The Host Unknown Podcast
Host Unknown, Javvad Malik, Andrew Agnes, Thom Langford
Host Unknown is the unholy alliance of the old, the new and the rockstars of the infosec industry in an internet-based show that tries to care about issues in our industry. It regularly fails.
With presenters that have an inflated opinion of their own worth and a production team with a pathological dislike of them (or “meat puppets” as it often refers to them), it is with a combination of luck and utter lack of good judgement that a show is ever produced and released.
Host Unknown is available for sponsorship, conferences, other web shows or indeed anything that pays a little bit of money to keep the debt collectors away. You can contact them at contact@hostunknown.tv for details
Episodes
Aug 26, 2022 • 42min
Episode 118 - We should have taken a summer holiday
This week in InfoSec (The one and only):

23rd August 2006: SpoofCard confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard said it had implemented controls to prevent recurrences.
Paris Hilton: Master Hacker?
https://twitter.com/todayininfosec/status/1297213638059728896

26th August 2008: It was reported that a laptop on the International Space Station was infected by removable media containing the W32.Gammima.AG worm.
Space. Where you don't want to be dealing with malware.
Malware detected at the International Space Station
https://twitter.com/todayininfosec/status/1298690676448735232

Rant of the Week:
Block sued after ex-staffer siphons customer data

Block – the digital payments giant formerly known as Square – faces allegations it failed to take adequate measures to protect customers' personal information.

A lawsuit, filed Tuesday in a federal district in Oakland, California, on behalf of two users of Cash App, operated by Block subsidiary Cash App Investing, claims the company failed to implement reasonable security. As a result, a former employee was able to download internal reports containing personal information after leaving the firm.

Coincidentally, Twitter – another venture co-founded by Block Head Jack Dorsey – was accused of subpar security by its former security chief in a recent whistleblower complaint.

Block disclosed the December 10, 2021 data theft on April 4, 2022, and stated it was contacting 8.2 million current and former customers about the privacy snafu. The biz said, "a former employee downloaded certain reports of its subsidiary Cash App Investing LLC … that contained some US customer information."

The employee had access to those reports while employed but in this instance downloaded the files after leaving the company. The data obtained included customers' full name and brokerage account numbers, and in some cases, brokerage portfolio values, brokerage portfolio holdings and/or stock trading activity for one trading day.

As far as the litigants are concerned, Block didn't meet its security obligations, failed to notify customers in a timely manner, provided too little information about the incident, and failed to offer credit or identity monitoring services.

Billy Big Balls:
Lloyd's to exclude certain nation-state attacks from cyber insurance policies

Lloyd's of London insurance policies will stop covering losses from certain nation-state cyber attacks and those that happen during wars, beginning in seven months' time.

In a memo sent to the company's 76-plus insurance syndicates, underwriting director Tony Chaudhry said Lloyd's remains "strongly supportive" of cyber attack coverage. However, as these threats continue to grow, they may "expose the market to systemic risks that syndicates could struggle to manage," he added [PDF], noting that nation-state-sponsored attacks are particularly costly to cover.

Because of this, all standalone cyber attack policies must include "a suitable clause excluding liability for losses arising from any state-backed cyberattack," Chaudhry wrote. These changes will take effect beginning March 31, 2023 at the inception or renewal of each policy.

At a minimum – key word: minimum – these policies must exclude losses arising from a war, whether declared or not, if the policy doesn't already have a separate war exclusion. They must also at least exclude losses from nation-state cyber attacks that "significantly impair the ability of a state to function or that significantly impair the security capabilities of a state."

Industry News:
Counterfeit Android Devices Revealed to Contain Backdoor Designed to Hack WhatsApp
Ex-Security Chief Accuses Twitter of Cybersecurity Negligence
Facebook Bug Causes Users’ Feeds to Be Spammed
Plex Suffers Data Breach, Warns Users to Reset Passwords
Scammers Create 'AI Hologram' of C-Suite Crypto Exec
Workplace Stress Worse than Cyber-Attack Fears for Security Pros
US Firm Pays $16m to Settle Healthcare Fraud Claims
Talos Renews Cybersecurity Support For Ukraine on Independence Day
Microsoft Attributes New Post-Compromise Capability to Nobelium

Tweet of the Week:
https://twitter.com/J4vv4D/status/1562775110544949248?s=20
Come on! Like and bloody well subscribe!

