The Host Unknown Podcast - Episode 115 - We're All Going On a Summer Holiday
Episode Date: August 5, 2022

This week in InfoSec (9:23)

With content liberated from the “today in infosec” twitter account and further afield

29th July 1985: An article in the New York Times cited multiple experts who alleged ...the vote counting systems of Computer Election Systems are vulnerable to tampering. Yep. Election systems vulnerabilities aren't a new phenomenon. Not even close. COMPUTERIZED SYSTEMS FOR VOTING SEEN AS VULNERABLE TO TAMPERING
https://twitter.com/todayininfosec/status/1156078284603416582

30th July 2013: Chelsea Manning was found guilty of espionage, theft, and computer fraud, as well as military infractions. United States v. Manning
https://twitter.com/todayininfosec/status/1288925289465208834

6th August 1997: Microsoft Buys $150M of Apple stock. In an effort to help save Apple Computer and possibly deflect criticism in its own anti-trust trial, Microsoft Corp. buys $150 million in shares of Apple Computer Inc. Apple, which had been struggling to find direction and profits for years, agreed to the boost in funding with terms that dictated cooperation in the design of computers as well as shared patents. Microsoft agreed to continue supporting MS-Office for the Mac for another five years as well.

Rant of the Week (18:11)

India scraps data protection law in favor of better law coming … sometime

The government of India has scrapped the Personal Data Protection Bill it's worked on for three years, and announced it will – eventually – unveil a superior bill.

The bill, proposed in 2019, would have enabled the government to gather user data from companies while regulating cross-border data flows. It also included restrictions on sharing of personal data without explicit consent, proposed establishment of a new Data Protection Authority within the government, and more.

On Wednesday, telecom minister Ashwini Vaishnaw tweeted that the bill was nixed because the Joint Committee of Parliament (JCP) recommended 81 amendments to the Bill's 99 sections.

"Therefore the bill has been withdrawn and a new bill will be presented for public consultation," said Vaishnaw.

and...

UK Parliament bins its TikTok account over China surveillance fears

Plan to educate the children turned out to be a 'won't someone think of the children?' moment

The UK's Parliament has ended its presence on TikTok after MPs pointed out the made-in-China social media service probably sends data about its users back to Beijing.

The existence of the account saw half a dozen MPs write to the presiding officers of the Houses of Lords and Commons — Lord McFall of Alcluith and Sir Lindsay Hoyle, respectively — to ask for the account to be discontinued.

"While efforts made to engage young people in the history and functioning of parliament should always be welcomed, we cannot and should not legitimise the use of an app which has been described by tech experts as 'essentially Chinese government spyware'," wrote MPs Nusrat Ghani, Tim Loughton, Sir Iain Duncan Smith, Tom Tugendhat, plus Lord Alton of Liverpool and Baroness Kennedy of the Shaws.

Billy Big Balls of the Week (26:21)

Ex-T-Mobile US store owner phished staff, raked in $25m from unlocking phones

A now-former T-Mobile US store owner stole at least 50 employees' work credentials to run a phone unlocking and unblocking service that prosecutors said netted $25 million.

Argishti Khudaverdyan, 44, of Burbank, California, was found guilty of 14 criminal charges [PDF] by a US federal jury on Friday.

According to the Dept of Justice, Khudaverdyan co-owned a T-Mobile US store in Los Angeles, operating as a business called Top Tier Solutions, for about five months in 2017. T-Mo ended its contract with Khudaverdyan in June 2017 after being sketched out by his suspicious use of the carrier's computer system. It turned out he had been unlocking phones for customers without T-Mobile US's permission so that the devices could be used on different networks.

Even after the self-styled un-carrier gave him the boot, he continued his illicit scheme, advertising unlocking and unblocking services through brokers, email spam, and websites that Khudaverdyan and Gharehbagloo controlled, such as unlocks247[.]com and swiftunlocked[.]com.

