The Host Unknown Podcast

Host Unknown, Javvad Malik, Andrew Agnes, Thom Langford
Jun 30, 2023 • 49min

Episode 158 - The Highly Reviewed Episode

This week in InfoSec (11:36)
With content liberated from the “today in infosec” twitter account and further afield

26th June 1997: Communications Decency Act Declared Unconstitutional
The US Supreme Court ruled the Communications Decency Act unconstitutional on a 7-2 vote. The act, passed by both houses of Congress, sought to control the content of the Internet in an effort to keep pornography from minors. In an opinion written by Justice John Paul Stevens, the Supreme Court ruled the act a violation of free speech as guaranteed by the US Constitution.

29th June 2007: The phone that changed everything
Nearly 6 months after it was introduced, Apple’s highly-anticipated iPhone goes on sale. Generally downplayed by Old World Technology pundits after its introduction, the iPhone was greeted by long lines of buyers around the country on that first day. Quickly becoming an overnight phenomenon, one million iPhones were sold in only 74 days. Since those early days, the ensuing iPhone models have continued to set sales records and have completely changed not only the smartphone and technology industries, but the world as well.

Rant of the Week (19:19)
Miscreants leak texts and info siphoned by Android stalkerware app LetMeSpy
It's bad enough there's some Android stalkerware out there with the not-at-all-creepy moniker LetMeSpy. Now someone's got hold of the information the app collects – such as victims' text messages and call logs – as well as the email addresses of those who sought out the software, and leaked it all.
The stolen data has been circulating online for at least a few days, we're told, and the spyware's users – those who got the app to put on someone else's device – reportedly include government workers and a ton of US college students.
The Polish developer of the app said the information was swiped in a "security incident" that happened on June 21, when someone obtained "unauthorised access" to its website's databases.
Yes, we appreciate the irony of the maker of a phone-monitoring app that boasts about secretly collecting call logs, text messages, and whereabouts while remaining "invisible to the user" admitting that someone else gained unauthorised access to their information.

Billy Big Balls of the Week (28:33)
Network security guy in extradition tug of war between US and Russia
A Russian network security specialist and former editor of Hacker magazine who is wanted by the US and Russia on cybercrime charges has been detained in Kazakhstan as the two governments seek his extradition.
Nikita Kislitsin, an employee of Russian infosec shop FACCT, was detained on June 22 at the request of the US, according to a statement by his employer.
"According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than ten years ago when Nikita worked as a journalist and independent researcher," the statement reads.
"We are convinced that there are no legal grounds for detention on the territory of Kazakhstan."
FACCT is not under investigation and has not been charged with any wrongdoing, the org added. It has hired lawyers to defend Kislitsin, and has also sent an appeal to the Consulate General of the Russian Federation in Kazakhstan "to assist in protecting our employee," according to the statement.

Industry News (34:27)
Are GPT-Based Models the Right Fit for AI-Powered Cybersecurity?
Over Half of UK Banks Are Exposing Customers to Email Fraud
Submarine Cables at Growing Risk of Cyber-Attacks
Third-Party Vendor Hack Exposes Data at American, Southwest Airlines
EncroChat Bust Leads to 6500 Arrests in Three Years
VPN and RDP Exploitation the Most Common Attack Technique
LockBit Dominates Ransomware World, New Report Finds
Charming Kitten’s PowerStar Malware Evolves with Advanced Techniques
MIT Publishes Framework to Evaluate Cybersecurity Methods

Tweet of the Week (43:14)
https://twitter.com/UK_Daniel_Card/status/1674094965348073474

Come on! Like and bloody well subscribe!
Jun 23, 2023 • 46min

Episode 157 - The Special Guest Star Episode

This week in InfoSec (10:26)
With content liberated from the “today in infosec” twitter account and further afield

17th June 1997: A group of users organised over the Internet cracked the Data Encryption Standard — the strongest legally exportable encryption software in the United States to that point — after only five months of work. The United States at the time banned the export of stronger encryption software out of fear that it would be used by terrorists, but companies designing the software claimed such restrictions were worthless because foreign countries offer much stronger programs. The US eventually relaxed certain restrictions but to this day still claims to exert authority over encryption technologies under the commerce clause.

17th June 1983: The movie "Superman III" was released. Gus Gorman lands a data entry job at Webscoe Industries, hacks into its computer systems, and funnels all of the half-cents into his next check, accruing $85,789.90. This type of crime would later be named "salami slicing".
https://twitter.com/todayininfosec/status/1405615484091916294

Rant of the Week (15:16)
FTC accuses DNA testing company of lying about dumping samples
The Federal Trade Commission has alleged that genetic testing firm 1Health.io, also known as Vitagene, deceived people when it said it would dispose of their physical DNA sample as well as their collected health data.
To make matters worse, the FTC also alleged in a consent order made public last week that the company didn't secure the information properly, and further, that it changed its privacy policy retroactively without properly notifying or getting consent from people whose data the company had already collected – people who had signed a different, earlier version of the policy.
Under the proposed settlement, Vitagene/1Health.io will have to sharpen its data protection practices and put into place procedures to keep them sharp, as well as pay a fine. The company has neither admitted nor denied any of the allegations.

