service. The current iteration receives upwards of 350,000 calls and 2.3m unique visits to the website annually. In a statement, Capita pledged to "deploy" its "customer experience model for identifying, managing and monitoring customers using data and specialist coaching to support potential victims of crime."
EU boss Breton: There's no Huawei that Chinese comms kit is safe to use in Europe European Commission's own networks to toss Middle Kingdom boxes amid calls for total replacement European commissioner Thierry Breton wants Huawei and ZTE barred throughout the EU, and revealed plans to remove kit made by the Chinese telecom vendors from the Commission's internal networks. "We cannot afford to maintain critical dependencies that could become a weapon against our interests," he declared in a Thursday speech. The Chinese vendors' presence in foreign networks has been a point of concern for years. There are concerns that backdoors in Huawei equipment could allow China to spy on foreign nations, given Chinese law requires local businesses to share info with Beijing.
However, Huawei has repeatedly rejected the claims of backdoors, insisted it follows the law of the land wherever it operates, and denied that Chinese laws would see it sell out customers. Those protestations haven't stopped the US, UK, and at least ten EU countries from banning the manufacturer's kit from their networks. ZTE has also run afoul of regulators.
Billy Big Balls of the Week (32:17) US mother gets call from ‘kidnapped daughter’ – but it’s really an AI scam After being scammed into thinking her daughter was kidnapped, an Arizona woman testified in the US Senate about the dangerous side of artificial intelligence technology when in the hands of criminals. Jennifer DeStefano told the Senate judiciary committee about the fear she felt when she received an ominous phone call on a Friday last April. Thinking the unknown number was a doctor’s office, she answered the phone just before 5pm on the final ring. On the other end of the line was her 15-year-old daughter – or at least what sounded exactly like her daughter’s voice.
Industry News (42:07) Data Flows Between UK and US to be Simplified Under New Agreement Ofcom Latest MOVEit Victim as Exploit Code Released Microsoft Pays $20m to Settle Another FTC COPPA Case No Zero-Days but PGM Flaws Cause Patch Tuesday Concern MFA Bypass Kits Account For One Million Monthly Messages Europol Warns of Metaverse and AI Terror Threat EU Passes Landmark Artificial Intelligence Act Malicious Actors Exploit GitHub to Distribute Fake Exploits LockBit Makes $91m From US Victims in Two Years
Tweet of the Week (50:49) https://twitter.com/InfoSecSherpa/status/1062036305146724354 https://twitter.com/fesshole/status/1662495137992175617 Come on! Like and bloody well subscribe!
16 Apr 2021 | Episode 51 - Punking the Punkbuster | 01:00:48 | |
We think we sound much better this week, all thanks to Krisp! Tighten up your audio, remove background noise, and annoying work colleagues, all with Krisp. Download it here: https://ref.krisp.ai/u/ue2a67ba76
One advantage of being short is that you get to be in the front of all pictures taken of a group and that is all we have to say about Little People this week.
