
open source and cybersecurity news

September 20, 2023

It's 5:05, September 20, 2023. Time for your cybersecurity and open source headlines

In this Episode:

Marcel Brown:  September 20th, 1989. Apple releases the Macintosh Portable Computer, Apple’s first attempt at a laptop. That being said, at a weight of 16 pounds, the machine was hardly workable on your lap.

Edwin Kwan: Microsoft’s AI research division has been leaking 38 terabytes worth of sensitive data for over three years. The leak started back in July 2020 and was due to a Microsoft employee inadvertently sharing the URL for a misconfigured Azure blob storage bucket.

Katy Craig: Ireland’s Data Protection Commission, or DPC, found a glaring security flaw in TikTok’s Family Pairing feature. This feature was supposed to let adults chat with kids they’re related to. Now what could go wrong here?

Mark Miller: When a hospital or a health care system is hit with a breach, there are life and death consequences to consider. The people who perpetrate these breaches are concerned about nothing more than money, not the families affected. It puts the healthcare provider in an untenable situation.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Microsoft AI Research Team Leaked 38TB of Sensitive Data

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Microsoft’s AI research division has been leaking 38 terabytes worth of sensitive data for over three years.

This is Edwin Kwan from Sydney, Australia.

Discovered by a security researcher, the leak started back in July 2020 and was due to a Microsoft employee inadvertently sharing the URL for a misconfigured Azure blob storage bucket. The shared URL was using an excessively permissive Shared Access Signature Token which the security researcher described as challenging to monitor and revoke.

The Shared Access Signature Token allowed full control over the shared files and had no limit on its expiry or scope. The 38 terabytes worth of exposed sensitive data included backups of personal information belonging to Microsoft employees, including passwords for Microsoft services, secret keys, and an archive of over 30,000 internal Microsoft Teams messages originating from 359 Microsoft employees.

Microsoft has since revoked the shared access signature token and said that no customer data was exposed and no other internal services faced jeopardy due to this incident.

Resources
– Wiz: https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers
– Bleeping Computer: https://www.bleepingcomputer.com/news/microsoft/microsoft-leaks-38tb-of-private-data-via-unsecured-azure-storage/
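An added audit check (not code from the podcast, Wiz, or Microsoft) that decodes the Shared Access Signature parameters on a blob URL and flags the properties this segment describes: write-level permissions, container- or account-wide scope, and an expiry that is missing or far in the future. The storage account name, container, blob and signature in the sample URLs are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# SAS permission letters beyond read (r) and list (l): write, delete, add,
# create, update. These are the letters Azure uses in the "sp" parameter.
WRITE_LIKE = set("wdacu")

# Constructed sample URLs: account, container and signature are placeholders,
# not the URL from the incident.
OVERLY_PERMISSIVE_URL = (
    "https://examplestorage.blob.core.windows.net/research-share"
    "?sv=2021-06-08&sr=c&sp=racwdl&se=2051-10-06T00:00:00Z&sig=PLACEHOLDER"
)
SCOPED_URL = (
    "https://examplestorage.blob.core.windows.net/research-share/model.bin"
    "?sv=2021-06-08&sr=b&sp=r&se=2023-09-21T00:00:00Z&sig=PLACEHOLDER"
)
# Fixed "now" so the audit result is reproducible.
REFERENCE_NOW = datetime(2023, 9, 20, tzinfo=timezone.utc)


def parse_sas(url):
    """Return the SAS query parameters of a URL as a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def audit_sas(url, now=REFERENCE_NOW, max_days=30):
    """Return a list of findings; an empty list means nothing was flagged."""
    params = parse_sas(url)
    if "sig" not in params:
        return ["no signature (sig): not a SAS URL"]
    findings = []
    perms = set(params.get("sp", ""))
    if perms & WRITE_LIKE:
        findings.append("grants write-like permissions: sp=" + params["sp"])
    # An account SAS (ss/srt present) spans every container in the account;
    # sr=c spans a whole container instead of one blob.
    if "ss" in params or "srt" in params:
        findings.append("account-level SAS: covers every service and container")
    elif params.get("sr") == "c":
        findings.append("container-scoped SAS rather than a single blob")
    expiry = params.get("se")
    if expiry is None:
        # Expiry may instead live in a stored access policy (si); otherwise it is missing.
        findings.append("no expiry (se) in the token" + (" (check stored access policy si=" + params["si"] + ")" if "si" in params else ""))
    else:
        exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if exp - now > timedelta(days=max_days):
            findings.append(f"expiry {expiry} is more than {max_days} days away")
    return findings
```

Run it over SAS URLs found in tickets, wikis or chat exports to spot tokens that should be revoked and reissued with a narrower scope and a short expiry.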


Katy Craig
The TikTok Clock is Ticking in the EU

Katy Craig, Contributing Journalist, It's 5:05 Podcast

The EU just dropped a 345 million Euro hammer on TikTok over child privacy issues. Ireland’s Data Protection Commission, or DPC, found a glaring security flaw in TikTok’s Family Pairing feature. This feature was supposed to let adults chat with kids they’re related to. Now what could go wrong here?

This is Katy Craig in San Diego, California.

The DPC found that unverified adults could slide into the DMs of teenagers they’re not related to. It doesn’t stop there. If you’re a kid under 13, your TikTok account settings could let just about anyone view your content.

Helen Dixon, the boss at DPC, said these settings were public by default. Features like Duet and Stitch were also enabled.

The DPC also called out TikTok for being as clear as mud about how they process children’s data. They claim TikTok’s video publishing practices are basically pushing kids into the deep end of privacy risks. TikTok now has three months to clean up its act and comply with EU rules.

TikTok, of course, isn’t taking this lying down. They issued a statement saying they respectfully disagree with the fine and the criticisms. They argue that the DPC is living in the past, focusing on features that were changed years ago.

TikTok can still appeal, but for now, the clock is ticking. If you’re a social media giant, the EU is watching, and they’re not messing around when it comes to child privacy.

Whether you’re a TikTok user or just a concerned netizen, privacy isn’t a feature, it’s a right.

This is Katy Craig, stay safe out there.

Resources
– Security Affairs: https://securityaffairs.com/150918/breaking-news/tiktok-fined-e345m-irish-dpc.html
– Europa: https://edpb.europa.eu/system/files/2023-09/final_decision_tiktok_in-21-9-1_-_redacted_8_september_2023.pdf


Mark Miller
Forget Casino Ransomware. Your Healthcare Provider is Under Attack

Mark Miller, Executive Producer, It's 5:05

This is Mark Miller, Executive Producer of It’s 5:05. As a follow up to yesterday’s segment on the MGM Resorts and Caesars ransomware attacks, let’s take a step back and look at the bigger picture.

MGM and Caesars are getting all the press because they are the biggest entities hit in the current attack. But included in the report by David Bradbury is a little statement that seems to be ignored by those talking about the story. There were three other companies Bradbury confirms were attacked during the latest incident. The companies hit were in manufacturing, retail, and technology.

Bradbury’s report highlights that this type of social engineering hack has grown more persistent in the past year, with hundreds of companies falling prey. The ones I follow closely are those related to the healthcare industry because of the ramifications against hospital systems.

When a hospital or a health care system is hit, there are life and death consequences to consider. The people who perpetrate these breaches are concerned about nothing more than money, not the families affected. It puts the healthcare provider in an untenable situation.

One of the most available entry points of social engineering ransomware is that it’s impossible to train humans, thoughtful, intelligent people, how to be prepared for such an approach. An IT system admin or a health care provider, they’re there to help people. That’s what they’ve been trained to do. It’s part of their makeup and personality.

How can a company, much less an industry, train everyone at the entry point to understand a socially engineered approach and have them respond accordingly? It’s impossible.

I’m at a loss for an answer to this problem. It’s surfaced as a nuisance for the casinos, but it’s a deadly problem for the healthcare industry. Training doesn’t seem to be the answer. That’s just a small thumb in a dike of millions of opportunities for access.

Where will the real security come from in the near future when it comes to socially engineered ransomware attacks? I’d love to hear your thoughts because I don’t know.

Resources
– Reuters: https://www.reuters.com/technology/hackers-who-breached-casino-giants-mgm-caesars-also-hit-3-other-firms-okta-says-2023-09-19/
– Casino.org: https://www.casino.org/news/mgm-resorts-says-it-systems-restored-but-disruptions-remain/
– Washington Post: https://www.washingtonpost.com/travel/2023/09/19/vegas-casino-hacks-slot-machines-hotel-keys/
– Yahoo Finance: https://ca.finance.yahoo.com/news/hackers-breached-casino-giants-mgm-013755801.html


Marcel Brown
This Day, September 20, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown serving up some technology history for September 20th.

September 20th, 1954. The first FORTRAN program is executed. FORTRAN was developed by IBM scientists who were looking for a better way to program the IBM 704 mainframe computer. It quickly became the dominant programming language for scientific and engineering applications, and still is used today, especially in the area of high performance computing.

September 20th, 1989. Apple releases the Macintosh Portable Computer, Apple’s first attempt at a laptop. That being said, at a weight of 16 pounds, the machine was hardly workable on your lap. However, it was portable. And while the machine itself was not very popular, the lessons that Apple learned from the Macintosh Portable led to the creation of the PowerBook series of laptops a few years later, which was a much bigger success for Apple.

That’s your technology history for today. For more, tune in tomorrow and visit my website, ThisDayInTechHistory.Com.

Resources
https://thisdayintechhistory.com/09/20
