The Host Unknown Podcast

The notes go here. I really can't go and look for them right now.  This week in InfoSec is a sticky pickleRant of the Week will have you guessing at who it could possibly be, again…Billy Big Balls is why british men need to take their passport to the bathroom these daysIndustry News is the latest and greatest security news stories from around the worldAndTweet of the Week is well... Thom got it wrong.   Come on! Like and bloody well subscribe!

8th July 2008: Several DNS vendors released patches to mitigate an attack method discovered by Dan Kaminsky which could be used to cause DNS cache poisoning. Kaminsky had discovered the vulnerability 6 months prior and reported it to vendors privately so they could address it. RIP, Dan.https://x.com/todayininfosec/status/194269569127019321110th July 1999: Cult of the Dead Cow (cDc) member DilDog debuted the program Back Orifice 2000 (BO2k) at DEF CON 7. It was the successor to Back Orifice, released by cDc a year prior. DilDog proclaimed it "a remote administration tool for corporate America". https://x.com/todayininfosec/status/1943440335608385876Outsourced Trust: How Coinbase's $400M Problem Started in an Indian Call CenterThe GPS Leak No One Talked About: Uffizio’s Silent ExposureHundreds of Malicious Domains Registered Ahead of Prime DayM&S Chair Details Ransomware Attack, Declines to Confirm if Payment Was MadeChinese State-Sponsored Hacker Charged Over COVID-19 Research TheftQantas Confirms 5.7 Million Customers Hit by Data BreachTribunal Ruling Brings ICO’s £12.7m TikTok Fine CloserFour Arrested in Connection with April UK Retail AttacksTikTok's Handling of EU User Data in China Comes Under Scrutiny AgainLLMs Fall Short in Vulnerability Discovery and ExploitationMPs Warn of “Significant” Iranian Cyber-Threat to UK  https://x.com/krezae/status/1943463109173338558 Come on! Like and bloody well subscribe!

27th June 2007: Live Free or Die Hard was released. Cop John McClane partners with hacker Matt Farrell to stop cyberterrorists trying to take down the US's infrastructure. Traceroute (1337!) is used to find the ringleader's location, then McClane kills him by shooting HIS OWN shoulder.https://x.com/todayininfosec/status/1938731279937057144     1st July 2003: California's data breach notification law went into effect. California became the first US state to require disclosure of breaches of personal information.https://x.com/todayininfosec/status/1940220561080332760 Meta calls €200M EU fine over pay-or-consent ad model 'unlawful' Meet Soham Parekh, the engineer burning through tech by working at three to four startups simultaneously https://x.com/nickvangilder/status/1940110830085054891 Come on! Like and bloody well subscribe!

17th June 1995: Spyglass goes publicWorld Wide Web software producer Spyglass Inc. went public, the year after it had begun distributing its Spyglass Mosaic software, an early browser for navigating the Web. With previous year's earnings at $7 million, Spyglass was founded by students at the Illinois Supercomputing Center, which also inspired Netscape Communications Corp.https://www.computerhistory.org/tdih/june/27/#spyglass-goes-public  26th June 1989: Robert Tappan Morris (who released the Morris worm in 1988) became the first person to be indicted under the US's Computer Fraud and Abuse Act (CFAA), enacted by Congress 3 years earlier. He was later sentenced to three years of probation and fined $10,050https://x.com/todayininfosec/status/1938292354965770278Visiting students can't hide social media accounts from Uncle Sam anymore Meta’s AI training on copyrighted content is ‘fair use’, US judge sayshttps://x.com/filip_dragovic/status/1937932750415086010 Come on! Like and bloody well subscribe!

11th June 1986: Ferris Bueller's Day Off was released. https://x.com/todayininfosec/status/193283823510271631713th June 1994: A Russian hacker group led by Vladimir Levin stole $10.7 million from Citibank via X.25, in what was the first international bank robbery over a network to be made public. Levin was caught in London in 1995 and sentenced in the US to 3 years in prison in 1998. https://x.com/todayininfosec/status/1933504310643773697  “Localhost tracking” explained. It could cost Meta 32 billion. Wanted: Junior cybersecurity staff with 10 years' experience and a PhD Industry News#Infosec2025: Top Six Cyber Trends CISOs Need to KnowHalf of Mobile Users Now Face Daily ScamsResearcher Finds Five Zero-Days and 20+ Misconfigurations in Salesforce CloudHands-On Skills Now Key to Landing Your First Cyber RolePhishing Alert as Erie Insurance Reveals Cyber “Event”Europol Says Criminal Demand for Data is “Skyrocketing”NIST Publishes New Zero Trust Implementation GuidanceMicrosoft 365 Copilot: New Zero-Click AI Vulnerability Allows Corporate Data TheftEuropean Journalists Targeted by Paragon Spyware, Citizen Lab ConfirmsTweet of the weekhttps://bsky.app/profile/brianhonan.bsky.social/post/3lrilyd7rpk2m   Come on! Like and bloody well subscribe!

