The Host Unknown Podcast - Episode 111 - Jav Is In The Top Four

Episode Date: July 8, 2022

This Week in InfoSec (08:04)

With content liberated from the “today in infosec” twitter account and further afield

8th July 2011: Space Rogue broadcast the final HNNCast. And with that, the Hacker News Network came to an end.
Final broadcast: https://www.facebook.com/78983739181/videos/10150254277486182/ https://youtu.be/UdKyDqU1p-4

1st July 1979: The first Sony Walkman, the TPS-L2, goes on sale in Japan. It would go on sale in the US about a year later. By allowing owners to carry their personal music with them, the Walkman and their iconic headphones introduce a revolution in listening habits and popular culture at large.

Rant of the Week (17:12)

Rogue HackerOne employee steals bug reports to sell on the side

A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards.

The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday.

HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports.

On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure through an off-platform communication channel from someone using the handle “rzlr.” The customer had noticed that the same security issue had been previously submitted through HackerOne.

Bug collisions, where multiple researchers find and report the same security issue, are frequent; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look.

HackerOne’s investigation determined that one of its employees had access to the platform for over two months, since they joined the company on April 4th until June 23, and contacted seven companies to report vulnerabilities already disclosed through its system.

Billy Big Balls of the Week (23:42)

Apple’s new Lockdown Mode defends against government spyware

Apple announced that a new security feature known as Lockdown Mode will roll out with iOS 16, iPadOS 16, and macOS Ventura to protect high-risk individuals like human rights defenders, journalists, and dissidents against targeted spyware attacks.

Once enabled, the Lockdown Mode will provide Apple customers with messaging, web browsing, and connectivity protections designed to block mercenary spyware (like NSO Group's Pegasus) used by government-backed hackers to monitor their Apple devices after infecting them with malware.

Attackers' attempts to compromise Apple devices using zero-click exploits targeting messaging apps such as WhatsApp and Facetime or web browsers will get automatically blocked, seeing that vulnerable features like link previews will be disabled.

Industry News (33:14)

TikTok CEO Addresses US Security Concern
Software Supply Chain Attack Hits Thousands of Apps
Hive Ransomware Upgraded to Rust to Deliver More Sophisticated Encryption
APT Hacker Group Bitter Continues to Attack Military Targets in Bangladesh
North Korean Hackers Target US Health Providers With 'Maui' Ransomware
Marriott Plays Down 20GB Data Breach
FBI and MI5 Bosses Warn of “Massive” China Threat
Microsoft Updates Windows 11 Subsystem for Android to Introduce Support For VPN-Assigned IPs
Apple Announces 'Lockdown Mode' to Protect Journalists, Human Rights Workers From Spyware

Tweet of the Week (44:33)

https://twitter.com/alxbrsn/status/1544707673282723840
Ubisoft Accidentally Leaks Hundreds of Customer E-mail Addresses in Watch Dogs Marketing Snafu

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Okay, so which one of you is going to resign first, given that it seems to be the week of resignations? Uh, well, in good conscience, I can no longer work with either of you two, so I'm out. Okay, okay. And in good conscience, I can work with neither of you two either. Um, I, I have no conscience, so I'm happy to sit here and take all the sponsorship money. Go now, Jav. Go now. All the sponsorship money? All of it? All of it. Every last penny. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us
Starting point is 00:00:50 and welcome to episode 111-ish of the Host Unknown Podcast. I was waiting for you to say something there, Andy. There we go. I was on mute, I put my mic on mute to cough. I was on mute. It's so 2020, mate. I mean, come on. It's so passé now, darling. Oh, dear. Oh, yes, indeed. 111. So, Jav, how are you doing today?
Starting point is 00:01:33 I'm doing good. I'm doing good. It's a nice Friday, so sun's out. And yeah, I can't complain. Well, I can because I'm talking to you two, but I won't. Yeah, absolutely. And what's your week been? You did a little bit of travelling earlier. Yes, yes. I've been, for a while, it's been on my bucket list to get an investment property of some sort. So I've been travelling the country looking for someone that will sell me something for like 10 grand or 15 grand or something. So you've been going north, basically. Yeah, further and further on each trip.
Starting point is 00:02:05 But with the rising cost of petrol, it's like turning out to be cheaper if I just fly there or take the train, actually. Or just hand over the extra £10,000. So where have you narrowed your sights to? Or is that still sort of Jav confidential? Yeah, it's to be decided, really. Whoever accepts my local offers, really.
Starting point is 00:02:33 Are you going to become a landlord or an Airbnb host? Or hostess. We don't discriminate. I don't think I'm brave enough to. No, this is true. Yeah, yeah. I'm initially just landlording in the traditional sense, I think. So like screwing tenants, taking their sort of DSS
Starting point is 00:02:51 and sort of not fixing leaks and having mould on the walls. Well, I mean, it fits with everything else. He doesn't do anything around here either. I mean, what are they going to do, leave me a bad review? Well, with all the others, I mean, it's like they're going to stick out. And if you've just joined us, this is Host Unknown, Homes Under The Hammer podcast. Did it, did it, did it.
Starting point is 00:03:22 So all you need, Jav, to be a landlord is you need a sheepskin jacket, a jag, and two dogs so you can walk around telling everybody that you owe them that they owe you rent, and you'll be fine. That's your landlord starter kit. Fantastic. Great advice. I should have come to you before I even went. You didn't rock up with your jag, did you?
Starting point is 00:03:48 That was a thing. No, I didn't. Okay, cool. Anyway, Andy, how are you? What have you been up to? Been working, working hard. Or hardly working, am I right? Or hardly working.
Starting point is 00:04:01 What was it you were saying? Are you incompetently competent or competently incompetent? So this is the thing of starting a new job and you start off as unconsciously incompetent, i.e. you don't know that you're bad at the job. And then you become consciously incompetent. You know that you've got a lot to learn. Then you become consciously competent, i.e. you have to work hard to be competent. And then finally you become unconsciously competent, where actually it's second nature. So where are you on that scale? I would say I'm definitely in the early stages of this journey. It's one of those, am I going to make it to the finish line? I do not know.
Starting point is 00:04:43 it's you know that whole never be the smartest person in the room? Yeah. Just for once, I would love that. You know, I just need a little bit of a... You need an edge. Yeah, I just need a morale booster, right? Help me out. Just give me something.
Starting point is 00:04:59 Yeah, no, learning lots of things. So I've moved to a company which is a specialist risk management company. And I've always been on the side of managing risk and being able to contribute something. But now, you know, walking into a room with other experts, you know, who are far more qualified in that field than I am. It does feel like I'm just, you know, kind of that guy that walks around the building site with a clipboard and just ticks things. Yeah. Yep. Yep.
Starting point is 00:05:28 You got a bucket. You got a hard hat on. Yep. Good, good, good. Are you the guy in the suit with a hard hat at the building site who points at the plan and then points at the building and then points at the plan and points at the building? Exactly. Yeah. I just need to, you know, start writing things down on that plan
Starting point is 00:05:48 and contributing a bit more. But hopefully it will come. It's, yeah, lots to do and very smart. But in the meantime, I'm learning lots, right? That's the most important thing. Yeah, absolutely. And also, you know, a lot of these smart people, if there's anything we've learned from this current government, that we shouldn't always trust these so-called experts, you know, and leaders in the field to know what they're talking about, right? So, I mean, I'm sure there's something you can add to that.
Starting point is 00:06:19 Yeah. But Alas, how's your week? You're not too far ahead of me in terms of new jobs. No, no. You've been three months on Monday just gone. So, oh, where am I? I'm not even going to suggest in case, you know, in case I don't make it through to the next payroll. You know, I've just been bitten by a... The life of a CISO.
Starting point is 00:06:43 Exactly, exactly. So a couple of nice breakthroughs this week, actually. I was on the call to somebody, and we were talking about whatever it was we were talking about. And he said, yeah, and then we're going to use... And then we're going to feed everything into Dave's new risk register. And it took me a second. It's like, Dave's new risk register. That's the thing I kicked off two months ago because we didn't have anything.
