The Host Unknown Podcast - Episode 112 - We Love Our Intern
Episode Date: July 15, 2022

This Week in InfoSec (08:09)
With content liberated from the “today in infosec” twitter account and further afield

12th July 2008: NextGenHacker101 taught us "how to view someone's IP address and co...nnection speed!" Tracer-tee! Naive? Troll? You decide. Painfully hilarious.
https://youtu.be/SXmv8quf_xM
https://twitter.com/todayininfosec/status/1414224928413454341

13th July 2001: Code Red Worms its Way into the Internet. The Code Red worm is released onto the Internet. Targeting Microsoft’s IIS web server, Code Red had a significant effect on the Internet due to the speed and efficiency of its spread. Much of this was due to the fact that IIS was often enabled by default on many installations of Windows NT and Windows 2000. However, Code Red also affected many other systems with web servers, mostly by way of side-effect, exacerbating the overall impact of the worm, ensuring its place in history among the many malware outbreaks infecting Windows systems in the late 1990’s and early 2000’s.

7th July 1936: A Whole New Way to Drive a Screw: Several US patents are issued for the Phillips-head screw and screwdriver to inventor Henry F. Phillips. Phillips founded the Phillips Screw Company to license his patents. One of the first customers was General Motors for its Cadillac assembly-lines. By 1940, 85% of U.S. screw manufacturers had a license for the design.

Rant of the Week (16:00)
BMW starts selling heated seat subscriptions for $18 a month

BMW is now selling subscriptions for heated seats in a number of countries — the latest example of the company’s adoption of microtransactions for high-end car features.
A monthly subscription to heat your BMW’s front seats costs roughly $18, with options to subscribe for a year ($180), three years ($300), or pay for “unlimited” access for $415.
It’s not clear exactly when BMW started offering this feature as a subscription, or in which countries, but a number of outlets this week reported spotting its launch in South Korea.
BMW has slowly been putting features behind subscriptions since 2020, and heated seats subs are now available in BMW’s digital stores in countries including the UK, Germany, New Zealand, and South Africa. It doesn’t, however, seem to be an option in the US — yet.

Billy Big Balls of the Week (26:48)
Hackers stole $620 million from Axie Infinity via fake job interviews

The hack that caused Axie Infinity losses of $620 million in crypto started with a fake job offer from North Korean hackers to one of the game’s developers.
The attack happened in March 2022 and pushed into the ground the then massively popular and quickly-growing game from Sky Mavis.
By April 2022, the FBI was able to link the attack to the Lazarus and APT38 hackers, two groups who are often involved in cryptocurrency heists for the North Korean government.
In a recent report from news publication on digital assets The Block, sources with knowledge about the attack said that the threat actors contacted staff at Sky Mavis over LinkedIn, posing as a company looking to hire them.
One senior engineer at Axie Infinity showed interest in the fake job offer, due to the very generous salary, and went through multiple rounds of interviews.
At one point, the engineer received a PDF file with details about the job.
However, the document was the hackers' way into the Ronin systems - the Ethereum-linked sidechain that supports the Axie Infinity non-fungible token-based online video game.
The employee downloaded and opened the file on the company’s computer, initiating an infection chain that enabled the hackers to penetrate Ronin’s systems and corrupt four token validators and one Axie DAO validator.

Industry News (32:08)
Majority Want Limitations on Social Media Content
Spike in Amazon Prime Scams Expected
Aerojet Rocketdyne Pays $9m Settlement Over Whistleblower Allegations
Cyber Insurers Looking for New Risk Assessment Models
Microsoft Details How Phishing Campaign Bypassed MFA
HavanaCrypt Ransomware Masquerades as a Fake Google Update
Critical Industries Failing at IIoT/OT Security
ICO Calls for Review of Government “Private” Messaging
State-Sponsored Hackers Targeting Journalists

Tweet of the Week (38:48)
https://twitter.com/cyb3rops/status/1547263760678756353

Come on! Like and bloody well subscribe!
Transcript
Oh, it's just too hot. What have you been up to this week, Andy?
Not too much. It's been too hot to do anything.
Although I did actually go to a seafood buffet on Wednesday.