26th May 1995: Realizing his company had missed the boat in estimating the impact and popularity of the Internet, Microsoft CEO Bill Gates issues a memo titled, “The Internet Tidal Wave,” which signaled the company’s focus on the global network. In the memo, Gates declared that the Internet was the “most important single development” since the IBM personal computer — a development that he was assigning “the highest level of importance.” Still, it is curious why it took someone who was regarded as a technology “innovator” so long to realize this.https://thisdayintechhistory.com/05/26/bill-gates-internet-tidal-wave/30th May 1996: AT&T Announces Video Phone Call System.  AT&T held a meeting to announce a system that would allow personal computers to make and receive video phone calls over standard telephone lines. In years of efforts by AT&T and others to find success in the technology, the AT&T system made use of Intel's Pentium processors and compression software to allow both video and audio information to share a phone line rather than a high-capacity ISDN, T-1, or T-3 line.https://www.computerhistory.org/tdih/may/30/#att-announces-video-phone-call-systemSecurity outfit SentinelOne's services back online after lengthy outageOpenAI model modifies shutdown script in apparent sabotage efforthttps://bsky.app/profile/robmesure.bsky.social/post/3lqcn6kq5oc26  Come on! Like and bloody well subscribe!

 Irish privacy watchdog OKs Meta to train AI on EU folks' postsJudge allows Delta's lawsuit against CrowdStrike to proceed with millions in damages on the linehttps://x.com/fesshole/status/1925815219655233765?s=46&t=1-Sjo1Vy8SG7OdizJ3wVbgAnd of course... can't NOT mention: https://www.bbc.co.uk/iplayer/episode/m002d2lh/inside-the-high-street-cyberattacks  Come on! Like and bloody well subscribe!

As always we will bring you today in infosec, a rant, admire a billy big ball move, talk about industry news, and bring you a tweet or alternatively suitable social media post of the week.Hey, it's hard enough Thom being off that I have to edit and publish this, I need to find an AI to write the notes for me. Love you all, Javvad... now go an subscribe!  Come on! Like and bloody well subscribe!

Episode 219 of the Host Unknown Podcast covers a wide range of humorous and insightful discussions relating to both technology and personal anecdotes. Key segments include a nostalgic look back at significant moments in InfoSec history, as well as a critique of a poorly-constructed analogy between casino strategies and cybersecurity. The hosts also discuss the misadventures of an AI app that wasn't really AI, cyber insurance claims, the fines against TikTok and NSO Group, and the importance of Cyber Essentials certification. The episode is peppered with casual banter about everyday life and observations, making for an entertaining yet informative listen. 00:00 Introduction and Initial Banter 00:57 Podcast Introduction and Missing Guest 01:29 Wrestling Anecdotes and Technical Difficulties 03:04 Travel Plans and Airport Preferences 05:12 Manchester Trip and Quiet Carriage Etiquette 08:58 InfoSec History: Banned from the Internet 11:00 InfoSec History: The Love Letter Virus 14:17 Rant of the Week: Casino Mindset in Security 18:19 Understanding the Author's Perspective 19:19 AI Shopping App Scandal 24:30 Industry News Highlights 26:00 TikTok's Data Transfer Fine 29:08 Meta vs. NSO Group 31:40 Cyber Essentials Certification 35:58 Tweet of the Week 38:23 Conclusion and Farewell Come on! Like and bloody well subscribe!