Aug 19, 2022 • 48min
Episode 117 - Now With Trigger Warnings
This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

18th August 2003: The Nachi worm began infecting Windows computers to remove the Blaster worm and patch the vulnerability Nachi and Blaster exploited. Yes, you read that right. Yes, this happened. Gotta love it!
https://twitter.com/todayininfosec/status/1163142725740331008

17th August 2007: Drew Curtis, founder of Fark.com, accused Darrell Phillips, reporter at Fox13, of hacking into the social networking news site.
On getting farked?
https://twitter.com/todayininfosec/status/1162868155015761920

Rant of the Week
PC store told it can't claim full cyber-crime insurance after social-engineering attack

A Minnesota computer store suing its crime insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.

SJ Computers alleged in a November lawsuit [PDF] that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.

According to its website, SJ Computers is a Microsoft Authorized Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.

Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted [PDF] with prejudice last Friday.

Billy Big Balls of the Week
Janet Jackson music video declared a cybersecurity exploit

The music video for Janet Jackson's 1989 pop hit Rhythm Nation has been recognized as a cybersecurity vulnerability after Microsoft reported it can crash old laptop computers.

"A colleague of mine shared a story from Windows XP product support," wrote Microsoft blogger Raymond Chen.

The story detailed how "a major computer manufacturer discovered that playing the music video for Janet Jackson's Rhythm Nation would crash certain models of laptops."

Further investigation revealed that multiple manufacturers' machines also crashed. Sometimes playing the video on one laptop would crash another nearby laptop. This is mysterious because the song isn't actually that bad.

Investigation revealed that all the crashing laptops shared the same 5400 RPM hard disk drive.

"It turns out that the song contained one of the natural resonant frequencies for the model of 5400 RPM laptop hard drives that they and other manufacturers used," Chen wrote.

The manufacturer that found the problem apparently added a custom filter in the audio pipeline to detect and remove the offending frequencies during audio playback.

CVE-2022-38392

Industry News
Critical Infrastructure at Risk as Thousands of VNC Instances Exposed
Three Extradited from UK to US on $5m BEC Charges
Software Patches Flaw on macOS Could Let Hackers Bypass All Security Levels
Water Company Says Supply Safe After Ransom Group Claims
Microsoft Disrupts Russian Cyber-Espionage Group Seaborgium
Healthcare Provider Issues Warning After Tracking Pixels Leak Patient Data
Bug Bounty Giant Slams Quality of Vendor Patching
Suspected Russian Money Launderer Extradited to US
Hackers Deploy Bumblebee Loader to Breach Target Networks

Tweet of the Week
https://twitter.com/dildog/status/1560025574437015553
Come on! Like and bloody well subscribe!

Aug 12, 2022 • 51min
Episode 116 - Thom Can't Work The Buttons
This Week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

10th August 1988: 34 years ago today, Dade Murphy aka Zero Cool crashed 1507 computers, causing a 7 point drop in the NY stock exchange. He was 11 and his family was fined $45,000. He was banned from touching a computer until he turned 18.
https://twitter.com/hakluke/status/1557242086423871488

6th August 2014: A hacker announced the theft of 40 GB of data from the maker of FinFisher spyware, then leaked the price list, client list, and more.
A Hacker Claims to Have Leaked 40GB of Docs on Government Spy Tool FinFisher
Top gov't spyware company hacked; Gamma's FinFisher leaked
https://twitter.com/todayininfosec/status/1158956449248108544

11th August 2015: A day after Oracle CSO Mary Ann Davidson posted a blog titled "No, You Really Can’t", security community blowback caused Oracle to remove the post.
No, you really can’t (Wayback Machine)
Oracle has this Modest Proposal, via its CSO
https://twitter.com/todayininfosec/status/1293374259637768194

Rant of the Week
Meta's chatbot says the company 'exploits people'

Meta's new prototype chatbot has told the BBC that Mark Zuckerberg exploits its users for money.

Meta says the chatbot uses artificial intelligence and can chat on "nearly any topic".

Asked what the chatbot thought of the company's CEO and founder, it replied "our country is divided and he didn't help that at all".

Meta said the chatbot was a prototype and might produce rude or offensive answers.

"Everyone who uses Blender Bot is required to acknowledge they understand it's for research and entertainment purposes only, that it can make untrue or offensive statements, and that they agree to not intentionally trigger the bot to make offensive statements," said a Meta spokesperson.

The chatbot, called BlenderBot 3, was released to the public on Friday.

The programme "learns" from large amounts of publicly available language data.

Billy Big Balls of the Week
Background: Twilio discloses data breach after SMS phishing attack on employees

"On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials," Twilio said over the weekend.

"The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data."

The company also revealed the attackers gained access to its systems after tricking and stealing credentials from multiple employees targeted in the phishing incident.

To do that, they impersonated Twilio's IT department, asking them to click URLs containing "Twilio," "Okta," and "SSO" keywords that would redirect them to a Twilio sign-in page clone.

