Episodes

  • Episode 209 - The Javvad Is In Big Trouble Episode

    Episode 209 - The Javvad Is In Big Trouble Episode
    Nov 18 2024

    This week in InfoSec (08:24)

    With content liberated from the “today in infosec” twitter account and further afield

    12th November 2012: John McAfee went into hiding because his neighbour, Gregory Faull, was found dead from a gunshot. Belize police wanted him to come in for questioning, but he fled to Guatemala where he was then arrested. He was never charged, though he lost a $25 million wrongful death suit.

    https://x.com/todayininfosec/status/1856538748361515355

    12th November 2000: Bill Gates demonstrates a functional prototype of a Tablet PC. Microsoft claims “the Tablet PC will represent the next major evolution in PC design and functionality.” However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.

    Microsoft Declares Tablets Are the Future

    Rant of the Week (15:41)

    Amazon MOVEit Leaker Claims to Be Ethical Hacker

    A threat actor who posted 2.8 million lines of Amazon employee data last week has taken to the dark web to claim they are doing so to raise awareness of poor security practice.

    The individual, who goes by the online moniker “Nam3L3ss,” claimed in a series of posts to have obtained data from 25 organisations whose data was compromised via last year’s MOVEit exploit.

    Billy Big Balls of the Week (24:12)

    O2's AI granny knits tall tales to waste scam callers' time

    Watch out, scammers. O2 has created a new weapon in the fight against fraud: an AI granny that will keep you talking until you get bored and give up.

    O2, the mobile operator arm of Brit telecoms giant Virgin Media, says it has built the human-like AI to answer calls from fraudsters in real time, keeping them busy on the phone and wasting their time by pretending to be a potential vulnerable target.

    "Daisy" is claimed to be indistinguishable from a real person, fooling scammers into thinking they've found perfect prey thanks to its ability to engage in "human-like" rambling chat, the biz claims.

    For several weeks in the run-up to International Fraud Awareness Week (November 17–23), the AI has already frustrated scam callers with meandering stories about her family and talked at length about her passion for knitting, according to O2.

    Industry News (28:20)

    Amazon MOVEit Leaker Claims to Be Ethical Hacker

    Bank of England U-turns on Vulnerability Disclosure Rules

    Massive Telecom Hack Exposes US Officials to Chinese Espionage

    Microsoft Power Pages Misconfiguration Leads to Data Exposure

    Sitting Ducks DNS Attacks Put Global Domains at Risk

    O2’s AI Granny Outsmarts Scam Callers with Knitting Tales

    Ransomware Groups Use Cloud Services For Data Exfiltration

    Bitfinex Hacker Jailed for Five Years Over Billion Dollar Crypto Heist

    Palo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors

    Tweet of the Week (36:05)

    https://x.com/J4vv4D/status/1856981250306687143

    Come on! Like and bloody well subscribe!
    Show more Show less
    44 mins
  • Episode 208 - The Dedicated to Cesar Romero Episode