Pulled a muscle.
Hey!
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 112-ish of the Host Unknown Podcast.
116.
And I'd like to make a public apology for that joke in the cold open. We were struggling this week.
It's been too hot to do anything, let alone do anything interesting enough for us to try
and make a joke about. So yeah, Andy got his dad jokes book from 1973 out and yeah, we
were away. We were away. So, talking about jokes, Jav, how are you? I, for one, am glad that
Andy pulled out his dad joke, because his other jokes are not suitable for on air.
This is true. This is very true. It's been hot and, like you said, so being too lazy to do anything.
And it's really weird that it's so hot, it's sweltering, yet when you get anything out for the kids, like this little paddling pool or the little shower thing, the water's too cold, even despite how hot it is, so they don't want to go in it.
Yeah, but Jav, you're putting like a tea towel over their face and pouring it directly into their mouth. That's, that's not how kids like to paddle these days.
That's the way of my people, man. I mean, we're trying to build up immunity.
Character building, right?
I'm not sure.
Well, I mean, it does sound like you're speaking to us from inside a box, Jav, in fairness.
So maybe, you know, are you building up your own immunity there?
I am indeed. Yes. Why not? What's wrong with that?
So from Jav Waterboard and his kids, Andy, what have you been up to?
Working. And I was actually in the office this week.
So we've had a couple of hot days, and I was debating whether or not I was better off at home or in the office, because, you know, the problem in the office is that it's building-controlled air con, and so, you know, some people like it cooler than it is, some people, you know... And yeah, I was pleasantly surprised that the office was a good temperature this week. So that is how thrilling my week has been.
I've... Exactly. Air con is the highlight of everybody's week. I heard a thing about, you know, with building-controlled air con, you know, as you say, everybody complains it's either too hot or it's too cold or whatever, so companies actually put up dummy thermostats and complaints go through the floor.
They drop massively because the temperature doesn't change, but people feel like they're in control of it.
Yes, yes, yes. It's like on elevators.
Some of the buttons don't do anything like the door close button.
Sometimes it doesn't do anything, but it's just there for that sense of satisfaction.
No, it does do something. You just have to press it 20 times.
It's not a voice-activated one. But years and years back, like when Wi-Fi was first sort of becoming, you know, like widespread for businesses, we set up like access points in the office and we switched all the sales guys to Wi-Fi. And, you know, complaints are like, oh, it's so slow, it doesn't work, and all this kind of stuff. So what we did, we put back in sort of like hubs, so we put like switches under their desk and we ran cables out back onto the desk so everyone could plug in, but they weren't connected to anything the other side. They were still using Wi-Fi, and literally everyone said it was just so much better, and they only used the Wi-Fi when they go to the meeting rooms. And it's one of these things where it's like nothing has changed, but it's just that psychological thing. People want to feel in control.
Like, and the fact that it's sales people, right?
Yeah, it's a different breed.
This works on everyone, though.
They've done tests repeatedly. They said if you want someone to enjoy, say,
wine more, you just tell them it's
more expensive. And as
long as they don't see the bottle that is from Tesco
or wherever the cheap brand is,
they will enjoy it more.
Yeah.
Yeah, well, you know, the brain's a powerful organ, right?
Yes, yes.
You know, speaking of thermostats in the office,
I read this story yesterday, and actually, like, cheap plug,
I made a TikTok about it as well.
Of course you did.
They've done this, there's this academic paper written
about the unintended consequences of smart thermostats.
And they said that in the US, there's about, I don't know, 40 percent of homes have a smart thermostat.
And the problem is that people don't actually change the default settings on it.
So majority of them click on at 6 a.m.
So there's this massive strain on the electricity grid as all of them click on at 6 a.m. every morning.
A simple approach would be for manufacturers to introduce a random time over like a 15 minute period or a 10 minute period by default.
Do you know what I mean? Well, I set mine to 10 to 6.
I'm not one of the sheep.
I want mine on first.
Exactly.
Each morning you hear it click on and you go, yes, I won.
Exactly.
I get fresh energy.
I always like to come first.
Yeah.
But, you know, I was reading about it,
and apparently in the UK we've been very familiar with this phenomenon for a long time
because of the way our TV historically has been.