The SMS phishing messages baited Twilio's employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed.

BBB: Cloudflare: Someone tried to pull the Twilio phishing tactic on us too.

Cloudflare says it was subject to a similar attack to one made on comms company Twilio last week, but in this case it was thwarted by hardware security keys that are required to access applications and services.

Twilio reported a breach after employees received phishing text messages claiming to be from the company's IT department. These fooled them into logging into a fake web page designed to look like Twilio's own sign-in page, using pretexts such as claiming they needed to change their passwords. The attackers were then able to use credentials supplied by the victims to log into the real site.

According to Cloudflare, it recorded a very similar incident late last month, which could suggest the two attacks may have originated from the same attacker or group.

Detailing the incident on its blog, the content delivery network claimed that no Cloudflare systems were compromised, but said it was "a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached."

Industry News
Meta Takes Action Against Cyber Espionage Operations Targeting Facebook in South Asia
Number of Firms Unable to Access Cyber-Insurance Set to Double
Smishing Attack Led to Major Twilio Breach
Health Adviser Fined After Illegally Accessing Medical Records
US Treasury Sanctions Virtual Currency Mixer For Connections With Lazarus Group
Predator Pleads Guilty After Targeting Thousands of Girls Online
Cyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports
DeathStalker's VileRAT Continues to Target Foreign and Crypto Exchanges
Suspected $3m Romance Scammer Extradited to Japan

Tweet of the Week
https://twitter.com/mttaggart/status/1557399523575508993
Come on! Like and bloody well subscribe!

Aug 5, 2022 • 44min
Episode 115 - We're All Going On a Summer Holiday
This week in InfoSec (9:23)
With content liberated from the “today in infosec” twitter account and further afield

29th July 1985: An article in the New York Times cited multiple experts who alleged the vote counting systems of Computer Election Systems are vulnerable to tampering.
Yep. Election systems vulnerabilities aren't a new phenomenon. Not even close.
COMPUTERIZED SYSTEMS FOR VOTING SEEN AS VULNERABLE TO TAMPERING
https://twitter.com/todayininfosec/status/1156078284603416582

30th July 2013: Chelsea Manning was found guilty of espionage, theft, and computer fraud, as well as military infractions.
United States v. Manning
https://twitter.com/todayininfosec/status/1288925289465208834

6th August 1997: Microsoft Buys $150M of Apple stock. In an effort to help save Apple Computer and possibly deflect criticism in its own anti-trust trial, Microsoft Corp. buys $150 million in shares of Apple Computer Inc. Apple, which had been struggling to find direction and profits for years, agreed to the boost in funding with terms that dictated cooperation in the design of computers as well as shared patents. Microsoft agreed to continue supporting MS-Office for the Mac for another five years as well.

Rant of the Week (18:11)
India scraps data protection law in favor of better law coming … sometime

The government of India has scrapped the Personal Data Protection Bill it's worked on for three years, and announced it will – eventually – unveil a superior bill.

The bill, proposed in 2019, would have enabled the government to gather user data from companies while regulating cross-border data flows. It also included restrictions on sharing of personal data without explicit consent, proposed establishment of a new Data Protection Authority within the government, and more.

On Wednesday, telecom minister Ashwini Vaishnaw tweeted that the bill was nixed because the Joint Committee of Parliament (JCP) recommended 81 amendments to the Bill's 99 sections.

"Therefore the bill has been withdrawn and a new bill will be presented for public consultation," said Vaishnaw.

and...

UK Parliament bins its TikTok account over China surveillance fears
Plan to educate the children turned out to be a 'won't someone think of the children?' moment

The UK's Parliament has ended its presence on TikTok after MPs pointed out the made-in-China social media service probably sends data about its users back to Beijing.

The existence of the account saw half a dozen MPs write to the presiding officers of the Houses of Lords and Commons — Lord McFall of Alcluith and Sir Lindsay Hoyle, respectively — to ask for the account to be discontinued.

"While efforts made to engage young people in the history and functioning of parliament should always be welcomed, we cannot and should not legitimise the use of an app which has been described by tech experts as 'essentially Chinese government spyware'," wrote MPs Nusrat Ghani, Tim Loughton, Sir Iain Duncan Smith, Tom Tugendhat, plus Lord Alton of Liverpool and Baroness Kennedy of the Shaws.

Billy Big Balls of the Week (26:21)
Ex-T-Mobile US store owner phished staff, raked in $25m from unlocking phones

A now-former T-Mobile US store owner stole at least 50 employees' work credentials to run a phone unlocking and unblocking service that prosecutors said netted $25 million.

Argishti Khudaverdyan, 44, of Burbank, California, was found guilty of 14 criminal charges [PDF] by a US federal jury on Friday.