Starting point is 00:07:08 And now everybody's. Now you realize that everyone calls you Dave. Yeah. No, but it was kind of like, that's great. It's being circulated. People are knowing about this and want to now contribute to it. So it's one of those, you know, the circle is kind of closing on itself in a good way. So that was nice. That was really good.
Starting point is 00:07:30 So shall we see what's coming up on this week's show? This Week in InfoSec reminds us of L0pht Heavy Industries. Rant of the Week brings us a brazen employee. Billy Big Balls is a game changer for Apple device owners. Industry News brings us the latest, greatest security news stories from around the world. And Tweet of the Week is the story of a 10-year
Starting point is 00:07:53 email thread. So, let's move on to our favourite part of the show, the part of the show that we like to call... This week in InfoSec. It is that part of the show where we take a stroll down InfoSec memory lane with royalty-free soundtrack and content liberated from the Today in InfoSec Twitter account and further afield. So our first story takes us back a mere 11 years when on this day, the 8th of July 2011,
Starting point is 00:08:35 Space Rogue broadcast the final HNN cast. And with that, the Hacker News Network came to an end. So for those who do not know their history, Space Rogue, aka Cris Thomas, was a founding member of the hacker think tank L0pht Heavy Industries. So he was the first of L0pht's members to leave following the merger of L0pht with @stake in 2000, and is also the last to reveal his true name. So he was one of seven L0pht members who testified before the U.S. Senate Committee on Governmental Affairs in 1999, and he testified under his internet handle of Space Rogue. And it was his testimony and that of other L0pht members that served to inform the government
Starting point is 00:09:19 of the current and future internet vulnerabilities to which federal and public channels were susceptible. So they specifically warned of internet vulnerabilities, claiming they could take down the internet within 30 minutes, which obviously the Senate paid great attention to. And their testimony marked the first time that persons not under federal witness protection were permitted to testify under assumed names. I was going to ask, beforehand, did they sort of like,
Starting point is 00:09:53 what are you going to call yourself? I don't know, what are you going to call yourself? I don't know, just put two random words together. I'm Xanthor the Destroyer. Back then, I think everyone sort of went by internet handles then, right? It sort of came from the IRC days or, you know, bulletin boards. What were your internet handles?
Starting point is 00:10:12 I had many. So Jester being one of them. No, I didn't actually add the Sir part until maybe 1999. Prior to that, it was just Jester. Well, you hadn't accomplished so much by that point. Exactly, yeah. I hadn't done so much. But yeah, no, it wasn't until maybe 98, I think.
Starting point is 00:10:33 What about you, Jav? What was your nom de plume? Oh, none of them I can remember are suitable for competing. Big Dick 69. No, no.
Starting point is 00:10:51 I've never been into false advertising. Adequately sized Dick 68. Room for improvement. Grower, not a shower. Anyway, with DVA, so L0pht Heavy Industries, they created the Hacker News Network website in 1998, and their goal was to publicise security stories which they believed should have been better publicised, as well as call out inaccuracies in mainstream reporting.
Starting point is 00:11:22 We've seen many examples of this and sort of sensationalism in the past, and they were the authoritative place to get your accurate security news from, um, you know, by the late 90s. But when they were acquired by @stake in 2000, @stake essentially shut down, uh, the Hacker News Network because they had to find a balance between, you know, sort of providing this free educational service to the community and not pissing off their commercial customers. We're not touching that with a 12-foot barge pole. Yeah, exactly.
Starting point is 00:11:54 But, yeah, in the spring of 2009, Space Rogue did restart HNN and he continued to run it for another two and a half years until it came to its end in July of 2011. Wow. Why did, why did he give up? Do you know? Uh,
Starting point is 00:12:10 he did. Well, it basically became too much effort to run. So, you know, with the, I guess, researching stories,
Starting point is 00:12:16 editing, uh, and all of that, you know, he's saying it's sort of spending 40 to 50 hours a week on it. Crikey. Side gig. I thought this was bad enough
Starting point is 00:12:25 in the hour I have to spend with you guys, but blimey. Well, exactly. Well, funny, right? Funny, right? Has it been an hour or has it been more? Are we on episode... Yeah, we started this show on episode 115.
Starting point is 00:12:38 What people don't know, this now turned into episode 116, but we can talk about that another time. 112. Yeah. But, Les, I'm gonna just quickly move on to our second story, which takes us back long before I was born, uh, which is a mere 43 years to the 1st of July 1979, when the first Sony Walkman, the TPS-L2, went on sale in Japan. And it went on sale in the US a year later, obviously. By allowing owners to carry their personal music with them,
Starting point is 00:13:12 The Walkman and their iconic headphones introduced a revolution in listening habits and popular culture. So I remember the knockoffs that came out in the late 80s and things like that. And I've actually got one of the more modern Sony Walkman cassette players in my drawer because I bought it back when I unearthed a Spectrum 48K. You remember those? Yeah. And in fact, we gave this particular one away as a prize at a conference, as I recall. Yes.
Starting point is 00:13:45 And I wanted to sort of bring it back to life and have a go with it, etc. And I bought some old tapes. I think it was Jet Set Willy and I can't remember the other one anyway. A couple of tapes. And so I thought I'd buy a Sony Walkman to play the tapes into it. Do you know what? It wouldn't work. The gain was not high enough for it to work
