The Host Unknown Podcast
Host Unknown, Javvad Malik, Andrew Agnes, Thom Langford
Host Unknown is the unholy alliance of the old, the new and the rockstars of the infosec industry in an internet-based show that tries to care about issues in our industry. It regularly fails.
With presenters that have an inflated opinion of their own worth and a production team with a pathological dislike of them (or “meat puppets” as it often refers to them), it is with a combination of luck and utter lack of good judgement that a show is ever produced and released.
Host Unknown is available for sponsorship, conferences, other web shows or indeed anything that pays a little bit of money to keep the debt collectors away. You can contact them at contact@hostunknown.tv for details
Episodes

Feb 3, 2023 • 50min
Episode 138 - The Good Furniture Guide Episode
This week in InfoSec (11:52)
With content liberated from the “today in infosec” twitter account and further afield

31st January 1995: AT&T and VLSI Protect Against Eavesdropping
AT&T Bell Laboratories and VLSI Technology announce plans to develop strategies for protecting communications devices from eavesdroppers. The goal would be to prevent problems such as insecure cellular phone lines and Internet transmissions by including security chips in devices.

30th January 1982: First Computer Virus Written
Richard Skrenta writes the first PC virus code, which is 400 lines long and disguised as an Apple II boot program called “Elk Cloner“.

Rant of the Week (18:22)
Anker finally comes clean about its Eufy security cameras
First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn’t answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams — among other questions — we would publish a story about the company’s lack of answers.

It worked.

In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.

But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.

That’s not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it’s bringing in outside security and penetration testing companies to audit Eufy’s practices, is in talks with a “leading and well-known security expert” to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail.

Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It’s a little hard to take the company at its word!

Billy Big Balls of the Week (31:34)
FBI says it ‘hacked the hackers’ of a ransomware service, saving victims $130 million
The Department of Justice announced this week that FBI agents successfully disrupted Hive, a notorious ransomware group, and prevented $130 million worth of ransom campaigns that targets no longer need to consider paying. While claiming the Hive group has been responsible for targeting over 1,500 victims in over 80 countries worldwide, the department now reveals it had infiltrated the group’s network for months before working with German and Netherlands officials to shut down Hive servers and websites this week.

“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco remarked during a press conference.

The FBI claims that by covertly hacking into Hive servers, it was able to quietly snatch up over 300 decryption keys and pass them back to victims whose data was locked up by the group. US Attorney General Merrick Garland said in his statement that in the last few months, the FBI used those decryption keys to unlock a Texas school district facing a $5 million ransom, a Louisiana hospital that had been asked for $3 million, and an unnamed food services company that faced a $10 million ransom.

Industry News (37:32)
Thriving Dark Web Trade in Fake Security Certifications
Almost all Organizations are Working with Recently Breached Vendors
Google Fi Confirms Data Breach, Hints At Link to T-Mobile Hack
City of London on High Alert After Ransomware Attack
Researchers Warn of Crypto Scam Apps on Apple App Store
Lazarus Group Attack Identified After Operational Security Fail
Women in CyberSecurity Calls for Participants for New Measuring Inclusion Workshops
Arnold Clark Confirms Customer Data Compromised in Breach
Threat Actors Use ClickFunnels to Bypass Security Services

Tweet of the Week (45:41)
https://twitter.com/StateOfLinkedIn/status/1621258534062006276
Come on! Like and bloody well subscribe!

Jan 29, 2023 • 49min
Episode 137 - The Beep Beep Boop Boop Episode
This week in InfoSec (10:35)
With content liberated from the “today in infosec” twitter account and further afield

16th January 1983: Lotus 1-2-3 Goes on Sale
The Lotus Development Corporation releases Lotus 1-2-3 for IBM computers. While not the first spreadsheet program, Lotus was able to develop 1-2-3 because the creators of VisiCalc, the first spreadsheet, did not patent their software. 1-2-3 outsold VisiCalc by the end of the year and 2 years later Lotus bought out the assets of VisiCalc and hired its main creator as a consultant.

25th January 1979: Robot Kills Auto Worker
Robert Williams of Michigan was the first human to be killed by a robot. He was 25 years old. The accident at the Ford Motor Company resulted in a $10 million lawsuit. The jury deliberated for two-and-a-half hours before announcing the decision against Unit Handling Systems, a division of Litton Industries. It ordered the manufacturer of the one-ton robot that killed Williams to pay his family $10 million. The robot was designed to retrieve parts from storage, but its work was deemed too slow. Williams was retrieving a part from a storage bin when the robot's arm hit him in the head, killing him instantly. In the suit, the family claimed the robot had no safety mechanisms, lacking even a warning noise to alert workers that it was nearby.

21st January 1981: It Could Go at Least 88 MPH
Production of the iconic DeLorean DMC-12 sports car begins in Dunmurry, Northern Ireland. While not truly a technological achievement, the DeLorean became known as a symbol of the high-tech 1980s.