    Episode 208 - The Dedicated to Cesar Romero Episode
    Nov 11 2024
    This week in InfoSec (13:28)With content liberated from the “today in infosec” twitter account and further afield5th November 1993: Bugtraq was created by Scott Chasin as a full disclosure vulnerability reporting mailing list at the dawn of the World Wide Web. Bugtraq had an enormous influence on how orgs responded to vuln disclosure and paved the way for a shift which led to bug bounty programs.https://twitter.com/todayininfosec/status/1853799779626578186 5th November 2007: Google introduces the Android platform, its mobile operating system for cell phones based on a modified version of the Linux operating system. The first Android-based phone would ship in September of 2008.https://thisdayintechhistory.com/11/05/android-introduced/ Rant of the Week (18:54) Voted in America? This Site Doxed YouIf you voted in the U.S. presidential election yesterday in which Donald Trump won comfortably, or a previous election, a website powered by a right-wing group is probably doxing you. VoteRef makes it trivial for anyone to search the name, physical address, age, party affiliation, and whether someone voted that year for people living in most states instantly and for free. This can include ordinary citizens, celebrities, domestic abuse survivors, and many other people.Voting rolls are public records, and ways to more readily access them are not new. But during a time of intense division, political violence, or even the broader threat of data being used to dox or harass anyone, sites like VoteRef turn a vital part of the democratic process—simply voting—into a security and privacy threat. Billy Big Balls of the Week (27:09)Schneider Electric ransomware crew demands $125k paid in baguetteshttps://www.theregister.com/2024/11/05/schneider_electric_cybersecurity_incident/Schneider Electric confirmed that it is investigating a breach as a ransomware group Hellcat claims to have stolen more than 40 GB of compressed data — and demanded the French multinational energy management company pay $125,000 in baguettes or else see its sensitive customer and operational information leaked.And yes, you read that right: payment in baguettes. As in bread.Schneider Electric declined to answer The Register's specific questions about the intrusion, including if the attackers really want $125,000 in baguettes or if they would settle for cryptocurrency. A spokesperson, however, emailed us the following statement:"Schneider Electric is investigating a cybersecurity incident involving unauthorised access to one of our internal project execution tracking platforms which is hosted within an isolated environment. Our Global Incident Response team has been immediately mobilised to respond to the incident. Schneider Electric's products and services remain unaffected." Industry News (33:18)Google Cloud to Mandate Multifactor Authentication by 2025IRISSCON: Organizations Still Falling Victim to Predictable Cyber-AttacksDefenders Outpace Attackers in AI AdoptionUK Cybersecurity Wages Soar Above Inflation as Stress Levels RiseNCSC Publishes Tips to Tackle Malvertising ThreatCanada Orders Shutdown of Local TikTok Branch Over Security ConcernsUK Regulator Urges Stronger Data Protection in AI Recruitment ToolsInterlock Ransomware Targets US Healthcare, IT and Government SectorsMajor Oilfield Supplier Hit by Ransomware Attack Tweet of the Week (41:01)https://twitter.com/fesshole/status/1854832499714576399 Come on! Like and bloody well subscribe!
    Show more Show less
    47 mins
  • Episode 207 - The Raw! Live! Uncut! Episode

    Episode 207 - The Raw! Live! Uncut! Episode
    Nov 5 2024

    No notes this week - Andy had ONE job...

    Come on! Like and bloody well subscribe!
    Show more Show less
    48 mins
  • Episode 206 The Sole Founder Episode

    Episode 206 The Sole Founder Episode
    Oct 25 2024

    How does Thom also do the episode notes?

    This week in infosec was about a EULA

    Rant of the week

    https://securityaffairs.com/170125/laws-and-regulations/sec-fined-4-companies-misleading-disclosures-impact-solarwinds-attack.html

    Billy Big Balls

    https://www.theregister.com/2024/10/24/anthropic_claude_model_can_use_computers/

    Some news articles from infosecurity-magazine.com

    Tweet of the week

    https://x.com/thomas_violence/status/1849627627474293148

    Come on! Like and bloody well subscribe!
    Show more Show less
    18 mins
  • Episode 205 The Stone Cold Episode

    Episode 205 The Stone Cold Episode
    Oct 14 2024
    This week in InfoSec (08:29)With content liberated from the “today in infosec” twitter account and further afield10th October 1995: Netscape introduced the "Netscape Bugs Bounty", a program rewarding users who report "bugs" in the beta versions of its recently announced Netscape Navigator 2.0 web browser.Navigator was the dominant browser from 1995-1998, when it was overtaken by Internet Explorer.https://twitter.com/todayininfosec/status/18444662777185566838th October 2008: University student David Kernell was arraigned. He compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, using public info to reset her password, posting her emails to 4chan. He was later found guilty and died from MS complications in 2018.https://twitter.com/todayininfosec/status/1843619068302983592 Rant of the Week (20:24) Cards Against Humanity campaigns to encourage voting, expose personal data abuseUp to $100 for planning to vote and a public smear – how is this not illegal?The troublemakers behind the party game Cards Against Humanity have launched a campaign demonstrating how easy it is to buy sensitive personal data about American voters, while simultaneously encouraging those Americans to plan how to cast a vote in the upcoming presidential election.The "Cards Against Humanity Pays You to Give a Shit" campaign uses US citizens' personal data obtained from a broker to identify whether individuals voted in the 2020 US presidential election and how they lean politically. Those who didn't vote are asked to put info into the website, promise to vote in the upcoming election, make a voting plan, "and publicly post 'Donald Trump is a human toilet'" in exchange for up to $100. Billy Big Balls of the Week (28:42)FBI created a cryptocurrency so it could watch it being abusedThe FBI created its own cryptocurrency so it could watch suspected fraudsters use it – an idea that worked so well it produced arrests in three countriesNews of the Feds' currency, an Ethereum-based instrument named NexFundAI, appeared in a Wednesday Department of Justice announcement that eighteen individuals have been charged "for widespread fraud and manipulation in the cryptocurrency markets."The Feds allege some of the fraud involved "wash trades" – transactions conducted solely to increase the volume of trades in a security or other asset. Rising volumes of trades are often seen as an indicator that a stock is of increasing interest as it has good growth prospects – a signal that can see prices rise. But wash trades are often conducted by related entities, or even the same entity, to create a false market signal – an arrangement also known as "pump and dump." Industry News (34:36) New EU Body to Centralize Complaints Against Facebook, TikTok, YouTubeNew Generation of Malicious QR Codes Uncovered by ResearchersApple’s iPhone Mirroring Flaw Exposes Employee Privacy RisksFormer RAC Employees Get Suspended Sentence for Data TheftInternet Archive Breached, 31 Million Records ExposedMarriott Agrees $52m Settlement for Massive Data BreachEU Adopts Cyber Resilience Act for Connected DevicesOver 10m Conversations Exposed in AI Call Center HackDisinformation Campaign Targets Moldova Ahead of EU Referendum Tweet of the Week (45:07)https://twitter.com/JackRhysider/status/1844502566799085769 Come on! Like and bloody well subscribe!
    Show more Show less
    51 mins
  • Episode 204 - The Umms and Ahhs Episode