Industry News (33:37)

UK’s Top 10 Universities Failing on DMARC
Thousands of Apps Leaking Twitter API Keys
LockBit Ransomware Exploits Windows Defender to Sideload Cobalt Strike Payload
Tory Leadership Voting Delayed Over Security Concerns
T-Mobile Retailer Guilty of $25m Fraud Scheme
Experts Warn of Fake Football Ticket Scams
Ukraine Shutters Major Russian Bot Farm
Users Still in the Dark Over $5m Theft From Blockchain Firm Solana
CREST and OWASP Partner on Verification Standard Program

Tweet of the Week (40:16)

https://twitter.com/AndrewMohawk/status/1555430194743111683?s=20

Come on! Like and bloody well subscribe!
Transcript
Can you hear that?
Hear what?
What?
That.
Can't hear anything.
Yeah, silence.
You know why?
Lovely. Why?
they're on holiday
you're listening to the Host Unknown Podcast
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us
And welcome to episode 115-ish of the Host Unknown Podcast
Close enough
Gentlemen, gentlemen, how are we?
Jav, how are you?
Very good, very good, thank you.
Although I feel a bit let down by how people perceive me sometimes.
Oh, really?
This will be interesting.
Yeah, exactly.
So I stepped out into the road that's behind my garage from which I access my garage.
And someone had graffitied on my spray painted on the outside wall of my garage.
And they'd done it as a, you know, one of those cartoon bombs, like the round circle with the wick that goes out the top like
those Looney Tunes.
Oh, yeah.
It was like, it was like that, and then there was some words written on top. And then I walked up and someone else's garage, like, uh, down, uh, someone else's garage also had it. So clearly some kids had come and they'd sprayed that on. So I was, like, stepping back looking at it, thinking, like, what the hell? And my daughter comes out and she sees me looking at something. She comes out, she turns around, sees it, and then she looks at me and says, why did you spray your bomb on this?
And I said what makes you think I could do it?
And she just shrugged and said it seems like something you would do. And I'm like, I'm so disappointed.
She's just thinking you're going through a midlife crisis.
That's all.
That's right.
He's getting a bit out there tagging stuff.
Oh, dear me.
So that's my fun.
I wish I could have caught the kids that were doing it,
because then I would have said, look.
This is how you do it.
I'm not angry.
I'm just disappointed.
I'd say, look, look at me spray paint like a big painting of me on there
looking cool and cyberpunk-y or something.
That would be cool.
Do a caricature and the name Javad, but with fours instead of eights.
Oh, that's really good.
That's really good.
And holding a keyboard, but cynic written on it.
Yeah, there you go.
There you go.
You could be a keyboard warrior.
Exactly.
The only kind I am.
Andy, anything exciting happen to the walls of your garage this week?
Uh, sadly not, no. But my, um, so every year I have, well, I've got neighbours on both sides. Every year one side, they go to France for a good three or four weeks every summer. Um, and this morning I heard the other side were also packing to go away.
So when my missus was walking the dog, she said, you know,
oh, off on your holidays?
And they said, yeah, they're off for a week,
which basically gives me a week without neighbours.
So this is the week I shall be calling the hedge fund manager to come and cut the hedges either side of our borders
without the neighbours here.
So I can take a bit of height off the top
without any queries or complaints or anything.
And yeah, it's shaping up to be a good week next week.
What I want to know is where do you exactly live?
It feels like every month you're having
trees cut down, hedges cut down.
Yeah.
And it still is, like, it still sounds like you live in the middle of the tropical rainforest or something.
But there's nothing tropical about it. I live in, um, in an area that is actually called Whyteleafe, uh, you know, put it that way. So it's a very leafy area.
And full of white people?
Yeah. Once upon a time
it may have been, but no, it's
actually the chalk cliffs that give it the
name white. So we have
the North Downs based here.
Ah, right.
Yes, yes.
So that was, I know,
a bit of excitement there. So I'm actually
very excited about it. So you're going to
get the hedges done, you're going to move the, um, take a foot off the top.
Yeah, take the house borders, move those out.
Exactly, yeah, yeah. An inch every year.
Check out the underwear drawers.
Check out, you know, what's, what's behind that locked door on the top floor?
Do you remember the twits by Roald Dahl?
The story.
Yeah.
It's like the old couple that were arguing.
And I think the husband does it to the wife.
It's like at the bottom of her chair and walking stick,
he adds a little bit of wood every day, like a real thin sliver.
And after about a month or so she's sitting on the chair and her feet are dangling and her walking sticks are high, and he goes, oh, you've got the shrinks. That's what's happened.