This week in InfoSec  (10:26)With content liberated from the “today in infosec” twitter account and further afield1st April 1998: Hackers changed the MIT home page to read "Disney to Acquire MIT for $6.9 Billion".https://x.com/todayininfosec/status/1907094503552336134     1st April 2004: The now ubiquitous Gmail service is launched as an invitation-only beta service. At first met with skepticism due to it being launched on April Fool’s Day, the ease of use and speed that Gmail offered for a web-based e-mail service quickly won converts. The fact that Gmail was invitiation-only for a long time helped fueled a mystique that those who had a Gmail address were hip and uber-cool. Those of us who are actually hip and uber-cool didn’t mind, of course, as those types of things don’t bother hip and uber-cool people. https://thisdayintechhistory.com/04/01/gmail-launched/   Rant of the Week (14:07)Kink and LGBT dating apps exposed 1.5m private user images onlinehttps://www.bbc.co.uk/news/articles/c05m5m5v327oResearchers have discovered nearly 1.5 million pictures from specialist dating apps – many of which are explicit – being stored online without password protection, leaving them vulnerable to hackers and extortionists.Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove.These services are used by an estimated 800,000 to 900,000 people.M.A.D Mobile was first warned about the security flaw on 20 January but didn't take action until the BBC emailed on Friday.They have since fixed it but not said how it happened or why they failed to protect the sensitive images. Billy Big Balls of the Week (24:00)Oracle's masterclass in breach comms: Deny, deflect, repeatThere have been some disclosure stinkers in the past. Back in 2016, The Reg discovered that Yahoo! had taken a few years to disclose security snafus that occured in 2013 and 2014, for example. These days we often see organizations simply choose not to publicly address their issues. A quick self-referral to the regulators and some letters sent directly to those affected pass as the bare minimum, and while these organizations won't get any Brownie points for transparency, the approach doesn't tend to invite too much in the way of long-lasting criticism either.When Oracle issued its flat-out denial of the first breach allegations that surfaced from cybercrime forums, it seemed like it was yet another wannabe big-time scriptkiddie making false claims for clout.To make matters worse, Oracle seemingly tried to swerve any flak with some careful semantics. Its original denial stated: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."Infosec experts Kevin Beaumont and Jake Williams later both claimed that Oracle appears to have used the Internet Wayback Machine's archive exclusion process to remove evidence about the intrusion. Industry News (33:25)Google to Switch on E2EE for All Gmail UsersICO Apologizes After Data Protection Response SnafuNorth Korea's Fake IT Worker Scheme Sets Sights on EuropeRoyal Mail Investigates Data Breach Affecting SupplierStripe API Skimming Campaign Unveils New Techniques for TheftOver Half of Attacks on Electricity and Water Firms Are DestructiveAmateur Hacker Leverages Russian Bulletproof Hosting Server to Spread MalwareCrushFTP Vulnerability Exploited Following Disclosure IssuesMajor Online Platform for Child Exploitation Dismantled Tweet of the Week (41:25)https://x.com/MalwareJake/status/1907416667052786110 Come on! Like and bloody well subscribe!

This week in InfoSec  (11:22)With content liberated from the “today in infosec” twitter account and further afield27th February 2002: Timothy Allen Lloyd was sentenced to 41 months in prison for activating a logic bomb at Omega Engineering, 20 days after being fired as a network administrator.https://x.com/todayininfosec/status/1895255588881474024    18th February 2013: Burger King's Twitter account was compromised, had its name changed to McDonalds, and shared offensive tweets. The incident was a...well...Whopper! https://x.com/todayininfosec/status/1891999132866183322 Rant of the Week (17:34)Army soldier suspected of AT&T heist Googled ‘can hacking be treason,’ ‘defecting to Russia’The US Army soldier suspected of compromising AT&T and bragging about getting his hands on President Trump's call logs allegedly tried to sell stolen information to a foreign intel agent.The military man even Google searched for "can hacking be treason," and "US military personnel defecting to Russia," according to prosecutors who argue he poses a serious flight risk and should be detained.Cameron John Wagenius, 21, was arrested in Texas in December, and last week told a federal court judge he intends to plead guilty to unlawfully posting and transferring confidential phone records. Prosecutors have also linked Wagenius to two other men accused of stealing data from more than 150 Snowflake cloud accounts in April 2024, and then demanding payment to keep a lid on that info.After admitting his crimes in court, and showing a willingness to enter a guilty plea, "Wagenius should be detained as both a danger to the community — given his ability to access sensitive datasets — and a serious risk of flight," Uncle Sam's attorneys argued."While engaged in these criminal activities, Wagenius conducted online searches about how to defect to countries that do not extradite to the United States and that he previously attempted to sell hacked information to at least one foreign intelligence service," the documents allege.  Billy Big Balls of the Week (24:32)100-plus spies fired after NSA internal chat board used for kinky sex talkMore than 100 US spies have been fired, and their security clearance revoked, after an internal NSA messaging system was used by staff to chat about their sex lives.After the NSA – the National Security Agency, that is, not the other meaning – confirmed on state media it was "aware of posts that appear to show inappropriate discussions" by intelligence community employees and that "investigations to address this misuse of government systems are ongoing," Trump's Director of National Intelligence Tulsi Gabbard announced more than 100 people had since been terminated.The messaging app in question is the NSA's Intelink, a secure intranet service used by various American military and intelligence teams to share information, including top secret and classified threat intel.Federal workers said to have been involved in the NSFW Intelink chatter included personnel at the NSA, the Defense Intelligence Agency, and US Naval Intelligence."There are over 100 people from across the intelligence community that contributed to and participated in … what is really just an egregious violation of trust," Gabbard told Fox News commentator Jesse Watters Tuesday. "What to speak of, like basic rules and standards around professionalism." Industry News (32:54)Chinese-Backed Silver Fox Plants Backdoors in Healthcare NetworksRansomware Gang Publishes Stolen Genea IVF Patient DataHaveIBeenPwned Adds 244 Million Passwords Stolen By InfostealersSignal May Exit Sweden If Government Imposes Encryption BackdoorDISA Global Solutions Confirms Data Breach Affecting 3.3M PeopleFBI Confirms North Korea’s Lazarus Group as Bybit Crypto HackersOpenSSF Publishes Security Framework for Open Source SoftwareSoftware Vulnerabilities Take Almost Nine Months to PatchDragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen Tweet of the Week (42:59)https://x.com/roytait/status/1895224942565970354 Come on! Like and bloody well subscribe!