This week in Infosec Liberated from the “today in infosec” twitter account: 15th April 2000: The RCMP arrested a Canadian juvenile known as MafiaBoy for a DDoS attack against cnn.com. https://twitter.com/todayininfosec/status/1250622615204454400 https://en.wikipedia.org/wiki/Michael_Calce 14th April 2005: It was announced that the National Infrastructure Advisory Council (NIAC) had chosen FIRST to be the custodian of the Common Vulnerability Scoring System (CVSS), the then-emerging standard in vulnerability scoring. https://twitter.com/todayininfosec/status/1250251203390275584 16th April 2014: Host Unknown released their debut music video to great acclaim within the Infosec echo-chamber https://twitter.com/HostUnknownTV/status/456395301159305216 Jav’s proposal for Pulp Security from 2011 (cue Misirlou clarinet version to avoid copyright infringement notices) Cynic: So tell me more about America. Jester: Well it's the same shit we got here, it's just a little different. Cynic: Example? Jester: Well I mean, you can get encryption products out there. It's legal for you to own it, it's legal for you to install it… but get this. If you try to export it out of the country it's illegal for you to do it. Cynic: Damn man, that's harsh. Jester: You know what they call a router (pronounced rooter) out in the US? Cynic: They don't call it a Rooter? Jester: Nah man, they got their own system, they call it a Router (pronounced rowter) Cynic: haha
Rant of the Week
Industry News Hackers Hacked as Underground Carding Site is Breached Facebook Removes 16k Groups for Trading Fake Reviews Brits Still Confused by Multi-Factor Authentication Food Shortages at Dutch Supermarkets After Ransomware Outage Cyber-Attack Shutters Half of Tasmania’s Casinos Microsoft Patches Four More Critical Exchange Server Bugs Lawsuit Filed After Facial Recognition Tech Leads to Wrongful Arrest Man Gets 10 Years for Multimillion-Dollar Medicare Fraud Scheme Europe's Data Protection Guardians Green Light EU-UK Data Flows
Javvad’s Weekly Stories How I pwned an ex-CISO and Smashing Security https://youtu.be/lb5htJmjcFM
Tweet of the Week Robert McArdle - @bobmcardle Director FTR - CyberCrime Research for @TrendMicro. Lecturer in Malware Analysis. https://twitter.com/bobmcardle/status/1382602129005772801
Sticky Pickle of the Week Your company is looking to promote an upcoming Women in Security webinar and you’re looking to maximise engagement on your social media channels, so you come up with a single question which you believe will solicit engagement, and believe the question is structured in a way that keeps responses on topic: “What according to you are the most common challenges faced by women in the cybersecurity domain?”. Sound good so far? Can you make it simpler by providing multiple choice answers to choose from? It’s not a bad strategy, so what are the optional responses to the most common challenges faced by women in the industry? A: “Only men can do this job” B: “Women can’t handle this job” C: “Women aren’t encouraged enough.” Now the responses you’re receiving to this insightful quiz are not going in the direction you thought they would - what are your next steps? https://www.infosecurity-magazine.com/blogs/the-story-of-the-eccouncil-gender/ Come on! Like and bloody well subscribe!
20 Aug 2021 | Episode 69 - Think of a Number Bill and Ted | 00:59:18 | |
This week in Infosec With content liberated from the “today in infosec” twitter account 14th August 2013: Affinity Health Plan was fined $1,215,780 for a HIPAA violation after a photocopier purchased by CBS for an investigatory report in 2010 revealed medical info. At $1.2M, photocopy breach proves costly https://twitter.com/todayininfosec/status/1294252352191565824 17th August 2005: Jason Smathers, a former employee of AOL, was sentenced to 15 months in prison for selling screen names and email addresses of 92 million users to spammers. Ex-AOL worker who stole e-mail list sentenced Jason Smathers: Internet Criminal https://twitter.com/todayininfosec/status/1295500512830394371
The Box incidental music © Charlie Langford
Rant of the Week You can post LinkedIn jobs as almost ANY employer — so can attackers Anyone can create a job listing on the leading recruitment platform LinkedIn on behalf of just about any employer—no verification needed. And worse, the employer cannot easily take these down. Now, that might be nothing new, but the feature and lax verification on career websites pave the ways for attackers to post bogus listings for malicious purposes. The attackers can, for example, use this social engineering tactic to collect personal information and resumes from professionals who believe they are applying to a legitimate company, without realizing their data may be sold or used for phishing scams.
