Episode 162 - The Do Not Google It Episode

This week in InfoSec (05:54)With content liberated from the “today in infosec” twitter account and further afield18th July 2011: Microsoft Hotmail announced that it would be banning very common passwords such as "123456" and "ilovecats".  https://twitter.com/todayininfosec/status/1416957326205100035  27th July 1990: The case of United States v. Riggs was decided. Robert J. Riggs (Prophet) had stolen the E911 file from BellSouth, then co-defendant Craig Neidorf (Knight Lightning) had published it in Phrack. The file was neither valuable nor confidential. https://twitter.com/todayininfosec/status/1287768573310533633 Rant of the Week (16:59)VirusTotal: We're sorry someone fat-fingered and exposed 5,600 usersVirusTotal today issued a mea culpa, saying a blunder earlier this week by one of its staff exposed information belonging to 5,600 customers, including the email addresses of US Cyber Command, FBI, and NSA employees.The unintentional leak was due to the layer-eight problem; human error. On June 29, an employee accidentally uploaded a .csv file of customer info to VirusTotal itself, said Emiliano Martinez, tech lead of the Google-owned malware analysis site."This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators," Martinez wrote in a Friday disclosure."We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting."The employee had this list in the first place because the customer data was "critical to their role," we're told.For those who don't know: VirusTotal allows netizens to – among other things – upload files, or submit a URL to one, and the site runs the material through various malware-scanning engines to see if anything malicious is detected or identified. Premium subscribers can also download uploaded samples, and thus that's how the uploaded .csv file of customer info was accidentally leaked.https://www.bbc.co.uk/news/uk-politics-66333488 Billy Big Balls of the Week (24:01)Crooks pwned your servers? You've got four days to tell us, SEC tells public companiesPublic companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission.The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to adopt the requirements [PDF]. The rules, which take effect 30 days after being signed into the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business. Companies must make this determination "without reasonable delay," according to the new rules. If they decide a security breach is material, then they have four days to sub