Billy Big Balls of the Week (24:29)
Reddit confirms BlackCat gang pinched some data
Reddit this week confirmed ransomware gang BlackCat, aka AlphaV, broke into its corporate systems in February.
The crew just the other day had bragged it stole 80GB from the biz, and had demanded the social media company pay $4.5 million to keep a lid on the data as well as ditch its controversial API pricing changes.
A spokesperson for Reddit declined to comment on BlackCat's specific boasts, and insisted it's not the result of a fresh intrusion. The theft happened a few months ago, and was the result of a "sophisticated phishing campaign" against its staff that Reddit said it encountered on February 5 and disclosed on February 9.
See also: Reddit hackers demand $4.5 million ransom and API pricing changes

Industry News (31:14)
US Offers $10m Reward For MOVEit Attackers
Smart Pet Feeders Expose Personal Data
Security Researchers Uncover New Spyware Implant TriangleDB
#InfosecurityEurope: Hackers Are the Immune System of the Digital Age
#InfosecurityEurope: It’s Time to Think Creatively to Combat Skills Shortages
#InfosecurityEurope: Drones Contain Over 156 Different Cyber Threats, Angoka Research Finds
RedEyes Group Targets Individuals with Wiretapping Malware
US Justice Department Launches New National Security Cyber Section
Apple Addresses Exploited Security Flaws in iOS, macOS and Safari

Tweet of the Week (41:36)
https://twitter.com/tarah/status/1671691691965939712
----
Back up story: Mark Zuckerberg is ready to fight Elon Musk in a cage match

Come on! Like and bloody well subscribe!
Jun 16, 2023 • 56min

Episode 156 - The Smashing Security Takeover Episode

This week in InfoSec (12:01)
With content liberated from the “today in infosec” twitter account and further afield

12th June 1989: Callers to a Florida probation office were connected to a phone sex line. Southern Bell officials said it was the first time their switching equipment had been reprogrammed by a hacker. Phrack #27
https://twitter.com/todayininfosec/status/1668417281112637441

15th June 2004: The first mobile phone virus, Cabir, was discovered. It infected devices running the Symbian OS and spread via Bluetooth. 68% of you are thinking "Symbian OS? Never heard of it." Learn how it got its name and how it spread in a stadium in Finland: First smartphone malware
https://twitter.com/todayininfosec/status/1669380905662545921

Rant of the Week (21:09)
Capita wins £50M fraud reporting contract with City of London cops
Capita, which is still dealing with a digital break-in that exposed customers' data to criminals, has scored a £50 million contract with the City of London police to run contact and engagement services for the force's fraud reporting service.
The five-year agreement kicks off in 2024 and the territorial cops responsible for law enforcement in the financial district of the capital (aka the "square mile"; the Met looks after Greater London) have an option to extend it for a further two years, should they wish to do so.
The work will see Capita provide an "end-to-end customer management process" to potential victims of fraud when they contact the service. The current iteration receives upwards of 350,000 calls and 2.3m unique visits to the website annually.
In a statement, Capita pledged to "deploy" its "customer experience model for identifying, managing and monitoring customers using data and specialist coaching to support potential victims of crime."

EU boss Breton: There's no Huawei that Chinese comms kit is safe to use in Europe
European Commission's own networks to toss Middle Kingdom boxes amid calls for total replacement
European commissioner Thierry Breton wants Huawei and ZTE barred throughout the EU, and revealed plans to remove kit made by the Chinese telecom vendors from the Commission's internal networks.
"We cannot afford to maintain critical dependencies that could become a weapon against our interests," he declared in a Thursday speech.
The Chinese vendors' presence in foreign networks has been a point of concern for years. There are concerns that backdoors in Huawei equipment could allow China to spy on foreign nations, given Chinese law requires local businesses to share info with Beijing. However, Huawei has repeatedly rejected the claims of backdoors, insisted it follows the law of the land wherever it operates, and denied that Chinese laws would see it sell out customers.
Those protestations haven't stopped the US, UK, and at least ten EU countries from banning the manufacturer's kit from their networks. ZTE has also run afoul of regulators.

Billy Big Balls of the Week (32:17)
US mother gets call from ‘kidnapped daughter’ – but it’s really an AI scam
After being scammed into thinking her daughter was kidnapped, an Arizona woman testified in the US Senate about the dangerous side of artificial intelligence technology when in the hands of criminals.
Jennifer DeStefano told the Senate judiciary committee about the fear she felt when she received an ominous phone call on a Friday last April.
Thinking the unknown number was a doctor’s office, she answered the phone just before 5pm on the final ring. On the other end of the line was her 15-year-old daughter – or at least what sounded exactly like her daughter’s voice.

