The Host Unknown Podcast - Episode 116 - Thom Can't Work The Buttons

Episode Date: August 12, 2022

This Week in InfoSec
With content liberated from the "today in infosec" twitter account and further afield

10th August 1988: 34 years ago today, Dade Murphy aka Zero Cool crashed 1507 computers, causing a 7 point drop in the NY stock exchange. He was 11 and his family was fined $45,000. He was banned from touching a computer until he turned 18.
https://twitter.com/hakluke/status/1557242086423871488

6th August 2014: A hacker announced the theft of 40 GB of data from the maker of FinFisher spyware, then leaked the price list, client list, and more.
A Hacker Claims to Have Leaked 40GB of Docs on Government Spy Tool FinFisher
Top gov't spyware company hacked; Gamma's FinFisher leaked
https://twitter.com/todayininfosec/status/1158956449248108544

11th August 2015: A day after Oracle CSO Mary Ann Davidson posted a blog titled "No, You Really Can't", security community blowback caused Oracle to remove the post.
No, you really can't (Wayback Machine)
Oracle has this Modest Proposal, via its CSO
https://twitter.com/todayininfosec/status/1293374259637768194

Rant of the Week
Meta's chatbot says the company 'exploits people'
Meta's new prototype chatbot has told the BBC that Mark Zuckerberg exploits its users for money. Meta says the chatbot uses artificial intelligence and can chat on "nearly any topic". Asked what the chatbot thought of the company's CEO and founder, it replied "our country is divided and he didn't help that at all". Meta said the chatbot was a prototype and might produce rude or offensive answers. "Everyone who uses Blender Bot is required to acknowledge they understand it's for research and entertainment purposes only, that it can make untrue or offensive statements, and that they agree to not intentionally trigger the bot to make offensive statements," said a Meta spokesperson. The chatbot, called BlenderBot 3, was released to the public on Friday. The programme "learns" from large amounts of publicly available language data.

Billy Big Balls of the Week
Background: Twilio discloses data breach after SMS phishing attack on employees
"On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials," Twilio said over the weekend. "The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data." The company also revealed the attackers gained access to its systems after tricking and stealing credentials from multiple employees targeted in the phishing incident. To do that, they impersonated Twilio's IT department, asking them to click URLs containing "Twilio," "Okta," and "SSO" keywords that would redirect them to a Twilio sign-in page clone. The SMS phishing messages baited Twilio's employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed.

BBB: Cloudflare: Someone tried to pull the Twilio phishing tactic on us too.
Cloudflare says it was subject to a similar attack to one made on comms company Twilio last week, but in this case it was thwarted by hardware security keys that are required to access applications and services. Twilio reported a breach after employees received phishing text messages claiming to be from the company's IT department. These fooled them into logging into a fake web page designed to look like Twilio's own sign-in page, using pretexts such as claiming they needed to change their passwords. The attackers were then able to use credentials supplied by the victims to log into the real site. According to Cloudflare, it recorded a very similar incident late last month, which could suggest the two attacks may have originated from the same attacker or group. Detailing the incident on its blog, the content delivery network claimed that no Cloudflare systems were compromised, but said it was "a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached."

Industry News
Meta Takes Action Against Cyber Espionage Operations Targeting Facebook in South Asia
Number of Firms Unable to Access Cyber-Insurance Set to Double
Smishing Attack Led to Major Twilio Breach
Health Adviser Fined After Illegally Accessing Medical Records
US Treasury Sanctions Virtual Currency Mixer For Connections With Lazarus Group
Predator Pleads Guilty After Targeting Thousands of Girls Online
Cyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports
DeathStalker's VileRAT Continues to Target Foreign and Crypto Exchanges
Suspected $3m Romance Scammer Extradited to Japan

