• Episode 203 - The Too Soon Episode
    Sep 24 2024
    This week in InfoSec (10:44)

    With content liberated from the “today in infosec” twitter account and further afield

    18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes.

    https://twitter.com/todayininfosec/status/1836495262409175187

    17th September 2014: Apple announced that the iOS 8 operating system (used on iPhone and iPad) would be architected to prevent it from being technically feasible for the company to extract data from customer devices. A day later Google made a similar announcement pertaining to Android.

    With iOS 8 Update, Apple Will No Longer Provide User Data to Police

    https://twitter.com/todayininfosec/status/1836071319030374437

    Rant of the Week (17:50)

    No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedom

    Buried beneath the endless feeds and attention-grabbing videos of the modern internet is a network of data harvesting and sale that's perhaps far more vast than most people realise, and it desperately needs regulation. That's the conclusion the FTC made after spending nearly four years poring over internal data from nine major social media and video streaming corporations in the US.

    These internet behemoths are collecting vast amounts of data, both on and off their services, and the handling of such data is "woefully inadequate," particularly around data belonging to children and teenagers, the FTC said.

    Billy Big Balls of the Week (28:06)

    LinkedIn started harvesting people's posts for training AI without asking for opt-in

    LinkedIn started harvesting user-generated content to train its AI without asking for permission, angering netizens.

    Microsoft’s self-help network on Wednesday published a "trust and safety" update in which senior veep and general counsel Blake Lawit revealed LinkedIn's use of people's posts and other data for both training and using its generative AI features.

    In doing so, he said the site's privacy policy had been updated. We note this policy links to an FAQ that was updated sometime last week also confirming the automatic collecting of posts for training – meaning it appears LinkedIn started gathering up content for its AI models, and opting in users, well before Lawit’s post and the updated privacy policy advised of the changes today.

    Industry News (35:07)

    Over Half of Breached UK Firms Pay Ransom

    ICO Acts Against Sky Betting and Gaming Over Cookies

    AT&T Agrees $13m FCC Settlement Over Cloud Data Breach

    Europol Taskforce Disrupts Global Criminal Network Through Supply Chain Attack

    Google Street View Images Used For Extortion Scams

    8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data Breach

    Western Agencies Warn Risk from Chinese-Controlled Botnet

    Going for Gold: HSBC Approves Quantum-Safe Technology for Tokenized Bullions

    Cybersecurity Skills Gap Leaves Cloud Environments Vulnerable

    Tweet of the Week (42:39)

    https://twitter.com/ProfWoodward/status/1837084678836171089

    Come on! Like and bloody well subscribe!
    47 mins
  • Episode 202 - The Dog Eating Episode
    Sep 16 2024
    This week in InfoSec (11:25)

    With content liberated from the “today in infosec” twitter account and further afield

    12th September 2014: Stephane Chazelas contacted Bash maintainer Chet Ramey about a vulnerability he dubbed "Bashdoor", which later became known as Shellshock. It was publicly disclosed 12 days later.

    Shellshock was kind of a big deal - and the vuln had been in Bash for 25 years!

    https://x.com/todayininfosec/status/1834293229472416242

    9th September 2001: Mark Curphey started OWASP (the Open Web Application Security Project). In 2023 it was renamed the Open Worldwide Application Security Project.

    https://x.com/todayininfosec/status/1833191889790480500

    Rant of the Week (16:33)

    WhatsApp's 'View Once' could be 'View Whenever' due to a flaw

    A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.

    According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.

    The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code.

    "The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation states.

    "Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared."

    Billy Big Balls of the Week (27:10)

    Australia’s government spent the week boxing Big Tech

    The fun started on Monday when prime minister Anthony Albanese announced his intention to introduce a minimum age for social media, with a preference for the services to be off limits until kids turn 16.

    "I want kids to have a childhood," the PM urged. "I want them off their devices … I want them to have real experiences with real people."

    Albanese promised legislation to enact the rule will be tabled before Australia's next election, due by 2025. Opposition leader Peter Dutton broadly supported the proposal, which is pitched at parents who are tired of having to protect their kids online.

