The Host Unknown Podcast

Host Unknown, Javvad Malik, Andrew Agnes, Thom Langford
Nov 11, 2022 • 48min

Episode 128 - The Higher Average IQ Episode

This week in InfoSec (08:27)
With content liberated from the “today in infosec” twitter account and further afield

4th November 2005: Microsoft AntiSpyware was renamed Windows Defender.
https://twitter.com/todayininfosec/status/1191478555634323456

5th November 1993: The Bugtraq mailing list was created by Scott Chasin. In 1999 it became the property of SecurityFocus, in 2002 Symantec acquired SecurityFocus, and the last message was posted to the list on February 25th, 2020, with no explanation from Symantec.
Bugtraq
https://twitter.com/todayininfosec/status/1324497907245109248

Rant of the Week (16:17)
Twitter Chief Information Security Officer flies the coop
Troubled social media giant Twitter has lost the services of its chief information security officer to cap off another chaotic week following its acquisition by Elon Musk.
Lea Kissner used their former employer’s platform to post: “I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done.”
They later posted, “I've loved this job and we got *so* much done, but here we are.”
Chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty are also said to have exited. And, separately, it's reported that the world's richest man has told Twitter staff that work-from-home is banned, and that tweeps need to work 40 or more hours a week from the office from now on.

Blue Badge Scams
If you teach your user base that verification means something specific, it will be hard for them to unlearn it. We learned that it's rare for a verified account to try to phish us. Changing the meaning of the check is a security issue.

Blue Badge impersonations
The new check mark system has resulted in threat actors successfully impersonating Twitter and defrauding users out of money. Although the account is now suspended, it rapidly got 35,000+ retweets and 4,990 likes. A simple $8 investment can result in thousands of dollars stolen.

Self-certifying compliance
The idea of engineers self-certifying compliance with an FTC consent decree jumped out to me as patently absurd. So I found and read the consent decree. This thread discusses how this policy violates that decree and why I believe these people had no option but to resign.

Billy Big Balls of the Week (27:14)
Apple limits AirDrop in China after its use in protests
Apple has placed time restrictions on AirDrop wireless file-sharing across iPhones in China after the feature was used by protesters to share images opposing the Chinese government, Bloomberg reports.
The “Everyone” option in AirDrop is now limited to a ten-minute window for users in China. After the ten minutes have passed, AirDrop’s device-to-device sharing will switch back to “Contacts Only,” making it harder to distribute content to strangers en masse. These new time restrictions have been introduced by Apple just weeks after the service was used to spread posters opposing president Xi Jinping.
The AirDrop restriction was included in the public release of iOS 16.1.1 on Wednesday, despite nothing about it being mentioned in the release notes. 9to5Mac readers were quick to discover that the restrictions seem limited to iPhones purchased in China.

Industry News (34:38)
Medibank Refuses to Pay Ransom After Data Breach
Swiss Re: Cyber-Insurance Industry Must Reform
SEC Announces 'Enforcement Action' For SolarWinds Over 2020 Hack
Instagram Influencer Gets 11 Years for Money Laundering
Medibank Confirms Data Stolen in Breach is Now Available Online
Couple Get 40 Years for Navy Espionage Plot
Malware Redirects 15,000 Sites in Malicious SEO Campaign
Majority of Security Managers Lack Threat Intelligence Skills
New Lenovo Notebook Models Affected By UEFI Firmware Vulnerabilities

Tweet of the Week (42:54)
https://twitter.com/Ox4d5a/status/1590578121526611968

Come on! Like and bloody well subscribe!
Nov 4, 2022 • 27min

Episode 127 - HU Lite the alcohol free edition

This week in InfoSec
3rd November 2000: A Dutch hacker gained access to Microsoft's network by exploiting a vulnerability for which Microsoft had issued a patch 10 weeks earlier.
The Patch MS Forgot to Apply
https://twitter.com/todayininfosec/status/1323807889425895424

25th October 2013: Adobe revealed that a breach of 2.9 million customer accounts made public 3 weeks earlier actually affected 38 million users.
Adobe breach THIRTEEN times worse than thought, 38 million users affected
https://twitter.com/todayininfosec/status/1323807889425895424

Rant of the Week
Government by Gmail catches up with UK minister... who is reappointed anyway
The UK's Home Secretary – the minister in charge of policing and internal security – has been forced to apologize for breaching IT security protocols in government.
Suella Braverman, who had already resigned over the breach, was reinstated in the UK's merry-go-round approach to government. She has written to the chair of Parliament's Home Affairs Select Committee to explain her actions and how she plans to avoid repeating them.