That's what Andy's gonna do. All your house is on, like, some sort of, like, shrinking, you know, landfall. That's why your garden appears like it's shrinking, but that's all that's happening.
Yeah, that's right. I mean, my garden's always been, uh, you know, 27 foot wide.
Yeah. Well, uh, how's your week, Tom?
Yeah, good, good. Um, busy as usual, but, uh, not, not travelling into London, which was, which was kind of nice, I have to say. And we're
both still employed which is a good thing. Hey, always a bonus, right? Always a bonus.
Unbelievable.
I'm taking another step forward with a little project I'm doing.
I've just ordered a large piece of a two-way mirror for...
Oh, yeah.
Oh, dear.
Oh, God, here we go.
No, for a TV in my bedroom behind a mirror.
So, yeah, it's going to be...
Is this the room that you rent out on Airbnb?
It's the one that the doors always stay locked.
Yeah.
No, no, so I've got a big, wide mirror in my bedroom
and I thought I would put a TV behind it.
And it's been a little bit more complicated
than I thought it might have been
a little bit more expensive but
the project's coming together nicely so
the second to last part was getting
the mirror, the 2N mirror itself
ordered and I've just got to build a little
wooden frame to fit inside
the mirror
frame to hang on the TV
so it should be good.
That's the plan, anyway.
So what benefit does this provide, I suppose?
Is it more of a, it looks cool,
or is that the TV's completely hidden out of the way
when it's not on, or is there...?
Yeah, so yes and yes.
So the thing is, the TV, you, you know, stands out from a wall, right? So it's a wall-mounted TV, obviously, and there's a sound bar underneath it. Um, it's most Philips Ambilight ones, so the lights, you know, the, the, the back of the screen lights up, as it were, according to the colours that are on the screen. And so with the mirror, which is a big sort of wide thing, on the top of the, or on the front of the TV,
with, you know, obviously showing through the mirror,
but the mirror will look like it's floating
because it's like a couple of inches off the wall.
And the back of the wall should be bathed with light as well
from when the TV's on.
So it should look quite good, I think.
Right. And the thought of just getting some LED strips
and sticking them to the back of the telly isn't
good enough now? No, it doesn't work
because they don't react to what's on the screen do they?
So next week we're going to
hear about Tom and how his TV
and his new mirror crushed to the floor
and now he's got to buy everything
Quite possibly, and how I'm picking out
shards of glass from my backside
after it fell onto the bed.
You know, right?
So, yes.
So, talking about
shards of glass,
shall we see what we've got coming up
for us this week?
This week in InfoSec,
talks voting systems.
Rant of the Week asks Parliament
to engage with the youth
without using the PLA.
Billy Big Balls unlocks
the secrets behind making
millions in coin.
Industry News brings us the
latest and greatest security news stories
from around the world.
And finally, Tweet of the Week exposes the real secrets behind becoming a white hat.
Right, moving swiftly on to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account
and further afield.
So our first story takes us back to a time before I was born, 37 years ago, to the 29th of July 1985, when an article in the New York Times
cited multiple experts who alleged the vote counting systems
of a computer election system are vulnerable to tampering. Yes, election system
vulnerabilities are not a new phenomenon.
Yeah, so the computer program that is used to count more than one third of the votes cast at the presidential election, um, you know, in the US, it is actually vulnerable to manipulation and fraud, according to multiple witnesses in court actions, uh, who are challenging local and congressional elections in three states. Uh, you may be familiar with a former president who is still alleging that a vote was stolen from him, um, you know, citing these sort of very, very, uh, specific reasons, um, that, you know, these systems are not tamper proof. Um...
It's the sea monsters, wasn't it?
I don't know, but there's basically a lack of federal or state standards that mandate specific safeguards, um, in, in these, uh, sort of, uh, these systems that go out there. Um, and obviously in the UK the elections, or the, the Tory elections this week were actually delayed when, um, you know, the NCSC have highlighted there are potential threats to the voting system here as well. And so, um, the electronic one, so they're switching to paper. I've done online voting before and you, you can, um, you know, for various things, various, um, memberships and stuff like that, and it's kind of like, how are we getting this so wrong now? What is, I don't know. But even, like, I mean, the paper one's not exactly difficult.
Do you know what I mean?
Yeah.
You don't have to show ID, and I get the reasons why,
and, you know, I think it's a good thing.
