This Week in Infosec takes us back to a time when a vendor took 3 years to fix a reported vulnerability (is this an old or a new story?). Rant of the Week is dedicated to password security 101, and how telling Daddy to fix it doesn't always work. Billy Big Balls is a shift in mindset for the industry, backed up with teeth and endorsed by at least two industry heavy hitters. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week reminisces about the times when we would happily raw dog the Internet, and then make useless things do useful tasks.
This Week in InfoSec (11:00)
With content liberated from the “today in infosec” Twitter account
23rd November 2011: It was reported that Apple took over 3 years to fix the iTunes installer vulnerability which the FinFisher remote spying Trojan exploited.
Apple Took 3+ Years to Fix FinFisher Trojan Hole
https://twitter.com/todayininfosec/status/1331028461612392448
20th November 2000: eBay cancelled a listing for Kevin Mitnick's Bureau of Prisons inmate ID card, citing uncertainty about his right to sell it. This came after eBay's initial explanation that the listing breached its rule against people profiting from a "violent felony".
eBay pulls Kevin Mitnick trinkets: Taking a firm stand against "violent felons"
https://twitter.com/todayininfosec/status/1329940298399703042
Rant of the Week (18:50)
GoDaddy has admitted to America's financial watchdog that one or more miscreants broke into its systems and potentially accessed a huge amount of customer data, from email addresses to SSL private keys.
In a filing on Monday to the SEC, the internet giant said that on November 17 it discovered an "unauthorized third-party" had been roaming around part of its Managed WordPress service, which essentially stores and hosts people's websites.
GoDaddy’s chief information security officer Demetrius Comes said his company "immediately began an investigation with the help of an IT forensics firm and contacted law enforcement."
Those infosec sleuths, we're told, found evidence that an intruder had been inside part of GoDaddy's website provisioning system, described by Comes as a "legacy code base," since September 6, gaining access using a "compromised password."
GoDaddy’s latest rebranding is a break from its sexist past
Billy Big Balls of the Week (28:36)
Huge fines and a ban on default passwords in new UK law
The government has introduced new legislation to protect smart devices in people's homes from being hacked.
Recent research from consumer watchdog Which? suggested homes filled with smart devices could be exposed to more than 12,000 attacks in a single week.
Default passwords for internet-connected devices will be banned, and firms which do not comply will face huge fines.
Industry News (34:36)
Sky Slow to Fix Bug in Routers
Teen Accused of Stealing Bitcoin Worth $36.5M
Multiple Bugs Enable Eavesdropping on 37% of Android Phones
Apple Sues “State-Sponsored” Spyware Firm NSO Group
Malicious JavaScript Loader is a Multi-RAT Dispenser
YouTube Live Crypto Scams Made Nearly $9m in October
UK Introduces New Cybersecurity Legislation for IoT Devices
Ukrainian Cops Bust Mobile Device Hacking Group
Tweet of the Week (43:09)
https://twitter.com/sociosploit/status/1462440968658079763
https://twitter.com/Raspberry_Pi/status/1463803587180511233?s=20