307 episodes

This is the podcast where I, Jared, talk about assistive technology, security, driving cars, and anything else that may cross my desk. If you wish to contribute, please feel free to contact me through the contact information available on the blog or contact information available in the podcast itself. You may also go to my web site for other public contact information. I look forward to participation and comments from everyone. The Security Box, otherwise known as TSB, is a weekly talk show through 986themix.com and our independent channel.

The technology blog and podcast and TSB Jared Rimer

    • Technology


    The Security Box, podcast 195: What Are .env Files and why should I care?


    Hello folks, welcome to podcast 195 of the Security Box. Let's start off with a set of questions that came out of something we did not cover as part of last week's box. If you listen via the podcast, please submit your guesses before the answers are revealed. I'll personally give you credit where credit is due, and we can work out what you will get upon correct answers. The questions are: What 8 companies, 1 of which was part of the big Ticketmaster breach, were attacked? What small-time actor group took responsibility for these 8 company attacks? Which two companies disputed the hack? Finally, what was the most recent company that came out confirming they were part of the actor's fiasco? We are also going to cover the news, the landscape, LastPass's recent fiasco that can happen to anyone, and more. Our topic this week will be environment files that are used to store secrets including keys, usernames and passwords. Apparently these files, known as .env files, are wide open and can be taken for use. Enjoy the program and thanks so much for listening!

    Our Scam of the Week

    Kelly, formerly Kelly Services, has been targeting users who know the JRN's work. Kelly informed the JRN that this scam has been going around in this form for at least 5 months. The first report came from TSB's participant, Preston Gaylor. The second came from another subscriber who assists me in another capacity. Please read this blog post titled New scam from work provider, Kelly (formerly Kelly Services) for complete details on this. We link to the official web site where you, too, can alert them about this scam. The representative informed me that they have over 500 copies of this and asked about the version that is going around. We'll be discussing this as part of the program, don't worry!





    Our Question

    If you intend to play, please do not look at the answers given below. We also are linking to sources of further reading too.


    What 8 companies, 1 of which was part of the big Ticketmaster breach, were attacked? What small-time actor group took responsibility for these 8 company attacks? Which two companies disputed the hack? Finally, what was the most recent company that came out confirming they were part of the actor's fiasco?
    The Answer: Skip if you intend to participate and win
    Answer: Snowflake, Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. Progressive and Mitsubishi disputed the threat actor’s claims while Advance Auto Parts recently came out with details of their breach.
    Sources from the blog:

    Live Nation confirms breach at Ticketmaster
    Advance auto parts confirms breach, numbers don’t match
    Snowflake’s breach may be bigger than we think, let’s add yet another company to the mix


    The links lead to our blog, where you can read more.



    Lastpass needs a break here, this can happen to anyone

    This can happen to anyone. While people want to jump ship because of this most recent outage, I don't blame them. It turns out, it was because of their Chrome extension that somehow went completely ape and could have sent a DDoS attack. I don't want to go that far, but it was a 12-hour outage if not longer. I recently had to sign in and I was successful, and this happened on Thursday, June 6, 2024. This can happen to anyone, lastpass had a bad extension causing havoc is the blog post that leads to the story. I believe this could happen to anyone.



    Other News


    This is crazy, more snowflake news: “We aren’t going to require MFA”
    23andMe now being investigated for the 2023 breach
    Exposed tokens equals getting owned
    Google sends large check, google avoids jury trial
    Christie’s notifies people of ransomware attack, ransomhub takes them and Frontier telecom
    We thought TikTok was bad, News Break seems to be worse




    What are .env files and why should I care?

    Why should I car

    • 5 hrs 3 min
    The Security box, podcast 194: News, notes and section 230 discussion


    Hello folks, welcome to the security box podcast 194. On this podcast, we're going to talk about section 230 and its potential repeal. We've also got the news, the notes and the landscape. True stories are also told, one dealing with crypto and one dealing with a potential job. Running time, 4 hrs 21 minutes. We hope that you enjoy the program as much as we have.



    News and notes

    Here's what we're reading and potentially talking about. This list may not all be covered, but at the same time, some folk may miss things. Some may also be blogged too, so make sure you check out the blog where it's free to register and comment.


    Over 90 malicious Android apps with 5.5M installs found on Google Play
    Is Your Computer Part of ‘The Largest Botnet Ever?’
    Treasury Sanctions Creators of 911 S5 Proxy Botnet
    Chinese national arrested for operating proxy service linked to billions in cybercrime
    Police seize over 100 malware loader servers, arrest four cybercriminals
    Microsoft: Windows 11 preview update causes taskbar crashes
    Live Nation finally confirms massive Ticketmaster data breach
    macOS version of elusive 'LightSpy' spyware tool discovered
    TikTok vaguely disputes report that it’s making a US-only app
    X tweaks rules to formally allow adult content
    Crooks threaten to leak 3B personal records 'stolen from background check firm'
    Data firm execs convicted for helping fraudsters target the elderly




    Section 230

    Lawmakers say Section 230 repeal will protect children—opponents predict chaos is a two page article on the subject of section 230 and its potential update. We'll try to do our best and give you a fair balance of both sides. If you have not read this, what do you think?

