The Lighthouse IT Podcast - May 21st, 2021
Security Researcher's Twitter Account Hacked... by using WordPress?
Security researcher Vinny Troia had a bit of a bad day when his Twitter account was compromised. The ultimate culprit? An old WordPress site that still had an API integration with Twitter (the kind often used to automatically share blog posts to Twitter and other social media).
What is an API?
- Application programming interface: a defined way for applications to share data back and forth.
- Uses a key/secret pair, similar to a really long, complex username and password.
- Authenticates on its own, so MFA and the other protections on the user's interactive login do not apply to it.
Great questions about the impact on our businesses when something like this gets compromised. API keys need to be thought about and treated like any other credential!
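To show what "a key/secret pair that bypasses MFA" means in practice, here is an added illustration (not code from the podcast or from any WordPress plugin) of OAuth 1.0a request signing, the scheme Twitter's API uses for app integrations. The credential names and values are constructed samples; the point is that the stored key/secret pairs alone produce a valid, MFA-free request, which is why a stale copy in an old site is a live credential until it is rotated.

```python
"""OAuth 1.0a HMAC-SHA1 signing (RFC 5849), the scheme Twitter API app
integrations such as a WordPress auto-posting plugin use. The stored consumer
key/secret and access token/secret are the whole credential: whoever holds them
signs valid requests with no password or MFA challenge, so a stale copy in an
old CMS is a live key. Added illustration with constructed sample values."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value) -> str:
    # RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept)
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # Encode each pair, sort by key, join with '&', then METHOD&URL&PARAMS
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret) -> str:
    # Signing key = consumer_secret & token_secret; nothing else is needed
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(method, url, request_params, creds, nonce=None, timestamp=None):
    # creds: dict with consumer_key/consumer_secret/access_token/access_token_secret
    oauth = {"oauth_consumer_key": creds["consumer_key"],
             "oauth_token": creds["access_token"],
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(timestamp or int(time.time())),
             "oauth_nonce": nonce or secrets.token_hex(16),
             "oauth_version": "1.0"}
    oauth["oauth_signature"] = sign(method, url, {**request_params, **oauth},
                                    creds["consumer_secret"], creds["access_token_secret"])
    return oauth

def authorization_header(oauth: dict) -> str:
    # Header form the API receives; the signature travels alongside the key id
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def verify(method, url, request_params, oauth, consumer_secret, token_secret) -> bool:
    # Server side: recompute from the received params and compare in constant time.
    # Rotating either secret is what makes an old, leaked pair stop verifying.
    unsigned = {k: v for k, v in {**request_params, **oauth}.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(oauth.get("oauth_signature", ""), expected)

# Constructed sample credentials (not real keys), the kind a plugin keeps in the site DB
SAMPLE_CREDS = {"consumer_key": "ck-demo", "consumer_secret": "cs-demo",
                "access_token": "at-demo", "access_token_secret": "ats-demo"}
```

Calling `authorization_header(sign_request("POST", url, {"status": "..."}, SAMPLE_CREDS))` yields a complete `Authorization` header from nothing but the four stored strings; `verify` with a rotated secret returns `False`, which is the defender's lever.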
Remember JEDI? The Pentagon may be sick of the drama...
Back in September, Microsoft was awarded the Joint Enterprise Defense Infrastructure (JEDI) contract.
It was meant to provide defense-specific cloud services, but it has been shrouded in drama, with Amazon filing lawsuits and some employees expressing distaste about doing work for the DoD.
The Pentagon is now reviewing the project and may pull the plug on it.
Group Behind Colonial Pipeline Attack Issues Apology
Since our last podcast, Colonial Pipeline was hit by a ransomware attack by the group DarkSide. Colonial Pipeline is one of the US's largest fuel pipelines and was pretty well shut down due to the ransomware event.
But what came after is where it gets interesting: fuel shortages and people stockpiling gas (much like toilet paper a year ago) drastically affected fuel supplies. CP eventually paid the $5m ransom, but the attackers mysteriously went silent and later posted the following to their dark web site:
We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.
Our goal is to make money and not creating problems for society.
From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
They've admitted to being in it for the money and actually have a code of conduct: they review attacks to make sure their partners do not extort hospitals, funeral homes, or non-profits. They primarily target large organizations and have even been known to donate some of their profits to charities.
Upcoming subscription service, Twitter Blue, will cost $3/month
Twitter has hinted that it will be coming out with a subscription service called Twitter Blue. So far, it'll be $3/month, but it could have a tiered pricing model that includes more premium-level features. Twitter has been testing things like undoing tweets, charging to use TweetDeck, Super Follows, and ad-free scrolling, so maybe these features will be included in Twitter Blue. There is no timeline yet, but I imagine this will be in the news more and more soon.
Twitter's new tip jar
A couple weeks ago, Twitter released a Tip Jar...
- If someone adds a Tip Jar to their profile, users can tip them via services like Bandcamp, Cash App, Patreon, PayPal, and Venmo.
- Twitter takes no cut of the tips. Right now, only “creators, journalists, experts, and nonprofits” can receive them.
Some security concerns here: one user pointed out that sending a tip via PayPal allows the recipient to see your address on the virtual receipt.
AT&T Inc. and Discovery Inc. combining forces
Last time we talked about Verizon getting out of the media industry by selling off Yahoo, AOL, etc. Now AT&T and Discovery have reached a deal to combine their media assets into a new publicly traded company. No name as of yet.
This is a public outreach campaign consisting of a series of statewide drawings to increase awareness of the availability of COVID-19 vaccines and provide incentives for Ohioans to get vaccinated.
- Ohio will be doing a drawing every week for 5 weeks starting May 26th.
- Anyone 18 or older who has had at least one shot of a COVID-19 vaccine is eligible.
- 12-17 year olds who have had at least one shot are eligible to win a four-year scholarship to any Ohio state college or university.
- If you are registered to vote in Ohio and have gotten at least one shot, you should be entered already, but you can also enter online.
- Seems like the lottery odds are truly good this time.
Have a Question?
We'd love to know what's on your mind. Submit your questions and we'll try to answer them!