Billy Big Balls of the Week
The Hunter Cat is a bodyguard for your credit card (not an advert)
See if this sounds familiar: You are in a weird part of town and get cash from a sketchy ATM. The next day, you pay for gas at a pump-side terminal that doesn’t look quite right.
Against such a common problem, what are your options? For the particularly paranoid, enter the Hunter Cat.

Pranksters posing as laid-off Twitter employees trick media outlets: ‘Rahul Ligma’
A pair of pranksters posing as laid-off Twitter employees tricked multiple media outlets Friday as the public anxiously awaited news on whether Elon Musk had begun axing staffers.
CNBC’s Deirdre Bosa interviewed two people who identified themselves as Twitter employees and were seen near the company’s San Francisco headquarters carrying cardboard boxes.
Skepticism immediately emerged on social media. One of the pranksters said his name was “Rahul Ligma” — a reference to a popular internet meme — and held a copy of Michelle Obama’s book “Becoming” aloft while speaking to reporters. The other said his name was “Daniel Johnson.”

Industry News
Russia Suspected in Truss Phone Hacking Scandal
OpenSSL Security Advisory Downgraded to High Severity
Twitter Verified Status Users Flooded with Scams
Mobile Phishing Attacks on Government Staff Soar
Dropbox Suffers Breach, 130 GitHub Repositories Compromised
Android Apps With a Million Downloads Led Users to Phishing Sites
Threat Actor "OPERA1ER" Steals Millions from Banks and Telcos
UK Security Agency to Scan the Country for Bugs
Bot Warning for Retailers Ahead of Busy Shopping Season

Tweet of the Week
https://twitter.com/Joelmpetlin/status/1587417968664752129

Come on! Like and bloody well subscribe!
Oct 28, 2022 • 59min

Episode 126 - Don't Worry Its Organic

This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

29th October 1969: The first message sent over the ARPANET was from Leonard Kleinrock’s UCLA computer, sent by student programmer Charley Kline at 10:30 PM to the second node at Stanford Research Institute’s computer in Menlo Park, California. The message was simply "Lo." But not on purpose.
How a simple ‘hello’ became the first message sent via the Internet
https://twitter.com/todayininfosec/status/1189318094151409666

25th October 2001: Microsoft releases the operating system Windows XP, the successor to both Windows 2000 and Windows ME. Designed to unify the Windows NT line and Windows 95 line of operating systems, Windows XP was not replaced by Microsoft until January 2007 with Windows Vista. However, with a nearly six-year run and the public debacle surrounding the release of Windows Vista, Windows XP remained the world’s most popular operating system until August 2012.

Rant of the Week
An ex-TikTok moderator, who was paid $10 a day and had to scroll through child abuse and gun violence, was required to keep her webcam on all night, report says
A Colombian ex-moderator for TikTok said she was required to keep her webcam on all night, according to a report by The Bureau of Investigative Journalism. TBIJ spoke to nine moderators who shared their experience but requested that their identities remain secret for fear they might lose their jobs, or risk future employment prospects. All names have been changed, according to the outlet.
Carolina, a former TikTok moderator who worked remotely for Teleperformance, a Paris-based company offering moderation services, and earned $10 a day, said she had to keep her camera continuously on during her night shift, TBIJ reported. The company also told her that no one else should be in view of the camera and that she was only allowed a drink in a transparent cup on her desk.
Related: https://www.bbc.com/news/technology-57088382 Facebook moderator: ‘Every day was a nightmare’

PILOT PROGRAMME FOR FIRST CHARTERED CYBER PROFESSIONALS
CIISec and (ISC)² announced as pilot participant partners to assess candidates under the pilot programme.
The UK Cyber Security Council has announced it is set to usher in the country’s first chartered cyber professionals through a pilot scheme. The first two specialisms kickstarting the pilot are Cyber Security Governance and Risk Management and Secure System Architecture and Design. The Council has confirmed it will partner with two pilot participant bodies – (ISC)² and The Chartered Institute of Information Security (CIISec) – for the pilot, with the organisations responsible for assessing applications from their membership base against the Council’s newly established professional standard.