Oh, and the kettles.
Coronation Street.
Exactly.
It's a classic, yeah.
Yeah, yeah.
And apparently the largest pick-up demand
was in 4th of July 1990.
And for those of you not familiar with what was happening on that day, England were playing West Germany in the World Cup semi-finals and there was a penalty shootout.
I was in Hawaii then.
Wow. Just what were you doing in Hawaii?
Yeah, I was celebrating Independence Day. Yes, I'm traveling around the world, and it was my gap year.
Jesus, you took a gap in between jobs?
Yeah, sabbatical.
Yeah, yeah, you get to take it after 25 years' service.
Yeah, staying in a, um, like a hostel. One of the guys was... Where was he from? He was... Is it Finland that still has national service or something like that? I can't remember, but he was on the run from national service.
Brilliant.
People you find there.
Anyway, shall we see
what we've got coming up for you today?
This week in InfoSec teaches us a whole new way to screw. Well, we know about that because
Andy always comes first. Rant of the Week takes microtransactions to a whole new level
of ridiculousness. Billy Big Balls is the most expensive job someone has ever applied for.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweet of the Week is something brilliant, which you're going to find out about in about
30 minutes once we've written it.
Okay, so let's move on to our favourite part of the show, the part of the show that we, trademark, like to call This Week in InfoSec.
It is that part of the show where we play royalty-free intros with content liberated from the Today in InfoSec twitter account and further afield. So our first story takes us back to practically yesterday, just 14 years ago, to the 12th of July 2008, when YouTuber NextGenHacker101 taught us how to view someone's IP address and connection speed on any website. So this is one of those sort of stories which you have to see, and there's a link in the show notes because it is just that good. So he explains that there's this built-in viewer into your computer that allows you to view people's IP addresses, so whatever website they're on, and their connection speed.
And he does this by instructing you to open a command window, typing tracert, and then the website you want to analyze.
And obviously the trace route then brings up all the hops along the way and the latency between each hop.
And NextGenHacker101 explains that these IPs are all the visitors to the website and their connection speed. In the example he uses, such as like the website Google, had something like 10 users all with relatively good speed. And whether this kid is just dumb AF or a master troll, this video was well worth viewing to remember simpler times. Just painfully hilarious.
I don't recall that at all, but that sounds brilliant.
Oh, it's brilliant. You gotta see it.
The technical genius behind that, I mean, yeah.
Over a million views on this one. Obviously a very niche market, and yet...
Lost all the money. Still only gets, you know, a couple of ten thousands.
Hey, it's an artisan video, that one. It's, you know, you need a particular taste to appreciate it.
You know what's great about this video is the comments section is still alive and well.
And they are brilliant.
So definitely go for the comments.
Go for the videos.
Stay for the comments.
So you can see how Jav has now turned into...
So back in the day, Jav never used to read the comments on his own YouTube channel
because he doesn't like hearing negativity.
There's only so many tears a man can cry.
But since he's been on TikTok, you know, TikTok's half the video, half the comments.
Yeah.
Because you can read the comments while you're watching the video.
You know, something that Reddit has since, you know, adapted as well.
And yeah, you can tell now Jeff goes straight for the comments.
His brain's been indoctrinated into the ways of TikTok.
The comments on TikTok are so much nicer, though.
The people are so nicer there compared to YouTube.
Everyone's a troll.
Oh, dear.
Anyway, our second story takes us back a mere 21 years to the 13th of July, 2001,
when Code Red wormed its way into the internet. So targeting Microsoft's IIS web server,
Code Red had a significant effect on the internet due to the speed and efficiency of its spread.
Much of this was due to the fact that IIS was enabled by default on most instances of Windows
NT and Windows 2000. However, Code Red also affected many other systems with web servers, mostly by way of side effect,
exacerbating the overall impact of the worm,
ensuring its place in history among the many malware outbreaks
infecting Windows systems in the late 90s and early 2000s.
And I think we covered this story about this time last year.
Well, given the source we get our information from,
almost certainly.
Yeah, well, this one is definitely further afield.
Oh, okay.
It just happened to coincide with that one.
Do you know what?