This week in InfoSec  (11:10)With content liberated from the “today in infosec” twitter account and further afield4th December 2013: Troy Hunt launched the free-to-search site "Have I Been Pwned? (HIBP)". At launch, passwords from the Adobe, Stratfor, Gawker, Yahoo! Voices, and Sony Pictures breaches were indexed. Today? Billions of  compromised records from hundreds of breaches.https://twitter.com/todayininfosec/status/1864299155583127739     5th December 1996: Julian Assange pleaded guilty to 25 of 31 hacking charges and related charges and was ordered to repay $2,100 to Australian National University. He had been arrested in 1994 for hacking crimes committed in 1991. The court case details weren't released until 2011.https://twitter.com/todayininfosec/status/1864664694243434977 Rant of the Week (17:21)Severity of the risk facing the UK is widely underestimated, NCSC annual review warnsThe number of security threats in the UK that hit the country's National Cyber Security Centre's (NCSC) maximum severity threshold has tripled compared to the previous 12 months.Published Tuesday 3rd December, GCHQ's tech offshoot's 2024 review reveals that 12 incidents topped the NCSC's severity classification system out of a total 430 cases that required support from its Incident Management (IM) team between September 2023 and August 2024. The finding represents a 16 percent increase year-over-year.The number of nationally significant incidents also rose from 62 last year to 89 in the latest data, six of which were caused by exploiting two Palo Alto and Cisco zero-days. This number includes the 12 deemed maximally severe and an undetermined number of attacks on the UK's central government. Billy Big Balls of the Week (25:50)Badass Russian techie outsmarts FSB, flees Putinland all while being tracked with spywareA Russian programmer defied the Federal Security Service (FSB) by publicizing the fact his phone was infected with spyware after being confiscated by authorities.Kirill Parubets was detained in Russia for 15 days after being accused of sending money to Ukraine, during which time the man was beaten and subjected to aggressive efforts to recruit him as an FSB informant on his contacts in Ukraine.According to his account of the story, published with his consent by Toronto University's Citizen Lab and First Department legal organization, he says he was threatened with life imprisonment if he failed to comply with the recruitment drive.In order to secure release, he agreed but before he was indoctrinated he and his wife fled the country. Always keep a second passport, if possible.  Industry News (32:21)Crypto.com Launches Massive $2m Bug Bounty ProgramGerman Police Shutter Country’s Largest Dark Web MarketENISA Launches First State of EU Cybersecurity ReportWirral Hospital Recovery Continues One Week After Cyber IncidentFBI Warns GenAI is Boosting Financial FraudEuropol Dismantles Major Online Fraud Platform in Major Blow to FraudstersDeloitte Denies Breach, Claims Cyber-Attack Targeted Single ClientRomania Exposes TikTok Propaganda Campaign Supporting Pro-Russian CandidateFCC Proposes Stricter Cybersecurity Rules for US Telecoms Tweet of the Week  (43:43) https://twitter.com/McGrewSecurity/status/1865050788369772974 Come on! Like and bloody well subscribe!