Billy Big Balls of the Week
Elon Musk walks into an office with a sink.

Apple’s Killing the Password. Here’s Everything You Need to Know
For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura next month, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs.
Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain: the private half stays in the Keychain, and the website stores only the public half. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now.
Apple’s rollout of passkeys is one of the largest implementations of password-free technology to date and builds on years of work by the FIDO Alliance, an industry group made up of tech’s biggest companies. Apple’s passkeys are its version of the standards created by the FIDO Alliance, meaning they will eventually work with Google, Microsoft, Meta, and Amazon’s systems.

Industry News
DHL Replaces LinkedIn As Most Imitated Brand in Phishing Attempts
ICO Warns of "Immature" Biometric Tech
See Tickets Discloses Major Card Data Breach
London's New Cyber Resilience Centre Set to Fight Cybercrime in the Capital
Hive Ransomware Group Leaks Data Stolen in Tata Power Cyber-Attack
Medibank Backtracks: All Customer Data Was Exposed to Hackers
GitHub Bug Exposed Repositories to Hijacking
White House Launches Chemical Sector Security Sprint
LinkedIn Unveils New Security Features to Tackle Fraud
National Chief Information Security Officer

Tweet of the Week
https://twitter.com/codesixonline/status/1585629859052605443

Come on! Like and bloody well subscribe!
Oct 21, 2022 • 48min

Episode 125 - Yesterdays Lettuce Tomorrows Leader

This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

18th October 1985: Nintendo releases the Nintendo Entertainment System (NES) in New York and limited other North American markets. An immediate hit, Nintendo released the system nationwide in February 1986. Along with the NES, Nintendo released eighteen games that day, including: 10-Yard Fight, Baseball, Clu Clu Land, Donkey Kong Jr. Math, Duck Hunt, Excitebike, Golf, Gyromite, Hogan’s Alley, Ice Climber, Kung Fu, Mach Rider, Pinball, Stack-Up, Tennis, Wild Gunman, Wrecking Crew, and Super Mario Bros.

14th October 1977: Atari releases their Video Computer System (known as the VCS and later as the Atari 2600). It took two years for the VCS to gain traction, but by 1979 it was the best selling gift of the Christmas season. Once it was established, the Atari VCS took the market by storm, popularized home video gaming, and helped cement the video game movement into mainstream culture.

18th October 1958: William Higinbotham and Robert Dvorak, Sr. show off a tennis simulator game they called Tennis for Two. Developed on a Donner Model 30 analog computer using an oscilloscope, it is the first known electronic game to use a graphical display. Higinbotham and Dvorak developed the game to show off to visitors to the Brookhaven National Laboratory where they worked. The game was only shown off twice, during the laboratory’s annual visitor’s day. While hundreds of visitors lined up to play the game when it was made available, little was known about the game for decades. While somewhat similar in gameplay to the later hit Pong, there is no known direct relationship between the games.

14th October 1957: British Computer Society is Founded. October 14 is the anniversary of the British Computer Society (BCS), founded in 1957. The BCS is one of the several international societies that have an affiliate membership relationship with the IEEE Computer Society. Since 1984 BCS has operated under a Royal Charter which requires it to: "...promote the study and practice of Computing and to advance knowledge therein for the benefit of the public."

Rant of the Week
The Black Market for Blue Checks

Billy Big Balls of the Week
Inside the messy fight between Meta and The Wire
Earlier this year, a new source reached out to journalists at the nonprofit Indian news site The Wire with a tantalizing offer. The source worked at Meta, they told the publication, and wished to share information about the company’s internal workings with reporters.
The Wire met with the source, who sought to verify their identity by providing reporter Jahnavi Sen with documents including their work badge and pay slips. Many conversations followed, Sen told Platformer in an interview, and by the fall The Wire trusted the source enough to turn to them while investigating a potential story: the suspicious removal of seven Instagram posts satirizing an official in India’s right-wing government.
Meta issued a strong denial to the resulting story, which claimed that the company had given a high-ranking official in the ruling Bharatiya Janata Party the ability to remove Instagram posts at will. What followed has been one of the strangest tech journalism stories in recent memory: The Wire gradually releasing more information about its sources and methods in reporting the story, and Meta leveling unheard-of accusations — supported with evidence — that the documents underpinning the publication’s stories appear to be fabricated.

