The Host Unknown Podcast

Episode 128 - The Higher Average IQ Episode


This week in InfoSec (08:27)

With content liberated from the “today in infosec” twitter account and further afield

4th November 2005: Microsoft AntiSpyware was renamed Windows Defender.

https://twitter.com/todayininfosec/status/1191478555634323456

5th November 1993: The Bugtraq mailing list was created by Scott Chasin.

In 1995 it became the property of SecurityFocus, in 2002 Symantec acquired SecurityFocus, and the last message was posted to the list on February 25th, 2020, with no explanation from Symantec.

Bugtraq

https://twitter.com/todayininfosec/status/1324497907245109248

Rant of the Week (16:17)

Twitter Chief Information Security Officer flies the coop

Troubled social media giant Twitter has lost the services of its chief information and security officer to cap off another chaotic week following its acquisition by Elon Musk.

Lea Kissner used their former employer’s platform to post: “I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done.”

They later posted, “I've loved this job and we got *so* much done, but here we are.”

Chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty are also said to have exited. And, separately, it's reported that the world's richest man has told Twitter staff that work-from-home is banned, and that tweeps need to work 40 or more hours a week from the office from now on.

Blue Badge Scams

If you teach your user base that verification means something specific, it will be hard for them to unlearn it. We learned that it's rare for a verified account to try to phish us. Changing the meaning of the check is a security issue.

Blue Badge impersonations

The new check mark system has resulted in threat actors successfully impersonating Twitter and defrauding users out of money.

Although the account is now suspended, it rapidly got 35,000+ retweets and 4,990 likes.

A simple $8 investment can result in thousands of dollars stolen.

Self-certifying compliance

The idea of engineers self-certifying compliance with an FTC consent decree jumped out to me as patently absurd. So I found and read the consent decree. This thread discusses how this policy violates that decree and why I believe these people had no option but to resign.

Billy Big Balls of the Week (27:14)

Apple limits AirDrop in China after its use in protests

Apple has placed time restrictions on AirDrop wireless file-sharing across iPhones in China after the feature was used by protesters to share images opposing the Chinese government, Bloomberg reports.

The “Everyone” option in AirDrop is now limited to a ten-minute window for users in China. After the ten minutes have passed, AirDrop’s device-to-device sharing will switch back to “Contacts Only,” making it harder to distribute content to strangers en masse. These new time restrictions were introduced by Apple just weeks after the service was used to spread posters opposing President Xi Jinping.

The AirDrop restriction was included in the public release of iOS 16.1.1 on Wednesday, despite nothing about it being mentioned in the release notes. 9to5Mac readers were quick to discover that the restrictions seem limited to iPhones purchased in China.


Industry News (34:38)

Medibank Refuses to Pay Ransom After Data Breach

Swiss Re: Cyber-Insurance Industry Must Reform

SEC Announces 'Enforcement Action' For SolarWinds Over 2020 Hack

Instagram Influencer Gets 11 Years for Money Laundering

Medibank Confirms Data Stolen in Breach is Now Available Online

Couple Get 40 Years for Navy Espionage Plot

Malware Redirects 15,000 Sites in Malicious SEO Campaign

Majority of Security Managers Lack Threat Intelligence Skills

New Lenovo Notebook Models Affected By UEFI Firmware Vulnerabilities


Tweet of the Week (42:54)

https://twitter.com/Ox4d5a/status/1590578121526611968

Come on! Like and bloody well subscribe!

The Host Unknown Podcast, by Host Unknown, Thom Langford, Andrew Agnes, Javvad Malik