This week in InfoSec (10:21)

With content liberated from the “today in infosec” twitter account and further afield

8th June 1989: The beta release of the Bourne Again SHell (Bash) was announced as version 0.99. 2 months later Shellshock was introduced into the Bash source code and persisted in subsequent versions for over 25 years.

v0.99 release announcement

https://twitter.com/todayininfosec/status/1666487525320318988

3rd June 1983: Would You Like to Play a Game?

The science fiction film WarGames is released. Notable for bringing the hacking phenomena to the attention of the American public, it ignites a media sensation regarding the hacker sub-culture. The film’s NORAD set is the most expensive ever built at the time at a cost of $1 million dollars. 

Not widely known is that the movie studio provided the film’s star, Matthew Broderick, with the arcade games Galaga and Galaxian so he could get first-hand experience before shooting the film’s arcade scenes.

Rant of the Week (17:16)

Barracuda Urges Replacing — Not Patching — Its Email Security Gateways

It’s not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.

Barracuda tells its ESG owners to 'immediately' junk buggy kit

Billy Big Balls of the Week (24:45)

US govt now bans TikTok from contractors' work gear

BYODALAINGTI (as long as it's not got TikTok installed)

The US federal government's ban on TikTok has been extended to include devices used by its many contractors - even those that are privately owned. The bottom line: if some electronics are used for government work, it better not have any ByteDance bits on it. 

The interim rule was jointly issued by NASA, the Department of Defense and the General Services Administration, which handles contracting for US federal agencies. The change amends the Federal Acquisition Regulation to prohibit TikTok, any successor application, or any software produced by TikTok's Beijing-based parent ByteDance from being present on contractor devices. 

"This prohibition applies to devices regardless of whether the device is owned by the government, the contractor, or the contractor's employees. A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition," the trio said in their update notice published in the Federal Register. 

The rule would apply to all contracts, even those below the "simplified acquisition threshold" of $250,000, purchases of commercial and off-the-shelf equipment, and commercial services so get ready to wipe those company phones, cloud services providers and MSPs that do business with Uncle Sam. 

AND 

British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack

British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app.

Microsoft reckons the Russian Clop ransomware crew stole the information.

British Airways, the BBC, and Boots were not hit directly. Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" – including the aforementioned British trio – had their information stolen.

Zellis claims to be the largest payroll and human resources provider in the UK, and its customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the security breach, and noted "all Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."

Industry News  (34:33)

Clop Ransom Gang Breaches Big Names Via MOVEit Flaw

FBI Warns of Surge in Deepfake Sextortion Attempts

Cisco Counterfeiter Pleads Guilty to $100m Scheme

Cyber Extortionists Seek Out Fresh Victims in LatAm and Asia

Lazarus Group Blamed for Atomic Wallet Heist

Interpol: Human Trafficking is Fueling Fraud Epidemic

Microsoft Brings OpenAI Tech to US Agencies

Pharmaceutical Giant Eisai Hit By Ransomware Incident

Espionage Attacks in North Africa Linked to "Stealth Soldier" Backdoor

Tweet of the Week (43:58)

https://twitter.com/elonmusk/status/1666964082363371520

https://twitter.com/sawaba/status/1666930930714279942

https://www.forbes.com/lists/most-cybersecure-companies/

Come on! Like and bloody well subscribe!