Daves - https://twitter.com/HackingDave/status/1458576672341516290?s=20&t=SfemFgw0mfQ_eeuljrj6EA

Rant of the Week (18:35)
MSG probed over use of facial recognition to eject lawyers from show venues
The operator of Madison Square Garden and Radio City Music Hall is being probed by New York's attorney general over the company's use of facial recognition technology to identify and exclude lawyers from events. AG Letitia James' office said the policy may violate civil rights laws.

Because of the policy, lawyers who work for firms involved in litigation against MSG Entertainment Corp. can be denied entry to shows or sporting events, even when they have no direct involvement in any lawsuits against MSG. A lawyer who is subject to MSG's policy may buy a ticket to an event but be unable to get in because the MSG venues use facial recognition to identify them.

In December, attorney Kelly Conlon was denied entry into Radio City Music Hall in New York when she accompanied her daughter's Girl Scout troop to a Rockettes show. Conlon wasn't personally involved in any lawsuits against MSG but is a lawyer for a firm that "has been involved in personal injury litigation against a restaurant venue now under the umbrella of MSG Entertainment," NBC New York reported.

James' office sent a letter Tuesday to MSG Entertainment, noting reports that it "used facial recognition software to forbid all lawyers in all law firms representing clients engaged in any litigation against the Company from entering the Company's venues in New York, including the use of any season tickets."

"We write to raise concerns that the Policy may violate the New York Civil Rights Law and other city, state, and federal laws prohibiting discrimination and retaliation for engaging in protected activity," Assistant AG Kyle Rapiñan of the Civil Rights Bureau wrote in the letter. "Such practices certainly run counter to the spirit and purpose of such laws, and laws promoting equal access to the courts: forbidding entry to lawyers representing clients who have engaged in litigation against the Company may dissuade such lawyers from taking on legitimate cases, including sexual harassment or employment discrimination claims."

The AG's office also said it is concerned that "facial recognition software may be plagued with biases and false positives against people of color and women." The letter asked MSG Entertainment to respond by February 13 "to state the justifications for the Company's Policy and identify all efforts you are undertaking to ensure compliance with all applicable laws and that the Company's use of facial recognition technology will not lead to discrimination."

Billy Big Balls of the Week (32:11)
DoNotPay Retires 'Robot Lawyer' Before It Even Has Its First Case
If you’ve been fantasizing about the day when artificial intelligence could get you out of paying traffic tickets, you’ll just have to keep dreaming. DoNotPay has backed out of its plans to use an AI-powered “robot lawyer” to counsel a defendant through a courtroom hearing in real time. The reason why? Well, apparently the law got in the way of the robot’s lawyering.

The company’s founder and CEO, Joshua Browder, first announced the news in a Wednesday tweet. “After receiving threats from State Bar prosecutors, it seems likely they will put me in jail for 6 months if I follow through with bringing a robot lawyer into a physical courtroom,” he wrote. In a phone call with Gizmodo, Browder reiterated his view that, were he to follow through on his initial promises, he’d likely end up with a prison sentence.

Industry News (36:28)
WhatsApp Hit with €5.5m fine for GDPR Violations
New Cheats May Emerge After Riot Games Hack
Regulator Stress Test Highlights Cyber Insurance Concerns
Ticketmaster Claims Bot Attack Disrupted Taylor Swift Tour Sales
Yahoo Overtakes DHL As Most Impersonated Brand in Q4 2022
North Korean Group TA444 Shows 'Startup' Culture, Tries Numerous Infection Methods
NCSC: Iranian and Russian Groups Targeting Government, Activists and Journalists With Spearphishing
Zacks Investment Research Confirms Breach Affecting 820,000 Customers
Iranian Group Cobalt Sapling Targets Saudi Arabia With New Persona
https://scambusters.org/scambusters19.html < 1997 Yahoo award scam

Tweet of the Week (44:18)
https://twitter.com/cybergibbons/status/1618672522853240833
Come on! Like and bloody well subscribe!

Jan 20, 2023 • 43min
Episode 136 - The old man is in New York
This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

19th January 1999: BlackBerry Introduced
RIM introduces the BlackBerry. The original BlackBerry devices were not phones, but instead were the first mobile devices that could do real-time e-mail. They looked like big pagers. The way the story goes, the name “BlackBerry” came from the similarity that the buttons on the original device had to the surface of a blackberry fruit. Those crazy Canadians!

17th January 1984: Supreme Court Rules on Home VCR Recordings
The US Supreme Court rules 5-4 that private use of home VCRs to tape TV programs for later viewing does not violate federal copyright laws. This ruling opens the floodgate for VCR sales, changing the landscape of TV watching forever.

Rant of the Week
Mailchimp 'fesses up to second digital burglary in five months
Email marketing service Mailchimp has confirmed intruders have gained access to more than 100 customer accounts after successfully deploying a social engineering attack.

This is the second data spill in five months and yet the company, bought by Intuit for $12 billion in September 2021, continues to tell customers – with a straight face – that it takes the "security of users' data seriously."

The latest digital burglary happened on January 11 when the resident security team spotted an "unauthorized actor accessing one of our tools used by Mailchimp customer-facing teams for customer support and account administration," the company blog states.