    Episode 204 - The Umms and Ahhs Episode
    Oct 7 2024

    This week in InfoSec (10:01)

    With content liberated from the “today in infosec” twitter account and further afield

    27th September 2001: Jan de Wit was sentenced to 150 hours of community service in the Netherlands for creating and spreading the Anna Kournikova virus. It was one of the first of the major viruses created from a virus toolkit - the dawn of cybercrime toolkits.

    https://twitter.com/todayininfosec/status/1839709145282277614

    3rd October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress that one person in the IT department was at fault.

    https://twitter.com/todayininfosec/status/1841893372035838342

    Rant of the Week (14:52)

    It's true, social media moderators do go after conservatives

    Because they're most likely to share crappy misinformation online

    Since Elon Musk bought Twitter nearly two years ago – a $44 billion acquisition he tried to pull out of – the mogul has driven a narrative that moderation of the microblogging website disproportionately targeted conservatives, libertarians, and Trump supporters.

    A scientific paper published in the journal Nature this week confirms that was the case, with justification. The groups more likely to be subjected to moderation were also more likely to share misinformation from low-quality news sites.

    Billy Big Balls of the Week (21:49)

    Use this link to read the story: https://www.404media.co/email/e7ecda94-675a-4538-901f-b2ccb35fe916/?ref=daily-stories-newsletter - the other link below for the show notes (the one above is tied to my account)

    Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox Strangers

    A pair of students at Harvard have built what big tech companies refused to release publicly due to the overwhelming risks and danger involved: smart glasses with facial recognition technology that automatically looks up someone’s face and identifies them. The students have gone a step further too. Their customized glasses also pull other information about their subject from around the web, including their home address, phone number, and family members.

    Industry News (32:05)

    PwC Urges Boards to Give CISOs a Seat at the Table

    Cyber-Attacks Hit Over a Third of English Schools

    ISACA: European Security Teams Are Understaffed and Underfunded

    T-Mobile to Pay $15.75m Penalty for Multiple Data Breaches

    British Hacker Charged in the US For $3.75m Insider Trading Scheme

    Meta Teams Up with Banks to Target Fraudsters

    FIN7 Gang Hides Malware in AI “Deepnude” Sites

    Northern Ireland Police Data Leak Sees Service Fined by ICO

    Microsoft and US Government Disrupt Russian Star Blizzard Operations

    Tweet of the Week (38:52)

    https://twitter.com/iamdevloper/status/1842097858196979989

    Come on! Like and bloody well subscribe!
    Show more Show less
    42 mins
  • Episode 203 - The Too Soon Episode