Industry News (42:07)
Data Flows Between UK and US to be Simplified Under New Agreement
Ofcom Latest MOVEit Victim as Exploit Code Released
Microsoft Pays $20m to Settle Another FTC COPPA Case
No Zero-Days but PGM Flaws Cause Patch Tuesday Concern
MFA Bypass Kits Account For One Million Monthly Messages
Europol Warns of Metaverse and AI Terror Threat
EU Passes Landmark Artificial Intelligence Act
Malicious Actors Exploit GitHub to Distribute Fake Exploits
LockBit Makes $91m From US Victims in Two Years

Tweet of the Week (50:49)
https://twitter.com/InfoSecSherpa/status/1062036305146724354
https://twitter.com/fesshole/status/1662495137992175617

Come on! Like and bloody well subscribe!
Jun 9, 2023 • 51min

Episode 155 - The Really Late Show

This week in InfoSec (10:21)
With content liberated from the “today in infosec” twitter account and further afield

8th June 1989: The beta release of the Bourne Again SHell (Bash) was announced as version 0.99. 2 months later Shellshock was introduced into the Bash source code and persisted in subsequent versions for over 25 years. v0.99 release announcement
https://twitter.com/todayininfosec/status/1666487525320318988

3rd June 1983: Would You Like to Play a Game?
The science fiction film WarGames is released. Notable for bringing the hacking phenomena to the attention of the American public, it ignites a media sensation regarding the hacker sub-culture. The film’s NORAD set is the most expensive ever built at the time at a cost of $1 million dollars. Not widely known is that the movie studio provided the film’s star, Matthew Broderick, with the arcade games Galaga and Galaxian so he could get first-hand experience before shooting the film’s arcade scenes.

Rant of the Week (17:16)
Barracuda Urges Replacing — Not Patching — Its Email Security Gateways
It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Barracuda tells its ESG owners to 'immediately' junk buggy kit

Billy Big Balls of the Week (24:45)
US govt now bans TikTok from contractors' work gear
BYODALAINGTI (as long as it's not got TikTok installed)
The US federal government's ban on TikTok has been extended to include devices used by its many contractors - even those that are privately owned. The bottom line: if some electronics are used for government work, it better not have any ByteDance bits on it.
The interim rule was jointly issued by NASA, the Department of Defense and the General Services Administration, which handles contracting for US federal agencies. The change amends the Federal Acquisition Regulation to prohibit TikTok, any successor application, or any software produced by TikTok's Beijing-based parent ByteDance from being present on contractor devices.
"This prohibition applies to devices regardless of whether the device is owned by the government, the contractor, or the contractor's employees. A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition," the trio said in their update notice published in the Federal Register.
The rule would apply to all contracts, even those below the "simplified acquisition threshold" of $250,000, purchases of commercial and off-the-shelf equipment, and commercial services, so get ready to wipe those company phones, cloud services providers and MSPs that do business with Uncle Sam.

AND

British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack
British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app.
Microsoft reckons the Russian Clop ransomware crew stole the information.
British Airways, the BBC, and Boots were not hit directly. Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" – including the aforementioned British trio – had their information stolen.
Zellis claims to be the largest payroll and human resources provider in the UK, and its customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the security breach, and noted "all Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."

Industry News (34:33)
Clop Ransom Gang Breaches Big Names Via MOVEit Flaw
FBI Warns of Surge in Deepfake Sextortion Attempts
Cisco Counterfeiter Pleads Guilty to $100m Scheme
Cyber Extortionists Seek Out Fresh Victims in LatAm and Asia
Lazarus Group Blamed for Atomic Wallet Heist
Interpol: Human Trafficking is Fueling Fraud Epidemic
Microsoft Brings OpenAI Tech to US Agencies
Pharmaceutical Giant Eisai Hit By Ransomware Incident
Espionage Attacks in North Africa Linked to "Stealth Soldier" Backdoor

Tweet of the Week (43:58)
https://twitter.com/elonmusk/status/1666964082363371520
https://twitter.com/sawaba/status/1666930930714279942
https://www.forbes.com/lists/most-cybersecure-companies/

Come on! Like and bloody well subscribe!
Jun 2, 2023 • 47min

Episode 154 - The Broom-cupboard Episode

Voting has closed for this year's European Cybersecurity Blogger Awards. Did you vote with your conscience, or did you vote for us?

This week in InfoSec (08:33)
With content liberated from the “today in infosec” twitter account and further afield

30th May 1972: John Postel published RFC 349, Proposed Standard Socket Numbers. RFC 349
https://twitter.com/todayininfosec/status/1266805406707232768

1st June 1999: Shawn Fanning and Sean Parker release the filesharing service Napster. The service provides a simple way for users to copy and distribute MP3 music files. It became an instant hit, especially among college students. Just over 6 months later, on December 7, 1999, the Recording Industry Association of America (RIAA) filed a lawsuit against the service, alleging mass copyright infringement. Eventually this lawsuit forced the shutdown of the company on September 3, 2002, but not before the popularity of downloading digital music was firmly entrenched in a generation of Internet users.