But, I mean, the problem is half the people can't be asked to vote.
Why don't you have to show ID?
That's an interesting one. You just need to know a name.
And also, you know, so the whole ID thing is,
they say it discriminates against people, you know, typically, you know, lower income who don't have passports or driving licenses.
So you automatically disqualify, you know, half the Tory electorate.
Yeah.
People that could vote against them.
But yeah, yeah.
1985, 37 years.
This is not a new issue, and we still haven't got it right.
No. Yeah, I think it's one of those things, it's not just about we haven't got it right. I think now it's just more widespread, so that there's more people taking a look at it or poking around or remotely being able to access it. Like a lot of vulnerabilities, it's like, it's not that they've changed in severity or we've still not got it right, it's just poor people with bad services are paying attention to it. So it's a bit like, you know, the, the world isn't a, a much more awful place than it was a hundred years ago. It's just that we hear more about the bad stuff.
Yeah, yeah. I think when you look at some other studies
they say we're actually living in one of the best times in relative wealth and prosperity and safety.
And well-being and all that sort of stuff.
Yeah, yeah.
Says the three well-paid people in InfoSec.
But yes, let's carry on.
Yeah, let's move on to our second,
before we draw too much attention to it.
Let's skip our white privilege here, guys.
Our second story takes us back only nine years to the 30th of July 2013,
when Chelsea Manning was found guilty of espionage, theft and computer fraud, as well as military infractions.
So after serving in Iraq since October 2009, former United States Army Private First Class Manning was arrested in May 2010
after Adrian Lamo, a computer hacker in the United States,
indirectly informed the Army's Criminal Investigation Command that Manning had acknowledged passing classified material
to the whistleblower website WikiLeaks.
And so Manning was ultimately charged with 22 specified offences,
including communicating national defence information
to an unauthorised source,
and the most serious of charges, aiding the enemy.
So Manning was eventually acquitted of that most serious charge, that of aiding the enemy, but for giving secrets to WikiLeaks, um, there were five or six espionage counts. Um, but Manning was also found guilty of five theft specifications, two computer fraud, and multiple military infractions, without any sort of detail behind that one.
But Manny was eventually sentenced to 35 years imprisonment, reduction in pay grade and forfeiture of all pay and allowances,
and a dishonorable discharge, which obviously President Barack Obama commuted the sentence on 17th January 2017,
reducing it to a total of seven years confinement.
So, yeah, WikiLeaks, that was a great era for understanding what information was out there.
For getting people imprisoned.
Yeah, exactly. And Julian Assange is about to be extradited as well.
This whole era is...
Is he still in the UK at the moment?
I'm pretty sure he is. They've approved his extradition to the US.
I must admit, I've both lost track and interest.
Yeah, I was going to say, it's more the interest piece, right?
I think when he started being accused of smearing his own feces on the walls of the Ecuadorian embassy,
that was kind of like, yeah, I'm switching off.
This series is going nowhere.
Yeah, yeah.
He jumped the shark after season two.
Yeah, exactly.
But I will just end our final story, taking us back a mere 25 years to the 6th of August 1997,
when Microsoft purchased $150 million of Apple stock.
Oh, yes.
I wonder what that's worth now.
In an effort to help save Apple Computer
and potentially deflect criticism of its own antitrust trial,
Microsoft Corporation purchased $150 million of shares
in Apple Computer Inc.
because Apple had been struggling to find direction and profits for years. So they agreed to boost in funding with
terms that dictated cooperation in the design of computers as well as shared patents. And Microsoft
also agreed to continue supporting MS Office for Mac as part of that deal. So, yeah, look at them now.
Yeah.
I remember seeing the clip of the keynote where Steve Jobs is there
and he introduces Bill Gates as the big investor.
And everybody starts booing.
Yeah, yeah.
He came up on screen, everyone starts booing,
and then Steve Jobs went into dad mode,
like he just did the rim of his glasses and he sat down
and he patiently explained why it's a good thing
and why they're all idiots for booing.
It was very well done.
Mad.
Although MS Office only really started working properly for Mac
when Satya Nadella took over.
Let's be clear.
When he knew exactly which line to remove from the code
to just make it work seamlessly.
Hey, I mean, the guy's a talent.
Let's be clear.
Excellent.
Thank you, Andy, for this week's...
This week in InfoSec.
You're listening to the award-winning Host Unknown podcast,
the show which Smashing Security sets their out-of-office to.
