Episode 128 - The Higher Average IQ Episode

11/11/22
The Host Unknown Podcast

This week in InfoSec (08:27)

With content liberated from the “today in infosec” twitter account and further afield

4th November 2005: Microsoft AntiSpyware was renamed Windows Defender. https://twitter.com/todayininf....osec/status/1191478

5 November 1993: The Bugtraq mailing list was created by Scott Chasin. In 1995 it became the property of SecurityFocus, in 2002 Symantec acquired SecurityFocus, and the last message was posted to the list on February 25th, 2020, with no explanation from Symantec.

Bugtraq https://twitter.com/todayininfosec/status/1324497907245109248

Rant of the Week (16:17)

Twitter Chief Information Security Officer flies the coop

Troubled social media giant Twitter has lost the services of its chief information and security officer to cap off another chaotic week following its acquisition by Elon Musk.

Lea Kissner used their former employer’s platform to post: “I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done.”

They later posted, “I've loved this job and we got *so* much done, but here we are.”

Chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty are also said to have exited. And, separately, it's reported that the world's richest man has told Twitter staff that work-from-home is banned, and that tweeps need to work 40 or more hours a week from the office from now on.

Blue Badge Scams

If you teach your user base, verification means something specific, it will be hard for them to unlearn it. We learned that it's rare for a verified account trying to phish us. Changing the meaning of the check is a security issue.

Blue Badge impersonations

The new check mark system has resulted in Threat Actors successfully impersonating Twitter and defrauding users out of money. Although the account is now suspended, it rapidly got 35,000+ retweets and 4,990 likes. A simple $8 investment can result in thousands of dollars stolen.

Self-certifying compliance

The idea of engineers self-certifying compliance with an FTC consent decree jumped out to me as patently absurd. So I found and read the consent decree. This thread discusses how this policy violates that decree and why I believe these people had no option but to resign.

Billy Big Balls of the Week (27:14)

Apple limits AirDrop in China after its use in protests

Apple has placed time restrictions on AirDrop wireless file-sharing across iPhones in China after the feature was used by protesters to share images opposing the Chinese government, Bloomberg reports.

The “Everyone” option in AirDrop is now limited to a ten-minute window for users in China. After the ten minutes have passed, AirDrop’s device-to-device sharing will switch back to “Contacts Only,” making it harder to distribute content to strangers en ma