Industry News
Hackney Council Ransomware Attack Cost £12m+ https://drive.google.com/file/d/1g30UrPyEP5YK6HuUtApXHe2MNyseOcM5/view
Spanish Police Bust Region's "Biggest Narco Bank"
Amazon Customers Receive Smishing Warning After Receiving Fake Texts
Wine Merchant Among Aussie Firms Breached, Exposing Millions
European Police Catch Suspected Car Hackers
Digital Natives Are Undermining Corporate Security
Moola Market Reveals $9m Crypto Exploit
NSA Cybersecurity Director's Six Takeaways From the War in Ukraine
Microsoft Misconfiguration Exposes Customer Data

Tweet of the Week
https://twitter.com/chetdorn/status/1582457548484931587

Thom's holiday snaps
https://adobe.ly/3EQoxTs

Come on! Like and bloody well subscribe!
Oct 14, 2022 • 37min

Episode 124 - Andy... Andy...? ANDY...!

This week in InfoSec
October 12 1988 (a mere 34 years ago): Hailed by Steve Jobs as a computer “five years ahead of its time”, NeXT, Inc. introduces their NeXT Computer. Due to its cube-shaped case, the computer was often referred to as “The Cube” or “The NeXT Cube”, which led to the subsequent model officially being named “NeXTcube“. The new computer introduced several innovations to personal computers, such as including an optical storage disk drive, a built-in digital signal processor for voice recognition, and an object-oriented development environment that was truly years ahead of its time.
While not a commercial success, the NeXT Computer and the technology developed for it have a long and storied history. Tim Berners-Lee developed the first world wide web server and web browser on a NeXT computer, crediting the NeXT development tools for allowing him to rapidly develop the now ubiquitous Internet system. After Apple purchased NeXT in 1997, they used the operating system of the NeXT computers to form the base of Mac OS X. Eventually Apple’s iOS, which runs the iPhone and iPad, was itself based upon Mac OS X and hence draws its lineage to NeXT. Finally, the object-oriented development environment that Berners-Lee used to create the World Wide Web is the forerunner of the development environment that today’s programmers use to develop iPhone and iPad apps. If it wasn’t for the NeXT Computer back in 1988, Thom may not have his iPhone 14 Pro Max today.
RANT of the Week
https://www.infosecurity-magazine.com/news/claroty-found-cryptographic-keys/
Claroty Found Hardcoded Cryptographic Keys in Siemens PLCs Using RCE
Team82, the research arm of New York-based industrial cybersecurity firm Claroty, revealed on October 11, 2022, that they managed to extract heavily guarded, hardcoded cryptographic keys embedded within SIMATIC S7-1200/1500s, a range of Siemens programmable logic controllers (PLCs), and TIA Portal, Siemens’ automated engineering software platform.
They deployed a new remote code execution (RCE) technique targeting the central processing units (CPUs) of SIMATIC S7-1200 and S7-1500 PLCs, for which they used a vulnerability uncovered in previous research on Siemens PLCs (CVE-2020-15782) that enabled them to bypass native memory protections on the PLC and gain read/write privileges.
They were able not only to extract the internal, heavily guarded private key used across the Siemens product lines, but also to implement the full protocol stack and to encrypt and decrypt protected communications and configurations.
“An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access-level protections. [They] could [also] use this secret information to compromise the entire SIMATIC S7-1200/1500 product line in an irreparable way,” Team82 warned in the research paper.
CVE-2022-38465 has been assigned to the new vulnerability found by Team82, and given a CVSS v3 score of 9.3.
Team82 disclosed all technical information to Siemens, which released new versions of the affected PLCs and engineering workstation that address this vulnerability, urging users to move to current versions. In its advisory, Siemens also provided a series of key protection updates, workarounds and mitigations.
This disclosure has led to the introduction of a new TLS management system in TIA Portal v17, ensuring that configuration data and communications between Siemens PLCs and engineering workstations are encrypted and confidential.

