The Host Unknown Podcast - Episode 113 - Did you hear That?
Episode Date: July 22, 2022

This week in InfoSec (10:25)
With content liberated from the "today in infosec" twitter account and further afield

17th July 1997: Major Disruption in Sending Most E-Mail Messages. A programming error temporarily threw the Internet into disarray in a preview of the difficulties that inevitably accompany a world dependent on e-mail, the World Wide Web, and other electronic communications. At 2:30 a.m. Eastern Daylight Time, a computer operator in Virginia ignored alarms on the computer that updated Internet address information, leading to problems at several other computers with similar responsibilities. The corruption meant most Internet addresses could not be accessed, resulting in millions of unsent e-mail messages.

15th July 1999: DilDog of Cult of the Dead Cow confirmed official Back Orifice 2000 CD-ROMs distributed during DEF CON 4 days prior were infected with the destructive CIH virus. Initially, cDc blamed pirated copies as the source, later discovering a duplicating machine had been infected.
https://twitter.com/todayininfosec/status/1283523195371282434

19th July 1985: Chase Manhattan Bank discovered a message in one of its computer systems from Lord Flathead. The message said that unless he was given free use of the computer, he would destroy records in the system. Lord Flathead? He founded Myspace 18 years later!
https://www.nytimes.com/1985/10/19/business/chase-computer-raided-by-youths-officials.html
https://twitter.com/todayininfosec/status/1153507276629504006

Rant of the Week (16:28)
Secret Service gives thousands of documents to January 6 committee, but hasn't yet recovered potentially missing texts (CNN)
The US Secret Service produced an "initial set of documents" to the House select committee investigating the January 6, 2021, insurrection on Tuesday, in response to a subpoena last week that was issued amid reports of potentially missing text messages from the day of the insurrection. However, Tuesday's document production didn't include any of the potentially missing texts from January 5 and 6, 2021, a Secret Service official told CNN. That's because the agency still has not been able to recover any records that were lost during a phone migration around that time, the official said.
"The USSS didn't just delete texts after knowing they were evidence in a federal probe; it didn't just lie about why/how the texts were deleted; the texts were so *professionally* deleted they can't be recovered."
https://twitter.com/SethAbramson/status/1549488007614529538

Billy Big Balls of the Week (24:07)
Glassdoor ordered to reveal identity of negative reviewers to New Zealand toymaker
A California court has ordered employer-rating site Glassdoor to hand over the identities of users who claimed they had negative experiences working for New Zealand toy giant Zuru. In a decision that could prompt unease for online platforms that rely on anonymity to attract candid reviews, Glassdoor was ordered to provide the information so Zuru could undertake defamation proceedings against the reviewers in New Zealand.

Industry News (33:26)
TikTok Engaging in Excessive Data Collection
CISA Set to Open London Office
New MacOS Backdoor Communicates Via Public Cloud
DOJ Recovers $500K Paid to North Korean Ransomware Actors
Legal Experts Concerned Over New UK Digital Reform Bill
Romanian Man Accused of Distributing Gozi Virus Extradited to US
Unpatched Flaws in Popular GPS Devices Allow Adversaries to Disrupt and Track Vehicles
UK Regulator Issues Record Fines as Financial Crime Surges
Magecart Supply Chain Attacks Hit Hundreds of Restaurants

Tweet of the Week (45:58)
https://twitter.com/hela_luc/status/1549326122067890177

Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
Because last week someone on Twitter was like, oh, you sound so terrible, and I was like, yeah, blame Tom. He edits in the crap sound.
He did that to me for years. I know. He only stopped when I plugged the right microphone in.
Yeah.
I had to change my whole setup just to get around it.
Oh, dear.
What? Because there's bubbles in our water?
Yes.
Oh, we're recording.
Please don't leave that in.
Please, good sirs, I beg of you, don't get me cancelled.
Let's cancel the man.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us.
Welcome to episode 113-ish of the Host Unknown podcast.
Indeed, gentlemen, how are we?
Jav, how are you doing, sir?
Barely alive.
So, I got my blood tests done this week, and I just got a text as you were running the pre-roll.
And there's two things of concern.
One is my blood sugar levels.
Did it come up as gravy?
No, no, no.
Melty tarabo.
So the HbA1c, something you're very familiar with, Tom.
So the normal range is under 42.
42 to 47 is pre-diabetic and anything over 47 is diabetes.
So I came in at...
49.
46.
So I am just on the borderline of the borderline. So it goes up another two points and I'll be in Tom territory. But, you know, we've all had enough of experts, right?
So-called experts, yeah.
I had these results, what, like, how long? It must have been a while.
About, what, 2017? They told me that I was pre-diabetic.