Billy Big Balls of the Week
Illegal Solaris darknet market hijacked by competitor Kraken
Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named 'Kraken,' who claims to have hacked it on January 13, 2023.

The Tor site of Solaris currently redirects to Kraken, while blockchain monitoring experts at Elliptic report no movements in the cryptocurrency addresses associated with the site after January 13, 2023.

Taking down competitors
Solaris was a Russian-speaking platform reportedly affiliated with Killnet, a pro-Kremlin hacktivist group that launched several DDoS attacks against organizations in the western world in 2022.

Elliptic has traced several donations from Solaris to Killnet, amounting to more than $44,000 worth of Bitcoin. The DDoS group presumably used this money to purchase more firepower for launching disruptive attacks.

In December 2022, Ukrainian cyber-intelligence analyst Alex Holden claimed to have breached Solaris and stolen $25,000, which was donated to a humanitarian charity in Ukraine.

While Solaris disputed the claims about the hack and called out the lack of evidence, Holden later released more details and leaked source code and databases allegedly associated with the marketplace.

On Friday, January 13, 2023, Kraken announced they had taken over Solaris' infrastructure, GitLab repository, and all project sources, thanks to "several huge bugs in the code."

Kraken's statement claims that it took them three days to steal the clear text passwords and keys stored in Solaris' servers, access its infrastructure located in Finland, and then download everything without anyone stopping them.

Finally, the attackers said they disabled Solaris' Bitcoin server, which aligns with Elliptic's observations in the blockchain.

Industry News
European Businesses Admit Major Privacy Skills Gap
Nissan Supplier Leaked Data on Thousands of Customers
ChatGPT Creates Polymorphic Malware
1000 Shipping Vessels Impacted by Ransomware Attack
Over Four Billion People Affected By Internet Censorship in 2022
FTX: Over $400m Stolen from Bankrupt Exchange
Mailchimp Hit By Another Data Breach Following Employee Hack
ThreatModeler Makes DevSecOps More Accessible With New Marketplace
Roaming Mantis' Hacking Campaign Adds DNS Changer to Mobile App

Tweet of the Week
These are the Google searches Brian Walshe made before and after killing his wife Ana Walshe, according to prosecutors
https://twitter.com/pedramamini/status/1616257197591109633?s=20&t=gQIsTkL_9exHYNvkcVyokg
Come on! Like and bloody well subscribe!

Jan 13, 2023 • 48min
Episode 135 - Better After The Edit
This week in InfoSec (09:55)
With content liberated from the “today in infosec” twitter account and further afield

12th January 1996: Apple posts major loss
Apple Computer announces that it will post a US$68 million first quarter loss. It also announces a restructuring plan to reduce the company by a thousand employees. This event leads to the resignation of Apple CEO Michael Spindler, who is replaced by Gil Amelio. Gil Amelio eventually purchases Steve Jobs’ company, NeXT, which leads to the development of Mac OS X as well as the return of Steve Jobs as Apple CEO.

9th January 2007: Apple introduces iPhone
Apple introduces the iPhone at Macworld. The phone wasn’t available for sale until June 29th, prompting one of the most heavily anticipated sales launches in the history of technology. Apple sold 1.4 million iPhones in 2007, steadily increasing each year to sell over 230 million in 2015 alone.

Rant of the Week (17:25)
Royal Mail, cops probe 'cyber incident' that's knackered international mail
Royal Mail confirmed a "cyber incident" has disrupted its ability to send letters and packages abroad, and also caused some delays on post coming into the UK.

The postal service, and the UK's National Cyber Security Centre and National Crime Agency, issued similar statements about the IT SNAFU on Wednesday, with Royal Mail advising customers to stop sending international mail until it fixed the problem.

"We're experiencing disruption to our international export services and are temporarily unable to dispatch items to overseas destinations," the organisation tweeted. "We strongly advise customers to hold any export items while we work to resolve the issue." Royal Mail added it was "sorry for any disruption this may cause," and would not comment further.

This is a developing story; we'll keep you updated as we confirm any other details.

Lockbit Ransomware - It was Russia!
Royal Mail hit by Russia-linked ransomware attack

Billy Big Balls of the Week (27:24)
VALL-E AI can mimic a person’s voice from a three-second snippet
Microsoft researchers are working on a text-to-speech (TTS) model that can mimic a person's voice – complete with emotion and intonation – after a mere three seconds of training.

The technology – called VALL-E and outlined in a 15-page research paper released this month on the arXiv research site – is a significant step forward for Microsoft. TTS is a highly competitive niche that includes other heavyweights such as Google, Amazon, and Meta.

Redmond is already using artificial intelligence for natural language processing (NLP) through its Nuance business – which it bought for $20 billion last year including both speech recognition and TTS technology. And it's aggressively investing in and using technology from startup OpenAI – including its ChatGPT tool – possibly in its Bing search engine and its Office suite of applications.

A demo of VALL-E can be found on GitHub.

Semi-related - Microsoft Will Likely Invest $10 billion for 49 Percent Stake in OpenAI
This after the report by The Information about how Microsoft plans to integrate ChatGPT and GPT-4 into its software bundles like Word, Outlook, Bing and so forth.