According to the Dept of Justice, Khudaverdyan co-owned a T-Mobile US store in Los Angeles, operating as a business called Top Tier Solutions, for about five months in 2017. T-Mo ended its contract with Khudaverdyan in June 2017 after being sketched out by his suspicious use of the carrier's computer system. It turned out he had been unlocking phones for customers without T-Mobile US's permission so that the devices could be used on different networks.

Even after the self-styled un-carrier gave him the boot, he continued his illicit scheme, advertising unlocking and unblocking services through brokers, email spam, and websites that Khudaverdyan and Gharehbagloo controlled, such as unlocks247[.]com and swiftunlocked[.]com.

Industry News (33:37)
UK’s Top 10 Universities Failing on DMARC
Thousands of Apps Leaking Twitter API Keys
LockBit Ransomware Exploits Windows Defender to Sideload Cobalt Strike Payload
Tory Leadership Voting Delayed Over Security Concerns
T-Mobile Retailer Guilty of $25m Fraud Scheme
Experts Warn of Fake Football Ticket Scams
Ukraine Shutters Major Russian Bot Farm
Users Still in the Dark Over $5m Theft From Blockchain Firm Solana
CREST and OWASP Partner on Verification Standard Program

Tweet of the Week (40:16)
https://twitter.com/AndrewMohawk/status/1555430194743111683?s=20
Come on! Like and bloody well subscribe!

Jul 29, 2022 • 48min
Episode 114 - BACK OFF THE MIC JAV!
This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

25th July 2007: The US Ninth Circuit Court of Appeals ruled that IP addresses and to/from email fields can be monitored without probable cause.
Appeals Court Rules No Privacy Interest in IP Addresses, Email To/From Fields
https://twitter.com/todayininfosec/status/1154791990397042688

29th July 2009: The first Security BSides conference was held in Las Vegas in a 3,767 square foot house.
http://www.securitybsides.com/w/page/50746315/BSidesHistory
https://twitter.com/todayininfosec/status/1156078833277128704

Rant of the Week
Hackers scan for vulnerabilities within 15 minutes of disclosure

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed.

According to Palo Alto's 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.

However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited.

"The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," reads a companion blog post.

Since scanning isn't particularly demanding, even low-skilled attackers can scan the internet for vulnerable endpoints and sell their findings on dark web markets where more capable hackers know how to exploit them.

Then, within hours, the first active exploitation attempts are observed, often hitting systems that never had the chance to patch.

Billy Big Balls of the Week
New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo

A new phishing as a service (PhaaS) platform named 'Robin Banks' has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services.

The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander.

Additionally, Robin Banks offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts.

According to a report by IronNet, whose analysts discovered the new phishing platform, Robin Banks is already being deployed in large-scale campaigns that started in mid-June, targeting victims via SMS and email.

LockBit 3.0 introduces the first ransomware bug bounty program

With the release of LockBit 3.0, the operation has introduced the first bug bounty program offered by a ransomware gang, asking security researchers to submit bug reports in return for rewards ranging between $1,000 and $1 million.

"We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million," reads the LockBit 3.0 bug bounty page.

However, this bug bounty program is a bit different than those commonly used by legitimate companies, as helping the criminal enterprise would be illegal in many countries.

Furthermore, LockBit is not only offering bounties for rewards on vulnerabilities but is also paying bounties for "brilliant ideas" on improving the ransomware operation and for doxxing the affiliate program manager.

The following are the various bug bounty categories offered by the LockBit 3.0 operation:

Web Site Bugs: XSS vulnerabilities, mysql injections, getting a shell to the site and more, will be paid depending on the severity of the bug, the main direction is to get a decryptor through bugs web site, as well as access to the history of correspondence with encrypted companies.

Locker Bugs: Any errors during encryption by lockers that lead to corrupted files or to the possibility of decrypting files without getting a decryptor.

Brilliant ideas: We pay for ideas, please write us how to improve our site and our software, the best ideas will be paid. What is so interesting about our competitors that we don't have?

Doxing: We pay exactly one million dollars, no more and no less, for doxing the affiliate program boss. Whether you're an FBI agent or a very clever hacker who knows how to find anyone, you can write us a TOX messenger, give us your boss's name, and get $1 million in bitcoin or monero for it.

TOX messenger: Vulnerabilities of TOX messenger that allow you to intercept correspondence, run malware, determine the IP address of the interlocutor and other interesting vulnerabilities.

Tor network: Any vulnerabilities which help to get the IP address of the server where the site is installed on the onion domain, as well as getting root access to our servers, followed by a database dump and onion domains.