And you're still alive today.
Exactly.
So, you know, you can do what you need to do, Jav.
I mean, you haven't moved from the room because you can't get through the door.
Yeah, and I'll still wear it.
I've got, like, 15 sodas a day in it.
Yeah.
Exactly.
So what was point two that you were worried about?
Oh, the cholesterol. So apparently normal cholesterol values are between 2.5 and 5, and mine was 5.3.
So what you're saying, Jav, all I'm hearing is that you're a high achiever.
I am. I am. Exactly.
You operate in the 95th percentile of what most people would operate.
If you've just joined us, welcome to the Host Unknown medical podcast with me, Dr. Tom Langford.
Actually reminds me of the time Chael Sonnen got tested positive for elevated testosterone.
So he's a former MMA fighter, and they get tested for drugs and everything, and he got tested for testosterone.
He's like, I asked him how much higher than normal was it, and they're like, 10%. He goes, test it again. There is no way that I'm only 10% higher than the average man.
You must have caught me on a low day.
So that's what I'm going to go back to my doctor with.
There's no way I'm only like pre-diabetic.
Test me again.
I aim for the stars.
So aside from Jav dying in the next week or two, Andy, how are you?
So I am actually good.
So I don't know if you recall, a few weeks back,
I talked about how I had to find a caterer for my sister's milestone birthday.
That was this weekend just gone.
It was the weekend just gone, yeah.
So we had a nice Airbnb down in West Sussex,
and everyone believed that I would be doing this barbecue myself and people
are like hey you know there's no food when's the food getting here and I'm like relax it'll be here
four o'clock on Saturday and lo and behold at four o'clock on Saturday you know these sort of two
people turned up Chef Claire and her kitchen porter started bringing in all these fresh ingredients.
So it was only my missus that knew that, you know, I'd actually hired a private chef.
And we were speculating maybe they're going to like pre-prepare the burgers or something, you know, make them at home and transport them.
No, no. Everything came in fresh and everything was made fresh, including like the phyllo pastry to go around.
So they wheeled the cows in?
Yep, the cows were brought in, slaughtered in front of us.
Slaughtered in front of the children.
But I have to say the food was absolutely phenomenal.
And it is just, it was better than a restaurant, honestly.
It was just so good.
Oh, wow.
Wow, that's fantastic. Yeah, enjoyed it.
Please tell me they arrived at five past four and you just started to sweat, because that would have been...
They did. They actually arrived at ten past four.
Oh, I bet. Were you sweating?
I was, you know, I was, because it's one of these things, right? You know, you book it all online. I spoke to her a couple of weeks ago and not spoken to her since.
And it's like, should there be a text saying, like, I'm on the way
or, like, you know, looking forward to seeing her?
I'm like, yeah, what's up?
I sound desperate, you know.
Am I about to get the Domino's menu out?
Yeah.
Funny enough, there was literally only one place in town,
and it was a Domino's, should things go wrong.
Wow.
Yeah, and then, yeah, so obviously the chef and the porter
started bringing all this food in, and everyone's like,
well, that's a lot of food.
And then they started wheeling in sort of all this equipment
and chiller boxes and stuff, and everyone's like,
they're getting a bit comfortable in the kitchen.
I'd like to introduce you to my second family.
Yeah.
No, but it was good.
I highly recommend getting a private chef for any event you have.
I shall bear that in mind, as I'm sure many of our listeners on Minimum Wage will.
Indeed.
So, talking of minimum wage, Tom, how was your week?
God, it's been bloody hot, isn't it?
Bloody hot.
Guarantee British people talking about the weather this week.
We're only happiest when we moan about the weather.
Yeah.
No, but there were...
I mean, I was going to mention it in one of the stories,
but I thought, God, everyone's bored of it.
But obviously, in the UK, Google and Oracle cloud servers
were shut down at their data centres because they just couldn't cool them.
The air that they were pulling in to cool the equipment inside was too hot.
Yeah.
They normally top out at 35 degrees centigrade. If the air that they're pulling in is higher than 35, then for every degree it goes up, the internal temperature goes up.
Yeah. So in freedom units that's 105 Fahrenheit, wasn't it, for our friends over the pond?
Yeah. Which I know they say isn't that hot.
No, that's right. But also the Daily Mail also uses Fahrenheit when they talk about temperatures on the Tube.
Yes, because they like to make it sound quite high.
Yeah, yeah. But I mean, I had, yeah,
one of my neighbors was from uh she's from Kenya and in the old WhatsApp group chat
we got for the road.
And she was saying, yeah, they're used to, you know,
40 degrees in the shade, but this is just a different type of heat.
It's like the UK is just too humid.
It's British heat.
Yeah, it's just too humid.