Industry News (33:40)
UK Charities Offered Free Cyber Essentials Support
US Supreme Court Allows WhatsApp to Sue NSO Group
Sensitive Files From San Francisco Transit Police Allegedly Leaked
GitHub Adds Features to Automate Vulnerability Code Scanning
New APT Dark Pink Hits Asia-Pacific, Europe With Spear Phishing Tactics
Royal Mail Halts International Deliveries After Cyber-Incident
Twitter: Leak of 200 Million Accounts Not Due to Historic Bug
Google Chrome 'SymStealer' Vulnerability Could Affect 2.5 Billion Users
The Guardian Confirms UK Staff Data Was Accessed in Ransomware Attack

Tweet of the Week (42:50)
https://twitter.com/IanColdwater/status/1613690189246828544
Come on! Like and bloody well subscribe!

Jan 6, 2023 • 50min
Episode 134 - Happy Birthday The Duchess of Ladywell
This week in InfoSec (07:15)
With content liberated from the “today in infosec” twitter account and further afield

3rd January 2009: The Genesis of Bitcoin
The pseudonymous Bitcoin creator Satoshi Nakamoto mines the first 50 bitcoins, now known as the Genesis Block, six days before the initial release of the bitcoin software and launch of the cryptocurrency network. Bitcoin has become the de-facto digital currency, popular for its decentralized approach because no single entity can control, manipulate, or deactivate the currency and transactions can be highly private yet still remain secure.

1st January 2000: Y2K Comes and Goes
After years of hysteria regarding the Y2K bug, the world’s computers begin using the date 2000 with no major catastrophes. There is still debate whether the “Year 2000 Problem” was overblown by the technology industry or if the frantic updating done by armies of software developers leading up to Y2K averted disaster. I tend to lean towards the latter.

Wrap up of the year:
https://www.computing.co.uk/news/4061865/cyber-computings-biggest-security-stories-2022

Rant of the Week (17:02)
ChatGPT banned in NYC schools over learning impact concerns
The NYC Department of Education has banned the use of ChatGPT by students and teachers in New York City schools as there are serious concerns about its use hampering learning and leading to misinformation.

The organization manages the largest school district in the U.S., so others might follow with similar decisions.

ChatGPT is a next-gen chatbot optimized for dialogue-format user interactions, released by OpenAI in November 2022. The chatbot has been very disruptive for several disciplines, including programming and essay writing.

Another field that AI-based chatbots like ChatGPT are expected to revolutionize is internet searching, as those tools can provide richer answers to search terms and allow users to find what they're looking for using natural language.

Microsoft is reportedly planning to integrate ChatGPT into Bing to give its search engine an edge over competitors like Google Search.

NYC Dept. of Education is worried about the information that ChatGPT may convey to students, specifically the safety and accuracy of its answers. Moreover, the organization fears young students will grow complacent and lack the necessary skills to evaluate information.

Billy Big Balls of the Week (27:01)
WhatsApp adds proxy support to help bypass Internet blocks
WhatsApp now allows users to connect via proxy servers due to Internet shutdowns or if their governments block the service in their country.

The new proxy support option is available to all users running the latest WhatsApp iOS and Android applications.

WhatsApp said that connecting through a proxy will maintain the messages' privacy and security as they will remain protected by end-to-end encryption. This ensures that they can only be read by you and the recipient, with no one in between, like the proxy server, Meta, or WhatsApp, being able to access their contents.

[All this while the outcome of their use of personal data on WhatsApp in Ireland is still awaiting a decision from the courts after they were fined €390 million ($414 million) for misuse of data from Facebook and Instagram]

"Using a proxy doesn't change the high level of privacy and security that WhatsApp provides to all users. Your personal messages and calls will still be protected by end-to-end encryption," the company said on Thursday.

"Our wish for 2023 is that these internet shutdowns never occur. Disruptions like we've seen in Iran for months on end deny people's human rights and cut people off from receiving urgent help," WhatsApp said. "Though in case these shutdowns continue, we hope this solution helps people wherever there is a need for secure and reliable communication."

Industry News (38:39)
LockBit Hands Ransomware Decryptor to Kids' Hospital
NHS is Most Scammed UK Government "Brand"
General Electric Insider Handed Two Years for IP Theft
Rail Tech Giant Wabtec Discloses Global Data Breach
Meta to Appeal €390m GDPR Fine
Cops Catch Serial Child Abuser After Tech Breakthrough
Over 200 Million Twitter Users' Details Leaked on Hacker Forum
Five Guys Discloses Data Breach Affecting Employee PII
Hackers Leverage Compromised Fortinet Devices to Distribute Ransomware
https://www.bbc.com/news/uk-england-gloucestershire-63637883

Tweet of the Week (45:53)
https://twitter.com/igb/status/1611057796606488577
Come on! Like and bloody well subscribe!