I hope both Carole and Graham are sitting on a beach
drinking mimosas or cosmopolitans or whatever it is
that Graham insists they, uh, and having a lovely time.
OK, so shall we move on to this week's...
Listen up! Rant of the Week. It's time to mother rage.
So, uh, two quick ones today, actually. Uh, two in total. So the first one, we've
spoken much about many of the
laws that are being
brought in by India
one of which was
recently we've been talking
about laws that insist that
port scans are reported within
what is it 24 hours or something like that
every single port scan
6 hours wasn't it?
Oh, six hours, yeah, exactly.
I was being generous.
And that's under review at the moment as well.
But India also has a data protection law in the works,
or rather it did.
It used to because surprisingly,
given there's a billion people in India and it's a massive economy, etc, etc, there is no substantial data protection law in place. And there was one that was coming in, per the Personal Data Protection Bill. It's been worked on for the last three years. And finally,
it was announced that it's going to be removed and a new bill will be put in its place.
So it was proposed initially in 2019, would have allowed the government to gather user data from companies
while regulating cross-border data flows. Kind of normal there. It also included restrictions
on sharing of personal data without consent, proposed the establishment of a new data
protection authority, all that sort of good stuff. Now, unfortunately, it was seen to be a little bit too authoritarian.
It basically said the Indian government has access to everything, everywhere.
But on Wednesday, the bill was finally declared dead because the Joint Committee of Parliament recommended 81 amendments to the bill's 99 sections.
Now, I'm assuming that that means that they took issue with 81 of those 99 sections,
because 81 amendments could have just been, you know, a couple of missing dots on the top of the I's and a couple of cross T's.
I'm assuming it was dropped because, you know, when you've only got 18, um, you know, actual useful bits of legislation out of the 99, that's probably a bit of a problem. So yeah, that, how getting that totally wrong is just beggars belief. But then again, in light of having to report your port scans every four or six hours and who knows now. The second one is, uh...
Sorry, can I just go back to that, uh, that personal, right? So they've been working on it for three years, right? What I don't understand, and you know that many
countries around the world have these uh sort of personal data privacy laws.
I think Europe is certainly leading the way with GDPR.
You know, it's been established for a very long time.
There's actually test cases, like interpretations of how, you know,
nation members implement different laws and, you know,
tweets that they can get around that.
And on the other side, you've got China that is just, you know, we own everything regardless.
We'll decide what's right.
Why don't they just copy one of those two?
Do you know what I mean?
I'm not being funny.
Just copy what someone else has done and stick your name on the top of it.
Don't try and create something else.
It's worked for infosec professionals for years.
Exactly.
I mean, there's only so many variations of policies that are out in the marketplace, right?
Yeah, exactly. Absolutely right. Absolutely right.
Right, so the second one, another government, the UK Parliament, bins, it's bins or bans, I'm not sure,
its TikTok account over the Chinese surveillance fears.
So the UK's parliament has ended its presence on TikTok because a bunch of MPs pointed out that effectively the platform, TikTok platform, is effectively Chinese government spyware, as has been stated by a number of loose cannon professionals.
Scare-mongering.
Fake news.
But a bunch of, uh, MPs have, um, basically said that we can't be using this. It's, you know, all of the data it uses is just going to be siphoned off and sent to China. Um, we cannot and should not legitimise the use of an app which has been described by tech experts as essentially Chinese government spyware,
wrote MPs Nusrat Ghani, Tim Loughton, Sir Iain Duncan Smith, Tom Tuggan something, Tuggan Hat, plus Lord Alton of Liverpool and Baroness Kennedy of the Shores.
Is that the Geordie Shores?
But they're happy to use Facebook.
They're happy to use WhatsApp.
Although, in fairness, that data is being gathered by a so-called ally.
Although based upon recent events in the US, those allies are not exactly to be trusted anyway, given that even in the Pentagon, data has been scrubbed and deleted, you know, post the January 6th insurrections. Um, so, but yeah, nonetheless it does seem to be like, sure, OK, this data is being gathered, but what are you putting onto it? If you're putting content that is useful for your target audience, what is the challenge of that? I guess is part of it that they seem to be encouraging UK nationals to use TikTok. I mean, that, that horse is already bolted, right?