Starting point is 00:14:05 So in the end I downloaded an app onto my iPhone, an iPhone 4, um, which simulated that. And so I got a photo somewhere of a Spectrum and an iPhone connected with an audio cable, with the iPhone feeding the program into the Spectrum. It's like a real sort of contrast of technology there, you know, one slave into the other. It was the wrong way around, you know. But yeah, so it was, um, yeah, the whole Walkman thing just is, is really good. I've still got cassette tapes, in, you know, um, now that are on the shelf somewhere. But yeah, but do you think the mini disc came out as well after that with its anti-skip technology, right?
Starting point is 00:14:53 And the CDs. Because no one could jog with it or anything. And the CDs, yeah. Yeah, oh, the CDs. Well, that was the problem, though, wasn't it? The CDs, they would skip as you were walking. Yeah. But then they came up with anti-skip technology on those as well.
Starting point is 00:15:06 Yeah, all that meant was it just paused for, you know, two seconds. It was never as good. I mean, like, the Walkman, the original tape was just so good. It was, like, durable. You didn't have to worry about dust and scratches like you did on the CD. And it was just so easy to record. Like, you know, when, like, end of the year or something, they, you know, Capital used to do the top hundred songs of the
Starting point is 00:15:28 year, you could sit there and record them off your stereo and have your own mixtapes. Making mixtapes for your, you know, the love of your life at the time. Obviously not, it was more... Sorry, I remember doing, like... No, I'm not even going to go
Starting point is 00:15:45 into it. After, you know, after an emotional break, I remember the Pasadenas' "I'm Doing Fine Now" sort of on loop, along with, uh, who's the other one? "King of Wishful Thinking". You know, for the longest time there was a David Bowie track that, you know, has some quite sort of atmospheric kind of crackling in it and all that sort of thing. 10 years later I found it's because the tape was crinkled when I listened to the original. I think it was on a CD. It was like, hang on, where's, where's the crackly bit? What's this edit? Yeah, exactly.
Starting point is 00:16:30 And because it was at the beginning, it was in the first track, when he turned it over, the album had finished, so you didn't hear it on the other side, if you saw it. So, yeah, yeah, 10 years. 10 years just because of that one crackly tape. Anyway, excellent, lovely trip down memory lane there. Thank you, Andy, for this week's... This Week in InfoSec. This is the podcast the Queen listens to.
Starting point is 00:16:59 Although she won't admit it. So let's move on, shall we, to the blood-boiling part of the show, the part of the show that, uh, we like to call... Listen up! Rant of the Week. It's time to mother rage. So you'd think that, um, you know, any company that's dealing in sensitive information, such as vulnerabilities and bug reports and all that sort of thing, they'd have their security locked up tight. And you're right. This particular company, HackerOne, they absolutely do. They are a very reputable company, very open, honest, trustworthy, etc.
Starting point is 00:17:43 Unfortunately, the same cannot be said for one of their most recent employees. This particular employee joined on April the 4th of this year and was let go on June 23rd. So that was only about two and a half months, actually, two and a half months or so. And in that time, this particular person was a bit of a scoundrel, to say the least. So if you don't know what HackerOne does, they are a bug bounty company. So if you're a company that wants to outsource your bug bounty program, i.e. outsource the ability for security researchers around the world to test your platform, test your website, test your software products, and then get paid for any vulnerabilities that are found. This is what HackerOne does. They handle all of that for you. They handle all the payments and you just pay HackerOne directly so you don't
Starting point is 00:18:53 have to worry about it. This is all great because security researchers just put their findings. They look on the HackerOne website. They download what work is available to look at, and they start their research. And if they find something, they upload it. Well, this particular employee, who, as it turns out, has another name of Rizzler, R-Z-L-R, this particular person who was on the inside of HackerOne was taking these reports that were coming in from genuine security researchers who were expecting to be paid for it and then contacting the company directly and saying, hey, look what I found. Do you want to give me some money for this? Basically, stealing other people's work and passing it off as their own. And we all knew a kid like that at school. Right. So this guy is basically, what you're saying is, he's got CISO potential. Absolutely. In fact, Andy and I have got a friend now who does that. Right.
Starting point is 00:20:03 Yeah, this is true. Yeah, so this, this person, um, did this seven times in this two and a half month period. I mean, that's like once every 10 days or so, something like that. Absolutely shocking. Um, presumably they were background checked and all that sort of thing, but it really... The amount of time they were in, this person came in with a premeditated idea, I think, of what they were going to do. They were going to gather as much money as they could and then just leg it. And probably, like so many of these genius criminals, got a bit greedy, thought this was a bit too easy and stayed a little bit too long. And it was only found out when a customer requested an investigation of a suspicious vulnerability disclosure through a direct channel rather than from HackerOne directly. And it basically matched up with one that had already been submitted.
Starting point is 00:21:07 So, yeah, absolutely shocking. When I was given the choice to do this or another story, this one just made my blood boil straight away. Just appalling, appalling. And thank goodness for the criminal minds who keep screwing it up. And also, well done, HackerOne, for disclosing it and being open and honest about it. In fact, Andy, you and I were talking about this before and, you know, they've done a bang-up job on this. Yeah, well, especially, I mean, the whole model is based on trust, right? And they... Yeah, yeah, yeah. Fair play. True. Yeah, this is even