Dec 16, 2022 • 49min
Episode 133 - The Last Show of the Year Show
This week in InfoSec (09:44)
With content liberated from the “today in infosec” twitter account and further afield

15th December 1995: AltaVista Launches
Developed by researchers at Digital Equipment Research Laboratories, the AltaVista search engine is launched. It was the first world wide web search service to gain significant popularity. One of the most popular search engines in the early world wide web, Google didn’t overtake AltaVista until 2001. AltaVista was eventually purchased by Yahoo! in 2003.

11th December 1989: Joseph Lewis Popp allegedly mailed floppy disks to the UK which were labelled "AIDS Information Introductory Diskette". Surprise! The AIDS trojan on the disks demanded $189 to "renew the licence" by sending payment to a post office box in Panama. Virus Bulletin
https://twitter.com/todayininfosec/status/1469660348928167943

Rant of the Week (17:02)
Internal Note: [You’ll need to read this story first for background if you’re not familiar - Rackspace confirms ransomware attack behind days-long email meltdown]

On the 12th day of the Rackspace email disaster, it did not give to me … a working Exchange inbox tree
There's no end – or restored data – in sight for some Rackspace customers now on day 12 of the company's ransomware-induced hosted Exchange email outage.

In the service provider's most recent update, posted at 0844 Eastern Time on Wednesday, Rackspace said it had hired CrowdStrike to investigate the fiasco, and noted it continues "to make all of our internal and external resources available to provide support to the remaining Hosted Exchange customers."

Rackspace did not, however, say if or when it expects to recover people's data that was lost or scrambled when ransomware hit its systems – an attack that took down some of Rackspace's hosted Microsoft Exchange services on December 2. Since then, affected customers have been unable to get at their data held in the hosted service.

"We understand how important data recovery is to our customers," Rackspace wrote. "In ransomware attacks, data recovery efforts do necessarily take significant time, both due to the nature of the attack and need to follow additional security protocols. We will continue to keep you updated on these efforts."

Billy Big Balls of the Week (27:19)
SEC charges crew of social media influencers with $100m fraud
Eight braggadocious social media influencers fond of posing next to sportscars are facing charges from the US Securities and Exchange Commission (SEC) and Department of Justice (DoJ), who claim they manipulated their 1.5 million followers in order to help themselves to $100 million in "fraudulent profits."

The suspects, all men in their twenties and thirties, were charged with conspiracy to commit securities fraud in connection with a long-running, social media-based "pump and dump" scheme, a recently unsealed Texas federal grand jury indictment [PDF] and an SEC complaint [PDF] revealed.

The SEC alleged the suspects used Twitter and Discord to manipulate exchange-traded stocks in a $100 million securities fraud scheme, detailing some pretty amusing excerpts from exchanges it claims took place between individuals in the group.

"We're robbing f*cking idiots of their money."

The commission claimed the defendants sometimes discussed their scheme over Discord voice chats that they "believed were private, but which were in fact being recorded."

OR

Here's something communism is good at: Making smartphones less annoying
This week the kings of the Middle Kingdom issued directives to address some of the biggest annoyances associated with smartphones applications: copycat apps and bloatware.

On Monday the Cyberspace Administration of China (CAC) launched a campaign it said would "rectify chaos" in smartphone apps by cracking down on several behaviors such as publication of "copycat apps" that use logos, pictures or text similar to existing apps to deceive users and potentially collect personal data and app subscription fees.

The CAC also plans to rectify dodgy ranking practices, and apps that lure people in with sexually suggestive or vulgar home pages. Apps distributed by QR code, rather than through app stores, are also in trouble.

But wait, there's more! CAC will prevent auto downloads or installations without user consent. Apps that misrepresent their function or content are in the firing line as well. As are apps that tempt users with promises of making money.

Excessive pop-ups, functions that serve as an obstacle to removing apps or forced renewals, and fake free trials are all on their way out.

In the usual style of the CAC, the regulator did not specify how it would accomplish its goals, instead using phrases like "severely punish," "strictly regulate," and "crack down." Given the authoritarian nature of the regime, though, these terms should be taken pretty much at face value.

Industry News (35:12)
North Korean Hackers Impersonate Researchers to Steal Intel
HSE Cyber-Attack Costs Ireland $83m So Far
Security Overlooked in Rush to Hybrid Working
Experts Warn ChatGPT Could Democratize Cybercrime
Uber Hit By New Data Breach After Attack on Third-Party Vendor
Twitter Addresses November Data Leak Claims
Signed Microsoft Drivers Used in Attacks Against Businesses
Loan Scam Campaign 'MoneyMonger' Exploits Flutter to Hide Malware
Senate Approves Bill Banning TikTok From US Government Devices

Tweet of the Week (44:05)
https://twitter.com/davenewworld_2/status/1603107286960029696
Come on! Like and bloody well subscribe!

Dec 9, 2022 • 52min
Episode 132 - The Dan Cuthbert Keynote Episode
This week in InfoSec (11:40)
With content liberated from the “today in infosec” twitter account and further afield

7th December 1999: RIAA Sues Napster
The Recording Industry Association of America sues the peer-to-peer file sharing service Napster alleging copyright infringement for allowing users to download copyrighted music for free. The RIAA would eventually win injunctions against Napster forcing the service to suspend operations and eventually file bankruptcy. In the end the RIAA and its members would settle with Napster’s financial backers for hundreds of millions of dollars.