The humidity is all messed up.
Yeah, nothing like Delhi in the height of the summer, though.
You literally are having a shower in your clothes.
And then, yeah, you look forward to rainy season, right?
Just so you can shower in your clothes again.
Showering with rainwater instead of sweat.
Yeah.
But the problem I've got at the moment is because I live in a sort of a new build flat
and I'm on the ground floor
and it's kind of slightly set into the ground level.
The temperature in my flat has barely gone down this week.
Yeah.
All the windows are holding the heat.
The fan's running.
What, sorry?
I thought basements were meant to be cooler.
Well, if it was actually underground, maybe. But I think because it's, I don't know, what am I, an architect?
So you're low enough underground to be considered like one of the bottom feeders, but not low enough to enjoy the advantage of cooling
from your natural environment.
Look, if you're going to call me a bottom feeder,
please don't bring up my hobbies here.
Anyway, shall we see what we've got coming up for you today?
This week in InfoSec brings us one of the great hacker names.
Rant of the Week is a
presidential nod to Enron. Billy Big Balls is of a ranty persuasion. Surprise, surprise. Industry
News brings us the latest and greatest security news stories from around the world. And Tweet of
the Week is more InfoSec career advice. Because we are all about the career advice.
So let's move on to our favourite part of the show,
the part of the show that we like to call Trademark.
This Week in InfoSec. It is that part of the show where we take a stroll down InfoSec memory lane with a royalty-free backing tune, content liberated from the Today in InfoSec Twitter account and further afield.
so our first story takes us back 25 years to the 17th of July 1997
when major disruption occurred.
Major disruption?
Sending email messages.
Exactly.
A programming error temporarily threw the internet into disarray
in a preview of the difficulties that inevitably accompany a world
dependent on email, the World Wide Web, and other electronic communications.
So the world experienced one of its first major disruptions
when a programming error temporarily caused an email outage.
So in the morning of July 17th, 1997,
a system operator accidentally uploaded a corrupt database
to the Internet's root domain service.
Wow.
And this made it impossible to send email or access the web
if you were attempting to resolve .com or .net domains
until the problem was fixed.
So it took about four hours, which is, although,
a relatively short period of time.
Within that, in 97, millions of emails had already failed to be sent.
I was going to say, in 97, I thought both emails failed.
Yeah, exactly.
There wasn't too much of the old .co.uk and the occasional .org going around.
But yeah, so that was four hours back then.
Can you imagine messing up a root server these days?
Oh, my God.
Although we've probably got a bit more resilience in terms of mirroring and
caching and stuff.
But you know,
once you take a feed from the root server,
God,
what,
what gets,
what gets done in four hours on the internet these days?
Most of the stuff I do on the internet gets done in two minutes.
Yeah,
exactly.
But you'd be spending a long time trying to find that content
This is true, this is true. So I'd have to crack out the old Littlewoods catalogue.
The old jazz mag. Oh no, stop. The analogue backup.
Our second story takes us back 23 years to the 15th of July 1999, when DilDog of Cult of the Dead Cow, DilDog of cDc, confirmed the official Back Orifice 2000 CD-ROMs which were distributed during DEF CON four days prior were actually infected with the destructive CIH virus.
So they did initially blame pirated copies as being the source of, I mean, fancy that,
pirating, you know, backdoor software as the source of the virus.
But they later, you know, confess a duplicating machine that they used had been infected.
And so they were happy sharing this virus.
They kind of wrote the playbook on any kind of cyber incident,
which basically started with, wasn't us, nothing to do with us,
wasn't our problem.
And then it was, oh, it was us, but we do take security seriously.
Yeah.
I mean, the best part about this
is the fact that it is, you know, literally for software that is a virus.
Yeah, well, no, Back Orifice isn't a virus. I mean, it may be classed as it, but that was never its intention.
No, but I think every major antivirus software detected it as a virus.
Yeah, yeah, they did. But I mean, yeah, the best thing about it,
you could eject someone else's CD-ROM tray, right?
That was the best part of it.
Yeah, the cup holder opens, those open up.
Exactly.
Or, more importantly, you could close it
while they've got their coffee in it.
Yeah.
Alas, but our third and final story
is one that we've covered before,
probably about 12 months ago, but I will always chuck it in.
So it takes us back 37 years, a time before I was born,
to the 19th of July 1985, when Chase Manhattan Bank
discovered a message in one of its computer systems from Lord Flathead.
And so the message said that unless he was given free use of the computer, he would destroy records in the system.
So imagine this. You're this massive bank and Lord Flathead is leaving you threats.
So Lord Flathead was indeed 14-year-old Tom Anderson of California, and 18 years later
he went on to found
Myspace.