    Industry news (34:34)

    DoJ Distributes $18.5m to Western Union Fraud Victims

    Poland's Supreme Court Blocks Pegasus Spyware Probe

    UK Recognizes Data Centers as Critical National Infrastructure

    Mastercard Acquires Global Threat Intelligence Firm Recorded Future for $2.65bn

    TfL Confirms Customer Data Breach, 17-Year-Old Suspect Arrested

    Irish Data Protection Regulator to Investigate Google AI

    Microsoft Vows to Prevent Future CrowdStrike-Like Outages

    Record $65m Settlement for Hacked Patient Photos

    Malicious Actors Spreading False US Voter Registration Breach Claims

    Tweet of the Week (41:57)

    https://x.com/MikeTalonNYC/status/1834311262563377553

    Come on! Like and bloody well subscribe!
    45 mins
  • Episode 201 - The Difficult 201st Podcast
    Sep 9 2024
    This week in InfoSec (13:08)

    With content liberated from the “today in infosec” twitter account and further afield

    3rd September 2014: Twitter launched its bug bounty program via the HackerOne platform, stating it would award at least $140 for vulnerabilities found in http://x.com/ or its Android or iOS apps.

    $140? 140 was the max tweet length. $1.6 million has been paid out since inception.

    https://twitter.com/XSecurity/status/507220774336225280

    https://x.com/todayininfosec/status/1831408686604140602

    30th August 2014: A user of the message board 4chan posted leaked nude photos of Jennifer Lawrence, Kate Upton, Kirsten Dunst, and other celebrities. Several years later 4 people were sentenced for crimes related to the hacking of Apple iCloud accounts of dozens of targeted individuals.

    Apple knew of iCloud API weakness months before celeb photo leak broke

    https://x.com/todayininfosec/status/1830016468328575386

    Rant of the Week (19:09)

    'Error' causes Alexa to endorse Kamala Harris, refuse to discuss Trump

    It would be perfectly reasonable to expect Amazon's digital assistant Alexa to decline to state opinions about the 2024 presidential race, but up until recently, that assumption would have been incorrect.

    When asked to give reasons to vote for former President Donald Trump, Alexa demurred, according to a video from Fox Business. "I cannot provide responses that endorse any political party or its leader," Alexa responded. When asked the same about Vice President Kamala Harris, the Amazon AI was more than willing to endorse the Democratic candidate. "There are many reasons to vote for Kamala Harris," Alexa said. Among the reasons given was that Harris has a "comprehensive plan to address racial injustice," that she promises a "tough on crime approach," and that her record on criminal justice and immigration reform make her a "compelling candidate."

    Billy Big Balls of the Week (26:45)

    Examples of Google Employees Trying to Avoid Creating Evidence in Antitrust Case

    In its antitrust case against Google, the Federal Government filed a list of chats it had obtained that show Google employees explicitly asking each other to turn off a chat history feature to discuss sensitive subjects, showing repeatedly that Google workers understood they should try to avoid creating a paper trail of some of their activities. The filing came following a hearing in which judge Leonie Brinkema ripped Google for “destroyed” evidence while considering a filing from the Department of Justice asking the court to find “adverse interference” against Google, which would allow the court to assume it purposefully destroyed evidence. Previous filings, including in the Epic Games v Google lawsuit and this current antitrust case, have also shown Google employees purposefully turning history off.

    The chats show 22 instances in which one Google employee told another Google employee to turn chat history off. In total, the court has dozens of specific employees who have told others to turn history off in DMs or broader group chats and channels. The document includes exchanges like this (each exchange includes different employees)

    AND

    Musician charged with $10M streaming royalties fraud using AI and bots

    North Carolina musician Michael Smith was indicted for collecting over $10 million in royalty payments from Spotify, Amazon Music, Apple Music, and YouTube Music using AI-generated songs streamed by thousands of bots in a massive streaming fraud scheme.

    According to court documents, Smith fraudulently inflated music streams on digital platforms between 2017 and 2024 with the assistance of an unnamed music promoter and the Chief Executive Officer of an AI music company.