This week in InfoSec  With content liberated from the “today in infosec” twitter account and further afield24th November 2014: The Washington Post published an article which included a photo of TSA master keys. A short time later functional keys were 3-d printed using the key patterns in the photo. Oops.https://twitter.com/todayininfosec/status/1860803840620044356   22nd November 2010: Matt Blaze published the PowerPoint slides he was contractually required to submit for his 2011 RSA Security Conference presentation. Matt hates PowerPoint. Take a moment to admire the slides he submitted.https://twitter.com/todayininfosec/status/1860027850369519669 Rant of the Week (12:47)https://www.theregister.com/2024/11/26/third_major_cyber_incident_declared/A UK hospital is declaring a "major incident," cancelling all outpatient appointments due to "cybersecurity reasons."The Wirral University Teaching Hospital NHS Trust, located in North West England, said the so-called "incident" affects the whole Trust, which oversees Wirral Women and Children's Hospital, Clatterbridge Hospital, and Arrowe Park Hospital.Although the tech problems began on Monday, officials confirmed to The Register it is still dealing with the fallout as of Tuesday morning. All outpatient appointments were canceled on Monday and the same decision was made today, according to Arrowe Park and Clatterbridge's social media posting. All patients whose appointments were canceled will be contacted to rearrange them. Billy Big Balls of the Week (20:48)Put your usernames and passwords in your will, advises Japan's governmentJapan's National Consumer Affairs Center on Wednesday suggested citizens start "digital end of life planning" and offered tips on how to do it.The Center's somewhat maudlin advice is motivated by recent incidents in which citizens struggled to cancel subscriptions their loved ones signed up for before their demise, because they didn't know their usernames or passwords. The resulting "digital legacy" can be unpleasant to resolve, the agency warns, so suggested four steps to simplify ensure our digital legacies aren't complicated:Ensuring family members can unlock your smartphone or computer in case of emergency;Maintain a list of your subscriptions, user IDs and passwords;Consider putting those details in a document intended to be made available when your life ends;Use a service that allows you to designate someone to have access to your smartphone and other accounts once your time on Earth ends.The Center suggests now is the time for it to make this suggestion because it is aware of struggles to discover and resolve ongoing expenses after death. With smartphones ubiquitous, the org fears more people will find themselves unable to resolve their loved ones' digital affairs – and powerless to stop their credit cards being charged for services the departed cannot consume.Some entrepreneurs have already identified end of life services as an opportunity. "Dead Man's Switch" apps can be set to contact whomever you choose if you do not sign in to certain accounts after a period you select as a likely indicator of your departure from this world.Meta also offers the chance to nominate a "legacy contact" who can manage your account.Such services aren't just opportunistic: grieving people have a lot on their plate, and executing wills is not always straightforward.  Industry News (31:08)ICO Urges More Data Sharing to Tackle Fraud EpidemicOver a Third of Firms Struggling With Shadow AIDarknet Services Fuel Holiday Scams and E-Commerce ExploitsNHS Trust Declares Major Incident for “Cybersecurity Reasons”Nuclear Decommissioning Authority Opens Sellafield Cyber CenterNew EU Commission to Unveil Healthcare Cybersecurity Plan in First 100 DaysT-Mobile Claims Salt Typhoon Did Not Access Customer DataAlbanian Drug Smugglers Busted After Cops Decrypt CommsUK Justice System Failing Cybercrime Victims, Cyber Helpline Finds Tweet of the Week (39:43)https://bsky.app/profile/mattpotteruk.bsky.social/post/3lbyu4dy3b22f Come on! Like and bloody well subscribe!