Tweet of the Week
https://twitter.com/mttaggart/status/1557399523575508993

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 I just think we should completely avoid the whole topic of the crying CEO. I mean, it's quite a difficult thing to do, to stay away from the crying CEO, but I guess we can try. You're listening to the Host Unknown Podcast. You're listening to the Host Unknown Podcast. Dry your eyes, dear listener. We're sure you've had a tough week. We're sure that letting go of those people was probably the most difficult thing you could say or do this week. And it's probably put you in a very vulnerable position. But Friday's here. The Host Unknown podcast is here.
Starting point is 00:01:02 And Javad is here. How are you, Jav? Oh, I'm very good, I'm very good. I have next week off which is great. I'm not going anywhere which is even better so I'm not spending any money. You know I did sit down and like shed a few tears in front of my kids. You know this is very difficult. I can't take you on an overpriced holiday this year. So they were comforting me by the end of it. But some more excitement in my neighbourhood. Ooh! A few days ago, one of my neighbours,
Starting point is 00:01:34 who's two houses down on the left, so there's my immediate neighbour, there's the service alleyway, and then they live on the other side. Now, they're builders and they've got a couple of vans and one of them got nicked overnight no but surely no tools were left in the van overnight well unfortunately he had several tools in the van um but the van but the van itself was his major tool because you know he's lugging around stuff and what have you so he came to me he was really
Starting point is 00:02:05 distraught he was like i see you've got some cameras up can you catch anything there and i was like mate gdpr and all this stuff i can only cover my own driveway you know like i'm not yeah i can't cover the road and the alleyway in your house and he goes like brother i give you permission if you want to face the camera this way so um so you went through the satellite footage that you had for the uh so i'm in the process of upgrading my camera system gonna add four more cameras what yes is this a wired system or an ip system this is all a wired system okay so the guy comes and he'll install it for me i'm not installing it myself yet because as soon as it's wires and stuff and electricity i don't know how to do it that's outsourcing you can't do the buttons outsourcing you're written all over it exactly
Starting point is 00:03:04 exactly who do you think i am like a sock analyst or something i can't do the buttons. Outsourcing, you're written all over it. Exactly, exactly. Who do you think I am, like a sock analyst or something? I don't do anything myself. Going to outsource it to some East End barra boy done good. Yeah, yeah. No, there's a really good guy not too far from here. He's got a shop that he installs. He's the one that got my current setup going, and it's really good.
Starting point is 00:03:29 He also, like, every time he comes around to look at the cameras or fit or whatever he goes hey i can also get you one of those chipped like sky boxes if you're like you know those dream boxes that give you every year i said no no no oh you know these neighbors and these neighbors they've all got it you can ask them it works i said no i don't want them thank you very much it gets you all the blueys and everything yeah i know i know so yeah basically neighborhood watch control center i am i am i'm just picturing like where in my office i can set up a whole bank of monitors and like you know i'm gonna set up like walkie-talkies with the neighbors and everything it's gonna be like you know, I'm going to set up like walkie talkies with the neighbors and everything. It's going to be like, you know, Oh,
Starting point is 00:04:06 what's your cool sign going to be? Yeah. Eagle. Eagle. Eagle. There we go. And then your neighbor, Bob,
Starting point is 00:04:18 the builder. Yeah. Yeah. Oh, fantastic. Do you know what? The, the, the, Yeah. Yeah. Oh, fantastic. Do you know what? The ongoing saga of your back passage must have every listener hanging on every word in every episode.
Starting point is 00:04:35 So, you know, if nothing else, it gets everybody back to listening to next week's episode. I know. I know. So stay tuned, folks. Indeed. Stay tuned for the further sagas of jav's back passage andy how are you uh good i'm literally as jav was talking i was just scrolling through my
Starting point is 00:04:55 neighborhood watch whatsapp group um because there's actually a white van that was going around our area and someone said hey keep an eye out for these scumbags and he's posted um you know screenshots from his cctv uh i chased them off and they're trying to steal materials from my house um and basically it's a white van that's been stolen so it's a legit van from a building oh it's not like a mr whippy then no but it's uh no it's a building company van so you know quite likely to be in the area and stuff. But, yeah, the van was stolen. They've put some false plates on it as well. Now, you know, far be it from me to be the detective of the group,
Starting point is 00:05:35 but Jav's neighbour has just had a building van stolen. You have just had a stolen building works van driving around nicking stuff i reckon you two should be talking so the only missing piece here the only missing piece here last wednesday and thursday night where were you tom i'm gonna plead the fifth on that uh so how was your week anyway, other than a productive trip to Lidl? Yes, indeed. It's always a productive trip to Lidl.
Starting point is 00:06:13 The stuff you can find there is surprising, surprising. I have a cupboard full of it now. It's almost a cliché, but everyone does it, right? Well, whenever I need a trombone, a TIG welder and a wetsuit, where else would you go? Exactly. Do you know what? I was walking through there the other day and they had some,
Starting point is 00:06:35 you know when you do welding, you have to wear a helmet, you know, that blanks out the vision so you don't go blind. And they had some automatic welding helmets. So basically you can see through them and then as soon as it detects light, boom, it changes and, you know, it goes dark, et cetera. They looked so cool. Are you going to convert it into like a Star Wars thing? Do you know, I was so close to buying one.
Starting point is 00:07:02 So when a lightsaber lights up, the mask automatically drops down sort of thing. Yeah, exactly. So I then have to use the force. Exactly. