Episode: 3858
Title: HPR3858: The Oh No! News.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3858/hpr3858.mp3
Transcribed: 2025-10-25 06:46:23

---

This is Hacker Public Radio Episode 3858 for Wednesday, the 17th of May 2023. Today's show is entitled The Oh No! News. It is part of the series Privacy and Security. It is hosted by Some Guy on the Internet, and is about 15 minutes long. It carries a clean flag. The summary is: Scotty talks about Toyota's data leak and more on the Oh No! News.

Hello and welcome to another episode of Hacker Public Radio. I'm your host, Some Guy on the Internet, and this is The Oh No! News. Oh no! Threat analysis: your attack surface.

In this article: for-profit companies charging sextortion victims for assistance, and using deceptive tactics to elicit payments. Wow, these are some scummy people in this article. The FBI is warning about for-profit companies offering sextortion victims assistance services. It's reported that these companies are charging exorbitant fees, whereas law enforcement organizations normally do this kind of stuff for free. So if you were to contact the FBI through their Internet Crime Complaint Center and try to get help, they would help you for free, which is the right thing to do. And also, while we're on the topic, for anybody out there, you know, I'm going to go out on a limb here. I'm going to take the risk as Some Guy on the Internet. I feel like if somebody has to do it, I should be the one to do it. Please do not send anyone images of yourself, scantily clad, or less than scantily clad, either as a means of affection or any means. Please don't do it. There are even terms for some of these types of transactions. I guess you'd call them that; I don't know what else to call them. I've heard one called UDP. This was brought to my attention by a female. She explained to me what UDP means. And, you know, in the tech industry, we know of TCP, IP, you know, UDP packets, that kind of thing.
UDP stands for unsolicited dog pics, except you replace dog with male extension, which is usually referred to with a D. Don't do it. Whatever you do, don't do that, okay, however strongly you feel or however much you think this will help your chances with the other party. Don't do it.

Now, with that said, these companies, they're using deceptive tactics, including threats and manipulation, and providing false information to coerce sextortion victims into paying for their services. This article tells victims, you know, be careful here. A few things that you can look out for if you're approached by one of these companies: where they want you to do things like sign a contract first, you know, some form of agreement, and you have to pay first before any sort of help happens, especially if the contract includes something like a non-disclosure agreement, you know what I mean? Virtually anything that has a non-disclosure agreement in it, if you're not working with very private data that belongs to someone else and you're managing it for them, or some sort of government secret, you know, some sort of secret. It doesn't have to be government. It could be just, I mean, you could be working for, like, I don't know, Kentucky Fried Chicken, and they don't want their recipe to get out. So you might have to sign a non-disclosure agreement. So that's normal. But when you're going to these guys for help and they're supposed to be helping you and they're saying, hey, look, non-disclosure agreement here, you know, don't tell anybody about what we're dealing to you, that's a red flag. So they use these high-pressure situations and scare tactics after they get you into a contract to keep the business flowing, all that kind of stuff. The FBI is just telling you to watch out. You can contact the FBI Internet Crime Complaint Center for help, free help, help at no cost, I should say. They also have some other information down in there about the CyberTipline.
If you are getting any sort of sextortion emails or text messages or whatever, they've got more information down there in the article.

In our next story: former Ubiquiti dev who extorted the firm gets six years in prison. All right, so a former senior developer for Ubiquiti by the name of Nicholas Sharp. Sorry, if you keep hearing that little clink sound, that's my UBGs. It's around my neck, and from time to time I accidentally click it and it'll make that noise. Yeah, Nicholas Sharp, former senior dev over at Ubiquiti over there. The guy got six years in prison for stealing company data. Now, apparently, I don't know if he got fired or whatever, but he left the company and decided he would take some data. I'm guessing the company did not cancel his credentials, so they were still active. He used a VPN, and I'm not going to say the name of the VPN because I don't want to get dragged through the mud here. The story does mention the VPN. Well, you know what, it'll be fine. He used Surfshark VPN to hide his IP during the attack. Now, the story says that there was an internet outage during the time of the attack, so I guess when it reconnected his IP was exposed. So they learned that it was him through that. That's how the FBI found out it was him. Yeah, so they got him. He got a bunch of charges, basically wire fraud and stealing the data, making false statements to the FBI, that kind of stuff. It came to the potential of 37 years in prison, but they decided to go easy on him, gave him six. You know, he must have a decent lawyer. He also got three years of supervised release afterwards. So that's like probation or whatever. Pretty sure he's a felon. Good luck getting a job after that, at least in IT, anywhere, really. Oh, and he was also ordered to pay restitution to Ubiquiti, restitution of $1.5 million. So if you're a company out there hiring in the IT space, be on the lookout for Mr. Sharp.
In our next article: Toyota car location data of two million customers exposed for 10 years. Well, somebody at Toyota Motor Corporation is looking for a job, or more specifically, Toyota Connected Corporation. Over at Toyota Connected, which manages the cloud infrastructure for the Toyota Motor Corporation, they misconfigured the cloud environment. Yeah, so apparently they had it open to the internet, basically, and anyone could go in and get the data, or if you believe the story, that is. Now, the models of the Toyota that were affected were any Toyota between January 2nd of 2012 all the way up to April 17th of 2023, and those are the cars that have the T-Connect G-Link and T-Connect G-Link Lite or T-Connect G-Book services within those vehicles. So those are the services that provide, like, voice assistance, customer support, car status management and emergency roadside assistance, that kind of stuff. The Toyota cloud infrastructure manages that and the data that was exposed. This was not a hack. It was an exposure due to misconfiguration. It exposes your car's GPS information, so you can be tracked by anyone on it, or, during the time of the leak, you could have been tracked by anyone during that time, as well as have all the information about your car, you know, the chassis number and other, you know, identifiers for your car. Yeah, two million people wide open on the internet, fully exposed.

In our next story: failure to comply with bus open data regulations. All right, this is happening out in the UK. A PSV operator, Thia Dred LTD, I guess a bus company. They didn't exactly comply with England's open data regulations of 2022. Naughty, naughty. So the traffic commissioner for the West Midlands, yeah, he got to work one day, rolled up his sleeves and decided to slap a big fat $1,500 fine, or 1,500 pound fine, which was based on 100 pound penalties for each vehicle that did not comply, on this bus company.
I mean, since we already had to tell you the story, I'll tell you this: over here, they're just giving away data. Now you go over here in the UK, well, apparently they're trying not to give away the data in the UK, so you've got to give us the data.

In our next story: criminals pose as Chinese authorities to target the US-based Chinese community. So the FBI has a warning out there, letting US citizens, or visitors, long-term visitors of the United States, living within the Chinese community know to be on the lookout, because there are criminals from overseas posing as Chinese law enforcement, Chinese prosecutors, things of that nature. They're making contact with the US citizens and Chinese community here within the US, telling them, hey, we believe that you were involved in some sort of financial crime or fraud, and then they threaten to arrest them. They start showing what looks like legitimate warrants for their arrest. They also have a lot of, a lot of basic information about their victims, so information they may have picked up from data leaks. They use that as a part of the, I guess you would call it an attack. This isn't really phishing, they're not phishing for credentials, they're just trying to get money, so it's extortion through this fraud, I guess. Anyway, the FBI is just letting people know, hey, if you're contacted by someone who's pretending to be law enforcement, be on the lookout, and I will say the same for anybody who's not out of the Chinese community. With all these data leaks, data breaches, and other attacks going on, whether it be a bank, the US government, or, you know, LastPass, Cody, whatever. Wherever you have your data, once these leaks get out there, it all gets sold, and people who want to, you know, commit fraud, and phish you or scam you, they're going to use all of that stolen data, leaked data, whatever you want to call it, and build it into their attack against you, their socially engineered attack.
So everyone here listening, understand these attacks are becoming more sophisticated just because they're receiving more and more personalized data through these breaches.

For our next article: Twitter rolls out encrypted DMs, but only for paying accounts. All right, these articles are brought to us from Bleeping Computer, and they're talking about how Twitter, for the blue check mark paying customers, is going to have the end-to-end encrypted DMs feature. Right now they're saying it's still testing, so don't use it for production, or don't trust it, you know, quote unquote, yet, but you can try it out, that kind of thing. Elon apparently put a tweet out as well, telling people, you know, test it, but don't rely on it just yet. I guess this is a feature to get people to pay for the blue check mark, saying, hey, you know, we'll have end-to-end encryption, and this is something you'll only get if you pay us for it. I'm going to tell you as Some Guy on the Internet, someone you can clearly trust, if you're sending anything sensitive via Twitter, you're doing it wrong. Sensitive information should not be on Twitter or near Twitter. I would even argue not even on a device that contains the Twitter app. You know, with these apps, you have to give these apps permission to access all of the data on the device. So if you have something sensitive on the device with these apps that you just hand over all permissions to, yeah, you're in trouble. I would not be doing that. And I'm pretty sure 12 to 24 months from now, we'll have a court case where somebody got dragged through the court system and nailed to a cross because they thought that the end-to-end encryption meant only they had the private key, and only the people they wanted to communicate with had the public key. The case will reveal that, no, Twitter indeed also has that private key.
They're probably the ones who generated it for you, you know, like you have no, I'm pretty sure you won't have control over that key, like you can't change it. You'll probably have to have the app, like it'll probably only work inside of the app, which means, yeah, Twitter will simply have control over that feature, you will not. Yeah, so if you want to send encrypted messages, you know, try a Proton email or figure out what GPG is and how that works with Thunderbird. The Lord knows I sure can't. No, as a matter of fact, call Klaatu. Klaatu, get you set up with that. I think he did a show on it not too long ago. Klaatu, where are you? We need you over here. Klaatu, quick.

In our next article: Discord discloses data breach after support agent got hacked. All right, this is a quick and simple one. It was a data breach over at Discord, not Discord the company, but one of their support agents at a third party. I'm guessing it was a session token attack. The story does not give those kinds of details, but that's what's been happening a lot recently. Whenever you save accounts on your system, like for Discord, Thunderbird, Firefox, any sort of web-based technology, a lot of them have the ability to save your login as a session token or a session ID, which means, yay, it's convenient. You can rejoin or start a session with that client without verifying, because you've already authenticated it once in the past. Where it's bad is that that little bit of convenience removes security. That little session token, that cookie, that little bit of data, if it's stolen, now someone else can also have access to your data via a separate client using that session token, because it's already verified that it's an authentic, it's an authenticated request.

Thank you for listening to Hacker Public Radio. I'm Some Guy on the Internet and this concludes the Oh No! News. Oh no!

You have been listening to Hacker Public Radio at HackerPublicRadio.org.
Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.
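The Discord story in this episode turns on the host's point that a saved session token is "already verified", so whoever holds it is trusted without re-authenticating. The following is an added example, not code from the podcast, from Discord, or from any product it names: a minimal server-side session store in Python that shows what the service end can do about that. It issues unguessable tokens, stores only a hash of each token, binds each token to the client context that logged in, expires tokens, and revokes a token the moment it is presented from a different context, raising an alert for the security team. The class and function names, the 8-hour TTL, and the IP addresses and user agents in the two demo scenarios are all constructed for this illustration.

```python
"""Server-side handling of session tokens.

Added illustration (not code from the podcast, Discord, or any named product):
a small in-memory session store that issues random tokens, binds each to the
client context that authenticated, expires them, and revokes a token the
moment it is presented from a different context, which is the signature of a
stolen cookie. Names, addresses and the TTL are all constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SESSION_TTL_SECONDS = 8 * 60 * 60  # assumption: 8-hour absolute lifetime


@dataclass
class Session:
    user: str
    context_fp: str   # fingerprint of the client that logged in
    issued_at: float
    last_seen: float
    revoked: bool = False


def fingerprint(ip: str, user_agent: str) -> str:
    """Coarse client fingerprint; real deployments add more stable signals."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._sessions: Dict[str, Session] = {}   # keyed by sha256(token)
        self.alerts: List[str] = []               # what the security team gets paged on

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a dump of the store must not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, ip: str, user_agent: str) -> str:
        """Called after the user proved their identity; returns the bearer token."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        now = self._now()
        self._sessions[self._key(token)] = Session(user, fingerprint(ip, user_agent), now, now)
        return token

    def authenticate(self, token: str, ip: str, user_agent: str) -> Optional[str]:
        """Return the user if the token is valid for *this* client, else None."""
        sess = self._sessions.get(self._key(token))
        if sess is None or sess.revoked:
            return None
        now = self._now()
        if now - sess.issued_at > SESSION_TTL_SECONDS:
            sess.revoked = True                  # stale tokens die even if never stolen
            return None
        if not hmac.compare_digest(fingerprint(ip, user_agent), sess.context_fp):
            # Same token, different client: treat as theft, kill it, alert.
            sess.revoked = True
            self.alerts.append(f"token for {sess.user} reused from new context; revoked")
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token: str) -> None:
        sess = self._sessions.get(self._key(token))
        if sess is not None:
            sess.revoked = True


def theft_demo() -> Tuple[Optional[str], Optional[str], Optional[str], List[str]]:
    """Constructed scenario: a token is copied to a second machine."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    token = store.login("agent42", "203.0.113.7", ua)
    legit = store.authenticate(token, "203.0.113.7", ua)            # "agent42"
    thief = store.authenticate(token, "198.51.100.9", "curl/8.0")   # None, token revoked
    owner_after = store.authenticate(token, "203.0.113.7", ua)      # None: must log in again
    return legit, thief, owner_after, list(store.alerts)


def expiry_demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: the same client, but the token outlived its TTL."""
    clock = [1_700_000_000.0]
    store = SessionStore(now=lambda: clock[0])
    token = store.login("agent42", "203.0.113.7", "Mozilla/5.0")
    fresh = store.authenticate(token, "203.0.113.7", "Mozilla/5.0")  # "agent42"
    clock[0] += SESSION_TTL_SECONDS + 1
    stale = store.authenticate(token, "203.0.113.7", "Mozilla/5.0")  # None
    return fresh, stale


if __name__ == "__main__":
    print(theft_demo())
    print(expiry_demo())
```

The hard revoke on any context change is a deliberate design choice for the demo: it makes the stolen-cookie case visible and also logs the legitimate owner out, so they are forced to re-authenticate. In production that rule is usually softened, because a phone moving between Wi-Fi and cellular changes its IP; a common compromise is to drop the IP from the fingerprint, keep the alert, and step up to a fresh login or second factor instead of silently revoking. What does not change is the rest: random tokens, hashed at rest, with an absolute lifetime.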