Rant of the Week (16:32)
Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine
America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.
The regulator on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy snafus.
The e-tail giant’s Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”
“Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will,” reads the FTC's complaint [PDF].
The document goes on to describe how “a customer service agent might need access to the video data of a particular customer to troubleshoot a problem, that same customer service agent had unfettered access to videos belonging to thousands of customers who never contacted customer service.”
Another nightmare: “Although an engineer working on Ring’s floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of the inside of customers’ bedrooms.”
Ring staff weren’t trained on how to handle private data. And some abused it, horribly, according to the consumer watchdog.
The complaint details one employee who, the FTC said, “viewed thousands of video recordings belonging to at least 81 unique female users,” and “focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as ‘Master Bedroom,’ ‘Master Bathroom,’ or ‘Spy Cam’.”
The employee spent more than an hour a day on this revolting stuff, undetected by Ring, for months, it was claimed.
When a female coworker reported this activity, her supervisor “discounted the report, telling the female employee that it is ‘normal’ for an engineer to view so many accounts," the FTC noted.

Billy Big Balls of the Week (29:42)
Pegasus-pusher NSO gets new owner keen on the commercial spyware biz
Spyware maker NSO Group has a new ringleader, as the notorious biz seeks to revamp its image amid new reports that the company's Pegasus malware is targeting yet more human rights advocates and journalists.
Once installed on a victim's device, Pegasus can, among other things, secretly snoop on that person's calls, messages, and other activities, and access their phone's camera without permission. This has led to government sanctions against NSO and a massive lawsuit from Meta.
The Israeli company's creditors, Credit Suisse and Senate Investment Group, foreclosed on NSO earlier this year, according to the Wall Street Journal, which broke that story the other day.
Essentially, we're told, NSO's lenders forced the biz into a restructure and change of ownership after it ran into various government ban lists and ensuing financial difficulties.
The new owner is a Luxembourg-based holding firm called Dufresne Holdings controlled by NSO co-founder Omri Lavie, according to the newspaper report. Corporate filings now list Dufresne Holdings as the sole shareholder of NSO parent company NorthPole.
Dufresne Holdings has removed "a number of directors and officers" across NSO and is involved in the company's day-to-day management, the Wall Street Journal added.
An NSO spokesperson meanwhile said "the company is managed directly by our CEO, Yaron Shohat. The lenders are currently in a process of restructuring the shareholders."
Not only has the company faced criticism over its Pegasus spyware implant; US and European officials have also, over the past couple of years, cracked down on NSO in particular and on commercial spyware in general.
Reports keep emerging about Pegasus and other surveillance technologies being used in ways that decidedly violate NSO's claims that it only sells the malware to legitimate government agencies "for the purpose of preventing and investigating terrorism and other serious crimes."

It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!

Industry News (37:34)
Romania’s Safetech Leans into UK Cybersecurity Market
Nine Million MCNA Dental Customers Hit by Breach
Ransomware Gangs Adopting Business-like Practices to Boost Profits
Human Error Fuels Industrial APT Attacks, Kaspersky Reports
Nigerian Cybercrime Ring's Phishing Tactics Exposed
Pentagon Cyber Policy Cites Learnings from Ukraine War
Amazon to Pay $31m After FTC's Security and Privacy Allegations
HMRC in New Tax Credits Scam Warning
Horabot Campaign Targets Spanish-Speaking Users in the Americas

Tweet of the Week (44:04)
https://twitter.com/securityweekly/status/1664335258655784960

Come on! Like and bloody well subscribe!
May 26, 2023 • 42min

Episode 153 - The Poorly Planned Episode

This week in InfoSec (09:59)
With content liberated from the “today in infosec” twitter account and further afield

26th May 2006: BackTrack v1.0 was released.
https://twitter.com/todayininfosec/status/1265471687761424384

21st May 2012: Nmap 6.00 was released. https://nmap.org/6/
https://twitter.com/todayininfosec/status/1263589918107791362

23rd May 1997: Carlos Felipe Salgado Jr. (aka "Smak"), who allegedly stole 100,000 credit cards from an Internet provider, was granted bail on the condition he not go "anywhere near a computer." He was arrested after trying to sell them to the FBI. Hacker gets conditional bail
https://twitter.com/todayininfosec/status/1264033568436568070

Rant of the Week (16:25)
Dish confirms 300,000 people's data was exposed in February's attack
But don't worry – we know it was deleted.
Dish Network has admitted that a February cybersecurity incident and associated multi-day outage led to the extraction of data on nearly 300,000 people, while also appearing to indirectly admit it may have paid cybercriminals to delete said data.
Dish customers can rest easy, at the very least, as the telco said in a sample letter posted to the Maine Attorney General's breach notification website that customer databases weren't accessed and the stolen data belonged instead to employees both past and present, their family members, "and a limited number of other individuals" that Dish didn't specify.
The satellite TV company also didn't say what sorts of personal information were stolen from those 296,851 individuals in the attack, aside from driver's license and non-driver ID card numbers.
Dish never went on the record to publicly state the attack was caused by ransomware, though internal sources who contacted The Register did report that ransomware was involved. Dish also made mention of ransomware in its SEC filing.
Reports from February citing internal Dish sources claim the Black Basta ransomware gang was behind the break-in at Dish, and in its template letter [PDF] notifying affected individuals of the incident, the company sought to reassure recipients that there's no evidence the extracted data has been misused, and that it believes the data has been deleted.
Er, who confirmed that again?
"We have received confirmation that the extracted data has been deleted," Dish said, adding that it has been monitoring the dark web and criminal forums for signs the data is available online. "The results of the monitoring are consistent with the confirmation that the extracted data has been deleted," it added.
That, as Emsisoft security analyst Brett Callow has pointed out, could be interpreted as an admission that Dish paid whatever ransom was demanded of it because "totally untrustworthy cybercriminals assured us the data would be deleted if we paid the ransom," Callow tweeted.