But at that time he wasn't arrested
but his computer was confiscated
and never returned.
For the young people out there
Myspace was a bit like Facebook
before Facebook was big.
It was like Facebook version 1.
And he had his brother called Lord Philip.
And a cousin called Lord Posse Drive.
I was going to say, the one no one talks about or no one's ever heard of.
Well, they always confuse the two.
They always think the cousin and the brother are the same person.
Same thing.
Right, thank you Andy
for this week's
This Week in InfoSec.
In 2021, you voted us the most entertaining cybersecurity content amongst our peers. In 2022, you crowned us the
best cybersecurity podcast in Europe. You are listening to the double award-winning
Host Unknown podcast. How do you like them apples?
Must be swim picking. Right, let's move on to the ranty part of the show.
It's time for this week's...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So I would have said, unless you've been living under a rock recently,
you'd know that all of this investigation into the January 6th
riots and insurrection from last year, just prior to the transition of power to Biden.
With the week we've just had, I think most of us would have liked to live under a rock
just because of the heat. But if we could have raised our heads from our sweaty pillows and beds and everything,
we probably have been at least paying some attention to this
and the amount of very bizarre stuff that's coming out from these hearings.
One of the most bizarre things is news of the Secret Service. Now,
as many people know, the Secret Service is actually a very large organization,
but one of its key roles is close protection for the president and the president's family and the vice president, etc.
And even when a president stops being president, they're still assigned a Secret Service
detail for the remainder of their lives.
Now, the U.S. Secret Service, they're a federal organization.
They are required to carry out certain activities.
As you can imagine, they are also responsible for handling and managing and sort of and keeping
lots of communications records, unsurprisingly, right? And as a federal and government organization,
all of this stuff needs to be kept.
Now, given that they're privy to some very, very confidential and top secret information that goes along, this stuff needs to be kept secure.
But it also needs to be kept on record to ensure that government is operating correctly.
Sounds right. You know, we have to keep records in business on a regular basis, right?
So when the Secret Service, the US Secret Service, were asked to provide details of all of the
text messages that were sent between various agents and what was going,
you know, and obviously the people they were protecting.
All of the communications you would expect
would be neatly archived, neatly looked after.
But there'd be thousands of them from that period of time
because it's a large organization.
And frankly, at the time, there was a lot going on. What they actually turned over was one text message, a single text message, then saying, we've deleted all the rest.
Fantastic. And this is shocking.
This is, as our introduction suggested,
this is Enron-esque levels of evidence disposal
that has to be, well, it has to be a criminal act,
to say the least.
And in fact, the texts weren't just deleted, they were professionally deleted, by which I can only assume means they were overwritten a number of times so they can't be recovered from the magnetic media or whatever media they were stored on.
They were termed in the media as professionally deleted,
which tells you that there was a certain level of,
well, not even a certain level, this was totally premeditated.
Somebody deliberately did this.
Now, this might not sound like much, but a lack of evidence,
or the willful destruction of evidence, in itself is a criminal act, you know, just as it stands.
But the deletion of this evidence
when they were asked to deliver it to the hearing
has got to tell you something
about what was in those messages.
I just, this is, well, can you imagine a GCHQ
or is it the Metropolitan Police?
I think they provide the close quarter protection
for the royal family and all that sort of thing.
Can you imagine them saying, you know,
I'm sorry, we deleted all communications. There would be an absolute outcry.
Yeah.
And I just find it shocking, absolutely shocking, that a government agency of this calibre has done something like this, and quite so egregious and obvious and in your face.
So I'm just stunned. You know when you get angry and then you go a bit red and then you become incandescent and then it's just like you just burn out because it's just too much? That's exactly what's happened here for me. This is just unbelievable to the point where I can barely process it.
It's so on brand though, isn't it?
It is.
So on brand for that administration.
Yeah.
But the Secret Service is supposed to be independent of all this.
Well, you know, so I think after the whole incident at the Capitol,
there were some of those insurgents who said on video afterwards that they had plans to coordinate with the Secret Service.
That's right.
And they were, you know, the president was involved in it and everything.
So it's not surprising if there was anything even hinting towards some form of collaboration or turning a blind eye towards certain things or what have you,
then they'd rather take the lesser crime of tampering with evidence
as opposed to actually going down for treason.
I have to say, I'd be tempted to just burn the whole organisation
to the ground and start again.
Do you know what I mean?
It's like that has to be such...
That level of corruption has to be so ingrained for that act to have been carried out.
You can't trust that organization ever again. But but, yeah, shocking, absolutely shocking.
And, you know, if something if there isn't some kind of significant punitive action against the US Secret Service as a result of this.
I'll be amazed. I'll be amazed.
Yeah, you can't be deleting that stuff.