That really takes you back.
IIS web server.
I loved IIS.
I thought it was brilliant.
Oh, yeah.
It's a great...
And to secure it.
Yeah, back then you just literally installed it
and then ran IIS lockdown.exe.
Yeah.
Job done.
I'll tell you what, we could learn a lot from that.
Oh, no.
You couldn't get better than a nice and secure, you know,
IIS 6 web server running on NT4 Service Pack 6a.
Ah, there we go.
See, you're older than you look.
Not me.
No, no.
I've just studied the ways.
Someone told you.
Yeah, exactly.
I've heard these stories.
And you don't agree in history and ancient.
But our final story, it will take you back to your university days, Tom.
A mere 86 years to the 7th of July, 1936.
Not entirely hacking related, but it is sort of,
if you're a locksmith, you know, a lock picker, you may appreciate.
It's got nothing to do with locks, though.
I'm trying to make a tenuous link, right?
Don't read too much into it.
Right, guys, we're going to give out one piece of accurate,
factual information on this show.
Just one piece and this is it.
Let it be this one.
So, a whole new way to drive a screw, when several US patents were issued for the Phillips-head screw and screwdriver to inventor Henry F. Phillips.
So Phillips founded the Phillips Screw Company to license his patents.
And one of the first customers was General Motors for its Cadillac assembly lines.
And by 1940, so four years later, 85 percent of U.S.
screw manufacturers had a license for the design.
Wow. Here we are today with the Phillips screwdriver.
Wow. You see, I was a fan of the Godfrey J. Pozidriv inventor.
What?
It's a far more refined design.
But this did remind me that in Canada,
they have a triangular screw as well,
as in a triangular drive part of the screw,
which is unique in the world. No one else has a triangular one. And I know this because I read a wiki on... I think, you know, when you go down the little rabbit holes about the difference between... It wasn't on the first of April. Pozidriv and all that sort of thing.
No, I'm serious. Serious. So, you know, any of our Canadian listeners out there, send us a photo of all of your projects with triangular screw heads.
Not screw heads, you know what I mean?
The drivey part.
Yeah.
Wow.
Tom, you need better hobbies, honestly.
That's all I'm going to say.
I'm not going to argue with that in the slightest, actually.
You know, there's only so much self-abuse one can do to oneself.
Excellent. Thank you very much, Andy, for that very positively driving experience
of This Week in InfoSec.
This Week in InfoSec.
If you work hard,
research stories with diligence,
and deliver well-edited, award-winning,
studio-quality content for high-paying sponsors, then you too
can be usurped by three idiots
who know how to think on their feet.
You're listening to the award-winning
Host Unknown Podcast.
And now for the part that I get the impression
that both Jav and Andy are most looking forward to
because they were positively foaming at the mouths
at this story and therefore assumed that I would be too,
but a fairly safe assumption.
It's time for this week's...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So this story has gone pretty much viral at the moment.
And just the headline alone should send you into a tailspin straight away.
So BMW start selling heated seat subscriptions for $18 a month.
So, I mean, check out the show notes.
I'm going to ignore the rest of it there.
But the deal here is, and BMW has always been known for
everything is a bloody optional extra, right?
And get as much money from you as possible.
Yeah, exactly.
Exactly.
You know, and many software companies, in fact, many companies generally,
are working on this microtransaction or subscriptions model
in order to maintain cash flow, right?
Because they invest a huge amount of money in a product,
they sell it, and then that product is so good,
it lasts for three, four, five years, and you don't get any more money with which to invest into your business.
So these kinds of subscriptions are, well, they're either anathema to you, or they're just the cost of using something.
However, when you do buy something, you know, a car or whatever, you would expect to have the, you know, whatever it is you've ordered
is in the car. So if you have ordered a car and it has the physical components for heated seats
in there, you would expect that you would be able to switch them on.
Or if you buy a second-hand car that has heated seats in it,
you would expect that you would be able to use them.
Well, not anymore, because BMW, probably the first company to go to this degree,
have said that there is now a subscription in order to enable the heated seats in your car. So it's $180 for a year, $300 for three years, or unlimited access to your heated seats for $415.