The $1,000,000 reward for identifying the affiliate manager, known as LockBitSupp, was previously offered on the XSS hacking forum in April.

Industry News
No More Ransom Has Helped Over 1.5m Victims
US Doubles Reward for Info on North Korean Hackers
Criminals Use Malware as Messaging Bots to Steal Data
Cyber-Criminal Offers 5.4m Twitter Users’ Data
European Police Arrest 100 Suspects in BEC Crackdown
Social Media Accounts Hijacked to Post Indecent Images
Hackers Change Tactics for New Post-Macro Era
Ransomware Group Demands £500,000 From School
Spanish Police Arrest Alleged Radioactive Monitoring Hackers

Tweet of the Week
https://twitter.com/danielmakelley/status/1550884696355225601
Come on! Like and bloody well subscribe!

Jul 22, 2022 • 53min
Episode 113 - Did you hear That?
This week in InfoSec (10:25)
With content liberated from the “today in infosec” twitter account and further afield

17th July 1997: Major Disruption in Sending Most E-Mail Messages. A programming error temporarily threw the Internet into disarray in a preview of the difficulties that inevitably accompany a world dependent on e-mail, the World Wide Web, and other electronic communications. At 2:30 a.m. Eastern Daylight Time, a computer operator in Virginia ignored alarms on the computer that updated Internet address information, leading to problems at several other computers with similar responsibilities. The corruption meant most Internet addresses could not be accessed, resulting in millions of unsent e-mail messages.

15th July 1999: DilDog of Cult of the Dead Cow confirmed official Back Orifice 2000 CD-ROMs distributed during DEF CON 4 days prior were infected with the destructive CIH virus. Initially, cDc blamed pirated copies as the source, later discovering a duplicating machine had been infected.
https://twitter.com/todayininfosec/status/1283523195371282434

19th July 1985: Chase Manhattan Bank discovered a message in one of its computer systems from Lord Flathead. The message said that unless he was given free use of the computer, he would destroy records in the system.
Lord Flathead? He founded Myspace 18 years later!
https://www.nytimes.com/1985/10/19/business/chase-computer-raided-by-youths-officials.html
https://twitter.com/todayininfosec/status/1153507276629504006

Rant of the Week (16:28)
Secret Service gives thousands of documents to January 6 committee, but hasn't yet recovered potentially missing texts

(CNN) The US Secret Service produced an "initial set of documents" to the House select committee investigating the January 6, 2021, insurrection on Tuesday, in response to a subpoena last week that was issued amid reports of potentially missing text messages from the day of the insurrection.

However, Tuesday's document production didn't include any of the potentially missing texts from January 5 and 6, 2021, a Secret Service official told CNN. That's because the agency still has not been able to recover any records that were lost during a phone migration around that time, the official said.

“The USSS didn’t just delete texts after knowing they were evidence in a federal probe; it didn’t just lie about why/how the texts were deleted; the texts were so *professionally* deleted they can’t be recovered.”
https://twitter.com/SethAbramson/status/1549488007614529538

Billy Big Balls of the Week (24:07)
Glassdoor ordered to reveal identity of negative reviewers to New Zealand toymaker

A California court has ordered employer-rating site Glassdoor to hand over the identities of users who claimed they had negative experiences working for New Zealand toy giant Zuru.

In a decision that could prompt unease for online platforms that rely on anonymity to attract candid reviews, Glassdoor was ordered to provide the information so Zuru could undertake defamation proceedings against the reviewers in New Zealand.

Industry News (33:26)
TikTok Engaging in Excessive Data Collection
CISA Set to Open London Office
New MacOS Backdoor Communicates Via Public Cloud
DOJ Recovers $500K Paid to North Korean Ransomware Actors
Legal Experts Concerned Over New UK Digital Reform Bill
Romanian Man Accused of Distributing Gozi Virus Extradited to US
Unpatched Flaws in Popular GPS Devices Allow Adversaries to Disrupt and Track Vehicles
UK Regulator Issues Record Fines as Financial Crime Surges
Magecart Supply Chain Attacks Hit Hundreds of Restaurants

Tweet of the Week (45:58)
https://twitter.com/hela_luc/status/1549326122067890177
Come on! Like and bloody well subscribe!

