The Host Unknown Podcast

Episode 162 - The Do Not Google It Episode

Episode Summary

This week in InfoSec reminisces about simpler passwords Rant of the Week looks at a layer 8 problem Billy Big Balls is the SEC no longer messing around Industry News brings us the latest and greatest security news stories from around the world And Tweet of the Week - could be a trip down infosec memory lane

Episode Notes

This week in InfoSec (05:54)

With content liberated from the “today in infosec” twitter account and further afield

18th July 2011: Microsoft Hotmail announced that it would be banning very common passwords such as "123456" and "ilovecats".  

https://twitter.com/todayininfosec/status/1416957326205100035  

27th July 1990: The case of United States v. Riggs was decided. Robert J. Riggs (Prophet) had stolen the E911 file from BellSouth, then co-defendant Craig Neidorf (Knight Lightning) had published it in Phrack. The file was neither valuable nor confidential. 

https://twitter.com/todayininfosec/status/1287768573310533633

 

Rant of the Week (16:59)

VirusTotal: We're sorry someone fat-fingered and exposed 5,600 users

VirusTotal today issued a mea culpa, saying a blunder earlier this week by one of its staff exposed information belonging to 5,600 customers, including the email addresses of US Cyber Command, FBI, and NSA employees.

The unintentional leak was due to the layer-eight problem; human error. On June 29, an employee accidentally uploaded a .csv file of customer info to VirusTotal itself, said Emiliano Martinez, tech lead of the Google-owned malware analysis site.

"This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators," Martinez wrote in a Friday disclosure.

"We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting."

The employee had this list in the first place because the customer data was "critical to their role," we're told.

For those who don't know: VirusTotal allows netizens to – among other things – upload files, or submit a URL to one, and the site runs the material through various malware-scanning engines to see if anything malicious is detected or identified. Premium subscribers can also download uploaded samples, and thus that's how the uploaded .csv file of customer info was accidentally leaked.

https://www.bbc.co.uk/news/uk-politics-66333488

 

Billy Big Balls of the Week (24:01)

Crooks pwned your servers? You've got four days to tell us, SEC tells public companies

Public companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission.

The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to adopt the requirements [PDF]. The rules, which take effect 30 days after being signed into the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business. 

Companies must make this determination "without reasonable delay," according to the new rules. If they decide a security breach is material, then they have four days to submit an Item 1.05 Form 8-K report detailing the material impact of the incident's "nature, scope, and timing," plus any impact or likely impact on the business. Those 8-K forms are made public by the SEC.

It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!

 

Industry News (30:05)

Booz Allen Pays $377m to Settle Government Fraud Case

Cyber-Attack Strikes Norwegian Government Ministries

Industry Coalition Calls For Enhanced Network Resilience

Dark Web Markets Offer New FraudGPT AI Tool

Group-IB Founder Sentenced in Russia to 14 Years for Treason

SEC Wants Cyber-Incident Disclosure Within Four Days

Supply Chain Attack Hits NHS Ambulance Trusts

NCSC Publishes New Guidance on Shadow IT

OpenAI, Microsoft, Google and Anthropic Form Body to Regulate AI

 

https://www.outkick.com/robot-pizza-start-up-shuts-down-because-they-couldnt-keep-cheese-from-sliding-off/

 

Tweet of the Week (42:02)

https://twitter.com/hilare_belloc/status/1683797122628321280