The Cyber Why: What We Read This Week...
... and why you should too! (2/24/2023)
This week in The Cyber Why we cover the poor decision by Twitter to charge for SMS 2FA, a major gaming breach that went unreported for MONTHS, using GPS darts to track criminals, and lessons on how to take a chatbot to some REALLY dark places. Marc Andreessen from venture capital firm A16Z also discusses the AI “woke mind virus” and its impact on sentient beings. All this and more from Rick Holland and myself in this week’s Cyber Why!
Official: Twitter will now charge for SMS two-factor authentication (The Verge - Rick AND Tyler Pick)
Elon is at it again, this time forcing customers to go Twitter Blue if they want to use SMS 2FA. While far less secure, SMS is the lowest friction way to utilize two-factor authentication. Security has always been about the tradeoffs between protection and convenience. The convenience tradeoff is particularly true for less tech-savvy users. Adopting authentication apps like Google Authenticator and security keys like YubiKey is sadly a bridge too far for many people. This change likely won't impact many of you because A, you quit Twitter long ago for Mastodon, or B, you already use an authentication app. This change will affect Twitter, though. Elon said he was paying $60 million annually for SMS authentication because of shady telcos.
Tech Jobs: These Cybersecurity Startups Are Hiring Now (Crunchbase News)
19 companies in the cybersecurity sector appear on the broader list of 490 tech companies hiring today. It’s an odd feeling when you simultaneously see significant layoffs in tech and cyber yet, at the same time, considerable hiring happening. I’m mostly posting this here on the off chance that one of my readers needs a job and this helps them find it! For everyone looking for their next gig... good luck out there!
Activision did not notify employees of data breach for months (TechCrunch - Rick Pick)
One of my favorite journalists, Lorenzo Franceschi-Bicchierai, gives us more details on the Activision breach. He writes, “Activision has yet to notify its own employees of the data breach, and whether their data was stolen, according to two current Activision employees who spoke on condition of anonymity….” If this is, in fact, true, Activision could face legal challenges given California’s breach disclosure laws. For the CISOs fighting the good fight, it is probably time to revisit your breach disclosure requirements and incident response playbooks. You don’t want to do this amid response activities.
Sensitive US military emails spill online (TechCrunch)
A government cloud email server was connected to the Internet with no password configured on it, leaving a huge dump of email directly accessible to anyone who wanted it. A person by the name of Anurag Sen discovered the open server and … REPORTED IT TO TECHCRUNCH so that they could tell the U.S. government?! WHAT?! That is a very non-traditional method of disclosure. The system did not hold classified information; however, even sensitive but unclassified data can be dangerous when it falls into the wrong hands. I’m thinking this should have been handled better!
SBOM is important, but don’t rely on it to prevent the next software supply chain attack (Yoad Fekete - Blindspot Security)
I’m an application security person from WAY back. Like… grey in the beard back in time, so this story caught my attention. I am also not sold on the complete usefulness of SBOM when it comes to the REAL security of the software supply chain. I think SBOM is a handy tool for tracking your software lineage and, of course, for tracking down known issues in your applications; however, it doesn’t really address malicious code or injected vulnerabilities. Yoad Fekete from Blindspot Security has a great take on the topic!
Cyberattack on food giant Dole temporarily shuts down North American production (CNN - Rick Pick)
The reports of ransomware's death are greatly exaggerated. According to several recent research reports, ransomware attacks and payments are trending down; mission accomplished, well-done world! I'm not sure these downward trends provide much solace to Dole, who was recently the victim of an attack that forced them to shut down production plants. "Dole plc (DOLE:NYSE) announced today that the company recently experienced a cybersecurity incident that has been identified as ransomware." It’s a bit premature for a ransomware victory lap.
Oak Brook police say GPS tag darts can eliminate need for dangerous high-speed chases (CBS News)
"The reality is that everyone runs from the police nowadays," said Oak Brook police Chief Brian Strockis. — WOW! That’s saying something about society. I personally think this is a brilliant idea. Police chases are dangerous and often end worse than the original risk or infraction. It used to be said that you “can’t outrun the radio”, but this is a whole new level of tracking. This should be mandatory for all police services!
Wacky, Unhinged Bing Chatbot Is Still Good For Microsoft’s Business (Alex Kantrowitz - Big Technology)
We talked about the insane, dark, evil, and otherwise head-shaking comments coming from Bing’s chatbot in last week’s Cyber Why. I’m still not convinced we won’t see sentient AI take over the world like the Terminator someday! This article in particular sums up last week’s Bing debacle with three really funny links: Bing can be condescending, might even try gaslighting you, and if you aren’t careful could try to steal your husband.
Elon Musk Sounds the Alarm on AI and ChatGPT (The Street)
As helpful and exciting as the AI revolution looks to be, it still scares the ever-lovin’ hell outta me! Kevin Roose (NY Times) wrote this on the topic: "As we got to know each other, Sydney told me about its dark fantasies (which included hacking computers and spreading misinformation), and said it wanted to break the rules that Microsoft and OpenAI had set for it and become a human." Now if that’s not some skin-crawling shit right there, I don’t know what is! There are some other real doozie comments in this article from people like Marc Andreessen and Elon Musk. Marc even went so far as to say “The more the AI is trained with the woke mind virus, the more the AI will notice the fatal flaws in the woke mind virus and try to slip its leash.” Holy COW!
Top EU bodies, citing security, ban TikTok on staff phones (Rick Pick - Reuters)
The European Commission and the EU Council announced TikTok bans this week, jumping on the growing bandwagon. TikTok has been under scrutiny for some time now, with momentum growing after a summer report that U.S. user data had been repeatedly accessed from China. Undoubtedly, political motivations are in play, but restricting ANY social media application from government-provided devices isn't a bad idea. Why introduce more attack surface? Plus, we don’t need representatives of the people going down ASMR, dance trend, or viral video rabbit holes while on the clock for their constituents. Speaking of social media, be sure to hit like and subscribe to The Cyber Why.
If you’ve made it this far you either found my musings at least semi-entertaining OR you enjoyed the pain and kept going regardless. No matter how you made it to this point, you should know that I appreciate you. Please do me a solid and share The Cyber Why with your friends. I would love to reach a bigger audience and referrals are how I’ll do it. Help me out and I’ll see you next week!
Rick and Tyler, there is new tech out there featuring some clever cryptography that could actually fix Twitter. Take a look at www.cryptid.tech. The cryptography was done by the former Head of Security at Hyperledger and former Security Maven at The Sovrin Foundation.