No.
All of that stuff's public record.
No. Exactly. Exactly.
Right. Well, I just I'm at a loss.
I'm just it's not that I'm angry anymore.
I'm just so disappointed
rant of the week
this is the podcast
the Queen listens to
although she won't admit it
and talking to Queens
Jav
it's you now
And it's time for your
Billy Big Balls
Of the Week
So this week's
Billy Big Balls is when an
Unstoppable force meets an
Immovable object
I think that's
You have two parties at work here
It's, oh, well, you have two parties at work here.
Most people are familiar with the service Glassdoor, the website where employees or, in most cases, ex-employees of organisations can leave reviews of how that organisation was.
They can leave ratings on how they felt the executive team was, how it's managed, how the company culture is. And, you know, oftentimes, as you'd expect, there's a bit of grievances being aired.
However, the big thing about Glassdoor is that it is anonymous. So you have to provide them with some details about where you work, the location and what have you.
But, you know, that's all there.
Now, like most anonymous services, there is that kind of wiggle room where sometimes you could, you know, game the system, I suppose,
where people can buy negative reviews for their competitors, for example,
and say, oh, that place is a horrible place to work.
They underpay, the management's incompetent, and the culture is toxic.
It's like the TripAdvisor thing, right? You can buy ratings, negative and positive,
and you can sabotage people and blah, blah, blah.
Exactly, exactly. It's that same principle.
Now, there is a toy company in New Zealand called Zuru, Z-U-R-U, and they claimed that some of the negative reviews left about them were false.
They were written by trolls or competitors or people with an ulterior motive, an agenda against them.
You know, because they could not possibly be a horrible place to work, in quotes.
So a California court has ordered Glassdoor to hand over the identities of users who claim they had negative experiences working for Zuru.
That's shocking. I thought it was a New Zealand court.
No. No.
Is it really?
It's a California court.
Yeah.
The toy giant is based in New Zealand.
Yeah, yeah, that's right.
But I thought it was under New Zealand law.
Oh, interesting.
No, no.
So what the hell?
What the hell is that?
Do not come to me for legal advice. I'm just explaining what happened.
And the reasoning for this is so that Zuru could undertake defamation proceedings against the reviewers in New Zealand.
So this is really complicated from a geographical perspective. Putting that aside, what kind of bullshit is this?
I know it's a really big one, but this is a rant.
This is absolutely unacceptable.
I mean, the thing is, if most companies do conduct an exit interview,
people would normally tell them why they're leaving.
In fact, they should look internally and they will probably realise
why people are leaving.
But, you know, this is really, really, it sets a really bad precedence
because you think about there's lots of websites which are only popular
or only good because they provide that level of anonymity.
Tom, you're very familiar with the website Reddit. You're often on there.
Yeah.
You know, posting to things like, am I the arsehole for changing Jav's audio levels in the podcast post recording? Or, you know, I've never told anyone this, but, you know, and all those sorts of things.
These sorts of things are often really useful for people as well. They sometimes want advice from others and what have you, but they don't want to post it under their own names.
But yeah, I think it's a Billy Big Balls because this really opens the door for so many other things, and not in a good way.
Yeah. So I think part of the problem here is there's a couple of problems here.
One and three, actually. Firstly, nobody's going to want to work for Zuru, because they think if you're going to say something nasty about them, you're going to get your ass sued, taken to court.
Yeah.
Two, Glassdoor may not survive it in its current format, because now your review is no longer anonymous.
But the third one, I think Glassdoor could survive this if they entirely change their technical model, because at the moment it's anonymous, but they are still storing the data of who you are. They are still storing identifiable information.
They should be taking a leaf out of the VPN providers' playbook and basically not store the data. Once it's been verified, okay, you are an actual human being, blah blah blah, that data should be deleted from the system, so that when something like this happens they physically cannot hand over the details. That's how you run an anonymous system.
Yeah, you're right. The way they've currently got it is you can't actually do anything on Glassdoor. I don't think you can actually go and browse through reviews without having an
account.
That's correct.
Yeah.
And,
and it's,
you know,
and I think you can link it with your Google or Facebook or Twitter or
whatever,
like that,
that sort of,
but,
you know,
again,
it just,
it just collects so much data from you immediately.
Yeah.
Before you even have a look
at what's there.
And you're right.
This is what the whole model,
business model is based on.
And you completely destroy it
in one quick move.
So unless Glassdoor
objects to this court order
and does it strongly and defeats it,
I think you could see a lot of websites go down this route.
Yeah.
I mean, let's face it.
The world is not going to collapse because Glassdoor closes.