This is, well, actually, one, it does make my blood boil in a sense
because what it means is that car manufacturers are now going to be
ostensibly building one type of car, and that is their very, very top model with all the toys and features in it, and then, depending on what you buy at the showroom, will be what you get access to. And even then, as I've noticed, I've got a Mercedes which I bought second hand, even then, when it's bought new with those features enabled, they're actually only enabled for three years. And so certain subscriptions will expire.
So this just, you know, this pay-for-play thing, one, it can't be great for the environment, right? Because we're putting, you know, we're building massively over-specced cars that in many cases are not going to be utilized. But two, it just seems like this massive money grab. And before I actually flip this around a little bit, gents, I'm guessing you agree on this?
This is just, this is like the easyJet of cars. There's nothing premium about this. This is like, you know, Ryanair, where it's like, okay, hey, look, your flight's only, you know, seven pounds. Oh, you want steps to get up to the plane? That's another nine pound. You want to take luggage with you? That's... You want access to the indoor toilet?
Yeah, exactly.
And all this. And this is just cheap, like, from BMW. There's just no excuse for this. Like, all they're going to do is drive a market of people
that are just going to hack their cars,
just get all the features unlocked.
And I'm fully supportive of that as well.
Yeah.
Although I think Cory Doctorow commented on this
and he quoted one of the, I think it's 1201 of the DMCA.
He said, if you hack it yourself,
then technically under the law,
you could get done for like half a million dollars
and five years prison sentence in the US.
And this is like one of the arguments
that John Deere farmers, John Deere tractors,
farmers have been having dispute with them
over the right to repair and everything and what have you.
And, you know, on one hand, you know,
it plays to that thing that, oh, well,
it's only really cold two months of the year.
So I only need to subscribe for two months of the year
and then I'll be saving money.
But you can't.
But you can't and you won't.
I mean, even if you could, I mean, most people are like Andy. It's like, it's only one cup of coffee a week.
And, you know, all these subscriptions add up and suddenly you're drinking like 2000 barrels of coffee a week.
And you don't know where all your money is going and why you're broke all the time.
Well, thank God he does, because otherwise we wouldn't be recording on this
slightly more stable platform.
Yes. So, so you're absolutely right, and Jav, you pick up on an interesting point there, and this is how I think companies like BMW can turn it around. Because the minimum subscription for any of these services, and I looked into this, and it's even things like, you know, automatic full beam adjustment on the headlights and, you know,
all sorts of stuff, right?
You know, so the kit is there.
It's just not a safety feature.
Yeah.
Well, it's not a safe.
Well, it's an advanced safety feature.
It meets all of the standard requirements that a car would meet.
It just means you don't have to manually click the beams down when a car...
I don't understand the justification. This is pure money. This is pure profiteering.
It is, yes.
Why are you, if I bought a BMW, why would you take up space on my dashboard that I've paid for, for a feature that I don't have access to?
Digital dash, mate, isn't it?
I will charge them rent. I will charge them rent for that space.
All right, good luck with that.
But I think, so, so just a quick question. Is that why people haven't paid for years on BMWs to have their indicators enabled?
Yeah, yeah, that's right. Yeah, it all makes sense now. 18 a month.
But the only way they can turn this around is if they make it very, very flexible. So, like, heated seat, and you, you know, you raised it as a, you know, as a slightly acerbic point, Jav, but I think it's true. Sensible people would be able to buy, you know, a baseline model and enable features as they need it. So air con in the summer, they could maybe enable for the two months they need it.
Heated seats in the winter, you know, windshield, windshields,
windscreen defrost, you know, fast defrost, et cetera.
That would be how BMW could make this attractive
because people would then be paying for when they needed these things
rather than when they didn't.
But that, I think, is extremely unlikely. And I think overall, whilst I believe that certain
things, certain enhancements, certainly when it comes to sort of multimedia entertainment and
stuff like that, I think is fairly viable or even GPS, you know, SatNav, because SatNav needs constant
updates in order to be accurate. And that requires investment. And I've got no issue with
things like that, that actually I can see a real benefit for. But I think this is a bad,
bad move by BMW. And it'd be really interesting to see if they change it in the coming years.