    Other coverage from the blog on section 230



    Section 230 is still valid, holds up for now
    Any time the government comes up with a bill, critics say something for good reason




    Supporting the podcast

    If you'd like to support our efforts on what this podcast is doing, you can feel free to donate to the network, subscribing to the security box discussion list or sending us a note through contact information throughout the podcast. You can also find contact details on our blog page found here. Thanks so much for listening, reading and learning! We can't do this alone.



    Internet Radio affiliates airing our program

    Our Internet Radio stations that carry us include Blue Streak Radio and International Friends Radio Network. The program is also carried live through the Independent Channel which is part of 98.6 the mix, KKMX, International. If you want to carry us, please use the Jared Rimer Network site to do that and let me know about your station. Please allow 3-4 hours for airplay, although we try to go 3 hours for this program. Thanks so much!

    • 4 hrs 21 min
    The Security box, podcast 193: a discussion on AI and tools for the disabled


    Hello folks, welcome to the security box, podcast 193. On this program, we're going to talk in an open forum about AI.

    We'll find some articles, but we aren't going to cover articles in full but in passing.

    We'll also cover the news, the landscape and more including a demo on the capital one application and virtual cards.



    Things to ponder


    Capital One has added the ability of doing virtual cards to their mobile application. You can still use the Eno extension, but I never got that to work, so I've set up one for a demo and will be moving to merchant specific cards for better security.
    Have I Been Pwned has a couple of updates while Exposed doesn't. Both sites are good for what they do, and both should be checked if you're interested.
    Kim Komando is reporting that Vapes are being sent through the mail through secret words. Parents, check those packages. If an article is found on this, I'll be sure to publish it. Still think TikTok is safe to use?




    News

    Lots of different things the news could bring up, some of which will be listed below.


    We found articles on the sanctions of proxy 911 folk
    Proxy 911 just got sanctioned, Brian posted on Mastodon
    Now, we have to be aware of … Shrinklocker
    x.ai looking for workers
    City in dutch got owned, looks to be internal
    Indian man steals 37k, may get 20 years
    Intercontinental to pay $10m fine
    Exposed data: Walmart employees exposed in Merrill email leak
    Patriot cell phone carrier owned
    T-Mobile wants to raise prices, I say no (opinion piece)
    Actress sues open AI as voice is similar to theirs from last week's show
    LockBit taking responsibility of London Drugs case




    AI articles

    These are more recent AI articles, but there are plenty of others we either don't have or don't know about. This section is going to be in open forum format.


    AI companies promise to protect our elections. Will they live up to their pledges? Cyberscoop
    Three bills governing AI in elections pass Senate committee Cyberscoop
    AI gives new life to old scam targeting seniors KNX 1070 97.1 FM
    FBI arrests man, charged with generating AI Child Abuse Material: the first of its kind





    • 3 hrs 34 min
    The Security box, podcast 192: Open Forum


    Hello folks, welcome to program 192 of the security box. This week, it's going to be an open forum. We'll cover the news, we'll answer any questions that people have, and we'll traverse the landscape. No major topic, but a big piece of news about an arrest.

    News, Notes and the landscape

    Incognito

    The biggest news coming out of the landscape is Incognito's demise for good. The main man was arrested at a New York airport. If convicted, he's going to spend a lot of time in jail. Each article is written a bit differently, and we want to be fair in our coverage and give you different perspectives.



    Owner of Incognito dark web drugs market arrested in New York Bleeping Computer
    The Press Release from the Justice Department: “Incognito Market” Owner Arrested for Operating One of the Largest Illegal Narcotics Marketplaces on the Internet The Justice Department
    23-year-old man accused of running $100 million online narcotics marketplace | Ars Technica. Ars Technica




    AI CSAM

    This blew my mind. I don't know about anyone else, but this was wild. FBI Arrests Man For Generating AI Child Sexual Abuse Imagery comes from 404 media. This will prove that doing something like this, even if you start with other perps will eventually get you in trouble.



    An Arrest out of Arizona

    Arizona woman arrested and charged in North Korean IT worker scheme comes to us from Cyberscoop. She was not alone, there's another suspect mentioned and it goes into details on who gets what if convicted.



    More potential news

    The following are linked from the blog. Accompanying articles are linked within.