This week in InfoSec  (08:24)With content liberated from the “today in infosec” twitter account and further afield12th November 2012: John McAfee went into hiding because his neighbour, Gregory Faull, was found dead from a gunshot. Belize police wanted him to come in for questioning, but he fled to Guatemala where he was then arrested. He was never charged, though he lost a $25 million wrongful death suit.https://x.com/todayininfosec/status/1856538748361515355   12th November 2000: Bill Gates demonstrates a functional prototype of a Tablet PC. Microsoft claims “the Tablet PC will represent the next major evolution in PC design and functionality.” However, the Tablet PC initiative never really took off and it wasn't until Apple introduced the iPad in 2010 that tablet computing was widely adopted.Microsoft Declares Tablets Are the Future Rant of the Week (15:41)Amazon MOVEit Leaker Claims to Be Ethical HackerA threat actor who posted 2.8 million lines of Amazon employee data last week has taken to the dark web to claim they are doing so to raise awareness of poor security practice.The individual, who goes by the online moniker “Nam3L3ss,” claimed in a series of posts to have obtained data from 25 organisations whose data was compromised via last year’s MOVEit exploit. Billy Big Balls of the Week (24:12)O2's AI granny knits tall tales to waste scam callers' timeWatch out, scammers. O2 has created a new weapon in the fight against fraud: an AI granny that will keep you talking until you get bored and give up.O2, the mobile operator arm of Brit telecoms giant Virgin Media, says it has built the human-like AI to answer calls from fraudsters in real time, keeping them busy on the phone and wasting their time by pretending to be a potential vulnerable target."Daisy" is claimed to be indistinguishable from a real person, fooling scammers into thinking they've found perfect prey thanks to its ability to engage in "human-like" rambling chat, the biz claims.For several weeks in the run-up to International Fraud Awareness Week (November 17–23), the AI has already frustrated scam callers with meandering stories about her family and talked at length about her passion for knitting, according to O2. Industry News (28:20)Amazon MOVEit Leaker Claims to Be Ethical HackerBank of England U-turns on Vulnerability Disclosure RulesMassive Telecom Hack Exposes US Officials to Chinese EspionageMicrosoft Power Pages Misconfiguration Leads to Data ExposureSitting Ducks DNS Attacks Put Global Domains at RiskO2’s AI Granny Outsmarts Scam Callers with Knitting TalesRansomware Groups Use Cloud Services For Data ExfiltrationBitfinex Hacker Jailed for Five Years Over Billion Dollar Crypto HeistPalo Alto Networks Confirms New Zero-Day Being Exploited by Threat Actors Tweet of the Week (36:05)https://x.com/J4vv4D/status/1856981250306687143 Come on! Like and bloody well subscribe!

This week in InfoSec (13:28)With content liberated from the “today in infosec” twitter account and further afield5th November 1993: Bugtraq was created by Scott Chasin as a full disclosure vulnerability reporting mailing list at the dawn of the World Wide Web. Bugtraq had an enormous influence on how orgs responded to vuln disclosure and paved the way for a shift which led to bug bounty programs.https://twitter.com/todayininfosec/status/1853799779626578186   5th November 2007: Google introduces the Android platform, its mobile operating system for cell phones based on a modified version of the Linux operating system. The first Android-based phone would ship in September of 2008.https://thisdayintechhistory.com/11/05/android-introduced/ Rant of the Week (18:54)  Voted in America? This Site Doxed YouIf you voted in the U.S. presidential election yesterday in which Donald Trump won comfortably, or a previous election, a website powered by a right-wing group is probably doxing you. VoteRef makes it trivial for anyone to search the name, physical address, age, party affiliation, and whether someone voted that year for people living in most states instantly and for free. This can include ordinary citizens, celebrities, domestic abuse survivors, and many other people.Voting rolls are public records, and ways to more readily access them are not new. But during a time of intense division, political violence, or even the broader threat of data being used to dox or harass anyone, sites like VoteRef turn a vital part of the democratic process—simply voting—into a security and privacy threat. Billy Big Balls of the Week (27:09)Schneider Electric ransomware crew demands $125k paid in baguetteshttps://www.theregister.com/2024/11/05/schneider_electric_cybersecurity_incident/Schneider Electric confirmed that it is investigating a breach as a ransomware group Hellcat claims to have stolen more than 40 GB of compressed data — and demanded the French multinational energy management company pay $125,000 in baguettes or else see its sensitive customer and operational information leaked.And yes, you read that right: payment in baguettes. As in bread.Schneider Electric declined to answer The Register's specific questions about the intrusion, including if the attackers really want $125,000 in baguettes or if they would settle for cryptocurrency. A spokesperson, however, emailed us the following statement:"Schneider Electric is investigating a cybersecurity incident involving unauthorised access to one of our internal project execution tracking platforms which is hosted within an isolated environment. Our Global Incident Response team has been immediately mobilised to respond to the incident. Schneider Electric's products and services remain unaffected." Industry News (33:18)Google Cloud to Mandate Multifactor Authentication by 2025IRISSCON: Organizations Still Falling Victim to Predictable Cyber-AttacksDefenders Outpace Attackers in AI AdoptionUK Cybersecurity Wages Soar Above Inflation as Stress Levels RiseNCSC Publishes Tips to Tackle Malvertising ThreatCanada Orders Shutdown of Local TikTok Branch Over Security ConcernsUK Regulator Urges Stronger Data Protection in AI Recruitment ToolsInterlock Ransomware Targets US Healthcare, IT and Government SectorsMajor Oilfield Supplier Hit by Ransomware Attack Tweet of the Week (41:01)https://twitter.com/fesshole/status/1854832499714576399 Come on! Like and bloody well subscribe!

