This week in InfoSec takes us back to when one person brought down the internet service of a neighbouring country. Rant of the Week is the consequences of bragging about your classified job. Billy Big Balls aims to take a page out of a pilot’s playbook for the good of security. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week is career advice from someone who builds security leaders.
This week in InfoSec (08:48)
With content liberated from the “today in infosec” twitter account and further afield
5th April 2002: A hacker compromised a server containing California's payroll database. The state's Controller's Office waited two weeks to warn victims. As a result, angry lawmakers reacted by passing the first state data breach notification law in the US, SB 1386.
6th April 2011: The Georgian interior ministry announced that a 75-year-old woman was charged after she disrupted Internet service in neighbouring Armenia.
An elderly woman scavenging for copper? Add that to your DoS threat modelling diagram!
Rant of the Week (14:53)
Pentagon super-leak suspect cuffed: 21-year-old Air National Guardsman
The FBI has detained a 21-year-old Air National Guardsman suspected of leaking a trove of classified Pentagon documents on Discord.
US Attorney General Merrick Garland confirmed the arrest, saying Jack Douglas Teixeira of the United States Air Force National Guard in Massachusetts was nabbed earlier today.
The suspect was being held "in connection with an investigation into alleged unauthorized removal, retention, and transmission of classified national defense information," the AG said.
The Washington Post reported yesterday that whoever leaked the files was thought to be a twenty-something American who liked gaming and guns, and worked on a military base.
It's said he also controlled a private Discord server, and allegedly posted photographs of the classified Pentagon documents to impress the private group's 25 members, which included netizens in Europe, Asia, and South America.
It is believed those classified files were shared beyond that Discord chat, and surfaced in one form or another on social media, where it all spread like wildfire. The documents were said to be war plans detailing secret US and NATO support for a Ukrainian offensive to regain land invaded by Russia, and that American and British special forces were already in Ukraine.
Billy Big Balls of the Week (28:05)
To improve security, consider how the aviation industry stopped blaming pilots
To improve security, the cybersecurity industry needs to follow the aviation industry's shift from a blame culture to a "just" culture, according to director of the Information Systems Audit and Control Association Serge Christiaans.
Speaking at Singapore's Smart Cybersecurity Summit this week, Christiaans explained that until around 1990, the number of fatal commercial jet accidents was growing alongside a steady increase of commercial flights. But around the turn of the decade, the number of flights continued to rise while the number of fatalities began to drop.
According to one analysis [PDF], the rate of fatal accidents fell from nine per 10 million flights in the 80s to six per 10 million in the 90s. Between 1995 and 2001, that figure was three per 10 million.
“There was a big game changer,” Christiaans told the Summit. “Millions of people a day now fly in commercial aviation, and nothing happens.”
While acknowledging that improved technology, more mature processes and improved leadership all helped to improve aviation safety, the former pilot and field CISO at tech consultancy Sopra Steria said the biggest improvements came from a change to a “just culture” that accepts people will make mistakes and by doing so makes it more likely errors will be reported.
In a just culture, errors are viewed as learning opportunities instead of moral failing, creating transparency and enabling constant improvement.
“We're not trying to blame, we're not trying to point fingers, we're trying to find the reasons behind the mistake,” said Christiaans. “There are of course, exceptions like negligence where of course you will be punished by law. But otherwise, if you speak up freely, you will not be punished.”
While Twitter wants to sell its verification, Microsoft will do it for free on LinkedIn
As Elon Musk tears at Twitter's credibility by demanding businesses and individuals pay for their blue verification checks, Microsoft is pushing its own free digital ID technology to companies and their employees on LinkedIn.
Later this month, Microsoft will let organizations use its Verified ID tool to prove their workers' employment, with staff then being able to display that employment verification on their LinkedIn profiles.
Like the trust the unpaid-for blue check mark on Twitter once conveyed, the Verified ID on LinkedIn will show that the people on the business-focused network – which has about 900 million users – work at where they say they work.
"By simply looking for a Verification, members and organizations can be more confident that the people they collaborate with are authentic and that work affiliations on their profiles are accurate," wrote Joy Chik, president of identity and network access at Microsoft.
Industry News (38:18)
Latitude Financial Refuses to Pay Ransom
KFC Owner Discloses Data Breach
US Scrambles to Investigate Military Intel Leak
Ethical Hackers Could Earn up to $20,000 Uncovering ChatGPT Vulnerabilities
Rapid7 Has Good News for UK Security Posture
Superyacht-Maker Hit by Easter Ransomware Attack
Pakistan-Aligned Hackers Disrupt Indian Education Sector
Over 20,000 Iowa Medicaid Members Affected By Data Breach
Five Arrests in Crackdown on $98m Investment Fraud Gang
Tweet of the Week (47:18)