Starting point is 00:21:36 better than the time that they helped criminals launder money through an unofficial ransom, uh, disguised... But bang, bang-on job. Well, missed a long memory there. Sorry, were you going to ask them for sponsorship? Well, we can cut this part out. Were you? It's asking for... HackerOne, if you're listening, please join us. Come on the show. It'll only cost you, you know, four figures, and we can hear all about the story. Yeah. And what is it? Bugcrowd, if you want to sponsor us. You just need to do a few higher figures, and we'll get you on first.
Starting point is 00:22:18 Yeah, exactly. And we'll even say stuff about HackerOne for you. We'll read it from the script. That's right. We take all the liability, so you don't have to. Yeah. We're like Nigel Farage. We'll just read anything.
Starting point is 00:22:32 Yeah. Yeah. Oh, excellent. So, yeah, well done, HackerOne. And boo, hiss, shame on you, Mr. Rizzler. Or Mr. the Rizzler. And that was this week's... Rant of the Week.
Starting point is 00:22:49 Feeling overloaded with actionable information? Yep. Fed up receiving well-researched, factual security content? Yes! Ask your doctor if the Host Unknown podcast is right for you. Always read the label. Never double dose on episodes. Side effects may include nausea, eye rolling
Starting point is 00:23:08 and involuntary swearing in anger. True story. I love that jingle. Oh, yeah. So I really like the music on that one. Right. Sorry, it's down to me now, isn't it? Yeah, we've got to keep the show moving on.
Starting point is 00:23:25 I'm too busy looking at the notes and the added notes that have been put in there since our little recording faux pas earlier that hopefully nobody noticed. So let's move on to another faux pas and Jav and this week's... Big Balls of the Week. You know what, Tom, I don't know what I'd do to deserve this. I'm so nice to you. You know, I'm not even like throwing you under
Starting point is 00:23:57 the bus today or disagreed with you too much, and like this is what I get, and then you wonder why I'm mean to you. I love the caveat, I haven't even disagreed with you too much. Yet. Obviously, yet. Yet, exactly. So, Billy Big Balls of the Week goes to Apple, and Tim Apple has some kahunas. So, you know how it is. People's whole lives revolve around their phones these days. Everything is on there.
Starting point is 00:24:37 You can't even go and get a paper ticket from a parking machine anymore. You have to do it through an app. So everything's on there. It's kind of all right because if you don't have change, which I never do... Um, but, um, hold on, sorry, my phone's ringing. I forgot to put it on silent. No, and that's not an invitation for you to start phoning me, Andy, which is something you always do. Yeah, so our whole life is, is on the phone. Everything's there. But it's also a treasure trove of information for criminals, bad guys out there. They can... Uh, oh, thanks, actually, he's phoning me up now before I had a chance to put my watch on mute. I put my phone on mute but not my watch. So everything's on your phone, your life's there, but there is a lot of information
Starting point is 00:25:27 that can be misused and that's not just from advertisers or people with bad... Jav, can you answer your phone please mate? I can hear it come through the sound right now, you've reached the O2 messaging service. Okay. So Apple have announced... Oh my god. You know what? I can hear it ringing in my headphones. I know because I'm holding it up.
Starting point is 00:25:56 Yeah, why? We're just trying to show your incompetence. Oh, really? And this is the best way you could think of it? This is a deflection technique, nothing else. Yeah. Apple know that their phones are very popular. They've gone on the privacy bandwagon for a while.
Starting point is 00:26:18 They're saying, like, buy iPhones, we take your privacy seriously. But criminals also know that, and there have been many targeted attempts against individuals based on their phones. So if you know their geolocation, you can use that to do a drone strike. If you are, um, what's that, that NSO Group, then the Pegasus spyware also can affect iPhones and give away all your information, trade secrets and whatever. So, you know, who wants to go up against corrupt governments, dodgy regimes and fancy state-backed software manufacturers whose whole job is to break into phones?
Starting point is 00:27:01 Well, Apple, and they've announced a new security feature known as Lockdown Mode, which will roll out with iOS 16 to protect high-risk individuals like human rights defenders, journalists and dissidents against targeted spyware attacks. So I assume you just, like, you know, you can be running down the road being chased by Agent Smith and you pull out your phone and say, Siri, enable Lockdown Mode. All of a sudden, enabling Lockdown Mode. All the shutters come down. And yeah, yeah, yeah. If you could add some sound effects in the background, Tom, that would be great. Does it flood all your chats with memes? Yes, we call it the Andy feature.
Starting point is 00:27:56 So the Lockdown Mode, you can still use messaging, web browsing and... You can still use it as a phone, basically, can't you? Yeah, yeah, yeah. But there are some connectivity protections designed to block mercenary spyware used by government-backed hackers to monitor their Apple devices after infecting them with malware.
Starting point is 00:28:23 Attackers' attempts to compromise Apple devices using zero-click exploits, targeting messaging apps such as WhatsApp or on Facebook or web browsers, will get automatically blocked, seeing that vulnerable features like link previews will be disabled. So this is really, really good.
Starting point is 00:28:42 I think it's one that's almost auto-sandboxing everything. What I was wondering is that this is a really good feature now for people who are valuing their opsec, like journalists or what have you. But I think more and more of these features might even creep into the standard build of an iPhone that, you know, the way they're going with like do not track and everything.
Starting point is 00:29:09 I think this is a really good, you know, general security feature. I mean, like why, you know, and I say this as someone employed by a security awareness vendor. If you can have it so that the phone doesn't allow you to click on something and get compromised, you don't need to then train the user. Don't click on a link, or here's how you check out what's dodgy.