It's unlikely. I think, I think this is just the future. And actually, I believe Tesla's, like, led the way on this, because, like, you get updates. You can buy a model and then certain features you can pay for that aren't available yet, but when they become available, it's just a software download and then you can, you know, opt to upgrade at that point or not. So as long as it's just soft...
And this is the problem with software-defined everything, and I think this with electric cars is only going to get worse, because everything is going to get software defined.
You're right, but then again, it's like, oh, you want 300 brake horsepower? Ah, gonna have to pay extra for that. Otherwise you can get the 200 brake horsepower model.
Well, yeah, if you bought a 200 brake horsepower model, but then you get an option a year later when actually you might have a little bit more money to pay 300 bucks or a thousand bucks to have it enabled to 300 horsepower
because of various upgrades.
That, I think, is fair enough because you didn't buy the model with 300 horsepower.
Yeah, but then the same principle applies here.
If you didn't buy the model with heated seats...
Yeah, yeah.
Why should you add it on?
Yeah, yeah, you can add it on.
Yeah, why should you?
Yeah, but it's just the same. I think it's just a slippery slope. You either, you know, this whole subscription model in physical products, I think, is where it becomes really difficult. If it's just purely software that you're subscribing to and buying, then that's fine. But when it's a physical product, and you know it's there and you can touch it and feel it, but there's just a software block on it, I think that's what, psychologically, it's just frustrating.
It is frustrating. It may well result in safety issues because of people hacking their cars. I think that's a very real danger, and I think the threat of legal action isn't going to put people off there.
Yeah, drivers don't care about law.
No, no. But can you imagine insurance companies refusing to pay out because you had, of course, the heated seats, even though it's got nothing to do with the rest of the thing?
Oh, no, you violated the...
They go out of their way to find reasons not to pay out.
Yeah, yeah. And now we come to it. Now we come to it. It's not BMW, it's the insurance companies.
And that was this week's Rant of the Week.
This is the Host Unknown Podcast, home of Billy Big Ball Energy.
Yes, it is, and it is time for this week's...
Yes, and this, this one falls to me, as always, as the designated big baller of the group.
So, Axie... You've already done a TikTok about this,
so you should know it inside out.
I don't think I have, actually.
Oh, OK. We'll see that later, then.
Yes, yes, probably later.
Definitely see it after this show, yeah.
Axie Infinity, the company that makes the game Sky Mavis,
lost a whole bunch of money. And how this
started was one of their developers got a job offer via LinkedIn, of all places. So the job
offer seemed very, very generous. You two know all, you know, jumping ship as soon as you could receive a generous offer, and they were like...
Says the man who switched jobs like eight times in the last three years.
No, three and a half years I've been at my current job, so, like, you can't say that.
You two are still on your probation period, guys.
So that, one of the senior engineers showed interest in a job offer because of the
very generous salary and then the really big balls move here is that the the people making the job
offer put them through several rounds of interviews so they spent time building legitimacy with it and at the end they sent
the engineer a PDF file with details about the job. However the document was the hacker's way
into the company's systems, the back-end systems. More specifically, their Ronin systems,
the Ethereum-linked sidechain that supports
the Axie Infinity NFT-based online video game.
You know this story inside out,
because you're definitely not reading that.
No.
And if those words don't mean anything to you,
don't worry.
They mean nothing to anybody.
Anyway, so the game is based on blockchain and they have NFTs and they have DAOs and whatever.
Non-fungible tokens.
Yes, yes, yes.
And so basically, because of lack of segregation within the backend system, because of all of the, the way they deployed their nodes on the blockchain and everything, and the fact that that engineer opened the file on his work laptop, it gave the criminals access into the backend systems. They got into, um, they got access to some private keys and they made off with an eye-watering six hundred and twenty million in crypto.
So I think this is an absolutely awesome Billy Big Balls move that you spend so long.
This is like this is this isn't even spear phishing.
This is whaling.
They identified their target.
And yeah, Andy, don't say it.
But, you know, the fact that they spent time
to identify the right employees,
they targeted them with the right attack.
And it was not like a
highly sophisticated, I'm doing air quotes as I say it, it was just really a social engineering attack. And once they built their trust through these multiple levels of interviews, they then hit them with the malicious PDF.