    He acquired hundreds of thousands of songs generated through artificial intelligence (AI) from a coconspirator and uploaded them to these streaming platforms.

    He then used automated bots to stream the AI-generated tracks billions of times.

    Industry News (36:21)

    South Korea Police Investigates Telegram Over Deepfake Porn

    Irish Wildlife Park Warns Customers to Cancel Credit Cards Following Breach

    TfL Claims Cyber-Incident is Not Impacting Services

    Three Plead Guilty to Running MFA Bypass Site

    Civil Rights Groups Call For Spyware Controls

    Clearview AI Fined €30.5m by Dutch Watchdog Over Illegal Data Collection

    Russian Blamed For Mass Disinformation Campaign Ahead of US Election

    OnlyFans Hackers Targeted With Infostealer Malware

    UK Signs Council of Europe AI Convention

    Tweet of the Week (42:50)

    https://twitter.com/0xdade/status/1831387831677415923

    Come on! Like and bloody well subscribe!
    46 mins
  • Episode 200 - The Bicentennial men Episode
    Sep 2 2024
    This week in InfoSec (07:42)

    With content liberated from the “today in infosec” twitter account and further afield

    29th August 1990: The UK's Computer Misuse Act 1990 went into effect, introducing 3 criminal offences related to unauthorised access and modification of "computer material".

    https://twitter.com/todayininfosec/status/1829252932178719161

    27th August 1999: One of the first companies to offer a dedicated web application firewall (WAF) was Perfecto Technologies with its AppShield product. But it didn't use the terminology "WAF", instead describing it as "a plug and play Internet application security solution".

    https://twitter.com/todayininfosec/status/1828483993001492969

    Rant of the Week (13:25)

    Watchdog warns FBI is sloppy on secure data storage and destruction

    The FBI has made serious slip-ups in how it processes and destroys electronic storage media seized as part of investigations, according to an audit by the Department of Justice Office of the Inspector General.

    Drives containing national security data, Foreign Intelligence Surveillance Act information and documents classified as Secret were routinely unlabeled, opening the potential for it to be either lost or stolen, the report [PDF] addressed to FBI Director Christopher Wray states.

    Ironically, this lack of identification might be considered a benefit, given the lax security at the FBI's facility used to destroy such media after they have been finished with.

    The OIG report notes that it found boxes of hard drives and removable storage sitting open and unattended for "days or even weeks" because they were only sealed once the boxes were full. This potentially allows any of the 395 staff and contractors with access to the facility to have a rummage around.

    Billy Big Balls of the Week (22:01)

    Deadbeat dad faked his own death by hacking government databases

    A US man has been sentenced to 81 months in jail for faking his own death by hacking government systems and officially marking himself as deceased.

    The US Department of Justice on Tuesday detailed the case of Jesse Kipf, 39, who was sent down for computer fraud and aggravated identity theft.

    In January 2023, Kipf used the credentials of a physician to access Hawaii's Death Registry System and create a "case" that recorded his own death.

    "Kipf then completed a State of Hawaii Death Certificate Worksheet, assigned himself as the medical certifier for the case and certified his death, using the digital signature of the doctor," the DoJ wrote. The paperwork was all correct, so many government databases listed Kipf as deceased.

    But he was very much alive and enjoying the fact that his "death" meant he didn't have to make child support payments or catch up on those he'd already missed. Evidence presented in court included internet search histories recorded on a laptop, with Kipf looking up terms including "Remove California child support for deceased."

    Industry News (28:13)

    Uber Hit With €290m GDPR Fine

    FBI Flawed Data Handling Raises Security Concerns

    Microsoft 365 Copilot Vulnerability Exposes User Data Risks

    Money Laundering Dominates UK Fraud Cases

    Ransomware Attacks Exposed 6.7 Million Records in US Schools

    IT Engineer Charged For Attempting to Extort Former Employer

    Surge in New Scams as Pig Butchering Dominates

    Unpatched CCTV Cameras Exploited to Spread Mirai Variant

    North Korean Hackers Launch New Wave of npm Package Attacks

    Tweet of the Week (36:20)

    https://x.com/fesshole/status/1828921760147767400

    Come on! Like and bloody well subscribe!
    39 mins
  • Episode 199 - The Holiday Is Over Episode
    Aug 27 2024
    This week in InfoSec (06:43)

