The Host Unknown Podcast

Episode 154 - The Broom-cupboard Episode

Episode Summary

This week in InfoSec takes us back to the day the music industry changed forever.

Rant of the Week plays privacy-failing bingo with Amazon.

Billy Big Balls is NSO Group asking us to meet the new boss, same as the old boss.

Industry News brings us the latest and greatest security news stories from around the world.

And Tweet of the Week is a glimpse of our AI future.

Episode Notes

Voting has closed for this year's European Cybersecurity Blogger Awards. Did you vote with your conscience, or did you vote for us?


This week in InfoSec (08:33)

With content liberated from the “today in infosec” twitter account and further afield

30th May 1972: John Postel published RFC 349, Proposed Standard Socket Numbers.

RFC 349

https://twitter.com/todayininfosec/status/1266805406707232768

1st June 1999: Shawn Fanning and Sean Parker release the filesharing service Napster. The service provides a simple way for users to copy and distribute MP3 music files. It became an instant hit, especially among college students. Just over 6 months later, on December 7, 1999, the Recording Industry Association of America (RIAA) filed a lawsuit against the service, alleging mass copyright infringement. Eventually this lawsuit forced the shutdown of the company on September 3, 2002, but not before the popularity of downloading digital music was firmly entrenched in a generation of Internet users.


Rant of the Week (16:32)

Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine

America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.

The regulator on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy snafus.

The e-tail giant’s Ring home security cam subsidiary was accused of “compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”

“Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will,” reads the FTC's complaint [PDF].

The document goes on to describe how “a customer service agent might need access to the video data of a particular customer to troubleshoot a problem, that same customer service agent had unfettered access to videos belonging to thousands of customers who never contacted customer service.”

Another nightmare: “Although an engineer working on Ring’s floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of the inside of customers’ bedrooms.”

Ring staff weren’t trained on how to handle private data. And some abused it, horribly, according to the consumer watchdog.

The complaint details one employee who, the FTC said, “viewed thousands of video recordings belonging to at least 81 unique female users,” and “focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as ‘Master Bedroom,’ ‘Master Bathroom,’ or ‘Spy Cam’.”

The employee spent more than an hour a day on this revolting stuff, undetected by Ring, for months, it was claimed.

When a female coworker reported this activity, her supervisor “discounted the report, telling the female employee that it is ‘normal’ for an engineer to view so many accounts,” the FTC noted.


Billy Big Balls of the Week (29:42)

Pegasus-pusher NSO gets new owner keen on the commercial spyware biz

Spyware maker NSO Group has a new ringleader, as the notorious biz seeks to revamp its image amid new reports that the company's Pegasus malware is targeting yet more human rights advocates and journalists.

Once installed on a victim's device, Pegasus can, among other things, secretly snoop on that person's calls, messages, and other activities, and access their phone's camera without permission. This has led to government sanctions against NSO and a massive lawsuit from Meta.

The Israeli company's creditors, Credit Suisse and Senate Investment Group, foreclosed on NSO earlier this year, according to the Wall Street Journal, which broke that story the other day.

Essentially, we're told, NSO's lenders forced the biz into a restructure and change of ownership after it ran into various government ban lists and ensuing financial difficulties.

The new owner is a Luxembourg-based holding firm called Dufresne Holdings controlled by NSO co-founder Omri Lavie, according to the newspaper report. Corporate filings now list Dufresne Holdings as the sole shareholder of NSO parent company NorthPole.

Dufresne Holdings has removed "a number of directors and officers" across NSO and is involved in the company's day-to-day management, the Wall Street Journal added.

An NSO spokesperson meanwhile said "the company is managed directly by our CEO, Yaron Shohat. The lenders are currently in a process of restructuring the shareholders."

Not only has the company faced criticism over its Pegasus spyware implant; over the past couple of years US and European officials have also cracked down on NSO in particular, and on commercial spyware in general.

Reports keep emerging about Pegasus and other surveillance technologies being used in ways that decidedly violate NSO's claims that it only sells the malware to legitimate government agencies "for the purpose of preventing and investigating terrorism and other serious crimes."

It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!


Industry News (37:34)

Romania’s Safetech Leans into UK Cybersecurity Market

Nine Million MCNA Dental Customers Hit by Breach

Ransomware Gangs Adopting Business-like Practices to Boost Profits

Human Error Fuels Industrial APT Attacks, Kaspersky Reports

Nigerian Cybercrime Ring's Phishing Tactics Exposed

Pentagon Cyber Policy Cites Learnings from Ukraine War

Amazon to Pay $31m After FTC's Security and Privacy Allegations

HMRC in New Tax Credits Scam Warning

Horabot Campaign Targets Spanish-Speaking Users in the Americas


Tweet of the Week (44:04)

https://twitter.com/securityweekly/status/1664335258655784960