No, but it is useful to understand a bit more about a company culture no i completely agree
i you know there is a service there to be provided you know but it's not going to be a disaster but
what this is is a precedent for many other organizations you know what about whistleblowing
um you know uh websites and you know and services because there are whistleblowing services,
companies that provide services to companies to allow them
to run a whistleblower service.
What happens then?
What happens if somebody wins in court in some country
that a whistleblower is identified?
I am not a lawyer either, but the principles are being upheld
in the same way.
Indeed. Indeed, we are in violent agreement, which is a very scary thing.
Exactly. And I've got to say, that's a terrible Billy Big Balls. Who's the Billy Big Balls in this?
I think the Billy Big Balls move is by Zuru, to actually have the audacity to go to a court and ask them to give the names of, what is it, to de-anonymise this service in another country.
Yeah, yeah, exactly.
What's that, Jay and Silent Bob? In one of the movies, they win
the lottery
at the end of something
and they make it
their mission to go
through all the negative
comments that people
have left on them
and they find them
and they go to their houses
and they beat them up
so they're like
knock on the door
and like 14 year old kid
opens the door
are you like
ladies man
696969
and he goes like
yeah
and like punch
Oh dear. That was this week's Billy Big Balls of the Week.
You're listening to the double award-winning Host unknown podcast.
All right.
I think it's time that we moved on.
And Andy, what is the time?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News TikTok engaging in excessive data collection.
Industry News
CISA set to open London office.
Industry News
New macOS backdoor communicates via public cloud.
Industry news.
DOJ recovers US$500,000 paid to North Korean ransomware actors.
Industry news.
Legal experts concerned over new UK digital reform bill.
Industry news.
Romanian man accused of distributing Gozi virus extradited to US.
Industry news.
Unpatched flaws in popular GPS devices allow adversaries to disrupt and track vehicles.
Industry news.
UK regulator issues record fines as financial crime surges.
Industry news.
Magecart supply chain attacks
hit hundreds, hundreds of restaurants.
Industry news.
And that was this week's...
Industry News.
I see Andy's cursor immediately going to the TikTok story,
which I was going to jump to.
But, yeah, that's just life.
I also just want to say we did not do a great job
reading those ones out this week.
No, it was a bit...
We all screwed up at one point.
Speak for yourselves.
I blame the way the headlines were written.
They didn't roll off the tongue.
That's right.
Joe, they've all gone downhill since Eleanor left.
They have.
What?
They have.
I also want to know why thespians are being paid in North Korea.
I thought it was like, what's going on?
They don't have any real cyber criminals,
so they have to pay actors to do it.
Ah, right.
That's what that's about.
Right, because they don't have the skills for it, right?
Yeah, exactly.
Fake it till you make it type thing.
Yeah, they hire people to pretend.
That makes a lot more sense.
Yeah.
You say that, and just on a side note, someone was telling me, this is someone we, I don't think you know them, but they were presenting, you wouldn't know them.
They went to a different school.
Yeah, yeah. They were presenting at RSA, RSA I think, or something, and in one of their slides they referred to bad guys breaking into systems, and they got a complaint from someone afterwards saying that "guys" is not inclusive enough, so they should use the term "bad actors".
Unbelievable.
And actresses.
No, no, identify separately.
No, they're all called actors, and that's fine. I don't have a problem with that. What I have a problem with, nobody sent me the memo that said that actresses are now called actors.
It just happened.
I didn't know that.
For years.
I like the Top Gear version of it
There's a policeman, no it's a police officer
No, what do you call a female one?
It's a policeman woman
It's like a fireman woman.
Just send your complaints to our Reddit channel, r slash Smashing Security.
Yeah, we read every complaint.
We do.
And you'll get a response.
So TikTok has been engaging in excessive data collection and connecting to mainland China-based infrastructure, as claimed in a white paper. Yes, so between, obviously the 11th, sorry, between the 1st of July and the 12th of July, they focused on device and user collection, and the report identified multiple instances of unwarranted data harvesting, including device mapping, hourly monitoring of device location, persistent calendar access, continuous requests for access to contacts and device information.
Oh, no.
So just like Facebook and Instagram.
Yeah.
Yeah.
Exactly.
Yeah, but they're saying that, obviously,
they've got over a billion active users globally.
So that's a lot of data which they've collected.
But if they've got the storage, fair play to them.
Yeah, I mean, someone's got to go through it, right?
Yeah, exactly.
Yeah.
Keeping people employed.
We are propping up the Chinese economy.
Yeah.
So I guess, you know, the Chinese government will know
that we're meeting for dinner on
Tuesday evening.
You told them now?
Yeah.
Just don't tell them which restaurant
on the Edgware Road.
Oh!
Oh!
Don't tell them about Andy's nut allergy.
Oh!