    Episode 203 - The Too Soon Episode
    Sep 24 2024
    This week in InfoSec (10:44)With content liberated from the “today in infosec” twitter account and further afield18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes.https://twitter.com/todayininfosec/status/1836495262409175187 17th September 2014: Apple announced that the iOS 8 operating system (used on iPhone and iPad) would be architected to prevent it from being technically feasible for the company to extract data from customer devices. A day later Google made a similar announcement pertaining to Android.With iOS 8 Update, Apple Will No Longer Provide User Data to Policehttps://twitter.com/todayininfosec/status/1836071319030374437 Rant of the Week (17:50)No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedomBuried beneath the endless feeds and attention-grabbing videos of the modern internet is a network of data harvesting and sale that's perhaps far more vast than most people realise, and it desperately needs regulation. That's the conclusion the FTC made after spending nearly four years poring over internal data from nine major social media and video streaming corporations in the US.These internet behemoths are collecting vast amounts of data, both on and off their services, and the handling of such data is "woefully inadequate," particularly around data belonging to children and teenagers, the FTC said. Billy Big Balls of the Week (28:06)LinkedIn started harvesting people's posts for training AI without asking for opt-inLinkedIn started harvesting user-generated content to train its AI without asking for permission, angering netizens.Microsoft’s self-help network on Wednesday published a "trust and safety" update in which senior veep and general counsel Blake Lawit revealed LinkedIn's use of people's posts and other data for both training and using its generative AI features.In doing so, he said the site's privacy policy had been updated. We note this policy links to an FAQ that was updated sometime last week also confirming the automatic collecting of posts for training – meaning it appears LinkedIn started gathering up content for its AI models, and opting in users, well before Lawit’s post and the updated privacy policy advised of the changes today. Industry News (35:07) Over Half of Breached UK Firms Pay RansomICO Acts Against Sky Betting and Gaming Over CookiesAT&T Agrees $13m FCC Settlement Over Cloud Data BreachEuropol Taskforce Disrupts Global Criminal Network Through Supply Chain AttackGoogle Street View Images Used For Extortion Scams8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data BreachWestern Agencies Warn Risk from Chinese-Controlled BotnetGoing for Gold: HSBC Approves Quantum-Safe Technology for Tokenized BullionsCybersecurity Skills Gap Leaves Cloud Environments Vulnerable Tweet of the Week (42:39)https://twitter.com/ProfWoodward/status/1837084678836171089 Come on! Like and bloody well subscribe!
    Show more Show less
    47 mins
  • Episode 202 - The Dog Eating Episode

    Episode 202 - The Dog Eating Episode
    Sep 16 2024
    This week in InfoSec (11:25)With content liberated from the “today in infosec” twitter account and further afield12th September 2014: Stephane Chazelas contacted Bash maintainer Chet Ramey about a vulnerability he dubbed "Bashdoor", which later becoming known as Shellshock. It was publicly disclosed 12 days later.Shellshock was kind of a big deal - and the vuln had been in Bash for 25 years!https://x.com/todayininfosec/status/1834293229472416242 9th September 2001: Mark Curphey started OWASP (the Open Web Application Security Project). In 2023 it was renamed the Open Worldwide Application Security Project.https://x.com/todayininfosec/status/1833191889790480500 Rant of the Week (16:33)WhatsApp's 'View Once' could be 'View Whenever' due to a flawA popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code."The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation states."Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared." Billy Big Balls of the Week (27:10)Australia’s government spent the week boxing Big TechThe fun started on Monday when prime minister Anthony Albanese announced his intention to introduce a minimum age for social media, with a preference for the services to be off limits until kids turn 16."I want kids to have a childhood," the PM urged. "I want them off their devices … I want them to have real experiences with real people."Albanese promised legislation to enact the rule will be tabled before Australia's next election, due by 2025. Opposition leader Peter Dutton broadly supported the proposal, which is pitched at parents who are tired of having to protect their kids online. Industry news (34:34)DoJ Distributes $18.5m to Western Union Fraud VictimsPoland's Supreme Court Blocks Pegasus Spyware ProbeUK Recognizes Data Centers as Critical National InfrastructureMastercard Acquires Global Threat Intelligence Firm Recorded Future for $2.65bnTfL Confirms Customer Data Breach, 17-Year-Old Suspect ArrestedIrish Data Protection Regulator to Investigate Google AIMicrosoft Vows to Prevent Future CrowdStrike-Like OutagesRecord $65m Settlement for Hacked Patient PhotosMalicious Actors Spreading False US Voter Registration Breach Claims Tweet of the Week (41:57)https://x.com/MikeTalonNYC/status/1834311262563377553 Come on! Like and bloody well subscribe!
    Show more Show less
    45 mins