Billy Big Balls of the Week
https://www.bleepingcomputer.com/news/security/police-arrest-teen-for-using-leaked-optus-data-to-extort-victims/
Police arrest teen for using leaked Optus data to extort victims
The Australian Federal Police (AFP) have arrested a 19-year-old in Sydney for allegedly using leaked Optus customer data for extortion.
More specifically, the suspect used 10,200 records leaked last month by the Optus hackers and contacted victims over SMS to threaten that their data would be sold to other hackers unless they paid AUD 2,000 ($1,300) within two days.
The scammer used a Commonwealth Bank of Australia account to receive the ransom money. The AFP identified the account and obtained from the bank information about the holder.
According to the AFP, the arrested young man allegedly sent blackmailing messages to 93 individuals whose personal information was exposed in the Optus data leak. None of them paid the ransom, though.
The suspect now faces charges for:
Using a telecommunication network with the intent to commit a serious offence (blackmail), contrary to section 474.14(2) of the Criminal Code Act 1995 (Cth), punishable by up to 10 years of imprisonment
Dealing with identification information, contrary to section 192K of the Crimes Act 1900 (NSW), punishable by a maximum of 7 years in prison
The hackers behind the Optus breach have not been identified, but the AFP's investigation is still underway as part of "Operation Hurricane."
"The Hurricane investigation is a high priority for the AFP, and we are aggressively pursuing all lines of inquiry to identify those behind this attack," stated Assistant Commissioner Gough.
Announcing the international operation was apparently enough to discourage the threat actors from continuing their extortion, even leading to them declaring that all data stolen from Optus had been deleted.
Two days ago, Optus published an update on the results of its ongoing internal investigation, confirming that 9.8 million customers were variably impacted, and 2.1 million of them had their government ID numbers compromised.
Many of these people will need new IDs issued now. The Australian government is demanding that Optus cover the costs of this process.

Industry News
Lloyd's of London cuts off network after dodgy activity detected
Malicious WhatsApp Mod Spotted Infecting Android Devices
Chinese APT WIP19 Targets IT Service Providers and Telcos
Budworm Espionage Group Returns, Targets US State Legislature
IP Cameras, VoIP and Video Conferencing Revealed as Riskiest IoT Devices
UK Government Urges Action to Enhance Supply Chain Security
Singtel's Australian IT Firm Dialog Suffers Data Breach
#DTX2022: Cyber Needs to Redress the Defensive-Offensive Balance Following Russia-Ukraine
Lloyd's of London says no evidence found of data compromise from cyberattack

Tweet of the Week
https://twitter.com/SwiftOnSecurity/status/1579575774784688128

Come on! Like and bloody well subscribe!
Oct 7, 2022 • 36min

Episode 123 - Incident Adjacent

From @HostUnknownTV

This week in Infosec
2nd October 1998: BUTTSniffer Beta 0.9 was released by Cult of the Dead Cow. Developed by DilDog. The big question is "When can we expect the long-awaited version 1.0 release?" 24 years is kind of a long wait.
https://twitter.com/todayininfosec/status/1312179619659874305

3rd October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress one person in the IT department was at fault.
https://twitter.com/todayininfosec/status/1312589059559170050

Billy Big Ranty Balls Tweet of the Week
Former Uber CSO convicted for covering up massive 2016 data theft
Joe Sullivan, Uber's former chief security officer, has been found guilty of illegally covering up the theft of Uber drivers and customers' personal information.
Sullivan, previously a cybercrime prosecutor for the US Department of Justice, was charged two years ago with obstruction of justice and misprision – concealing a felony from law enforcement. He was convicted on both counts today.
On November 21, 2017, Uber CEO Dara Khosrowshahi issued a statement acknowledging that in late 2016, miscreants had broken into the app giant's infrastructure and made off with 57 million customer and driver records. Sullivan and Craig Clark, legal director of security and law enforcement, were fired as a result.
Sullivan, according to court documents, learned of the theft in November 2016, about ten days after he had provided testimony to the US Federal Trade Commission about a 2014 cyberattack on Uber. Concerned that another data security breach would harm the company, Sullivan tried to cover up the 2016 heist by passing off a ransom payment, made to the thieves to recover the data, as a bug bounty award.