Billy Big Balls of the Week Woman accessed ex-partner’s Alexa to torment his new girlfriend Philippa Copleston-Warren terrified love rival by using smart device to switch lights on and off and tell her to get out of the house Chelsea woman used Alexa to scold ex-lover’s new girlfriend A management consultant from west London accessed the Alexa device at her ex-boyfriend’s home from more than 100 miles away to tell his new partner to get out of the house. Philippa Copleston-Warren, 46, logged into an app linked to smart devices in the victim’s Lincolnshire home, and was able to see her ex’s new girlfriend on the property’s CCTV system. Prosecutors said Copleston-Warren was able to tell the woman “to get out” and used the app to turn the bedside lights on and off. At Isleworth crown court, Copleston-Warren admitted posting a naked photo of her ex-boyfriend on Facebook, accompanying it with the caption: “Do I look fat??? My daily question”. [That was this week's BILLY BIG BALLS] [SEEN ON REDDIT] Thom: Antivaxers Think Their ‘Pure’ Semen Will Skyrocket in Value I’m going to retire as a “cum cow”
Industry News "Jigsaw Puzzle" Phishing Attacks Use Morse Code to Hide Cadbury Campaigns Against Cyber-bullying Misconfigured Server Leaks US Terror Watchlist Airline Employee Jailed for Spending Passengers’ Money T-Mobile: 49 Million Customers Hit by Data Breach JPMorgan Chase Notifies Customers of Data Breach Coin Ninja CEO Admits Operating Darknet Bitcoin Mixer Women Charged Over Sexually Exploitative Child Modeling Sites
Tweet of the Week https://twitter.com/Kaipo_Rozwolf/status/1428426623091724289 OnlyFans Will Ban Pornography Starting in October, Citing Need to Comply With Financial Partners
Come on! Like and bloody well subscribe!
19 Aug 2022 | Episode 117 - Now With Trigger Warnings | 00:47:30 | |
This week in InfoSec With content liberated from the “today in infosec” twitter account and further afield 18th August 2003: The Nachi worm began infecting Windows computers to remove the Blaster worm and patch the vulnerability Nachi and Blaster exploited. Yes, you read that right. Yes, this happened. Gotta love it! https://twitter.com/todayininfosec/status/1163142725740331008 17th August 2007: Drew Curtis, founder of http://Fark.com, accused Darrell Phillips, reporter at Fox13, of hacking into the social networking news site https://twitter.com/todayininfosec/status/1162868155015761920
Rant of the Week PC store told it can't claim full cyber-crime insurance after social-engineering attack A Minnesota computer store suing its crime insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses. SJ Computers alleged in a November lawsuit [PDF] that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack. According to its website, SJ Computers is a Microsoft Authorized Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades. Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted [PDF] with prejudice last Friday.
Billy Big Balls of the Week Janet Jackson music video declared a cybersecurity exploit The music video for Janet Jackson's 1989 pop hit Rhythm Nation has been recognized as a cybersecurity vulnerability after Microsoft reported it can crash old laptop computers. "A colleague of mine shared a story from Windows XP product support," wrote Microsoft blogger Raymond Chen. The story detailed how "a major computer manufacturer discovered that playing the music video for Janet Jackson's Rhythm Nation would crash certain models of laptops." Further investigation revealed that multiple manufacturers' machines also crashed. Sometimes playing the video on one laptop would crash another nearby laptop. This is mysterious because the song isn't actually that bad. Investigation revealed that all the crashing laptops shared the same 5400 RPM hard disk drive. "It turns out that the song contained one of the natural resonant frequencies for the model of 5400 RPM laptop hard drives that they and other manufacturers used," Chen wrote. The manufacturer that found the problem apparently added a custom filter in the audio pipeline to detect and remove the offending frequencies during audio playback.
Industry News
- Critical Infrastructure at Risk as Thousands of VNC Instances Exposed
- Three Extradited from UK to US on $5m BEC Charges
- Software Patches Flaw on macOS Could Let Hackers Bypass All Security Levels
- Water Company Says Supply Safe After Ransom Group Claims
- Microsoft Disrupts Russian Cyber-Espionage Group Seaborgium
- Healthcare Provider Issues Warning After Tracking Pixels Leak Patient Data
- Bug Bounty Giant Slams Quality of Vendor Patching
- Suspected Russian Money Launderer Extradited to US
- Hackers Deploy Bumblebee Loader to Breach Target Networks
Tweet of the Week https://twitter.com/dildog/status/1560025574437015553 Come on! Like and bloody well subscribe!
