This week in InfoSec reminisces about simpler passwords Rant of the Week looks at a layer 8 problem Billy Big Balls is the SEC no longer messing around Industry News brings us the latest and greatest security news stories from around the world And Tweet of the Week - could be a trip down infosec memory lane
This week in InfoSec (05:54)
With content liberated from the “today in infosec” twitter account and further afield
18th July 2011: Microsoft Hotmail announced that it would be banning very common passwords such as "123456" and "ilovecats".
https://twitter.com/todayininfosec/status/1416957326205100035
27th July 1990: The case of United States v. Riggs was decided. Robert J. Riggs (Prophet) had stolen the E911 file from BellSouth, then co-defendant Craig Neidorf (Knight Lightning) had published it in Phrack. The file was neither valuable nor confidential.
https://twitter.com/todayininfosec/status/1287768573310533633
Rant of the Week (16:59)
VirusTotal: We're sorry someone fat-fingered and exposed 5,600 users
VirusTotal today issued a mea culpa, saying a blunder earlier this week by one of its staff exposed information belonging to 5,600 customers, including the email addresses of US Cyber Command, FBI, and NSA employees.
The unintentional leak was due to the layer-eight problem; human error. On June 29, an employee accidentally uploaded a .csv file of customer info to VirusTotal itself, said Emiliano Martinez, tech lead of the Google-owned malware analysis site.
"This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators," Martinez wrote in a Friday disclosure.
"We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting."
The employee had this list in the first place because the customer data was "critical to their role," we're told.
For those who don't know: VirusTotal allows netizens to – among other things – upload files, or submit a URL to one, and the site runs the material through various malware-scanning engines to see if anything malicious is detected or identified. Premium subscribers can also download uploaded samples, and thus that's how the uploaded .csv file of customer info was accidentally leaked.
https://www.bbc.co.uk/news/uk-politics-66333488
Billy Big Balls of the Week (24:01)
Crooks pwned your servers? You've got four days to tell us, SEC tells public companies
Public companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission.
The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to adopt the requirements [PDF]. The rules, which take effect 30 days after being signed into the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business.
Companies must make this determination "without reasonable delay," according to the new rules. If they decide a security breach is material, then they have four days to submit an Item 1.05 Form 8-K report detailing the material impact of the incident's "nature, scope, and timing," plus any impact or likely impact on the business. Those 8-K forms are made public by the SEC.
It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!
Industry News (30:05)
Booz Allen Pays $377m to Settle Government Fraud Case
Cyber-Attack Strikes Norwegian Government Ministries
Industry Coalition Calls For Enhanced Network Resilience
Dark Web Markets Offer New FraudGPT AI Tool
Group-IB Founder Sentenced in Russia to 14 Years for Treason
SEC Wants Cyber-Incident Disclosure Within Four Days
Supply Chain Attack Hits NHS Ambulance Trusts
NCSC Publishes New Guidance on Shadow IT
OpenAI, Microsoft, Google and Anthropic Form Body to Regulate AI
Tweet of the Week (42:02)
https://twitter.com/hilare_belloc/status/1683797122628321280