Industry News
T: Kardashian Charged by SEC After Crypto Post
A: Malicious Tor Browser Installers Spread Via Darknet Video on YouTube
J: New Initiative Aims to Strengthen UK's Nuclear Cybersecurity Posture
T: Landmark US-UK Data Access Agreement Begins
A: Ransomware Group Bypasses "Enormous" Range of EDR Tools
J: Australia's Data Breaches Continue With Telstra's Third-Party Supplier Hacked
T: Retailer Easylife Fined £1.5m for Data Protection Breaches
A: US Healthcare Giant CommonSpirit Hit by Possible Ransomware
J: Uber's Former Security Chief Convicted of 2016 Data Breach Cover-Up

Tweet of the Week:
https://twitter.com/HackingDave/status/1578064952400781316

Come on! Like and bloody well subscribe!
Sep 30, 2022 • 38min

Episode 122 - Dedicated to our friend Javvad

This week in InfoSec (06:37)
With content liberated from the “today in infosec” twitter account and further afield

27th September, 1998: For some peculiar reason, Google has at times chosen the date of September 27th as their birthday, even though it is more officially September 4th or 7th. Google has no explanation for celebrating their birthday on different days over the years other than to say: "Google opened its doors in September 1998. The exact date when we celebrate our birthday has moved around over the years, depending on when people feel like having cake."

27th September 1997: Just a little over two weeks after naming Steve Jobs interim CEO, Apple launches their “Think Different” ad campaign. Designed to reintroduce the Apple brand, the campaign was nearly universally praised by the press, general public, and advertising industry, winning several awards along the way. Looking back in context, Think Different was the symbolic start of Apple’s resurgence from near-collapse in the 1990’s into the most valuable company in the world.

27th September 1996: Hacker Mitnick Indicted on Charges. Kevin Mitnick, 33, was indicted on charges resulting from a 2 ½-year hacking spree. Police accused the hacker, who called himself "Condor," of stealing software worth millions of dollars from major computer corporations. The maximum possible sentence for his crimes was 200 years.

Rant of the Week (12:07)
Microsoft warns of North Korean crew posing as LinkedIn recruiters
Microsoft has claimed a North Korean crew poses as LinkedIn recruiters to distribute poisoned versions of open source software packages.
The state-sponsored group has been around since 2009 and was allegedly behind the 2014 attack on Sony Pictures in retaliation for the controversial Seth Rogen comedy The Interview.
Dubbed "ZINC", the threat actors have previously run long-term phishing schemes targeting media, defence and aerospace, and IT services organizations in the US, UK, India, and Russia.

Billy Big Balls of the Week (20:28)
Ever suspected bankers could just use WhatsApp comms? $1.8b says you're right
Ever given a colleague a quick Signal call so you can sidestep a monitored workplace app? Well, we'd hope you're not in a highly regulated industry like staff at eleven of the world's most powerful financial firms, who yesterday were fined nearly $2 billion for off-channel comms.

Industry News (26:50)
Ransomware Affiliates Adopt Data Destruction
ReasonLabs Unveils Multimillion Dollar Global Credit Card Scam
Fitbit Increases Security Requirements, Mandates Google Login From 2023
Alleged Optus Hacker Apologizes, Deletes Customers' Exposed Data
ICO Reprimands UK Organizations for GDPR Failings
Hacker Breaches Fast Company Apple News Account, Sends Racist Messages
IRS Warns of "Industrial Scale" Smishing Surge
Mobile, Cloud and Email Are Top Threat Vectors For 2023
LeakBase: India Swachhata Platform Breached, 16 Million User PII Records Exposed

Tweet of the Week (34:45)
https://twitter.com/inversecos/status/1575606074635214848

Come on! Like and bloody well subscribe!
Sep 16, 2022 • 50min

Episode 121 - The Live One

This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

9th September 1947: An error in the Mark II computer at Harvard University was due to a moth trapped in a relay. The moth was attached to the log book with the notation "first actual case of bug being found."
https://twitter.com/todayininfosec/status/1303717480423133186

11th September 1992: The movie "Sneakers" was released. With a budget of $35 million, it grossed $105 million at the box office. A hacker movie classic! Bishop, Whistler, Cosmo, and Mother!
https://twitter.com/todayininfosec/status/1304574876922019841
Sneakers IMDB

Rant of the Week
Google and Meta fined over $70m for privacy violations in Korea
South Korea's Personal Information Protection Commission (PIPC) has issued two large fines for privacy violations: a $50 million penalty for Google and $22 million for Meta.
The PIPC's beef is that neither Google nor Meta properly obtains consent or informs users on how they collect and use data, particularly with regards to behavioural information used to predict interests for marketing and advertising purposes.
The data watchdog claims Google hides the settings screen to agree or disagree to collection methods and sets the default to "agree", while Meta only asks for agreement when a user creates an account and does so in unclear ways.