Jul 15, 2022 • 43min
Episode 112 - We Love Our Intern
This Week in InfoSec (08:09)
With content liberated from the “today in infosec” twitter account and further afield

12th July 2008: NextGenHacker101 taught us "how to view someone's IP address and connection speed!" Tracer-tee! Naive? Troll? You decide. Painfully hilarious.
https://youtu.be/SXmv8quf_xM
https://twitter.com/todayininfosec/status/1414224928413454341

13th July 2001: Code Red Worms its Way into the Internet. The Code Red worm is released onto the Internet. Targeting Microsoft’s IIS web server, Code Red had a significant effect on the Internet due to the speed and efficiency of its spread. Much of this was due to the fact that IIS was often enabled by default on many installations of Windows NT and Windows 2000. However, Code Red also affected many other systems with web servers, mostly by way of side-effect, exacerbating the overall impact of the worm, ensuring its place in history among the many malware outbreaks infecting Windows systems in the late 1990’s and early 2000’s.

7th July 1936: A Whole New Way to Drive a Screw: Several US patents are issued for the Phillips-head screw and screwdriver to inventor Henry F. Phillips. Phillips founded the Phillips Screw Company to license his patents. One of the first customers was General Motors for its Cadillac assembly-lines. By 1940, 85% of U.S. screw manufacturers had a license for the design.

Rant of the Week (16:00)
BMW starts selling heated seat subscriptions for $18 a month

BMW is now selling subscriptions for heated seats in a number of countries — the latest example of the company’s adoption of microtransactions for high-end car features.

A monthly subscription to heat your BMW’s front seats costs roughly $18, with options to subscribe for a year ($180), three years ($300), or pay for “unlimited” access for $415.

It’s not clear exactly when BMW started offering this feature as a subscription, or in which countries, but a number of outlets this week reported spotting its launch in South Korea.

BMW has slowly been putting features behind subscriptions since 2020, and heated seats subs are now available in BMW’s digital stores in countries including the UK, Germany, New Zealand, and South Africa. It doesn’t, however, seem to be an option in the US — yet.

Billy Big Balls of the Week (26:48)
Hackers stole $620 million from Axie Infinity via fake job interviews

The hack that caused Axie Infinity losses of $620 million in crypto started with a fake job offer from North Korean hackers to one of the game’s developers.

The attack happened in March 2022 and pushed into the ground the then massively popular and quickly-growing game from Sky Mavis.

By April 2022, the FBI was able to link the attack to the Lazarus and APT38 hackers, two groups who are often involved in cryptocurrency heists for the North Korean government.

In a recent report from news publication on digital assets The Block, sources with knowledge about the attack said that the threat actors contacted staff at Sky Mavis over LinkedIn, posing as a company looking to hire them.

One senior engineer at Axie Infinity showed interest in the fake job offer, due to the very generous salary, and went through multiple rounds of interviews.

At one point, the engineer received a PDF file with details about the job. However, the document was the hackers' way into the Ronin systems - the Ethereum-linked sidechain that supports the Axie Infinity non-fungible token-based online video game.

The employee downloaded and opened the file on the company’s computer, initiating an infection chain that enabled the hackers to penetrate Ronin’s systems and corrupt four token validators and one Axie DAO validator.

Industry News (32:08)
Majority Want Limitations on Social Media Content
Spike in Amazon Prime Scams Expected
Aerojet Rocketdyne Pays $9m Settlement Over Whistleblower Allegations
Cyber Insurers Looking for New Risk Assessment Models
Microsoft Details How Phishing Campaign Bypassed MFA
HavanaCrypt Ransomware Masquerades as a Fake Google Update
Critical Industries Failing at IIoT/OT Security
ICO Calls for Review of Government “Private” Messaging
State-Sponsored Hackers Targeting Journalists

Tweet of the Week (38:48)
https://twitter.com/cyb3rops/status/1547263760678756353
Come on! Like and bloody well subscribe!

Jul 8, 2022 • 50min
Episode 111 - Jav Is In The Top Four
This Week in InfoSec (08:04)

With content liberated from the “today in infosec” twitter account and further afield

8th July 2011: Space Rogue broadcast the final HNNCast. And with that, the Hacker News Network came to an end.
Final broadcast: https://www.facebook.com/78983739181/videos/10150254277486182/
https://youtu.be/UdKyDqU1p-4

1st July 1979: The first Sony Walkman, the TPS-L2, goes on sale in Japan. It would go on sale in the US about a year later. By allowing owners to carry their personal music with them, the Walkman and its iconic headphones introduced a revolution in listening habits and popular culture at large.

Rant of the Week (17:12)

Rogue HackerOne employee steals bug reports to sell on the side

A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards.

The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday.

HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports.

On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure through an off-platform communication channel from someone using the handle “rzlr.”

The customer had noticed that the same security issue had been previously submitted through HackerOne.

Bug collisions, where multiple researchers find and report the same security issue, are frequent; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look.

HackerOne’s investigation determined that one of its employees had access to the platform for over two months, from when they joined the company on April 4th until June 23, and contacted seven companies to report vulnerabilities already disclosed through its system.