Yeah, you know, everybody's using TikTok. At least you can start to, you know, own and change that, um, uh, that narrative. But it does seem to be very, very short, you know, short-sighted here.
Now, now I'd like to introduce two young professionals who are avid TikTok users and
know about the youth in question. Jav, Andy.
I've got to admit, you know what? TikTok did me dirty on the train home yesterday. I don't normally, you know, I have a rule of no TikTok between the hours of 8 and 8, you know, 8 a.m. and 8 p.m.
But yesterday I was on the train on the way back after a long day.
I thought, hey, I'll open up TikTok.
And the very first one was a scantily clad, you know, young lady dancing.
And the woman sitting next to me on the train, I could feel the disgust in her eyes. So obviously I swiped up and there's another one there. I was like, oh dear, the algorithm is not doing me any favours on this train journey. OK, so I just owned it.
Yeah. What's interesting is you didn't say the algorithm isn't working.
You were just saying the algorithm wasn't doing you any favours
at that particular time.
Exactly.
I owned it.
I just liked the post and just kept scrolling.
The algorithm was like, he's logging on earlier than usual
from a location he doesn't.
He must be stressed.
Let's, like, give him his interest.
I'm going to give him an intense two and a half minutes
of semi-naked ladies.
That should easily see him done.
Yeah.
Yeah.
I was waiting for, like, you know, the cute dog videos
that normally come up, but no.
Not yet.
You pervert.
You pervert.
On that horrible note.
Rant of the Week.
This is the podcast the Queen listens to.
Although she won't admit it.
Jav, please tell me you've got a slightly cleaner way to open up this next section.
Yes, so I will keep it completely clean, unlike our filthy friend Andy over here.
T-Mobile has many stores, and there was one co-founder of a store who, well, it operates as a business called Top Tier Solutions, and there was an employee who's Argishti, and I can't pronounce his surname, but he worked there for five months in 2017. But Top Tier and, well, T-Mobile ended its contract with him because some suspicious activity was taking place that violated their terms and conditions
and what have you.
Turns out he'd been unlocking phones for customers
without T-Mobile's permission
so the devices could be used on different networks.
So case closed, yes?
Not quite.
I think Mr. Kudiverdian is a hero of our time, right?
Oh, well, well, you know, how long can you fight the darkness
before the darkness becomes you or whatever that term is?
He went rogue.
Wow, we pivoted.
You take someone's livelihood away from them.
He was doing a common service, unlocking people's phones,
and that was ripped for him.
He then took a walk in the night.
It was pouring down with rain.
He slipped and fell,
caught a glimpse of his reflection in the puddle,
punched the ground hard and said,
no, I will get my revenge.
And a bat flew around him.
Yes, yes.
So he then went on a rampage, should I say, where he phished his former staff at the T-Mobile store.
So and he stole at least 50 of their work credentials.
And he then started unlocking and unblocking services.
That prosecutor said netted $25 million.
How much was he charging to unlock phones to earn $25 million?
$12.5 million a phone.
Yeah, exactly.
That is a significant amount of cash.
Yeah.
You've got to be busy.
You've got to work hard.
Yeah, yeah. But, you know, it's like he offered to unblock devices
that had been reported lost or stolen or banned from networks.
So clearly every criminal in the US who stole a phone would come to him
and say, hey, man, you got any other unlocking services?
And he's like, maybe I do, maybe I don't.
Okay, this changes the tone quite considerably.
But do you remember when your iPhone was stolen?
Oh, yes.
And that guy in India was asking you for your password.
Yeah, begging me to unlock it.
And you're saying it's a lot of money for him,
but it's not much money for you.
Yeah.
And you're like, it's a stolen phone.
He's like, yes, sir, but you got it through insurance.
It doesn't matter for you now
I've got it. I paid 150 for it. Please.
But, but here's the thing, you know, notwithstanding that companies, you know, that telco companies lock their phones to their networks, when you know that, that in itself, there's a whole argument about you shouldn't be doing that, you're buying a piece of hardware, blah blah blah, all that sort of thing. Kind of get it, you know, a little bit of a Robin Hood moment here whilst he unlocks their phones. Then we go into very illegal territory here, you know, so these phones have been stolen, they have been removed off networks, etc, but he's unlocking them anyway. That is supporting a criminal enterprise at the end of the day. So he's not a Billy Big Balls. He's just a criminal again, Jav.
You're regularly supporting criminals in your Billy Big Balls.
Do you know what?
25 million from doing this scam.