AND / OR

A surveillance artist shows how Instagram magic is made
When traveller Daniele Brito posed in front of the Temple Bar in Dublin, Ireland in late August, she likely didn’t realize the camera was watching her.
Yes, there was the one pointed at her, capturing a photograph that would later be shared to Brito’s more than 2,700 followers on Instagram. But there was at least one other one observing her: a surveillance camera stationed on the corner opposite the bar.
The Follower
The Machine

Billy Big Balls of the Week
Chess player denies using anal beads to cheat in match against world champion: ‘This is not a joke’
A chess underdog who unexpectedly beat a champion player has been accused of using anal beads to cheat his way to victory.
Yes, we know – you probably never expected to see “chess” and “anal beads” in the same sentence, but here we are.
The furore kicked off when Norwegian chess champion Magnus Carlsen announced he was withdrawing from the Sinquefield Cup, a lucrative tournament which attracts some of the world’s best chess players.
Carlsen posted on Twitter to say he was leaving the tournament, but gave no explanation why.
The Hans Niemann story from reddit
Chess player Hans Niemann denies using sex toy to help him beat grand champion
Vibrating Butt Toys Are Exactly What Chess Needs

Industry News
Cops Raid Suspected Fraudster Penthouses
US Treasury Sanctions Iranian Minister Over Hacking of Govt and Allies
Hackers Steal Steam Credentials With 'Browser-in-the-Browser' Technique
iOS 16 Launches With Lockdown Mode, Spyware Protection, Safety Check
Vulnerabilities Found in Airplane WiFi Devices, Passengers' Data Exposed
Cybercrime Forum Admins Steal from Site Users
User Alert as Phishing Campaigns Exploit Queen's Passing
YouTube Users Targeted By RedLine Self-Spreading Stealer
Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence

Tweet of the Week
https://twitter.com/SecurityAura/status/1570232260485386242

The Joseph Carson Talk Tweet Thread
https://twitter.com/J4vv4D/status/1569704538252214274?s=20

Come on! Like and bloody well subscribe!
Sep 9, 2022 • 48min

Episode 120 - The End of an Era

This week in InfoSecWith content liberated from the “today in infosec” twitter account and further afield6th September 2011: Luis Mijangos received a 6 year prison sentence. His crimes included sextortion, stealing financial info, and webcam monitoring. California's "Sextortion" Hacker Sentenced to Prisonhttps://twitter.com/todayininfosec/status/13027700884712980493rd September 1995: The online auction site, eBay, is launched as “AuctionWeb” by Pierre Omidyar. The first item sold, a broken laser pointer, wasn’t actually intended to sell, but rather to test the new site, itself started as a hobby. Surprised that the item sold for $14.83, Omidyar contacted the buyer to make sure he knew the laser pointer was broken, to which was replied, “I’m a collector of broken laser pointers.” From that first $14.83, Omidyar is now worth billions of dollars. Rant of the WeekHalfords slapped on wrist for breaching email marketing lawsBike and car accessory retailer Halfords has found itself in the wrong lane with Britain’s data watchdog for sending hundreds of thousands of unsolicited marketing emails to members of the public.According to the Information Commissioner’s Office, it fined the business £30,000 for dispatching 498,179 messages to folk that hadn’t provided consent - equating to a £0.06 penalty per each email.The decision relates to a direct marketing mailer that Halfords sent electronically on July 28, 2020 concerning a ‘Fix Your Bike’ government voucher scheme. This gave recipients up to £50 toward the cost of repairing a cycle in any approved retailer in the UK.Unsurprisingly, Halfords' marketing email urged the individuals to book a free bike assessment and redeem their voucher in store, meaning this was marketing designed to generate income for the company. As such, the advertising of the service meant Halfords couldn’t rely on ‘legitimate interest’ to send the mail, which the ICO said it had done. 
Billy Big Balls of the Week
How the ‘man in black’ was exposed by the Russian women he terrorised
A Russian police officer's takeaway food order was the breakthrough clue which helped a group of women, who had been terrorised by him, reveal his true identity. The women, mostly aged between 19 and 25, had attended a rally in Moscow in March against Russia's invasion of Ukraine. They were quickly rounded up by officers and put in the back of a police van.
Most of them didn't know each other, but despite the circumstances the atmosphere was upbeat. They even set up a Telegram group chat as they travelled across the city to Brateyevo police station.
What happened next was far worse than they anticipated.
Over the next six hours they suffered verbal and physical abuse that, in some cases, amounted to torture - one woman says she was repeatedly starved of oxygen when a plastic bag was put over her head.
The abuse was carried out by the same unnamed plain-clothes officer - tall, athletic, dressed in a black polo neck. In their group chat, they gave him the nickname the "man in black".
Two of the women, Marina and Alexandra, secretly recorded audio on their phones. In one, the officer can be heard shouting about his "total impunity".
But if his aim was to intimidate them into silence, he would fail.