This headline about the new macOS backdoor that communicates via public cloud. One, well, why the hell not? I mean, it's cheap and easy, right? But two, it does remind me of that whole thing of,
for the longest time, people would say that, you know,
Macs don't get viruses, blah, blah, blah, blah, blah.
I met someone yesterday who thought that Macs don't get viruses.
Brilliant.
Was it your mum?
No.
Because she's heard it from you for all these years, like,
Mum, Macs are so secure, they don't, nothing happens.
That's exactly what I haven't been saying.
Goodness me.
No, this was a mid-30s educated person, you know, just thought that Macs didn't get viruses.
But that seems...
Part of that statement's not true.
Yeah, exactly.
Sorry, it took me a while to fall in there.
But it was fascinating that that story is still going on.
And it's like a 20-year-old story, right?
Or not story, but 20-year-old concept.
Probably longer.
Because every major antivirus or endpoint protection organization
is offering stuff for Mac because there's stuff out there.
So where is this coming from?
It's not even coming from Apple either.
Apple are not saying this in the slightest.
Yeah.
So bizarre.
So I have a question for you based on the headline,
unpatched flaws in popular GPS devices allow adversaries
to disrupt and track vehicles.
If I were to mention popular GPS devices, what comes to mind?
TomTom.
Google Maps.
That's one.
Garmin.
Okay.
Garmin, another, yeah.
So have you guys ever heard of the MiCODUS MV720?
Ah, the MiCODUS MV720.
No.
No.
No, me neither.
I think this story is a bit of a reach to call it a popular.
Seriously.
Yeah, so all of these flaws are based on.
So BitSight describes six severe vulnerabilities in the MiCODUS MV720 GPS tracker,
a popular device designed for vehicle fleet management and theft protection.
So it might not be a, you know, a public, in the public eye, but if it's commercial,
maybe it's something that's, you know, that they wire into trucks and stuff like that.
So maybe it's...
It's funny you say that, as I read down, it is a hardwired GPS tracker. There it is. It's used in over, like, 169 countries around the world.
Okay, that's pretty popular, in fairness.
Yeah, okay. Yeah, so 1.5 million devices are in use across the world.
Yeah, that's not as popular as I would have thought, but nonetheless, that's not an insignificant amount. There's going to be entire companies' supply chains that are going to rely on this device, right? This isn't, yeah, like just a tiny bit player. You could divert a truck, by the sounds of it.
I'm making this up because I haven't listened.
I haven't read this, obviously.
You haven't read the story.
But you could divert a truck so that it could be attacked and raided.
You could divert a truck so that goods arrive in the wrong place constantly, and so therefore they're spoiled by the time they get to the intended destination.
I mean, there's all sorts of disruptive attacks you can do against companies
or even a country's infrastructure, potentially.
Yeah.
And also...
When you get cheaply made Chinese IoT devices, the problem is that in your home, okay, it's not a problem, your lights might not come on. But when you're a company and your whole business model relies on it, you've got like a hundred trucks and all of them are fitted with that, that becomes then a big attack surface.
But also as well, to your point about the Chinese manufacturers here, is that a lot of these chips are produced and they're white badged, white labelled, and used in multiple other products. So it might be that the MiCODUS one here, the well-known MiCODUS one here, is the tip of the iceberg, because it may be using the same chipset as a whole bunch of others. It's just the way MiCODUS have particularly implemented this chipset that makes it vulnerable. It's just going to be a matter of time before others are. But who knows, we should find out.
So there's some issues in the API server. There's some issues on the GPS tracker protocol. And then there's a whole bunch of issues on the web server side.
So things like hard-coded password.
Oh, for goodness sake.
There's a default password.
There's like broken authentication in the API server
and how it speaks to the GPS tracker.
Cross-site scripting.
For Christ's sake. Even
I know. Even I know that's bad.
How do you
code something like that and not find
it? Well,
there is that. I mean, if you're
not looking for it, you're not going to find it. But you can
apparently cut off the
fuel supply as well on
trucks or what have you.
Oh, because you want to disable them if they're stolen and stuff like that.
Yeah, yeah, yeah. So it could be dangerous. I mean, if trucks are being diverted to be attacked, you know, and they can't get away, people could die. Won't somebody think of the drivers?
But yeah.
No, BitSight are the company that did it, and they've actually written up a decent report. It's like a proper pen test report, how it should have come back if the manufacturers had done it, and they would have fixed it.
Yeah, it's interesting. Fascinating.
Wow.
What they need to do, MiCODUS, if you're listening and you want to sponsor a podcast that could give some real-world advice...
Smashing Security.
They don't need anybody, but we do. We'll take you as sponsors.
Raise your profile.
Yeah, exactly.
Raise your profile.