That is some Billy Big Ball energy.
It is.
It is.
Yeah, for a criminal.
What volumes is he doing?
Criminally big volumes Look, look
What do they say in medicine?
What is it? The Hippocratic Oath or something?
Yeah
Someone's been shot, they're at the operating table
You've got to save them
They could have been a bank robber
It doesn't matter, your job as a doctor is to save them
Same thing with our top G over here.
It's not the same thing.
He gets a phone.
It's not working.
It's not the same thing.
He doesn't know if it's stolen.
He doesn't know if it's been robbed.
For all he knows, it's someone's grandmother
left it for him in a will, but it was locked.
T-Mobile being assholes.
They discontinued it because the bill payer is no longer alive. You, but there's memories on there, you know. Ever thought of it like that?
Why are you so negative about everything?
I'm, I'm definitely on the side of HMRC now, Jav. I have...
Hating on hard-working, enterprising...
I think HMRC definitely got it right.
so you know t-mobile can charge you to unlock the phone and what have you.
But, oh, it's OK for them to make millions and millions of years.
But one scrappy individual with balls the size of kahunas can...
Unlocking legitimately stolen phones.
Well, you know, that's just like the assumption.
That's the allegations. No proof.
Yeah, he didn't ask where the phones came from.
Those are the words that you said.
I'm just saying that it could have been like that.
But anyway, you know, you're just clearly wrong and you're a hater, you know.
Damn, this should have been a rant.
This is brilliant.
Thank you, Joe, for this.
Look, he set up a website.
He set up several websites.
You could go there.
Oh, now you're advertising for him.
No, no, no.
And you could do it.
If you could set up a website or if you could do a few clicks and links
and make some money, would you not do it?
If it was legal, yeah.
Yeah, see?
And so we agree. Sam, Tom agrees.
Billy Big Balls of the Week.
This is the Host Unknown Podcast, the couch potato of InfoSec broadcasting.
OK, Andy, we are rapidly running out of time and patience, I think.
So, Andy, what time have you got?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry news.
UK's top 10 universities failing on DMARC.
Industry news.
Thousands of apps leaking Twitter API keys.
Industry news.
Lockbit ransomware exploits Windows Defender to sideload Cobalt Strike payload.
Industry news.
Tory leadership voting delayed over security concerns.
Industry news.
T-Mobile retailer guilty of $25 million fraud scheme.
Industry news.
Experts warn of fake football ticket scams.
Industry news.
Ukraine shutters major Russian bot farm.
Industry news.
Users still in the dark over $5 million theft from blockchain firm Solana.
Industry news.
CREST and OWASP partner on verification standard program.
Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge if true.
Huge indeed.
How the hell are the top ten universities failing on DMARC
when DMARC is something that even I was able to set up
for my company when I was running my own company?
Even I was able to implement it.
I don't know.
I guess it's about who they employ, right?
Christ, I couldn't employ anybody less technical than me.
True, true.
You know, I know that, you know, I just had a couple of domains to protect
and all that sort of blah, blah, blah, all that sort of thing.
It still only took me about 25 minutes tops,
and that was following a, you know, how-to thing.
Surely there's – this is fundamental table stakes.
So, yeah, security vendor assessed each of the...
Oh, you're actually reading it. Okay.
Ten universities in each country.
Oh, yeah, 97% across all regions
are failing to actively block fraudulent emails.
The figure rose to 100% in the UK.
Yes!
This is why we got Brexit.
Yes, exactly.
To be the leader.
That's a problem.
All our sysadmins are European.
They can't get into it.
That's right.
They need physical access to the servers.
They can't do it.
Sorry.
Oh, man.
I think that's appalling.
Mind you, it's a bit like, you know,
still having cross-site scripting and SQL injection in the OWASP top 10 anyway, right?
That sort of stuff should never happen.
And that leads on nicely to the story about CREST and OWASP
partnering together.
I don't understand how this is.
I mean, CREST always waxes lyrical about the OWASP Top 10.
They made it a fundamental part of their methodology.
I'm just trying to understand what they're going to do together
other than release a new standard as I read the paragraph.
I guess rather than just referring to each other's standards,
you know, from the outside, they're going to get together
and start integrating some of their materials at a far more basic level, right?
You know what? I just love how we can read the headline and know pretty much what it's about.
Like "CREST and OWASP partner on verification standard program".
Imagine that on a mainstream website and people reading it, thinking: is this the latest Marvel
crossover episode or something? It's just like, you have no idea what these terms mean, who they are
