Hello and welcome to the Thursday, October 20th, 2020 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Xavier, who is currently attending the CTI summit in Luxembourg, listened to a talk by Patrice of Red,

and the founder of Onifay, I pronounce this correctly, Onifay is one of the companies performing

internet-wide scans for open ports to identify exposed services. These type of scans,

Shodan, for example, being another one that does that and it's quite famous for it,

have happened for quite some time, often for research purposes. But lately, so if the business model

of attack surface detection for organizations has a little bit evolved around

this and there have been a good number of companies that basically have collected the same

kind of data. In a diary posted day, Xavier is going over some of the ethical issues

evolve with these scans, some of the things that

these companies should take care of before they sort of just start scanning. I've always been

a bit ambivalent about these services. What I do think there is a purpose for them, but the

question really is, you know, how many of them do we need?

And there is a significant percentage of the scans that we are seeing that are attributable

to these companies. So in addition to the consideration Xavier put forward, I would probably

add that they also should make some of the data available publicly in return for the cost of the public's network that they are using to perform these scans.

This week, the US government started accepting applications for student loan forgiveness via a website,

student aid.gov.

As expected applications do require a number of sensitive personal information like social security

numbers and the like.

And the FBI today warned and shouldn't really be a surprise,

...