While the case was ostensibly about copyright violations, the bigger picture for the RIAA was also about control. The recording industry in general was caught with its pants down when it came to digital music and the Internet. They were not prepared for the sudden popularity of digital music downloads that Napster introduced and were not ready with a model to monetise downloaded music. This lawsuit, along with future lawsuits targeting individuals, was intended to squash the practice of downloading music as much as it was to recover compensation. However, the practice of downloading music could not be stopped as other non-centralised peer-to-peer file sharing services popped up in place of Napster.

4th December 2001: Goner Worm Hits the Internet
Disguised as a screen saver and spread through an infected user’s Microsoft Outlook e-mail software, the Goner worm spreads through the Internet at a pace second only to the Love Bug virus the previous year. Goner was estimated to cause about $80 million in damage.

Rant of the Week (20:41)
Egad, did Apple do something right? End-to-end encryption for (most) iCloud services
Apple says it will provide end-to-end encryption for most iCloud services, having abandoned its previously announced – and then quietly shelved – plan to check the legality of on-device photos prior to cloud synchronisation.

Cupertino announced three security enhancements on Wednesday, one of which it calls Advanced Data Protection. "Advanced Data Protection is Apple's highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices," explained Ivan Krstić, Apple’s head of security engineering and architecture, in a canned statement.

Apple already offers end-to-end (E2E) encryption by default for 14 iCloud services, including passwords in iCloud Keychain and Health data. But the iBiz has not made E2E encryption broadly available for iCloud, preferring instead to retain access to a significant amount of the customer data on company servers. That has suited law enforcement authorities, who continue to worry aloud about being left in the dark by encryption.

Billy Big Balls of the Week (31:57)
Brief update on last week's story: San Francisco terminates explosive killer cop bots
San Francisco legislators this week changed course on their killer robot policy, banning the police from using remote-control bots fitted with explosives. For now.

On Tuesday, the city's Board of Supervisors voted unanimously to explicitly prohibit lethal force by police robots following a public backlash and worldwide media attention. Under a previously approved policy, SF police robots under human control could have used explosives to kill suspects. The droids were not allowed to use guns.

States label TikTok 'a malicious and menacing threat'
Two more US states have launched aggressive action against made-in-China social media app TikTok.

Texas on Wednesday banned the app from government devices, with governor Greg Abbott ordering [PDF] the ban "to protect sensitive information and critical infrastructure from TikTok."

"TikTok harvests vast amounts of data from its users' devices – including when, where, and how they conduct internet activity – and offers this trove of potentially sensitive information to the Chinese government," Abbott wrote.

Which is tame compared to the actions and language used by Indiana's attorney-general, who has decided to sue the Chinese social media platform – twice!

TikTok's Chinese analog, Douyin, contains many more safeguards – including required youth modes, real name authentications, bans on minors viewing live broadcasts, prevention of salacious material and restrictions on how long and when minors can access the app. Chinese users under the age of 14 are limited to 40 minutes of daily use, between 0600 and 2200. Users in the US have no limit and spend an average of 99 minutes per day on TikTok, according to the office of the AG.

"In short, TikTok poses known risks to young teens that TikTok's parent company itself finds inappropriate for Chinese users who are the same age," argues the complaint.

Industry News (38:41)
Gen Z Internet Users "Normalize" Cybercrime - Report
Swiss Government Wants to Implement Mandatory Duty to Report Cyber-Attacks
Supply Chain Web Skimming Attacks Hit Dozens of Sites
Russia's VTB Bank Suffers its Biggest Ever DDoS
ICO Fines Rogue Nuisance Callers £500,000
UK Government Department Using Unsupported Applications, Reveals Watchdog
NZ Privacy Commissioner Investigates Mercury IT Ransomware Attack
Pet Dog Unmasks Drug Trafficker on Encrypted Chat
Apple Introduces New Data Protections to Increase Cloud Security

Tweet of the Week (46:07)
https://twitter.com/_noid_/status/1600135215225053184
https://twitter.com/jomc/status/1600637738352627713
Come on! Like and bloody well subscribe!

Dec 2, 2022 • 49min
Episode 131 - The Spousal Audit Episode
This week in InfoSec (06:17)
With content liberated from the “today in infosec” twitter account and further afield

27th November 1995: Microsoft Shipped Internet Explorer 2.0
Microsoft Corp. shipped Internet Explorer 2.0, starting a browser war with the popular Netscape Navigator. Netscape Communications Corp. had had a virtual monopoly on World Wide Web browsers since the infancy of the web. The Netscape Navigator and Communicator browsers serve as a format for viewing and creating World Wide Web pages, as well as participating in newsgroups and sending e-mail. Microsoft promoted its Internet Explorer with specific mention of its privacy and encryption features (such as support for SSL).
Chrome browser has a New Year’s resolution: HTTPS by default (2020)