    Windows 11 recall AI coming to a Windows 11 near you
    IOS and Ipad 17.5.1
    PuTTY, Winscp targeted in Malware campaign
    Do you use Quick Assist? I’ve never heard of it!




    Our Things to ponder segment

    It seems as though Better Help is more in trouble than we thought. Besides the potential breaches, we spotted a video that talks about all kinds of stuff. It's 16 minutes, but I feel that this is of value. This is the link to the YouTube video that we linked to from our blog post. If you want to see it, you may. This came from the Mastodon account, Today I learned. Also read: Better help shares data to facebook as this is mentioned in the video.



    Our complete moron of the podcast

    This has to be the moron of the podcast. While you can carry around cards like driver's licenses digitally, this guy who is named in the article did not. He also either stopped after starting a chase, or the owner was able through the app to stop the truck. Besides theft, the suspect has no license at all. Nice going! Tesla’s Cybertruck thief chase cut short by Delaware police is the article. Have fun with a fine, and other penalties that are coming with no driver's license.




    • 3 hrs 34 min
    The Security box, podcast 191: Our Lax Damn Cybersecurity


    On podcast 187 of the security box, we covered water security and this podcast is no different. On this podcast, we're going to talk about how lax our damn security is. The title of this program, Our Lax Dam Cybersecurity, is not meant to be taken as swearing, as dam is defined as a stopping point for water. Once that breaks, water can cause tons of havoc, so it is actually a good thing. Besides this topic, we'll have our news, notes and more.



    Things that might be discussed


    Black Basta breached over 500 organizations to date
    https://technology.jaredrimer.net/2024/05/10/del-computers-had-a-databreach/
    So … What’s going on with the vistamo guy and his sentence?
    So, is lockbitsupp completely wrong in him saying they have the wrong man?
    What’s going on with Ascension ?
    Lockbit is still out there, sent through other network





    Lax Dam Cybersecurity

    I thought we blogged this, but it looks like we did not. Luckily for searching this out as I knew I had it in my inbox, the article comes from Cyberscoop. The article is titled Congress sounds alarm on lax dam cybersecurity which was a good one. If you read the article, what did you think?




    • 2 hrs 16 min
    The Security box, podcast 190: Is Age Verification Legal?

    Hello everyone, welcome to podcast 190 of the security box. The big question is here on this week's podcast, and it is: "Is Age Verification legal?"

    Besides finding out the answer to this, we'll have the news, the notes and the landscape. Hope you'll enjoy the show as much as we are bringing it to you.



    LockbitSupp identified

    Huge news coming out of the press in regards to the mastermind of Lockbit. Don't be surprised if you find more coverage, but these are the articles from our sources.


    LockBit ransomware admin identified, sanctioned in US, UK, Australia Bleeping Computer
    LockBit gang leader exposed in FBI ransomware breakthrough CyberNews
    U.S. Charges Russian Man as Boss of LockBit Ransomware Group KrebsOnSecurity
    Ransomware mastermind LockBitSupp reveled in his anonymity—now he’s been ID’d Ars Technica


    As stated, there may be more than this around the web and the JRN will be blogging two, possibly all three or more if we find them.

    In the second, we not only know who he is, but what he's charged with. At the time of writing this into the show notes, the JRN has not read Brian's article yet and only spotted signs of it on Mastodon as he does.



    Other Newsy things from the blog

    These items may be brought up as part of the blog and news segment. They are in no particular order.


    Are we surprised that TikTok will sue the U.S. Government?
    Chinese banks hit again
    Jack Dorsey praises Twitter for being “freedom technology”
    Fake tech support scams and sponsored search results
    The Yahoo boys are people you need to be aware of: Scripts, scams and more await
    Notice from Dropbox


    There may be others not listed here, and this could be a subset.



    Is Age Verification Legal?

    This segment may contain adult themes. According to an article that was read and blogged, age verification has been found to be legal. With COPPA in various parts of the world, and sites that need to make sure they're dealing with adults per content law, we think that this is a clear and cut open and closed case. But how do we do this now that most do the bare minimum but yet nothing in place to verify anything entered?

    For example, staff that do this show could say they're over age on a site like Live Journal when for example, the mix opened its blog there but yet the mix was not even of age. This could be an example used.

    What to read


    Age Verification is lawful the technology blog and podcast
    Court makes it clear – age verification on adult sites is constitutional Cybernews


    What do you think? If this is now the case, how to enforce such provisions that are already in place or adopt and follow new ones?

    Podcasts covering the topic


    The Security box, podcast 155: What’s going on with age verification?


    There are other blogs that also discuss this in other contexts, feel free to check them out.




    • 3 hrs 8 min
