Episode 202 - The Dog Eating Episode
Description
This week in InfoSec (11:25)
With content liberated from the “today in infosec” Twitter account and further afield
12th September 2014: Stephane Chazelas contacted Bash maintainer Chet Ramey about a vulnerability he dubbed "Bashdoor", which later became known as Shellshock. It was publicly disclosed 12 days later.
Shellshock was kind of a big deal - and the vuln had been in Bash for 25 years!
https://x.com/todayininfosec/status/1834293229472416242
9th September 2001: Mark Curphey started OWASP (the Open Web Application Security Project). In 2023 it was renamed the Open Worldwide Application Security Project.
https://x.com/todayininfosec/status/1833191889790480500
Rant of the Week (16:33)
WhatsApp's 'View Once' could be 'View Whenever' due to a flaw
A popular privacy feature in WhatsApp is "completely broken and can be trivially bypassed," according to developers at cryptowallet startup Zengo.
According to cofounder Tal Be'ery, his team was building a web interface when they discovered a flaw in WhatsApp's View Once. While the feature was supposed to be limited to platforms where the necessary controls could be enforced, such as mobile clients, the WhatsApp API server didn't properly enforce it.
The server would still send these messages to other platforms, but they couldn't be viewed - unless someone fiddled with the code.
"The View [O]nce media messages are technically the same as regular media messages, only with the “view once” flag set," the technical explanation states.
"Which means it’s the virtual equivalent of putting a note on the picture that says 'don’t look.' All that is required for attackers to circumvent it, is merely to set this flag to false and the media become regular and can be downloaded, forwarded and shared."
Billy Big Balls of the Week (27:10)
Australia’s government spent the week boxing Big Tech
The fun started on Monday when prime minister Anthony Albanese announced his intention to introduce a minimum age for social media, with a preference for the services to be off limits until kids turn 16.
"I want kids to have a childhood," the PM urged. "I want them off their devices … I want them to have real experiences with real people."
Albanese promised legislation to enact the rule will be tabled before Australia's next election, due by 2025. Opposition leader Peter Dutton broadly supported the proposal, which is pitched at parents who are tired of having to protect their kids online.
Industry news (34:34)
DoJ Distributes $18.5m to Western Union Fraud Victims
Poland's Supreme Court Blocks Pegasus Spyware Probe
UK Recognizes Data Centers as Critical National Infrastructure
Mastercard Acquires Global Threat Intelligence Firm Recorded Future for $2.65bn
TfL Confirms Customer Data Breach, 17-Year-Old Suspect Arrested
Irish Data Protection Regulator to Investigate Google AI
Microsoft Vows to Prevent Future CrowdStrike-Like Outages
Record $65m Settlement for Hacked Patient Photos
Malicious Actors Spreading False US Voter Registration Breach Claims
Tweet of the Week (41:57)
https://x.com/MikeTalonNYC/status/1834311262563377553
Come on! Like and bloody well subscribe!