    With content liberated from the “today in infosec” twitter account and further afield

    18th August 2004: Text messages sent to promote the video game "Resident Evil: Outbreak" stated "Outbreak: I'm infecting you with t-virus". This scared recipients, who were only about 7% less technologically savvy than mobile phone users today.

    https://x.com/todayininfosec/status/1825257955878641888

    20th August 2003: Philippe Oechslin shared his technique he called "rainbow tables" during a talk at the 23rd annual crypto conference, Crypto 2003.

    It became a popular approach for cracking password hashes. Today it's less widely used due to adoption of practices that reduce its efficacy.

    https://x.com/todayininfosec/status/1825865870716870802

    Rant of the Week (10:59)

    This uni thought it would be a good idea to do a phishing test with a fake Ebola scare

    University of California Santa Cruz (UCSC) students may be relieved to hear that an emailed warning about a staff member infected with the Ebola virus was just a phishing exercise.

    The message, titled "Emergency Notification: Ebola Virus Case on Campus," went out to the university community on Sunday, August 18. It began, "We regret to inform you that a member of our staff, who recently returned from South Africa, has tested positive for the Ebola virus."

    The message went on to say that the university has initiated a contact tracing protocol and asks message recipients to "Please Log In to the Access Information Page for more details" – the very activity phishing messages attempt to encourage in order to capture login credentials.

    The simulated attack was similar to an actual phishing message sent on August 1, 2024, as shown on the UCSC Phish Bowl, a collection of real and test phishing attempts.

    But the one sent on Sunday was intended to raise awareness of phishing rather than to actually steal information.

    In that, it succeeded.

    The message prompted the UCSC Student Health Center to publish a notice about a "Phishing email with misleading health information."

    On Monday, Brian Hall, chief information security officer for UCSC, sent out an apology to the university community.

    Billy Big Balls of the Week (18:20)

    Russia tells citizens to switch off home surveillance because the Ukrainians are coming

    Russia's Ministry of Internal Affairs is warning residents of under-siege regions to switch off home surveillance systems and dating apps to stop Ukraine from using them for intel-gathering purposes.

    Residents of the Bryansk, Kursk, and Belgorod regions were issued with the warnings amid what seems like Russia being thoroughly rattled by Ukraine's incursion into the country's southwest.

    "The enemy is massively identifying IP ranges in our territories and connecting to unprotected video surveillance cameras remotely, viewing everything from private yards to roads and highways of strategic importance," said the ministry, according to Russian newswire Interfax. "In this regard, if there is no urgent need, it is better not to use video surveillance cameras.

    "It is highly discouraged to use online dating services. The enemy actively uses such resources for the covert collection of information."

    These warnings were just two of many included in a public memo aimed at protecting the identities of high-value Russian individuals, including military personnel, law enforcement agents, and nuclear energy workers.

    Industry News (24:51)

    Iran Behind Trump Campaign Hack, US Government Confirms

    New DNS-Based Backdoor Threat Discovered at Taiwanese University

    Most Ransomware Attacks Now Happen at Night

    CISA to Get New Headquarters as $524M Contract Awarded

    Australia Calls Off Clearview AI Investigation Despite Lack of Compliance

    Backdoor in Mifare Smart Cards Could Open Doors Around the World

    Security Flaws in UK Political Party Donation Platforms Exposed

    Company Fined $1m for Fake Joe Biden AI Calls

    FAA Admits Gaps in Aircraft Cybersecurity Rules: New Regulation Proposed

    Tweet of the Week (32:19)

    https://x.com/anon_opin/status/1826015107857416458?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbg

    Come on! Like and bloody well subscribe!
    36 mins
  • Episode 198
    Jul 15 2024
    This week in InfoSec (10:28)

    10th July 1999 - Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America".

    https://twitter.com/todayininfosec/status/1811133606015983680

    9th July 1981 - The game that launched two of the most famous characters in video game history is released for sale. Donkey Kong was created by Nintendo, a Japanese playing card and toy company turned fledgling video game developer, who was trying to create a hit game for the North American market. Unable at the time to acquire a license to create a video game based on the Popeye character, Nintendo decides to create a game mirroring the characteristics and rivalry of Popeye and Bluto. Donkey Kong is named after the game’s villain, a pet gorilla gone rogue. The game’s hero is originally called Jumpman, but is retroactively renamed Mario once the game becomes popular and Nintendo decides to use the character in future games.