Starting point is 00:29:29 If your security software can do that for you itself and just prevent it, I think that's, that could be really, really useful. But yeah, I think, you know, I just... I don't think it's got enough coverage, is that Apple have also doubled their bounty program. I was just about to say exactly that. For any sort of findings in Lockdown Mode. And they go up to a maximum of $2 million
Starting point is 00:29:55 if you find a vulnerability with their Lockdown Mode. Because it's a million in anything else, but if it's to do with Lockdown Mode, it's $2 million, yeah. Wow. Do you think Rizzler submitted a bug bounty for that? I don't think anyone else has done it yet. The problem was the evidence he provided was paper thin. Let's roll that story up now. Oh, very good. It's a, it's a really
Starting point is 00:30:29 good feature, and I think we need more of these features natively in these devices. And I think we, you probably will. I think even, um, maybe like corporate-issued devices might even be something like this. It's like, here's a brand new Wi-Fi. By the way, we've disabled everything you might find useful on it except for work. It's sort of like a better MDM. But if this is something that can also be triggered remotely as well, it means that if a company's SOC is seeing that somebody's being targeted, et cetera, they can trigger this without the user having to do anything, in the sense that, you know, the user might not know they're being attacked because it's, you know, quite surreptitious and behind the scenes.
Starting point is 00:31:12 But if the SOC finds it, boom, they can lock it all down. And they're securing all the endpoints, not just, you know, the standard laptop, et cetera. Yeah. Yeah. No, good point, good point. So, you know, you see, you can track your employees, you see, oh, they're entering a dodgy country. Yeah. Let's just enable lockdown mode as they go through customs
Starting point is 00:31:36 and, you know, good luck with trying to get any data off it. Well, people often say that you should, you know, get a brand new device when you go to China and things like that. I guess if you just put it into lockdown mode, it would be the same thing, effectively, wouldn't it? No, I mean, what they'll do, they'll literally just grab your face, hold it to your phone, use it to unlock Face ID and then switch lockdown mode off. Yeah, yeah, yeah. But I do love it. I mean, this sounds like such a West Coast, someone in San Francisco thinking of it. Well, you know, these regimes, they can get it.
Starting point is 00:32:08 I tell you what, why don't you just buy another £1,500 iPhone and travel? Yeah. And then you won't have that problem. You're a genius. Genius, Dave. Why didn't I think of that? Good one. Oh, dude. No, it's good. It's good. I think it definitely qualifies for a big ball move, Billy Big Balls move, because it does put a target on them somewhat.
Starting point is 00:32:32 But hopefully it's, well, hopefully this is a case where the other phone manufacturers will actually copy and, you know, roll this out amongst other sort of phones as well, because, you know, frankly, something needs to be done, right? And this is quite a bold move to try and address that balance. Definitely, definitely. Thank you, Jav, for this week's...
Starting point is 00:32:57 Billy Big Balls of the Week. It doesn't matter if the judges were drinking. Host Unknown was still awarded Europe's most entertaining content status. So it was, and so it was. And that was only a few weeks ago, really, which just goes to show that, well, just goes to show how much time flies.
Starting point is 00:33:25 And talking of time flying, what time is it, Andy? It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. Industry News. TikTok CEO addresses US security concern. Industry news.
Starting point is 00:33:51 Software supply chain attack hits thousands of apps. Industry news. Hive ransomware upgraded to Rust to deliver more sophisticated encryption. Industry news. APT hacker group Bitter continues to attack military targets in Bangladesh. Industry news.
Starting point is 00:34:17 North Korean hackers target US health providers with Maui ransomware. Industry news. Marriott plays down 20 gig data breach. Industry news. FBI and MI5 bosses warn of massive China threat. Industry news. Microsoft updates Windows 11 subsystem for Android to introduce support for VPN-assigned IPs. Industry news.
Starting point is 00:34:41 Apple announces lockdown mode to protect journalists, human rights workers from spyware. And that was this week's... Wow. Huge if true. Huge. Huge. Although 20 gig data breach apparently isn't huge.
Starting point is 00:35:03 This is the third time Marriott have been breached in five years. Four years? What is it? I mean, come on. There was that you were saying last week. It's good to have a breach every three years because it brings it back to the forefront of everyone's mind. Yeah, but not three in three years. Yeah, exactly. I mean, come on.
Starting point is 00:35:20 That InfoSec program is not working. Well, that's just... Obviously, obviously I'd have to click on the link to know more, and I'm damned if I'm going to do that. But it just seems to me that, you know, maybe because they were so easy to roll over the first time, the criminals just wait for them to pick themselves up and get back to business as usual and go, all right, let's try, let's have another go. And they're kind of like, you know, constantly being punched by the school bully in the same place, even though the bruise has cleared up.
Starting point is 00:35:49 It still bloody hurts and it's still taking them out. And I'm wondering if it's, you know, a persistent set of attacks or if it is just now incompetence. Right, so take it back, right, the whole thing back in the day, so much data went, right? You know, credit card information, you know, that original one from when they acquired Starwood Hotel. So, you know, huge amounts of data and they got fined for it. And then they got breached again last, I can't remember if it was last year or the year before. But anyway,