Billy Big Balls of the Week (26:30)
Ads for lucrative jobs in Asia fail to mention chance of slavery as crypto-scammer
The FBI has issued a warning about fake job ads that recruit workers into forced labor operations in Southeast Asia – some of which enslave visitors and force them to participate in cryptocurrency scams.
The warning follows reports of multi-storey slave compounds housing unwilling workers in places like Cambodia.
The FBI's advice suggests those scams are ongoing.
"Criminal actors assign debts to victims under the guise of travel fees and room and board, and use victims' mounting debt and fear of local law enforcement as additional means to control victims. Trafficked victims are sometimes sold and transferred between compounds, further adding to their debt," said the FBI.
Advocacy groups and media report similar tactics, with victims targeted online and promised lucrative jobs abroad with travel fees and other benefits paid.
Upon arrival in a foreign country – which may not even be the one jobseekers were told they'd visit – workers' passports and travel documents may be confiscated, and the victim coerced to conduct scams under the threat of violence.
The scams the slaves conduct often involve "pig butchering" tactics that see perpetrators encourage victims to make investments in cryptocurrency. Once payments are made, the scammer ceases communication with the victim and their cash disappears. Pig butchering perps often use romance scams, promises of sex, or illegal gambling as lures.

Industry News (32:53)
Meta Fined €1.2bn for Violating GDPR
China Issues Ban on US Chipmaker Products
Two-Thirds of IT Leaders Say GDPR Has Reduced Consumer Trust
Diversity advocate and renowned practitioner, Becky Pinkard, to be Inaugurated into Infosecurity Europe's Hall of Fame
Private Sector Cybersecurity Task Force Called for to Defend Democracies
US Sanctions North Korean Entities Training Expat IT Workers in Russia, China and Laos
SMBs Targeted by State-Aligned Actors for Financial Theft and Supply Chain Attacks
NCSC Warns Against Chinese Cyber Attacks on Critical Infrastructure
Expo Framework API Flaw Reveals User Data in Online Services

Tweet of the Week (39:35)
https://twitter.com/ireteeh/status/1661635416204648448
https://twitter.com/VladCraita/status/1661461184665604096?s=20
https://twitter.com/primevideouk/status/1661760395659321346

Come on! Like and bloody well subscribe!
May 19, 2023 • 52min

Episode 152 - The Sicknote Episode

European Security Blogger Awards 2023
Vote for us (and Thom and teissTalk) here:
https://forms.gle/o6LwY6t5bSY9Fp5CA

This week in InfoSec (11:24)
With content liberated from the “today in infosec” twitter account and further afield

15th May 2011: Sony Begins Restoration of Its PlayStation Network after Cyber Attack
After a malicious cyber attack compromises Sony Computer Entertainment's data center in San Diego, California, the PlayStation Network is shut down on April 20. The ensuing investigation revealed a number of security flaws, and in tandem with outside security firms, Sony implemented a number of upgrades to deter and mitigate future attacks to its network and its customers’ personal information. The Americas, Oceania, Europe and the Middle East were the first regions to regain access to the PlayStation Network, and among other measures, customers were required to reset their passwords upon initially signing in. As more and more personal information is posted online, whether for financial, social, or business transactions, the safekeeping and protection of this data has come to the forefront of Internet consumer concerns.

20th May 2003: Rain Forest Puppy reflected on change in the security industry and made a declaration of his personal change.
https://web.archive.org/web/20090510083820/www.wiretrip.net/rfp/txt/evolution.txt
https://twitter.com/todayininfosec/status/1395378144861896705

Rant of the Week (18:00)
Upstart encryption app walks back privacy claims, pulls from stores after probe
A new-ish messaging service that claimed to put privacy first has pulled its end-to-end encryption claims from its website and its app from both the Apple and Google software stores after being called out online.
Converso – a comms app launched in September 2022 – billed itself as a "next-generation messaging app that keeps your conversations completely private." This, according to the developer's website, included "proprietary state-of-the-art end-to-end encryption technology," no storage of messages on servers, and "absolutely no use of user data." It claimed it could stand up to the likes of Signal and WhatsApp in the security stakes.
A blogger who goes by Crnković and has an interest in encryption protocols heard about Converso from an ad on a podcast and decided to poke around to see if the software lived up to the hype. Crnković found the app talked to a Google Cloud-hosted database that was left completely open to the public by the software's developers. This Firestore database, we're told, included encrypted message content, metadata about people's messages, their private encryption keys, phone numbers, and more. Essentially, it would be possible for anyone to fetch that information and decrypt a stranger's message that went through the app, according to the researcher.
Crnković concluded:
Not only is metadata public, but so too are the keys used to encrypt messages. Anyone can download a Converso user's private key, which could be used to decrypt their secret conversations. There's no longer any real distinction between cleartext and encrypted messages – nothing is meaningfully encrypted. For your security, you shouldn't use Converso to send any message that you wouldn't also publish as a tweet.
"Dissecting Converso was in large part a learn-as-you-go exercise for me, as I don't have prior experience reverse engineering mobile apps," Crnković told The Register. "I was shocked at each exponentially worse mistake."