    Due to the similarity between Donkey Kong and King Kong, Universal Studios sued Nintendo claiming Donkey Kong violated their trademark. Kong, however, is common Japanese slang for gorilla. The lawsuit was ruled in favor of Nintendo. The success of Donkey Kong helped Nintendo become one of the dominant companies in the video game market.

    Rant of the Week (15:55)

    Palestinians say Microsoft unfairly closing their accounts

    Palestinians living abroad have accused Microsoft of closing their email accounts without warning - cutting them off from crucial online services.

    They say it has left them unable to access bank accounts and job offers - and stopped them using Skype, which Microsoft owns, to contact relatives in war-torn Gaza.

    Microsoft says they violated its terms of service - a claim they dispute.

    Billy Big Balls of the Week (27:39)

    Scalpers Work With Hackers to Liberate Ticketmaster's ‘Non-Transferable’ Tickets

    A lawsuit filed in California by concert giant AXS has revealed a legal and technological battle between ticket scalpers and platforms like Ticketmaster and AXS, in which scalpers have figured out how to extract “untransferable” tickets from their accounts by generating entry barcodes on parallel infrastructure that the scalpers control and which can then be sold and transferred to customers.

    By reverse-engineering how Ticketmaster and AXS actually make their electronic tickets, scalpers have essentially figured out how to regenerate specific, genuine tickets that they have legally purchased from scratch onto infrastructure that they control. In doing so, they are removing the anti-scalping restrictions put on the tickets by Ticketmaster and AXS.

    'Gay furry hackers' breach conservative US think tank behind Project 2025

    A collective of self-described "gay furry hackers" have released 2GB of data lifted from the Heritage Foundation, the conservative think-tank behind Project 2025 - a set of proposals that would bring the USA closer to being an authoritarian state.

    The hacktivist group, known as SiegedSec, has been running a campaign it calls "OpTransRights," targeting (mostly government) websites to disrupt efforts to enact or enforce anti-trans and anti-abortion laws.

    Industry News (33:26)

    10 Billion Passwords Leaked on Hacking Forum

    Crypto Thefts Double to $1.4 Billion, TRM Labs Finds

    Russia Blocks VPN Services in Information Crackdown

    Ticketmaster Extortion Continues, Threat Actor Claims New Ticket Leak

    Cyber-Attack on Evolve Bank Exposed Data of 7.6 Million Customers

    Most Security Pros Admit Shadow SaaS and AI Use

    Russian Media Uses AI-Powered Software to Spread Disinformation

    Smishing Triad Targets India with Fraud Surge

    Fraud Campaign Targets Russians with Fake Olympics Tickets

    Tweet of the Week (41:18)

    https://x.com/dennishegstad/status/1810044171765645568

    Come on! Like and bloody well subscribe!
    44 mins
  • Episode 197 - The Andy Is Distracted Episode
    Jul 8 2024

    This week in InfoSec (07:40)

    With content liberated from the “today in infosec” twitter account and further afield

    3 July 1996 - a mere 28 years ago the movie Independence Day was released. In it, Jeff Goldblum and Will Smith fly into an alien vessel in a 50-year-old space junker, then upload a computer virus in less than 5 minutes

    https://twitter.com/todayininfosec/status/1808464060972667170

    Rant of the Week (11:07)

    Cancer patient forced to make terrible decision after Qilin attack on London hospitals

    https://www.theregister.com/2024/07/05/qilin_impacts_patient/

    EXCLUSIVE The latest figures suggest that around 1,500 medical procedures have been canceled across some of London's biggest hospitals in the four weeks since Qilin's ransomware attack hit pathology services provider Synnovis. But perhaps no single person was affected as severely as Johanna Groothuizen.