No notes this week - Andy had ONE job... Come on! Like and bloody well subscribe!

How does Thom also do the episode notes? This week in infosec  was about a EULARant of the weekhttps://securityaffairs.com/170125/laws-and-regulations/sec-fined-4-companies-misleading-disclosures-impact-solarwinds-attack.htmlBilly Big Ballshttps://www.theregister.com/2024/10/24/anthropic_claude_model_can_use_computers/Some news articles from infosecurity-magazine.com Tweet of the week https://x.com/thomas_violence/status/1849627627474293148  Come on! Like and bloody well subscribe!

This week in InfoSec  (08:29)With content liberated from the “today in infosec” twitter account and further afield10th October 1995: Netscape introduced the "Netscape Bugs Bounty", a program rewarding users who report "bugs" in the beta versions of its recently announced Netscape Navigator 2.0 web browser.Navigator was the dominant browser from 1995-1998, when it was overtaken by Internet Explorer.https://twitter.com/todayininfosec/status/18444662777185566838th October 2008: University student David Kernell was arraigned. He compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, using public info to reset her password, posting her emails to 4chan. He was later found guilty and died from MS complications in 2018.https://twitter.com/todayininfosec/status/1843619068302983592 Rant of the Week (20:24) Cards Against Humanity campaigns to encourage voting, expose personal data abuseUp to $100 for planning to vote and a public smear – how is this not illegal?The troublemakers behind the party game Cards Against Humanity have launched a campaign demonstrating how easy it is to buy sensitive personal data about American voters, while simultaneously encouraging those Americans to plan how to cast a vote in the upcoming presidential election.The "Cards Against Humanity Pays You to Give a Shit" campaign uses US citizens' personal data obtained from a broker to identify whether individuals voted in the 2020 US presidential election and how they lean politically. Those who didn't vote are asked to put info into the website, promise to vote in the upcoming election, make a voting plan, "and publicly post 'Donald Trump is a human toilet'" in exchange for up to $100. Billy Big Balls of the Week (28:42)FBI created a cryptocurrency so it could watch it being abusedThe FBI created its own cryptocurrency so it could watch suspected fraudsters use it – an idea that worked so well it produced arrests in three countriesNews of the Feds' currency, an Ethereum-based instrument named NexFundAI, appeared in a Wednesday Department of Justice announcement that eighteen individuals have been charged "for widespread fraud and manipulation in the cryptocurrency markets."The Feds allege some of the fraud involved "wash trades" – transactions conducted solely to increase the volume of trades in a security or other asset. Rising volumes of trades are often seen as an indicator that a stock is of increasing interest as it has good growth prospects – a signal that can see prices rise. But wash trades are often conducted by related entities, or even the same entity, to create a false market signal – an arrangement also known as "pump and dump." Industry News (34:36) New EU Body to Centralize Complaints Against Facebook, TikTok, YouTubeNew Generation of Malicious QR Codes Uncovered by ResearchersApple’s iPhone Mirroring Flaw Exposes Employee Privacy RisksFormer RAC Employees Get Suspended Sentence for Data TheftInternet Archive Breached, 31 Million Records ExposedMarriott Agrees $52m Settlement for Massive Data BreachEU Adopts Cyber Resilience Act for Connected DevicesOver 10m Conversations Exposed in AI Call Center HackDisinformation Campaign Targets Moldova Ahead of EU Referendum Tweet of the Week (45:07)https://twitter.com/JackRhysider/status/1844502566799085769 Come on! Like and bloody well subscribe!