Telegram vulnerability: https://danrevah.github.io/2023/05/15/CVE-2023-26818-Bypass-TCC-with-Telegram/

Billy Big Balls of the Week (27:37)
Microsoft decides it will be the one to choose which secure login method you use
Microsoft wants to take the decision of which multi-factor authentication (MFA) method to use out of the users' hands and into its own.
The software maker this week is rolling out what it calls system-preferred authentication for MFA, which will present individuals signing in with the most secure method and then alternatives if that method is unavailable.
Redmond first unveiled the feature in a disabled state in April and is now making it generally available to all commercial users through the Azure Portal or Graph APIs, with the decision whether to enable it for tenants now resting with administrators.
That said, in July Microsoft will make system-preferred authentication a default feature in its Azure Entra portfolio for all user accounts, with more information coming out next month.
The goal is to shore up security by not only delivering new features to harden products and services but to, at times, strong-arm people into using them.
More security, fewer problems?
"This system prompts the user to sign in with the most secure method they've registered and the method that's enabled by admin policy," Alex Weinert, vice president and director of identity security at Microsoft, wrote in a blog post. "This will transition users from choosing a default method to use first to always using the most secure method available. If they can't use the method they were prompted to use, they can choose a different MFA method to sign in."

Industry News (36:43)
Ex-Ubiquiti Employee Imprisoned For $2m Crypto Extortion Scheme
NSO Group Spends Millions Lobbying US Government
Cyber-Resilience Programs Failing on Poor Visibility
New Cloud Data Leak Adds to Capita's Woes
Government Publishes Playbook to Enhance Smart City Security
ChatGPT Leveraged to Enhance Software Supply Chain Security
Montana Signs Ban on TikTok Usage on Personal Devices
Apple's App Store Blocks $2bn in Fraudulent Transactions
Cyber Warfare Escalates Amid China-Taiwan Tensions

Tweet of the Week (48:17)
https://twitter.com/pmbaumgartner/status/1658804805014368256

Come on! Like and bloody well subscribe!
May 12, 2023 • 44min

Episode 151 - Like Mould it Grew Back

This week in InfoSec (09:16)
With content liberated from the “today in infosec” twitter account and further afield

11th May 1997: Deep Blue Defeats Kasparov in Tournament Match
The IBM computer and artificial intelligence Deep Blue defeats reigning chess champion and one of the greatest chess players of all time, Garry Kasparov, in the 6th and deciding game of a tournament match, marking the first time a computer defeated a chess champion in match play. A year earlier, Deep Blue had bested Kasparov in 2 individual games but Kasparov eventually won the match 4-2. This time, after being reprogrammed and upgraded, the 1997 Deep Blue, capable of calculating 200 million moves per second, won 2 of the 6 games against Kasparov’s 1 victory and 3 draws. After the defeat Kasparov asked for a rematch but IBM declined and retired Deep Blue.

The defeat of a reigning chess champion at the hands of artificial intelligence made headlines around the world and marked a milestone in the development of AI and machine learning. From this early landmark moment, the advancement of computing power and machine learning has created even more powerful artificial intelligence. Kasparov in 2016 stated that “Today you can buy a chess engine for your laptop that will beat Deep Blue quite easily”.

9th May 1996: Linux Gets Happy Feet
Linus Torvalds describes in an e-mail to a mailing list his conception of what he believes should be the logo for the Linux operating system. This is what soon becomes Tux the penguin, the “brand character” for Linux. Perhaps had he known the movie Happy Feet would be released a little over 10 years later, he would have chosen a Warbler instead.

Rant of the Week (15:24)
Twitter rolls out encrypted DMs, but only for paying accounts
Twitter has launched its 'Encrypted Direct Messages' feature allowing paid Twitter Blue subscribers to send end-to-end encrypted messages to other users on the platform.

End-to-end encryption (E2EE) uses private and public key pairs to encrypt information sent over the internet so that only the sender and the recipient can read it. The private decryption key is only stored on the recipient's device and is not shared with anyone else. However, the public encryption key is shared with others who want to send you encrypted data. As the private decryption key is only stored on the local recipient's device and never stored anywhere else along the way, such as on the messaging app's servers, even if someone intercepts the message, they won't be able to read it without the decryption key.

End-to-end encrypted DMs on Twitter have been a sought-after and massively requested feature that was teased and retracted in 2018. Last November, mobile researcher Jane Manchun Wong noticed that the source code of Twitter for Android hinted at work towards implementing an E2EE system, with Elon Musk all but confirming the suspicions.