24th November 2014: The Washington Post published an article which included a picture of TSA master keys. As a result, a short time later functional keys were 3D-printed using the [unblurred] key patterns displayed in the picture.
The secret life of baggage: Where does your luggage go at the airport?
(Image since changed)
https://twitter.com/todayininfosec/status/1198722561355337728

Rant of the Week (18:41)
Australia will now fine firms up to AU$50 million for data breaches
The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers who suffered large-scale data breaches.
The financial penalty introduced by the new bill is set to whichever is greater:
AU$50 million [approximately $34m USD for context]
Three times the value of any benefit obtained through the misuse of information
30% of a company's adjusted turnover in the relevant period
Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms.
The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country.
"The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month," reads the media announcement.
"These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect."
The most notable incidents were the Optus telecommunication provider data breach that impacted 11 million people and the Medibank insurance firm ransomware attack that exposed the data of 9.7 million.
Apart from setting higher fines, the new bill also gives greater powers to the Office of the Australian Information Commissioner (OAIC) to get more involved in the privacy breach resolution and scope determination process.

Billy Big Balls of the Week (28:19)
San Francisco lawmakers approve lethal robots, but they can't carry guns
San Francisco police can deploy so-called "killer robots" following a Board of Supervisors' vote on Tuesday, clearing the cops to use robots equipped with explosives in extreme situations.
The robots primarily will be used to neutralize and dispose of bombs, and provide video reconnaissance, according to San Francisco Supervisor Rafael Mandelman. He added that none of the robots will carry guns, "and SFPD has no plans to attach firearms," in a Twitter thread after the vote. "However, in extreme circumstances it is conceivable that use of a robot might be the best and only way of dealing with a terrorist or mass shooter," Mandelman said.
Such a situation has happened before. In July 2016 a mass-shooting incident left five police officers dead and another 11 people wounded, and the suspect was cornered in a local building. Police strapped an explosive charge onto a bomb-disposal robot, which detonated near the suspect, killing him.
[One particular comment on this which made me chuckle was: “Considering American cops can't even go into an active shooter situation to save schoolchildren, I assume this will be the first course of action for anything above a parking ticket.”] - *Shots fired* (but not by the Texas police)

Industry News (34:48)
Experts Find 16,000+ Scam FIFA World Cup Domains
Ireland’s DPC Fines Meta €265m Following Large-Scale Data Leak
Let's Encrypt Issues Three Billionth Certificate
Australian Parliament Passes Privacy Penalty Bill
Majority of US Defense Contractors Not Meeting Basic Cybersecurity Requirements
Researchers Accidentally Crash Cryptomining Botnet
Eight Charged with $30m Unemployment Benefits Fraud
UK Extends NIS Regulations to IT Managed Service Providers
WhatsApp Files on Dark Web Show Millions of Records For Sale

Tweet of the Week (43:40)
https://twitter.com/hackinarticles/status/1597820497856643072
Come on! Like and bloody well subscribe!

Nov 25, 2022 • 44min
Episode 130 - The Jingle Free Episode
This week in InfoSec (11:48)
With content liberated from the “today in infosec” twitter account and further afield

24th November 1998: AOL announces it will buy Netscape Communications
AOL announces it will buy Netscape Communications in a stock-for-stock deal worth approximately $4.2 billion. At the time it was considered a good move by AOL and Netscape to merge forces to better compete with Microsoft in the browser and Internet provider markets. However, Microsoft’s dominance in the personal computer market could not be stopped and the Netscape browser lost almost all market share to Internet Explorer. In 2003 Microsoft settled a monopoly lawsuit with AOL (then merged with Time Warner) for $750 million over the loss of value of Netscape. AOL itself, once a dominant Internet Service Provider, slowly lost its subscriber base with the evolution of broadband Internet in the 2000s and operates primarily as a media conglomerate, although its dial-up service still had approximately 2 million subscribers as of 2013. In 2015 that went up to 2.1 million but is now reported to be in the thousands.

21st November 2017: It was reported that Uber had concealed a massive hack that exposed data of 57m users and drivers 13 months previously.

Rant of the Week (17:17)
Tax filing websites have been sending users’ financial information to Facebook
Major tax filing services such as H&R Block, TaxAct, and TaxSlayer have been quietly transmitting sensitive financial information to Facebook when Americans file their taxes online, The Markup has learned.
The data, sent through widely used code called the Meta Pixel, includes not only information like names and email addresses but often even more detailed information, including data on users’ income, filing status, refund amounts, and dependents’ college scholarship amounts.
The information sent to Facebook can be used by the company to power its advertising algorithms and is gathered regardless of whether the person using the tax filing service has an account on Facebook or other platforms operated by its owner Meta.

Billy Big Balls of the Week (25:37)
Meta links US military to fake social media influence campaigns
In its latest quarterly threat report, Meta said it had detected and disrupted influence operations originating in the US, and it calls out those it believes are responsible: the American military.
Meta said it picked up on three major covert influence operations on its platforms in the third quarter of the year, the first of which originated in the United States.
Meta previously reported on secretive influence ops being performed by the US in August, but didn't specify anything about its observations at the time outside of saying they originated within the country.
Now, however, the social media giant is getting more specific. "Although the people behind this operation attempted to conceal their identities and coordination, our investigation found links to individuals associated with the US military," Meta said in the report [PDF].