Industry News
KeyBank's Customer Information Stolen By Hackers Via Third-party Provider
London's Biggest Bus Operator Hit by Cyber "Incident"
Meta Fined $400m in Ireland For Children's Privacy Breach
Interpol Busts Asian Sextortion Syndicate
UK Privacy Regulator Fines Halfords for Spam Deluge
InterContinental Hotels Confirms Cyber-Attack After Two-Day Outage
NATO-Member Albania Cut Ties With Iran Over Cyber-Attack
The North Face Warns of Major Credential Stuffing Campaign
Researchers Reveal New Iranian Threat Group APT42

Tweet of the Week
https://twitter.com/SwiftOnSecurity/status/1567378788991868928
https://twitter.com/ememess/status/1567544425869606913

Come on! Like and bloody well subscribe!
Sep 2, 2022 • 48min

Episode 119 - Andy Who?

This week in InfoSec (09:07)
With content liberated from the “today in infosec” twitter account and further afield

30th August 1999: The previously unknown group Hackers Unite claimed responsibility for disclosing a vulnerability in Hotmail that granted access to all of its roughly 50 million users' email accounts. 13 years later Microsoft rebranded Hotmail, renaming it Outlook.
Hotmail Hackers: 'We Did It'
https://twitter.com/todayininfosec/status/1300212717656121344

31st August 2014: A user of the message board 4chan posted leaked photos of actress Jennifer Lawrence and numerous other celebrities.
Jennifer Lawrence and Other Celebs Hacked as Nude Photos Circulate on the Web
https://twitter.com/todayininfosec/status/1300537361676283905

Rant of the Week (20:21)
Here's how 5 mobile banking apps put 300,000 users' digital fingerprints at risk
Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.
Symantec's Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in AWS credentials. That means if someone were to look inside the apps, they would have found the credentials in the code, and could potentially have used that to access the apps' backend Amazon-hosted servers and steal users' data. The vast majority (98 percent) were iOS apps.
In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.

Billy Big Balls of the Week (28:45)
Twitter starts testing an edit button, but you have to pay for it
Twitter is now testing its highly requested Edit Tweet feature. After years of memes and jokes, editable tweets will be available to some Twitter Blue subscribers later this month.
The feature is currently undergoing “internal testing” and appears to mimic Facebook in its edit style, with a linked edit history for tweets that we saw in leaks earlier this year.
“Tweets will be able to be edited a few times in the 30 minutes following their publication,” according to a Twitter blog post. “Edited Tweets will appear with an icon, timestamp, and label so it’s clear to readers that the original Tweet has been modified.”

Industry News (36:45)
Cryptominer Disguised as Google Translate Targeted 11 Countries
Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack
ICO Pursues Traffic Accident Data Thieves
UK Imposes Tough New Cybersecurity Rules for Telecom Providers
Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests
Golang-based Malware Campaign Relies on James Webb Telescope's Image
Microsoft Finds Account Takeover Bug in TikTok
Standards Body Publishes Guidelines for IoT Security Testing
Apple Releases Update for iOS 12 to Patch Exploited Vulnerability

Tweet of the Week (43:42)
https://twitter.com/SunTzuCyber/status/1565192484380188672

Come on! Like and bloody well subscribe!