or what they're doing. I tell you what, I want to know more about this T-Mobile retailer who's
guilty of a $25 million fraud scheme. He sounds like a legend. Speaking of legends, I've got to say, Ukraine shatters major
Russian bot farm. As if I've got enough to do to deal with: you're being bombed, your infrastructure
is... there, people are... thing, but you still have time to take down bot farms. See, other countries around
the world, take note. That's how you do shit.
Yeah.
That's how you get shit done, right?
Yeah.
That's impressive.
That is seriously impressive.
That I will agree with you on, Jav.
That is this week's Billy Big Balls.
Actually, that is a Billy Big Ball move in fairness, isn't it?
Yeah. Yeah.
Ukraine claims to have neutralised 1,200 cyber incidents
and cyber attacks on government and strategic critical infrastructure
since the start of the war.
Since the war, they've stopped 1,200 incidents.
That's more than many non-warring nations have detected.
I mean, I guess, I guess that, you know, any modern army is now going to be, or armed forces are now going to be, mobilizing on a cyber front anyway. Right.
Well, yeah, I mean, it's, it's natural. I mean, if you can take down a country's, say, power grid, you can either, you can either bomb the power station, or
you can, if you can, like, digitally lock them out of it, then hey, let's lock them out of it. It's cheaper,
it's quicker, and then if you've taken over the country, you still have all the working
infrastructure that you can, you can use again rather than have to build it up again.
And it's definitely cheaper, because you just have to tell the hacker concerned
that if they don't do it, you're going to tell their mum.
Yeah.
All right, that was this week's...
Industry News.
In 2021, you voted us the most entertaining cyber security content
amongst our peers.
In 2022, you crowned us the best cybersecurity podcast in Europe.
You are listening to the double award winning host unknown podcast.
How do you like them apples?
So we were minutes before the show.
We still hadn't found the tweet of the week
but we pulled it out of the bag
for you
and when I say we
I mean I think it was Jav
wasn't it actually
so Andy here you go
for this week's
tweet of the week
and we always play that one twice
tweet of the week
and so I shall take us home
This week's tweet of the week is from Andrew Mohawk.
What a great name, Andrew. Um, so he's quote tweeting, uh, Nomad, uh, who's saying thank you,
uh, for receiving, um, and it's got, like, the, the wallet address, um, for returning 11.2 million
dollars to our recovery address. We've recovered a total of $16.6 million so far.
And so Andrew has quote tweeted that and he says,
everyone is a white hat when your transactions are traceable,
which I think is very true.
It's like the people that, you know,
this is like the digital equivalent of people that record themselves giving
stuff to homeless people, you know, and sort of like being nice in public.
Yes, yes. Oh, I hate those videos.
That is just like, yeah. But, but no, I hate people being nice to other people.
For the views, though. For the views, Tom, there's a difference. For the views.
Like, you know what? You could either run a Google AdWords campaign
to boost your video to, like, a million views,
but that'll cost you, like, £2,000 maybe.
Or you could give a homeless person £100,
edit the video to make it look like a great act of philanthropy
and share it out there and, boom, viral.
Right, just give them a wash and a haircut.
Your job done right. Yeah, yeah.
Kind of like what we did with you, Tom, wasn't it?
You know what, this is almost a bit like, it's just a prank. Like when you get caught: oh no, I'm not
really a black hat, it was just for... I'm just showing you how easy it is for me to steal money.
Here it is.
I'll give it back now
and let that be a lesson to you.
Just a prank, bro.
Yeah.
I just borrowed the $2 million.
I was going to give it.
I just wanted to wind you up.
It was resting in my account.
Resting, I tell you.
Oh, brilliant.
Thank you, Andy, for this week's Tweet of the Week.
And so we come to the end of the show.
Gentlemen, thank you very much.
What a wonderful belly laugh in time we have had.
Jeff, thank you so much for disagreeing with me.
It's been good fun.
Oh, you're welcome.
It's what I've been
put on the earth to do. And Andy, thank you very much. Stay secure, my friend. Stay secure.
You've been listening to the Host Unknown podcast. If you enjoyed what you heard,
comment and subscribe. If you hated it, please leave your
best insults on our Reddit channel, worst episode ever, r slash smashing security.
Is this the point of the show where I say I don't particularly understand that last tweet and I
just laughed along because it kind of... it's all right, thing. It's alright.
I'm still
disappointed by your
grandad joke this week about
Roy
Oh, about Roy Uverson.
Yeah.
Anywhere you want, you got it.
No, stop. Just stop. Just stop.
In the show notes.