Billy Big Balls of the Week (23:42)

Apple’s new Lockdown Mode defends against government spyware

Apple announced that a new security feature known as Lockdown Mode will roll out with iOS 16, iPadOS 16, and macOS Ventura to protect high-risk individuals like human rights defenders, journalists, and dissidents against targeted spyware attacks.

Once enabled, Lockdown Mode will provide Apple customers with messaging, web browsing, and connectivity protections designed to block mercenary spyware (like NSO Group's Pegasus) used by government-backed hackers to monitor their Apple devices after infecting them with malware.

Attackers' attempts to compromise Apple devices using zero-click exploits targeting messaging apps such as WhatsApp and FaceTime or web browsers will get automatically blocked, since vulnerable features like link previews will be disabled.

Industry News (33:14)

TikTok CEO Addresses US Security Concern
Software Supply Chain Attack Hits Thousands of Apps
Hive Ransomware Upgraded to Rust to Deliver More Sophisticated Encryption
APT Hacker Group Bitter Continues to Attack Military Targets in Bangladesh
North Korean Hackers Target US Health Providers With 'Maui' Ransomware
Marriott Plays Down 20GB Data Breach
FBI and MI5 Bosses Warn of “Massive” China Threat
Microsoft Updates Windows 11 Subsystem for Android to Introduce Support For VPN-Assigned IPs
Apple Announces 'Lockdown Mode' to Protect Journalists, Human Rights Workers From Spyware

Tweet of the Week (44:33)

https://twitter.com/alxbrsn/status/1544707673282723840
Ubisoft Accidentally Leaks Hundreds of Customer E-mail Addresses in Watch Dogs Marketing Snafu
Come on! Like and bloody well subscribe!

Jul 1, 2022 • 44min
Episode 110 - Andy is Hot Hot Hot
This week in InfoSec

With content liberated from the “today in infosec” twitter account and further afield

28th June 2000: The Pikachu virus began spreading. It is believed to be the first virus targeting children, incorporating Pikachu from the Pokémon series.
https://en.m.wikipedia.org/wiki/Pikachu_virus
https://twitter.com/todayininfosec/status/1277433652519899137

29th June 2007: Nearly 6 months after it was introduced, Apple’s highly-anticipated iPhone goes on sale. Generally downplayed by Old World Technology pundits after its introduction, the iPhone was greeted by long lines of buyers around the country on that first day. Quickly becoming an overnight phenomenon, one million iPhones were sold in only 74 days. Since those early days, the ensuing iPhone models have continued to set sales records and have completely changed not only the smartphone and technology industries, but the world as well.

26th June 1997: The US Supreme Court ruled the Communications Decency Act unconstitutional on a 7-2 vote. The act, passed by both houses of Congress, sought to control the content of the Internet in an effort to keep pornography from minors. In an opinion written by Justice John Paul Stevens, the Supreme Court ruled the act a violation of free speech as guaranteed by the US Constitution.

Rant of the Week

Quick mention just to get the blood boiling:

India extends deadline for compliance with infosec logging rules by 90 days

India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements.

The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

FBI warning: Crooks are using deepfake videos in interviews for remote gigs

Deepfakes and Stolen PII Utilized to Apply for Remote Work Positions

The US FBI issued a warning on Tuesday that it has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information.

The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the "applicant" for jobs that can be performed remotely. The Bureau reports the scam has been tried on jobs for developers, "database, and software-related job functions". Some of the targeted jobs required access to customers' personal information, financial data, large databases and/or proprietary information.

"In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually," said the FBI in a public service announcement.

Billy Big Balls of the Week

Trio accused of selling $88m of pirated Avaya licenses

Rogue insider generated keys, resold them to blow the cash on gold, crypto, and more, prosecutors say

Three people accused of selling pirate software licenses worth more than $88 million have been charged with fraud.

The software in question is built and sold by US-based Avaya, which provides, among other things, a telephone system called IP Office to small and medium-sized businesses. To add phones and enable features such as voicemail, customers buy the necessary software licenses from an Avaya reseller or distributor. These licenses are generated by the vendor, and once installed, the features are activated.

In charges unsealed on Tuesday, it is alleged Brad Pearce, a 46-year-old long-time Avaya customer service worker, used his system administrator access to generate license keys worth tens of millions of dollars without permission. Each license could sell for $100 to thousands of dollars.

Pearce, of Oklahoma, then sold those licenses to Jason Hines, 42, of New Jersey, and others who sold them on to resellers and customers worldwide, prosecutors claimed. Pearce's wife, Dusti, 44, is accused of handling the finances and accounting in this alleged criminal caper.

