The Host Unknown Podcast

Episode 155 - The Really Late Show

Episode Summary

This week in InfoSec takes us back to the time Shell was born again. Rant of the Week is a bold strategy to increase sales. Billy Big Balls introduces us to BYODALAINGTI. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week advertises an unintended pwn2own competition.

Episode Notes

This week in InfoSec (10:21)

With content liberated from the “today in infosec” twitter account and further afield

8th June 1989: The beta release of the Bourne Again SHell (Bash) was announced as version 0.99. 2 months later Shellshock was introduced into the Bash source code and persisted in subsequent versions for over 25 years.

v0.99 release announcement

https://twitter.com/todayininfosec/status/1666487525320318988

3rd June 1983: Would You Like to Play a Game?

The science fiction film WarGames is released. Notable for bringing the hacking phenomenon to the attention of the American public, it ignites a media sensation regarding the hacker sub-culture. The film’s NORAD set is the most expensive ever built at the time, at a cost of $1 million.

Not widely known is that the movie studio provided the film’s star, Matthew Broderick, with the arcade games Galaga and Galaxian so he could get first-hand experience before shooting the film’s arcade scenes.


Rant of the Week (17:16)

Barracuda Urges Replacing — Not Patching — Its Email Security Gateways

It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Barracuda tells its ESG owners to 'immediately' junk buggy kit


Billy Big Balls of the Week (24:45)

US govt now bans TikTok from contractors' work gear

BYODALAINGTI (as long as it's not got TikTok installed)

The US federal government's ban on TikTok has been extended to include devices used by its many contractors - even those that are privately owned. The bottom line: if a device is used for government work, it had better not have any ByteDance bits on it.

The interim rule was jointly issued by NASA, the Department of Defense and the General Services Administration, which handles contracting for US federal agencies. The change amends the Federal Acquisition Regulation to prohibit TikTok, any successor application, or any software produced by TikTok's Beijing-based parent ByteDance from being present on contractor devices. 

"This prohibition applies to devices regardless of whether the device is owned by the government, the contractor, or the contractor's employees. A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition," the trio said in their update notice published in the Federal Register. 

The rule would apply to all contracts, even those below the "simplified acquisition threshold" of $250,000, purchases of commercial and off-the-shelf equipment, and commercial services. So get ready to wipe those company phones, cloud service providers and MSPs that do business with Uncle Sam.

AND 

British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app.

Microsoft reckons the Russian Clop ransomware crew stole the information.

British Airways, the BBC, and Boots were not hit directly. Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" – including the aforementioned British trio – had their information stolen.

Zellis claims to be the largest payroll and human resources provider in the UK, and its customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the security breach, and noted "all Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."


Industry News (34:33)

Clop Ransom Gang Breaches Big Names Via MOVEit Flaw

FBI Warns of Surge in Deepfake Sextortion Attempts

Cisco Counterfeiter Pleads Guilty to $100m Scheme

Cyber Extortionists Seek Out Fresh Victims in LatAm and Asia

Lazarus Group Blamed for Atomic Wallet Heist

Interpol: Human Trafficking is Fueling Fraud Epidemic

Microsoft Brings OpenAI Tech to US Agencies

Pharmaceutical Giant Eisai Hit By Ransomware Incident

Espionage Attacks in North Africa Linked to "Stealth Soldier" Backdoor


Tweet of the Week (43:58)

https://twitter.com/elonmusk/status/1666964082363371520

https://twitter.com/sawaba/status/1666930930714279942

https://www.forbes.com/lists/most-cybersecure-companies/