Brilliant.
It is, it is. Apparently the FBI say that it could be North Korea behind it, but who knows, who knows. But I'm a big fan of this work.
Was this a, was this a zero-day attack? Because you think a malicious PDF will be picked up by any kind of, you know, endpoint stuff, right? Maybe they were running SentinelOne.
Who knows? Who knows? Couldn't possibly comment.
Excellent. Thank you, Jav. Those were some very Billy Big Balls.
Billy Big Balls of the Week.
Attention.
This is a message for all other InfoSec podcasts. Busted.
We caught you listening again. This
is the Host Unknown podcast.
So just as the
attackers there, either
the Lazarus Group or
APT38 took plenty of time to set the scene and build the trust, etc.
We have taken a huge amount of time to bring you some of the latest news from around the world.
But most importantly, Andy has the time.
And Andy, what time is it?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry news.
Majority want limitations on social media content.
Industry news.
Spike in Amazon Prime scams expected.
Industry news.
Aerojet Rocketdyne pays $9 million settlement over whistleblower allegations.
Industry news.
Cyber insurers looking for new risk assessment models.
Industry news.
Microsoft details how phishing campaign bypassed MFA.
Industry news.
Havana crypt ransomware masquerades as fake Google update.
Industry news.
Critical industries failing at IIoT/OT security.
Industry News
ICO calls for review of government private messaging
Industry News
State-sponsored hackers targeting journalists
Industry News
And that was this week's...
Industry News.
Huge.
Huge if true.
Am I like Ron Burgundy
while I'll read out anything
that's put in front of me?
Yes.
What's IIOT?
So I'm just...
IIOT slash OT
stands for
Industrial Internet of Things slash Operational Technology Systems.
Oh.
Which I did not know.
Well, you learn something new every day.
Yeah.
There's your takeaway, people.
Yeah.
You only have to sit through 35 minutes to get.
Yeah.
I thought O-T was that woman from Strictly Come Dancing, but.
Nothing.
Strictly come dancing.
Barracuda's State of Industrial Security 2022 report found that companies are running into problems when implementing IIoT security projects, with 93% admitting they don't know what it means.
I'm not surprised.
They've heard of IoT, not IIoT, right? Yeah, exactly.
The biggest cause for failure was that technology took too long to implement
while expense was the second.
I think you could cut and paste that in response to any technology project.
Yeah.
Yeah.
So the headline, spike in Amazon Prime scams expected,
surely it should now read, spike in Amazon Prime
scams happened?
Didn't happen? Yeah.
So bear in mind, this was
a story from... For the whole week.
Monday.
Yeah, pretty much. Although, Jav, I'm sure
you did a TikTok on Amazon, didn't you?
I did, I did.
Amazon Crime Day.
Hey.
So was this an InfoSec thing, or was it just a general bitch about their pricing? Well, me bitching, yeah. Yeah, that was Andy bitching. I was
just talking about how there was, like, you know, different reports out about so many dodgy domains being registered and the scams were rolling in.
So I like this story about the ICO. Well, I don't really like it. The ICO calls for a review of
government private messaging. And this is basically the Information Commissioner's Office has asked
the UK government to review its use of private correspondence channels, including email, WhatsApp and other messaging services.
It's like, how are people meant to talk these days then?
It's, you know, during the pandemic.
Well, the government, they do it in a formal manner that can be recorded.
And certainly not using another country's service.
A little corridor in the corner, like, you know, secret handshakes.
But with COVID, what were you meant to do?
You meant to just do it through these things?
Well, to paraphrase something that I think, was it Norman Tebbit said in the 80s?
You know, being reviewed by the ICO must be like being savaged by a dead sheep.
That is, I've not heard that one before.
That's good.
Before my time as well.
So what are these new risk assessment models?
I'm actually going to click on it.
That's how interested I am.
Cyber insurers.
Cyber insurers. Yeah, it's a long-running thing, right? And so cyber insurers are trying to find ways to get out of insuring companies that they consider high risk. Yeah, right. And yet companies
need to have insurance. Yeah, so those things, that, to get out of insuring them, how, you know,
repeat after me.