Police text 70,000 victims in UK's biggest anti-fraud operation
Detectives have begun contacting 70,000 people suspected of being victims of a sophisticated banking scam.
The Metropolitan Police is sending text messages to mobile phone users it believes spoke with fraudsters pretending to be their bank.
Met Commissioner Sir Mark Rowley described an "enormous endeavour" in gathering evidence after the discovery of an online fraud network.
There have been more than 100 arrests so far, and one man has been charged.
People who receive a text message in the next 24 hours will be directed to the Action Fraud website to register their details as officers build cases against suspects.
The scam involved fraudsters calling people at random, pretending to be a bank and warning of suspicious activity on their account.
They would pose as employees of banks including Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, NatWest, Nationwide and TSB.
The fraudsters would then encourage people to disclose security information and, through technology, they may have accessed features such as one-time passcodes to clear accounts of funds.
As many as 200,000 people in the UK may have been victims of the scam, police said, with victims losing thousands of pounds, and in one case £3m.

Industry News (32:27)
Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk
UK Privacy Tsar Defends Controversial Enforcement Strategy
Meta Removes Pro-US Accounts in Middle East and Central Asia
Panaseer Launches Guidance on Security Controls Ahead of EU's New Legislation
Russian DDoS Briefly Downs European Parliament Site
UK Cops Lead Action Against Fraud Site that Made £100m+
Cyber Essentials Scheme Set for April 2023 Update
Sonder confirms data breach, documents and other PII potentially compromised
SharkBot Malware Found in Android File Manager Apps With Thousands of Downloads

Tweet of the Week (40:45)
https://twitter.com/TheCollierJam/status/1595388389972496386
Come on! Like and bloody well subscribe!

Nov 18, 2022 • 49min
Episode 129 - The Difficult 129th Album
This week in InfoSec (07:14)
With content liberated from the “today in infosec” twitter account and further afield

12th November 2000: Microsoft Declares Tablets Are the Future
Bill Gates demonstrates a functional prototype of a Tablet PC. Microsoft claims “the Tablet PC will represent the next major evolution in PC design and functionality.” However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.

17th November 2018: US President Donald Trump signed a bill into law, approving the creation of the Cybersecurity and Infrastructure Security Agency (CISA). The bill was the CISA Act.
Trump signs bill that creates the Cybersecurity and Infrastructure Security Agency
https://twitter.com/todayininfosec/status/1328528180500717568

Rant of the Week (18:44)
Germany says nein to Qatari World Cup spyware, err, apps
World Cup apps from the Qatari government collect more personal information than they need to, according to Germany's data protection agency, which this week warned football fans to only install the two apps "if it is absolutely necessary." Also: consider using a burner phone.
The two apps are Ehteraz, a Covid-19 tracker from the Qatari Ministry of Public Health, and Hayya from the government's Supreme Committee for Delivery & Legacy overseeing the Cup locally, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services.
Norway's data protection agency, meanwhile, this week said it was "alarmed by the extensive access the apps require" and warned that Qatari authorities likely use the apps to monitor users' location, in addition to snooping through personal data.
See also: World Cup apps pose a data security and privacy nightmare

Billy Big Balls of the Week (29:05)
Australia to 'stand up and punch back' against cyber crims
Australia's government has declared the nation is planning to go on the offensive against international cyber crooks following recent high-profile attacks on local health insurer Medibank and telco Optus.
The aggressive posture was expressed in the announcement of a "Joint standing operation" that will see the Australian Federal Police and the Australian Signals Directorate (Australia's GCHQ/NSA analog) run a team with a mission "to investigate, target and disrupt cyber-criminal syndicates with a priority on ransomware threat groups."
Minister for Home Affairs and Cyber Security Clare O'Neil said the operation will "scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber-attacks, and disrupt their efforts."
"This is Australia standing up and punching back," she said during an interview on local political talking heads program Insiders. "We are not going to sit back while our citizens are treated like this and allow there to be no consequences for that."
O'Neil said the operation will "for the first time [be] offensively attacking these people."

Industry News (36:10)
T: Google to Pay $392m in Landmark Privacy Case
A: Billbug Targets Government Agencies in Multiple Asian Countries
J: Euro Authorities Warn World Cup Fans Over Qatari Apps
T: Majority of Companies Reduce Cybersecurity Staff Over Holidays
A: Chinese Spy Gets 20 Years for Aviation Espionage Plot
J: US: Iranian Hackers Breached Government with Log4Shell
T: More Than Half of Black Friday Spam Emails Are Scams
A: Hundreds of Amazon RDS Snapshots Discovered Leaking Users' Data
J: Zeus Botnet Suspected Leader Arrested in Geneva

Tweet of the Week (43:30)
https://twitter.com/attritionorg/status/1593487371819192321
https://twitter.com/SoVeryBritish/status/1592554974432866306
Come on! Like and bloody well subscribe!