Starting point is 00:36:21 they keep losing personal data, right? So you'd think that they would have some type of controls in place. And don't forget, controls are there not to deliberately or necessarily always stop malicious people. It's to stop accidents from happening as well. So in this recent case, apparently an employee at Baltimore Airport got phished at the airport Marriott, and so they allowed someone to connect to their machine, and then that person who connected to their machine exfiltrated this data, 20 gigs worth of data, right? And so Marriott tried to downplay it and said, oh, you know, there's non-sensitive business files that were taken. But then there were 400 people that had sort of sensitive personal information taken as well, and that includes full credit card details with CVV, expiry dates, and also HR files containing information on employees.
Starting point is 00:37:13 But taking it back to what controls would you put in place? Bearing in mind, you have been fined to the tune of millions of pounds already, you know, in different regions as well. Like DLP, right? You're looking for credit card data or PII egress in the network, okay? Why would they not have that control in place? And I get, you know, that you allow a certain amount of data to go out, you know, without stopping it, because it may be BAU or it's an acceptable risk. But surely the details of 400 people is not something that should be allowed to go out without being flagged somewhere. Yeah, so when they said that somebody connected to the machine, um, in the airport, does that mean they allowed this person to plug in over USB? Uh, socially engineered, they state.
Starting point is 00:38:06 So I think it was one of these, hey, it's me, Dave, from the IT help desk. Can you go to this site and find the executable? Yeah, that probably makes more sense because it would take a while to copy 20 gig of data over, wouldn't it? Yeah, and that's what I mean. But something must have flagged and said, hey, look, there's sensitive data going out of the network. I think it does.
Starting point is 00:38:27 I think it also plays to the fact of budgets, because I know most hotels are still hurting from the pandemic and cash just isn't available. And hotel profits are razor thin at the best of time, or Rizler thin even. Sure. But you lose 330 million guest data in 2014. Yeah.
Starting point is 00:38:53 Then you lose 5.2 million guest data in 2020. Yeah. Along with employee logins. Surely at that point you're saying, look, you know, this is actually costing us more in fines to address the root cause. Yeah, exactly. I completely agree. I'm just trying to think of the nonsensical logic.
Starting point is 00:39:12 Now you're saying I completely agree once Andy's shown you what a farce your way of thinking was. And I'm like, oh, no, it's just no budget. There's no budget for this thing. They have razor thin profits. I mean, like the minibar. They're literally giving the stuff away on the minibar. Are you all right?
Starting point is 00:39:32 Have you had a stroke or something? I'm not sure. I'm just saying, honestly, you're so full of shit, but that's what makes you a great CISO. No, but what I was saying was the rationale that's being given internally is profits are too thin. We can't afford to spend all the money that we want. We'll put other things in place like education and awareness and stuff like that, rather than the expensive multimillion dollar DLP. We'll spend 10 grand on a PowerPoint and send that round. And the regulators will tick the box and we'll get away with it. That's probably the rationale as to why DLP hasn't gone in. That's not to say it's not true that what Andy's saying isn't true, because of course they're going to get hit with fines again and again
Starting point is 00:40:21 every time they get, um, they get, uh, hacked. But, and, and the business is wrong in its assumption that, you know, we can't afford to do this, because they can't afford to not do it now. Wow, so many words to say absolutely nothing. But okay, anyway, the other story. That sounds like you generally. Yes, it... Game recognises game, my friend. That's what I always say. Mind you, you take all the words you use in this podcast and you use them three or four times elsewhere.
Starting point is 00:40:56 TikTok and the Cron show or whatever it's called now. The Jarek show. That's it. All that sort of stuff. So yeah, that's it. You know, all that sort of stuff. So, yeah, that's fair. Anyway, you had your little moan? I've had my little moan. Just one, a story that's near and dear to Andy's and my hearts.
Starting point is 00:41:21 The TikTok CEO addresses US security concerns. And I fully agree with him. There is absolutely just like a witch hunt going on here. I don't know why they think, oh, the, the, um, the CCP is interested in finding out the US user data on their 14-year-old girls who are dancing to trends. I mean, it's just, it's just farcical. I think there's no basis on this. And because those 14-year-old girls will be government employees in 10 years' time. Well, this is, uh, what's that, um, Cruz, Senator Cruz, this was his old thing, wasn't it, about how TikTok, China's trying to dumb down Americans, infiltrating with their algorithms. Well, it certainly works with you two.
Starting point is 00:42:07 Up at 3 o'clock in the morning still on TikTok. One more TikTok. Oh, just one more. One more set of jiggly boobs. I pay attention. When it tells me to go to sleep, I go to sleep. I do everything that app tells me to do. But, you know, I mean, so the whole argument was about whether or not
Starting point is 00:42:26 the data sits in China or not. And so, right, basically if data sits in China, then the Chinese government can read it, okay? And they have the resources to do that, and they will do that, and they will profile it, and they will do everything. But I mean, this is exactly what Facebook's doing to US data. Yeah, it is, absolutely. This is exactly what they're doing with Instagram, Meta, Facebook, all your Oculus Rift stuff. You've got to use Facebook login to use Oculus Rift. It's like if you think that companies are not doing this, then you're pretty dumb.
Starting point is 00:43:03 But the difference is, though, is that Facebook is an American company and they can control that. They can change regulation, they can control, and if it comes to it, they will send armed soldiers into data centres to secure servers if they have to. They can't do that with China. No, all you do, you'd have a good old set of good old boys who are told that the government's there to steal their guns