This week in InfoSec  (10:01)With content liberated from the “today in infosec” twitter account and further afield27th September 2001: Jan de Wit was sentenced to 150 hours of community service in the Netherlands for creating and spreading the Anna Kournikova virus. It was one of the first of the major viruses created from a virus toolkit - the dawn of cybercrime toolkits.https://twitter.com/todayininfosec/status/18397091452822776143rd October 2017: A week after he retired as the result of Equifax's data breach, former CEO Richard F. Smith told members of Congress that one person in the IT department was at fault.https://twitter.com/todayininfosec/status/1841893372035838342 Rant of the Week (14:52)It's true, social media moderators do go after conservativesBecause they're most likely to share crappy misinformation onlineSince Elon Musk bought Twitter nearly two years ago – a $44 billion acquisition he tried to pull out of – the mogul has driven a narrative that moderation of the microblogging website disproportionately targeted conservatives, libertarians, and Trump supporters.A scientific paper published in the journal Nature this week confirms that was the case, with justification. The groups more likely to be subjected to moderation were also more likely to share misinformation from low-quality news sites. Billy Big Balls of the Week (21:49)Use this link to read the story: https://www.404media.co/email/e7ecda94-675a-4538-901f-b2ccb35fe916/?ref=daily-stories-newsletter - the other link below for the show notes (the one above is tied to my account)Someone Put Facial Recognition Tech onto Meta's Smart Glasses to Instantly Dox StrangersA pair of students at Harvard have built what big tech companies refused to release publicly due to the overwhelming risks and danger involved: smart glasses with facial recognition technology that automatically looks up someone’s face and identifies them. The students have gone a step further too. Their customized glasses also pull other information about their subject from around the web, including their home address, phone number, and family members. Industry News (32:05)PwC Urges Boards to Give CISOs a Seat at the TableCyber-Attacks Hit Over a Third of English SchoolsISACA: European Security Teams Are Understaffed and UnderfundedT-Mobile to Pay $15.75m Penalty for Multiple Data BreachesBritish Hacker Charged in the US For $3.75m Insider Trading SchemeMeta Teams Up with Banks to Target FraudstersFIN7 Gang Hides Malware in AI “Deepnude” SitesNorthern Ireland Police Data Leak Sees Service Fined by ICOMicrosoft and US Government Disrupt Russian Star Blizzard Operations Tweet of the Week (38:52)https://twitter.com/iamdevloper/status/1842097858196979989 Come on! Like and bloody well subscribe!

This week in InfoSec  (10:44)With content liberated from the “today in infosec” twitter account and further afield18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes.https://twitter.com/todayininfosec/status/1836495262409175187  17th September 2014: Apple announced that the iOS 8 operating system (used on iPhone and iPad) would be architected to prevent it from being technically feasible for the company to extract data from customer devices. A day later Google made a similar announcement pertaining to Android.With iOS 8 Update, Apple Will No Longer Provide User Data to Policehttps://twitter.com/todayininfosec/status/1836071319030374437 Rant of the Week  (17:50)No way? Big Tech's 'lucrative surveillance' of everyone is terrible for privacy, freedomBuried beneath the endless feeds and attention-grabbing videos of the modern internet is a network of data harvesting and sale that's perhaps far more vast than most people realise, and it desperately needs regulation. That's the conclusion the FTC made after spending nearly four years poring over internal data from nine major social media and video streaming corporations in the US.These internet behemoths are collecting vast amounts of data, both on and off their services, and the handling of such data is "woefully inadequate," particularly around data belonging to children and teenagers, the FTC said.  Billy Big Balls of the Week (28:06)LinkedIn started harvesting people's posts for training AI without asking for opt-inLinkedIn started harvesting user-generated content to train its AI without asking for permission, angering netizens.Microsoft’s self-help network on Wednesday published a "trust and safety" update in which senior veep and general counsel Blake Lawit revealed LinkedIn's use of people's posts and other data for both training and using its generative AI features.In doing so, he said the site's privacy policy had been updated. We note this policy links to an FAQ that was updated sometime last week also confirming the automatic collecting of posts for training – meaning it appears LinkedIn started gathering up content for its AI models, and opting in users, well before Lawit’s post and the updated privacy policy advised of the changes today. Industry News (35:07)  Over Half of Breached UK Firms Pay RansomICO Acts Against Sky Betting and Gaming Over CookiesAT&T Agrees $13m FCC Settlement Over Cloud Data BreachEuropol Taskforce Disrupts Global Criminal Network Through Supply Chain AttackGoogle Street View Images Used For Extortion Scams8000 Claimants Sue Outsourcing Giant Capita Over 2023 Data BreachWestern Agencies Warn Risk from Chinese-Controlled BotnetGoing for Gold: HSBC Approves Quantum-Safe Technology for Tokenized BullionsCybersecurity Skills Gap Leaves Cloud Environments Vulnerable Tweet of the Week  (42:39)https://twitter.com/ProfWoodward/status/1837084678836171089 Come on! Like and bloody well subscribe!