On top of this, Pearce is accused of using his admin privileges to get into internal accounts of former Avaya workers to generate more software keys. He allegedly covered his tracks by altering information in the accounts over many years.

Great balls, but the bigger balls were from this article on the World Economic Forum:

How aligning cybersecurity with strategic objectives can protect your business

All filler with no thriller!

Cybersecurity is not a technical problem, it’s a business problem
Bridge the communications divide
Relationships may be damaged, not broken
Culture of Cybersecurity!

Industry News

Snoopers’ Charter Ruled Partially Unlawful
Ransomware Suspected in Wiltshire Farm Foods Attack
FBI: Beware Deepfakes Used to Apply for Remote Jobs
Amazon Fixes High Severity Vulnerability in Amazon Photos Android App
Ukrainian Cops Bust Multimillion-Dollar Phishing Gang
Nevadan Arrested for Alleged $45m Metaverse Investment Fraud
Info-Stealing Campaign Targeted Home Workers for Two Years
North Korea's Lazarus Group Suspected of $100m Harmony Hack
Former Canadian Government IT Worker Pleads Guilty Over NetWalker Ransomware Attacks

Tweet of the Week

https://twitter.com/Cannibal/status/1542597532869570560
Come on! Like and bloody well subscribe!

Jun 24, 2022 • 55min
Episode 109 - The Helium Breather
This week in InfoSec (12:04)

With content liberated from the “today in infosec” twitter account and further afield

24th June 1998: The NSA published the Skipjack encryption algorithm used by the Clipper chip, after the algorithm was declassified.
Clipper Chip
https://twitter.com/todayininfosec/status/1275882063753699328

24th June 2012: In the wake of the Flashback botnet which targeted Macs, Apple removed a statement from its website bragging that OS X isn't susceptible to viruses.
Apple removes claim that ‘Macs don’t get PC viruses’
https://twitter.com/todayininfosec/status/1275969494330949632

Rant of the Week (19:12)

Government employees banned from using VPNs in India

In the latest chapter of India's ongoing battle against online privacy software, government employees are now barred from using third-party VPN services.

The new directive came following the decision of some of the best VPNs to shut down their Indian servers amid privacy concerns over a new data law. So far, ExpressVPN, Surfshark and NordVPN have all announced they will physically leave the country before CERT-In directives come into force on June 27.

All this was discovered because:

Indian government issues confidential infosec guidance to staff – who leak it

India's government last week issued confidential information security guidelines that call on the 30 million plus workers it employs to adopt better work practices – and as if to prove a point, the document quickly leaked on a government website.

The document, and the measures it contains, suggest infosec could be somewhat loose across India's government sector.

"The increasing adoption and use of ICT has increased the attack surface and threat perception to government, due to lack of proper cyber security practices followed on the ground," the document opens.

Billy Big Balls of the Week (28:13)

Amazon can't channel the dead, but its deepfake voices take a close second

In the latest episode of Black Mirror, a vast megacorp sells AI software that learns to mimic the voice of a deceased woman whose husband sits weeping over a smart speaker, listening to her dulcet tones.

Only joking – it's Amazon, and this is real life. The experimental feature of the company's virtual assistant, Alexa, was announced at an Amazon conference in Las Vegas on Wednesday.

Rohit Prasad, head scientist for Alexa AI, described the tech as a means to build trust between human and machine, enabling Alexa to "make the memories last" when "so many of us have lost someone we love" during the pandemic.

In an explanatory video, Amazon showed a child asking: "Alexa, can Grandma finish reading me The Wizard of Oz?" at which point the assistant's normally artificial voice shifted gears into a softer, more natural timbre. The point being that it's supposed to convincingly sound like the kid's grandma.

Industry News (36:07)

BRATA Android Malware Group Now Classified As Advanced Persistent Threat
Former Amazon Worker Convicted of Capital One Data Breach
Google Chrome Extensions Could Be Used to Track Users Online
New DFSCoerce NTLM Relay Attack Enables Hackers to Perform Windows Domain Takeover
Cloudflare Outage Knocks Hundreds of Websites Offline
US Bank Data Breach Impacts Over 1.5 Million Customers
Euro Cops Dismantle Multimillion-Dollar Phishing Gang
Yodel Cyber Incident Disrupts UK Deliveries
Less Than Half of Organizations Have Open Source Security Policy

Cloudflare lava lamps:
https://www.cloudflare.com/en-gb/learning/ssl/lava-lamp-encryption/

Michael Reeves goldfish trading
https://youtu.be/USKD3vPD6ZA

Tweet of the Week (44:01)

https://twitter.com/InfosecEditor/status/1539992708617568261
https://twitter.com/mattjay/status/1539776073180893189
Come on! Like and bloody well subscribe!