No.
No.
They're trying to get out of paying them, I guess.
You know, they want to take their money,
but they don't want to pay them back when it happens.
Yeah.
So almost nine in ten insurers are calling for a consistent industry approach to evaluate client cyber risk.
Yeah.
Yeah.
You and you and the rest of our industry.
Exactly.
Welcome to InfoSec.
You can pick from any of these standards.
Yes.
You can pick from any of these seven standards.
Sorry.
Any of these eight standards that you could know.
Any of these nine standards
Well this one's based on NIST
This one's based on CIS
This one's based on ISO
That's pretty much it
Last week as well there was like a new
Standard that the US government
Came out with
Which is based off of NIST.
Yeah.
Everly based off NIST.
That's all they need to do here.
Insurers just need to get together and work with the government
and get another standard based off NIST.
Create a new standard.
Yeah.
Why not?
Absolutely.
That would fix everything.
That would fix everything.
Well, excellent.
That was, thank you, gentlemen.
That was this week's
Industry News.
You're listening to
the host unknown podcast.
Bubblegum for the brain.
And we now come crashing
to the final part of the show.
The part of the show that we like to call...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And I shall take us home with this one.
And this week's Tweet of the Week is a tweet from Florian Roth,
who says,
Can we get a Kitchen Nightmares but with IT departments
and a cyber Gordon Ramsey
that shouts at people for not having an asset inventory,
log or vulnerability management.
I would love that.
Oh my God, that would be superb.
It would be fantastic.
And you know what, the comments on this one
are actually pretty great as well.
People give an example saying,
this log is fucking raw.
My God, they're storing unparsed logs in the same database as the parsed stuff.
Look at this.
You can't use a SIEM with this.
That's it.
I'm shutting down the analyst workflow right here.
What in the bloody hell?
You closed the ticket because AV already removed Mimikatz?
And plenty more InfoSec-related humour on that one. But it would be a fantastic game. But who would play the role
of Gordon Ramsay? Oh, I don't know, someone who's used to ranting.
Yeah, but they also have to be highly respected in the industry as well. Oh, good point. Yeah.
You know, one thing I have issue with this tweet is that they say like you shout at people.
Surely this should be someone shouting at the CISOs.
Because like CISOs or security teams seem to be the ones always complaining and shouting anyway.
And, you know, very slopey
shoulders. They're like, oh, we don't have an asset inventory because it hasn't provided me one, or
because the intern didn't do it. Yeah, and we hired to do exactly, exactly.
No, shout at the CEOs, definitely. They're the ones, or the CFOs. Yeah, CFOs.
Undercover CFOs.
Sitting there, minding his own business,
and someone kicks down the door and shouts at him.
Where's your motherfucking asset inventory?
Oh, brilliant.
Thank you, Andy.
That was this week's...
Tweet of the Week.
Well, here we are.
Nearly, well, just over 40 minutes
and we come to the end of the show.
That flew past as it always does.
Indeed.
For sure, for sure.
So, Jav, thank you very much for your, well, for eventually turning up and for your
contributions, 33 minutes late today. I was on time with my drink. When I joined, you two were off,
like, well, I'm getting a tea, I'm getting a coffee, I'm getting my cat and a Red Bull, whatever it is.
Oh, he's having another stroke. Not have been on time? Yeah, like, we were, I was literally here for 30 minutes
chatting. Yeah, no, you were early on Jav time. Not the... I had to listen to Andy talking about,
you know, the types of tea he has to make in his new... Exactly. It's like, it just helps me memorise,
like, you know, who has what. And so, like, you know, Dave has milk, two sugars. It's got a little song.
Dave has milk, two sugars.
Georgie has none.
See? Tom already knows it.
That's how long
we're on the phone for.
I'm glad you're finally doing something useful.
And Andy, thank you very much
for your time today.
Stay secure, my friends.
Trademark.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
r/SmashingSecurity.
We should actually check our Reddit channel for complaints.
Yeah, we should.
Or doesn't our intern do that?
Like, what's his name?
George Clooney or something?
I don't know.
George Clooney?
Yeah.
Is it?
Something like that.
I never remember the names of these interns.
They're so transient anyway.