31 Mar 2023 | Episode 146 - The Hungry Hungry Caterpillar | 00:47:02 | |
This Week in InfoSec (08:33) With content liberated from the “today in infosec” twitter account and further afield 29th March 2010: OpenSSL version 1.0.0 was released. It's easy to take for granted how pervasive the open source library is in the myriad of technologies used to transmit data over the internet and other networks. Take a moment to think about it. https://twitter.com/todayininfosec/status/1641215201197412352 25th March 2010: Albert Gonzalez was sentenced to 20 years in prison for stealing credit card data from TJX and other companies. He is currently serving his sentence at FMC Lexington and is scheduled to be released in less than 4 months. Find an inmate: BOP Register Number 25702-050 https://twitter.com/todayininfosec/status/1639657037935067137
Rant of the Week (13:55) NHS Highland 'reprimanded' by data watchdog for BCC blunder with HIV patients In a classic email snafu NHS Highland sent messages to 37 patients infected with HIV and inadvertently used carbon copy (CC) instead of Blind Carbon Copy (BCC), meaning the recipients could see each other’s email addresses. This is according to Britain’s data watchdog, the Information Commissioner’s Office, which has “reprimanded” the Health Board, which serves a regional population of some 320,000 people and has an annual operating budget of £780 million ($964 million). The error took place in June 2019 when a member of staff opened the prior group email, copied all those on the list and emailed a newsletter to the group of 37 “data subjects” - aka patients - without using BCC. Efforts to recall the mail failed. Rather than issuing a £35,000 ($43,000) fine, the ICO is instead taking its “public sector approach” introduced in June 2022: working with senior leaders to “encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong.” The ICO described the email error as a “serious breach of trust.” In a statement, Stephen Bonner, ICO deputy commissioner for regulatory supervision, said of the mistake: “The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data. “Every HIV service provider in this country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe,” he said. The ICO said using BCC incorrectly is within the top 10 “non-cyber breaches, with nearly a thousand reported since 2019.”
Billy Big Balls of the Week (25:06) Microsoft Security Copilot is a new GPT-4 AI assistant for cybersecurity After announcing an AI-powered Copilot assistant for Office apps, Microsoft is now turning its attention to cybersecurity. Microsoft Security Copilot is a new assistant for cybersecurity professionals, designed to help defenders identify breaches and better understand the huge amounts of signals and data available to them daily. Powered by OpenAI’s GPT-4 generative AI and Microsoft’s own security-specific model, Security Copilot looks like a simple prompt box like any other chatbot. You can ask “what are all the security incidents in my enterprise?” and it will summarize them. But behind the scenes, it’s making use of the 65 trillion daily signals Microsoft collects in its threat intelligence gathering and security-specific skills to let security professionals hunt down threats. Microsoft Security Copilot is designed to assist a security analyst’s work rather than replace it — and even includes a pinboard section for co-workers to collaborate and share information. Security professionals can use the Security Copilot to help with incident investigations or to quickly summarize events and help with reporting.
Industry News (33:13)
- NCA Harvests Info on DDoS-For-Hire With Fake Booter Sites
- New MacStealer Targets Catalina, Newer MacOS Versions
- France Bans TikTok, Other 'Fun' Apps From Government Devices
- ChatGPT Vulnerability May Have Exposed Users’ Payment Information
- Thieves Steal $9m from Crypto Liquidity Pool
- NCA Celebrates Multimillion-Pound Fraud Takedowns
- North Korean Hackers Use Trojanized 3CX DesktopApp in Supply Chain Attacks
- GCHQ Updates Security Guidance for Boards
- UK Regulator: HIV Data Protection Must Improve
Tweet of the Week (41:24) https://twitter.com/TrungTPhan/status/1641480574996217858 Come on! Like and bloody well subscribe!