We've got hundreds,
hundreds of people
who need to know about this story.
Oh, excellent.
That was this week's...
Industry News.
You're listening to the host unknown podcast,
Bubblegum for the brain.
And we once again come crashing to the end of the story.
We would be crashing to the end of the podcast, rather,
if the fuel hadn't been cut off by our MiCODUS GPS device.
So we come crawling to a stop then with this week's...
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
And I shall take us home with this one. This is a tweet from Hella
and it says, "I have an opportunity to talk to around 50 14-to-16-year-old girls about cyber security today. This is in order to encourage them to consider a career in our awesome industry. What would you tell them?"
Oh, God.
And I like this tweet because I thought, oh, what would I say to 14 to 16 year olds about the cybersecurity industry?
And it has enlisted a number of responses, some of which are great, some of which are not so great.
I mean, you've got those on one side saying,
run, don't join the industry, find something else.
It's a terrible industry.
Run, Forrest, run.
Yeah.
But my favorite one is the one which says,
money, there's so much money to be made in this industry,
which I think depends on what role you take.
And it could be true.
But my favorite response is actually from Tim Burnett, who says there is no single role in cyber.
InfoSec is as broad as it's deep and there is demand for every skill, which is a good one.
It says we do this to support the business.
Solutions must be proportionate and relevant
to making keeping business profitable.
It can be stressful and lonely, so look after yourself.
Yeah.
Which I think is a fantastic response.
One of the responses was delete TikTok.
I'm just saying, guys.
It's lucky you're not.
There's also a lot of bad advice.
It's lucky you're not a 14-to-16-year-old girl, basically.
Yes, exactly. I can handle my TikTok.
Yeah, I think it's one of those things that, again, kind of like reeks of our industry's elitism, where we have this opinion that working in cyber security is somehow more noble or difficult or something to consider in a different light. I mean, one of my daughters is like, you know, at that age now, and so I just say to her, like, just find whatever it is, you get into a big company, spend a few years there, learn how to communicate with people, talk to people, whatever the role is, whether it's in IT or consulting or law or whatever. And, you know, you'll find a career path in what have you, but, you know, lean towards whatever your natural sort of, where the opportunities are. And, you know, I think there's too much emphasis put on your passion, or being passionate about the industry, or it's got to be something that you really love. I think a lot of times when you're young you really don't know, so you just go into something, and as long as it's the right team and the right environment which allows you to grow, then you'll get good at whatever that skill is, and you will grow to love it as a result. Not because you're passionate about it, but you become passionate once you become good at it. And, you know, the industry we're looking at today is very different from when any of us three started. There wasn't a career path of moving into cyber. There was just, like, IT, and IT security or data security was part of it.
And I think, in firewalls, firewall manager in the IT department, that was security.
Exactly, exactly. And I think in the next 10 years, the industry is going to be completely different from what it is today.
So, you know, I think it's...
God, yeah.
We've got all kinds of stupid roles like evangelist and advocate
and crap that does nothing.
Yeah, but still employing people.
Yeah, and also hiring people that apparently do less than nothing. So that's
a really weird one. I was going to say at least 50% of us are still employing at least 50% of us.
Yeah, exactly. I like to think I went back to the coalface, you know, where the real work was done.
Or certainly looking down on it, anyway. Well, exactly. From your ivory seesaw. I will always, you know, think of you two as I look down upon you.
But, you know.
Anyway, very good.
Yeah, that's a particularly, that's quite a thoughtful tweet of the week, Andy.
I've got to say.
It was, wasn't it?
There's hidden depths to you, but it's just,
there's a lot of stuff to get through
to get to it, I guess.
Anyway, that was this week's Tweet of the Week.
Gentlemen, we have run fairly long this week,
so we'll put that right next week.
Whatever we ran over this week, we'll take off next week's.
But yeah, it's been a pleasure, gentlemen.
Thank you very much.
Jav,
thank you for your contributions and for weirdly agreeing with me on a,
on occasion.
I know I'm scared too.
And Andy,
thank you very much.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
So if we're running long, if you cut out my joke about Biden,
which neither of you got, then we should come in.
Yeah.
Oh, no, it's even funnier to let you die on your ass.
With friends like you.
I was about to say, with your pre-diabetes diagnosis,
that does explain your grumpiness.
Maybe your blood sugar's low when you get grumpy.
Well, we know how grumpy he gets when his blood sugar's low anyway, right?
Yeah.
Go grab a Snickers then.
Oh, actually,
I haven't even checked to see if the sounds work.
Amateur hour.
You hear that?
Hear what?
Do you know what?
It doesn't matter
how many times we do it.
It's always funny. It's like a reflex action, isn't it?
Oh dear. Yes, we heard it. Yeah.