Almost half a year later, Twitter officially announced today the availability of an encrypted messages feature on the latest version of the Twitter apps for iOS and Android and on the web platform. Based on the details in the announcement, which mentions using a device-generated private key and a centrally-provided public key, Twitter has implemented an asymmetric encryption scheme.

Billy Big Balls of the Week (23:18)
India to send official whassup to WhatsApp after massive spamstorm
India's IT minister Rajeev Chandrasekhar will ask WhatsApp to explain what's up, after the Meta-owned messaging service experienced a dramatic increase in spam calls.

India is the largest market for WhatsApp, with over 450 million users, many of whom have in the last couple of weeks received plenty of spam calls from overseas. Many of the calls involve fake job offers, usually with a request to negotiate the gig on a different messaging platform, which makes tracking the perps harder.

The timing of that spam storm is intriguing. On May 1, Indian carriers were required to implement AI-powered spam call filters. As The Register reported in November 2022, the AI-infused system was developed after a blockchain-based spam-buster bombed. Might scammers have turned to WhatsApp after conventional carriers hardened up?

Whatever the exact reasons for WhatsApp being whacked, Chandrasekhar is not happy about the amount of spam it's carried. He told local media his ministry will send a "please explain" missive to WhatsApp.

HP https://twitter.com/dcuthbert/status/1656926678096986112?s=20

Industry News (30:35)
Only 39% of IT Security Decision-Makers See it As Business Enabler
CISOs Worried About Personal Liability For Breaches
EU's Client-Side Scanning Plans Could be Unlawful
NextGen Healthcare Data Breach: One Million Patient Records Affected
Spanish Police Arrest 40 in Phishing Gang Bust
NSA and Allies Uncover Russian Snake Malware Network in 50+ Countries
Twitter Hacker Admits Guilt in New York Court, Extradited from Spain
NCSC and ICO Dispel Incident Reporting Myths
Threat Actors Use Babuk Code to Build Hypervisor Ransomware

Tweet of the Week (39:15)
Tweet of the Week is the part of the show where everyone chooses a tweet they like. It could be a funny tweet, an interesting tweet they’ve read, educational, amusing, or useful, whatever they like. It doesn’t have to be security-related necessarily. [Better not be!]
https://twitter.com/InternetH0F/status/1656624723395051530

Come on! Like and bloody well subscribe!
May 5, 2023 • 51min

Episode 150 - Yet Another Intern

Vote for us here! -> https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

This week in InfoSec (08:15)
With content liberated from the “today in infosec” twitter account and further afield

3rd May 1978: Earliest known case of spam.
Gary Thuerk, a marketing representative for Digital Equipment Corporation, sends out an e-mail promoting an open house for the company’s latest computer systems to 393 recipients on the ARPANET, a precursor to the modern Internet. While this number sounds small by today’s standards, this was all the ARPANET users on the west coast of the United States. Given that this was an unsolicited commercial e-mail, it is now considered the first of its kind. In other words, the first spam message, well before the term was coined. It brought a quick and negative response from many users, and Thuerk was warned by ARPANET administrators that mass mailings were not an acceptable use of the network. The backlash notwithstanding, the open house was largely successful, with over $12 million of DEC equipment being sold. I guess it was better to ask forgiveness than permission in this case!

https://nakedsecurity.sophos.com/2008/05/27/spamreg-or-spam-whats-in-a-name/
According to Hormel’s SPAM® FAQ, the name was dreamt up by a chap called Ken who received a $100 prize for his efforts. Hormel says that we have to thank him that we’re not all eating Crinkycrinky or Canned Flappertanknibbles.

29th April 2004: The Sasser worm is released into the wild, infecting over 1 million Windows XP and Windows 2000 computers worldwide.
Although the worm did not have an intentionally destructive payload, it caused many computers to slow down or crash and reboot repeatedly, along with clogging up network traffic. Among the effects of the worm, the British coast guard had to resort to paper maps for the day, a French news agency lost satellite communication for hours, Delta Airlines had to delay or cancel many flights, and the University of Missouri had to disconnect its network from the Internet. (GC: Memories of Sasser? 🙂)

Author Sven Jaschan. German kid. Also created the Netsky worm. Bragged about it to his schoolmates. Following his arrest, Microsoft said that they had received tip-offs from more than one source, and that the $250,000 reward for identifying the author of the Netsky worm would be shared between them.
https://en.wikipedia.org/wiki/Sven_Jaschan
Got off very lightly as he was underage when the virus was written: just given 30 hours community service. No fine. Went to work the next day as normal... which was as a developer for a German cybersecurity company called Securepoint. In retaliation, the anti-virus company Avira officially halted its cooperation with Securepoint.