Starting point is 00:43:29 or take away their rights or give women the right to vote on their own bodies. And those data centers will be manned by patriots to fight back. I don't see why the US think they're any better than China. They're going to take away our Minecraft crossbows if we don't starve them. Exactly, yeah. They're not any better, not at all, but they have more control over the US companies
Starting point is 00:43:56 than they do over the China ones. That's what it comes down to. This is like that Spider-Man meme, where Spider-Man pointed to Spider-Man. Yeah, yeah. I mean, you know how much love I have for Facebook, let's face it. And I think TikTok is the lesser evil here without a shadow of a doubt. Exactly.
Starting point is 00:44:13 I happily submit my data to China. Yeah, something win-win. Yeah, exactly. Oh, dear. Oh dear. Excellent. That was this week's... Industry News. If you work hard,
Starting point is 00:44:35 research stories with diligence and deliver well-edited, award-winning, studio-quality content for high-paying sponsors, then you too can be usurped by three idiots who know how to think on their feet.
Starting point is 00:44:46 You're listening to the award-winning Host Unknown podcast. Right, we come crashing to the end of the show, and it's the part of the show that we call... Tweet of the Week. And we always play that one twice. Tweet of the Week. So I shall take this one home with a tweet which Tom Hughes shared. It just kind of put a smile on my face when I saw it.
Starting point is 00:45:14 And it is from Alex Bursan. And he says, back in 2012, Ubisoft accidentally added everyone as CC on a marketing email. Long story short, someone hit reply all, and 10 years later, the email thread is still going strong. And I think that's beautiful. And he includes a screenshot of the email. I mean, we've all been there, right?
Starting point is 00:45:37 You know, where you get this email and it's like, you know, someone replies unsubscribe, and then someone else says, please stop replying to all. And then someone comes back five hours later and says, please remove me from this list, and then someone else says, please stop replying to all. Um, just classics, right? You know those things, and they typically die off after a couple of days. Um, but he's included a screenshot from, uh, you know, when he looked at it, uh, at the weekend, and it's like one of the, one of the replies in it, uh, actually says, since this thread started I've gotten married, had a child, gotten divorced, gotten remarried
Starting point is 00:46:10 and become an executive at redacted company. And, um, you know, someone else says, hey, I had my first child yesterday. I hope everyone's been well over the last decade. God, I'm so tired. And it's like this 10-year thread of just, you know, the only thing they have in common is being Ubisoft customers. It's a forum, right? Basically, yeah, with a lot of bounce backs, I'm guessing. Yeah, exactly. A lot of bounce backs and a really long thread.
Starting point is 00:46:37 Yeah, but 10 years. I mean, this is up there with the Billy Big Bull. I love the banality of it as well. You know, the stuff that's sort of being mentioned in there. Was it somebody said they had their gallbladder removed recently? Oh, your gallbladder didn't deserve you or blah, blah, blah. And it's just, it has just become, well, it's going to become the new Facebook. Yeah.
Starting point is 00:47:05 So somebody said, it's nice to see this thread still going after all these years. I hope you're all living your best lives. That's right, yeah. It's lovely. It's lovely. I want to be looped into it. If anyone can add me to it, loop me in. Yeah, that's right.
Starting point is 00:47:21 Yeah. Well, I wonder how many people sort of said, hey, I'm leaving my, you know, over the years, I'm leaving my job. Can you add my new email instead? Yeah, that's right. Or forwarding it on to their personal address.
Starting point is 00:47:41 Oh, dude, that's great. This reminds me, Andy, you're the one that holds our archival records, because you don't delete anything, unlike me. But, uh, it reminds, sometimes, every now and then, like you haven't done it for a while, but you find an old, old email chain that the three of us were exchanging about something, and like you say, hey guys, look what I found. I'm like, oh my God, why does that still even exist? Delete, delete, delete. Yeah, I need like the equivalent of, you know, lockdown mode for when I die. No, we need lockdown mode for you. Enron protocol.
Starting point is 00:48:13 Yes. Very much hard drive with me. That's right. You prize it out of your cold, dead fingers. Yeah. Excellent. That was this week's... Well, it was tough going.
Starting point is 00:48:33 It was an extra half hour than we intended to spend recording, but we made it. We made it. I can't believe we did. The technology issues aside, the thing is still recording, which is always good. So, yes, thank you very much, gentlemen. Jav, thank you so much for your time today.
Starting point is 00:48:53 Yeah, whatever, whatever. Thank you very much for your time today. You're like Conor McGregor, giving it all the loud in the beginning, and afterwards, like, you were just business, brother. You were just business after getting knocked out by Khabib. And Andy, thank you so much for your, uh, contributions today. Stay secure, my friends. Stay secure. You've been listening to the Host Unknown podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel.
Starting point is 00:49:25 The worst episode ever. r slash Smashing Security. That was a marathon, not a sprint. It was. It was, yeah. And hopefully, Jav, your trip to the doctors this morning was for your blood pressure. No,
Starting point is 00:49:46 no, just like, but, but I'm having my, you're an angry, bitter man is what's coming across. What? Come on.
Starting point is 00:49:53 I'm the most chilled out, laid back person. And I know, and like, you know, really it's,
Starting point is 00:50:01 you don't know many people then, do you? No, I don't. Mate, you're not even the most chilled out, laid back person on this call. No. I mean, you're definitely in the top four, but you're not. Just always missing out on that podium position.