The Host Unknown Podcast

Episode 146 - The Hungry Hungry Caterpillar

Episode Summary

This week in InfoSec takes us back to the birth of PCI-DSS.
Rant of the Week is a top 10 hit with our friends at the ICO.
Billy Big Balls aims to make everybody redundant.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweet of the Week underscores the importance of never asking accountants to hire security professionals.

Episode Notes

This Week in InfoSec (08:33)

With content liberated from the “today in infosec” twitter account and further afield

29th March 2010: OpenSSL version 1.0.0 was released. It's easy to take for granted how pervasive the open source library is in the myriad of technologies used to transmit data over the internet and other networks. Take a moment to think about it. 

https://twitter.com/todayininfosec/status/1641215201197412352

25th March 2010: Albert Gonzalez was sentenced to 20 years in prison for stealing credit card data from TJX and other companies. He is currently serving his sentence at FMC Lexington and is scheduled to be released in less than 4 months.

Find an inmate: BOP Register Number 25702-050

https://twitter.com/todayininfosec/status/1639657037935067137  


Rant of the Week (13:55)

NHS Highland 'reprimanded' by data watchdog for BCC blunder with HIV patients

In a classic email snafu, NHS Highland sent messages to 37 patients infected with HIV and inadvertently used carbon copy (CC) instead of blind carbon copy (BCC), meaning the recipients could see each other's email addresses.

This is according to Britain’s data watchdog, the Information Commissioner’s Office, which has “reprimanded” the Health Board, which serves a regional population of some 320,000 people and has an annual operating budget of £780 million ($964 million).

The error took place in June 2019 when a member of staff opened the prior group email, copied all those on the list and emailed a newsletter to the group of 37 "data subjects" (aka patients) without using BCC. Efforts to recall the mail failed.
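What the mistake looks like on the wire, and the pre-send check that would have stopped it, as an added example (not from the show notes and not NHS Highland's mailing setup). Only the To and Cc headers are delivered to every recipient; a correctly behaving client or MTA strips Bcc before sending, and sending one message per recipient removes the shared list altogether. The sender address, the patient addresses and the maximum-visible-recipients threshold are all constructed assumptions for the demonstration.

```python
"""Added example: CC-versus-BCC recipient exposure and a pre-send guard."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample list standing in for the 37 patients in the story.
PATIENTS = [f"patient{i:02d}@example.invalid" for i in range(1, 38)]
SENDER = "clinic@example.invalid"  # hypothetical sender address


def exposed_addresses(msg):
    """Return the set of addresses every recipient will be able to see.

    Only To and Cc travel in the delivered header block. Bcc is removed by a
    correctly behaving client or MTA (smtplib.send_message drops it), so it
    is not counted here. Note that a Bcc header still sits in the draft
    until that stripping happens, which is why per-recipient sends are safer.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def _new_message(sender):
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Clinic newsletter"
    msg.set_content("Newsletter body")
    return msg


def build_cc_newsletter(recipients, sender=SENDER):
    """The mistake described above: the whole list goes in Cc."""
    msg = _new_message(sender)
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    return msg


def build_bcc_newsletter(recipients, sender=SENDER):
    """The intended pattern: the list goes in Bcc, so it is not delivered."""
    msg = _new_message(sender)
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    return msg


def build_individual_newsletters(recipients, sender=SENDER):
    """Safer still: one message per recipient, so no recipient list exists to leak."""
    msgs = []
    for rcpt in recipients:
        msg = _new_message(sender)
        msg["To"] = rcpt
        msgs.append(msg)
    return msgs


def check_before_send(msg, sender=SENDER, max_visible=1):
    """Pre-send guard for sensitive mail-outs.

    Refuses any message whose visible recipients (excluding the sender's own
    address) exceed max_visible. Returns (ok, visible_count).
    """
    visible = exposed_addresses(msg) - {sender.lower()}
    return len(visible) <= max_visible, len(visible)


if __name__ == "__main__":
    leaky = build_cc_newsletter(PATIENTS)
    print("Cc list:", check_before_send(leaky))          # (False, 37)
    print("Bcc list:", check_before_send(build_bcc_newsletter(PATIENTS)))  # (True, 0)
    for m in build_individual_newsletters(PATIENTS):
        assert check_before_send(m) == (True, 1)
    print("per-recipient messages: all pass")
```

The guard is deliberately blunt: for a mail-out that must not reveal who else received it, any message carrying more than one visible recipient is wrong regardless of whether the author reached for Cc by habit or by copying an earlier thread, which is exactly the failure in this story.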

Rather than issuing a £35,000 ($43,000) fine, the ICO is instead taking its “public sector approach” introduced in June 2022: working with senior leaders to “encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong.”

The ICO described the email error as a “serious breach of trust.” In a statement, Stephen Bonner, ICO deputy commissioner for regulatory supervision, said of the mistake:

“The stakes are just too high. Research shows that people living with HIV have experienced stigma or discrimination due to their status, which means organisations dealing with this type of information should take the utmost care with their personal data.

“Every HIV service provider in this country should look at this case and see it as a crucial learning experience. We are calling on organisations to raise their data protection standards and put the appropriate measures in place to keep people safe,” he said.

The ICO said using BCC incorrectly is within the top 10 “non-cyber breaches, with nearly a thousand reported since 2019.” 


Billy Big Balls of the Week (25:06)

Microsoft Security Copilot is a new GPT-4 AI assistant for cybersecurity

After announcing an AI-powered Copilot assistant for Office apps, Microsoft is now turning its attention to cybersecurity. Microsoft Security Copilot is a new assistant for cybersecurity professionals, designed to help defenders identify breaches and better understand the huge amounts of signals and data available to them daily.

Powered by OpenAI’s GPT-4 generative AI and Microsoft’s own security-specific model, Security Copilot looks like a simple prompt box like any other chatbot. You can ask “what are all the security incidents in my enterprise?” and it will summarize them. But behind the scenes, it’s making use of the 65 trillion daily signals Microsoft collects in its threat intelligence gathering and security-specific skills to let security professionals hunt down threats.

Microsoft Security Copilot is designed to assist a security analyst’s work rather than replace it — and even includes a pinboard section for co-workers to collaborate and share information. Security professionals can use the Security Copilot to help with incident investigations or to quickly summarize events and help with reporting.


Industry News (33:13) 

NCA Harvests Info on DDoS-For-Hire With Fake Booter Sites

New MacStealer Targets Catalina, Newer MacOS Versions

France Bans TikTok, Other 'Fun' Apps From Government Devices

ChatGPT Vulnerability May Have Exposed Users’ Payment Information

Thieves Steal $9m from Crypto Liquidity Pool

NCA Celebrates Multimillion-Pound Fraud Takedowns

North Korean Hackers Use Trojanized 3CX DesktopApp in Supply Chain Attacks

GCHQ Updates Security Guidance for Boards

UK Regulator: HIV Data Protection Must Improve


Tweet of the Week (41:24)

https://twitter.com/TrungTPhan/status/1641480574996217858