Rant of the Week (17:12)
Cloudflare Q1 Earnings Call Transcript
https://www.linkedin.com/posts/mattfivesixpartners_pretty-brutal-takedownthrowing-under-the-activity-7058819871119175681--ULh/?utm_source=share&utm_medium=member_ios

Billy Big Balls of the Week (28:46)
graham@grahamcluley.com Feel free to talk about anything you want which might fall into the category of big ball energy, as you don’t need to be spoon fed like the other muppets I work with.
Joe Sullivan.
https://www.washingtonpost.com/technology/2023/05/04/sullivan-sentencing-uber-executive/

Industry News (37:56)
UK Gun Owners May Be Targeted After Rifle Association Breach
T-Mobile Reveals Second Breach of the Year
Hackers Exploit High Severity Flaw in TBK DVR Camera System
Bitmarck Halts Operations Due to Cybersecurity Breach
Dark Web Bust Leads to Arrest of 288 Suspects
Three-Quarters of Firms Predict Breach in Coming Year
Apple and Google Unveil Industry Specification For Unwanted Tracking
US Authorities Dismantle Dark Web "Card Checking" Platform
Consumer Group Slams Bank App Fraud Failings

Tweet of the Week (46:48)
https://twitter.com/joshlemon/status/1654268564160020482

Vote for us here! -> https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Come on! Like and bloody well subscribe!
Apr 28, 2023 • 51min

Episode 149 - It's That Man Again (Again)

This Week In InfoSec (09:00)
With content liberated from the “today in infosec” twitter account and further afield

23rd April 2008: Microsoft announced that some of its antivirus tools had mislabeled Skype as adware for several days due to a bad definition update. 3 years later Microsoft bought Skype for $8.5 billion.
Microsoft mislabels Skype as adware
https://twitter.com/todayininfosec/status/1253558642537713664

26th April 1999: Chernobyl Virus Melts Down PCs
The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus triggers its payload on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history, it is estimated that 60 billion PCs were infected worldwide, causing $1 Billion in damages.

The virus had been created exactly one year earlier, on April 26, 1998, by Taiwanese student Chen Ing-hau and set to trigger its destructive payload exactly one year later. It began to spread in the wild and was first discovered in June of 1998, given the name CIH due to the author’s initials discovered in the virus code. From this time forward it was reported that a variety of companies accidentally distributed the virus through various downloads, updates, and CDs.

When the virus triggered on this date it just happened to coincide with the date of the Chernobyl disaster in 1986, and therefore the press began to call it the Chernobyl virus, even though there has never been any evidence to show that this date was chosen intentionally for this reason.

My memories of Chernobyl/CIH here: https://nakedsecurity.sophos.com/2011/04/26/memories-of-the-chernobyl-virus/

Rant of the Week (17:35)
International cops urge Meta not to implement secure encryption for all
Why? Well, think of the children, of course.

An international group of law enforcement agencies is urging Meta not to standardize end-to-end encryption on Facebook Messenger and Instagram, which they say will harm their ability to fight child sexual abuse material (CSAM) online.

The Virtual Global Taskforce was formed in 2003 and is currently chaired by Britain's National Crime Agency. The VGT consists of 15 law enforcement bodies, including Interpol, the FBI, the Australian Federal Police and other law enforcement agencies from around the world. In its letter [PDF], the VGT said reports from tech industry partners play a key role in fighting CSAM content, with Meta being its leading reporter of abuse material.

But the taskforce thinks that will end if Meta continues its encryption push. "The VGT has not yet seen any indication from META that any new safety systems implemented post-E2EE will effectively match or improve their current detection methods," the taskforce said.

Billy Big Balls of the Week (28:07)
After 13 years, Google has finally added syncing to Google Authenticator in iOS and Android. By adding sync, you no longer need to worry about losing access to your online accounts. If you lose your phone, just restore them on a new device.

All good, right? Err…
https://twitter.com/mysk_co/status/1651021165727477763

Yes, Google syncs your 2FA codes via HTTPS. But Mysk found out they weren’t end-to-end encrypted. In short, Google can see your 2FA codes. Furthermore, anyone who can access your Google account (such as law enforcement) can access your 2FA codes.

Oh dear…
https://twitter.com/christiaanbrand/status/1651279598309744640

In response, Google said it had:
“We’re always focused on the safety and security of Google users, and the newest updates to Google Authenticator was no exception.”
“Plans to offer E2EE for Google Authenticator down the line.”
“Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves.”

What impressive balls of Google to introduce this new feature to a security/privacy product - after 13 years! - and brazenly do it in an insecure way!

Industry News (37:43)
American Bar Association Breach Hits 1.5 Million Members
Thousands of Social Media Takedowns Hit People Smugglers
Yellow Pages Canada Hit by Cyber-Attack, Black Basta Claims Credit
UK Cyber Pros Burnt Out and Overwhelmed
Quad Countries Prepare For Info Sharing on Critical Infrastructure
Critical Flaw Patched in VMware Workstation and Fusion
Man Arrested for Selling Data on 300 Million Victims to Russians
Microsoft Blames Clop Affiliate for PaperCut Attacks
APT Groups Expand Reach to New Industries and Geographies

Tweet of the Week (45:06)
https://twitter.com/vxunderground/status/1651384225692786689

Come on! Like and bloody well subscribe!