    Hanna – the name she goes by – is now missing her right breast after her skin-sparing mastectomy and immediate breast reconstruction surgery was swapped out for a simple mastectomy at the last minute.

    Billy Big Balls of the Week (18:20)

    Ransomware scum who hit Indonesian government apologizes, hands over encryption key

    https://www.theregister.com/2024/07/04/hackers_of_indonesian_government_apologize/

    Industry News (24:28)

    Vinted Fined €2.3m Over Data Protection Failure

    Europol Warns of Home Routing Challenges For Lawful Interception

    Meta Faces Suspension of AI Data Training in Brazil

    New Ransomware Group Phones Execs to Extort Payment

    UK’s NCA Leads Major Cobalt Strike Takedown

    Cyber Extortion Soars: SMBs Hit Four Times Harder

    New RUSI Report Exposes Psychological Toll of Ransomware, Urges Action

    Dozens of Arrests Disrupt €2.5m Vishing Gang

    Health Tech Execs Get Jail Time For $1bn Fraud Scheme

    Tweet of the Week (31:07)

    Come on! Like and bloody well subscribe!

    39 mins
  • Episode 196 - The Nuclear Option Episode
    Jul 1 2024

    This Week in InfoSec (12:30)

    With content liberated from the “today in infosec” twitter account and further afield

    24th June 1987: The movie Spaceballs was released. With a budget of $23 million, it grossed $38 million at the box office in North America. Though 37 years have passed, the secret code scene remains a reminder of why security is hard.

    Watch the secret code scene from Spaceballs and weep. Or laugh. Or both. Has much changed when it comes to password security since the movie was released 37 years ago today?

    The 64 second scene: https:///youtu.be/a6iW-8xPw3k

    https://x.com/todayininfosec/status/1805302016451002501

    27th June 2011: Anonymous released its first cache from Operation AntiSec, information from a US anti-cyberterrorism program.

    https://x.com/todayininfosec/status/1806302186487345226

    Rant of the Week (18:15)

    Korean telco allegedly infected its P2P users with malware

    A South Korean media outlet has alleged that local telco KT deliberately infected some customers with malware due to their excessive use of peer-to-peer (P2P) downloading tools.

    The number of infected users of “web hard drives” – the South Korean term for the online storage services that allow uploading and sharing of content – has reportedly reached 600,000.

    Billy Big Balls of the Week (26:33)

    Crypto scammers circle back, pose as lawyers, steal an extra $10M in truly devious plan

    The FBI says in just 12 months, scumbags stole circa $10 million from victims of crypto scams after posing as helpful lawyers offering to recover their lost tokens.

    Between February 2023-2024, scammers were kicking US victims while they were already down, preying on their financial vulnerability to defraud them for a second time in what must be seen as a new low, even for that particular breed of dirtball.

    It's the latest update from the FBI's Internet Crime Complaint Center (IC3) on the ongoing issue which was first publicized in August last year.

    Industry News (34:24)

    US Bans Kaspersky Over Alleged Kremlin Links

    Sellafield Pleads Guilty to Historic Cybersecurity Offenses

    Polish Prosecutors Step Up Probe into Pegasus Spyware Operation

    Credential Stuffing Attack Hits 72,000 Levi’s Accounts

    Google's Naptime Framework to Boost Vulnerability Research with AI

    Fake Law Firms Con Victims of Crypto Scams, Warns FBI

    IT Leaders Split on Using GenAI For Cybersecurity

    Majority of Critical Open Source Projects Contain Memory Unsafe Code

    CISOs Reveal Firms Prioritize Savings Over Long-Term Security

    Tweet of the Week (43:08)

    https://twitter.com/StuAlanBecker/status/1806137799248359443

    Comments: https://twitter.com/derJamesJackson/status/1806307954586538205

    Alternate TotW:

    https://twitter.com/susisnyder/status/1806222280382406836

    Come on! Like and bloody well subscribe!

    49 mins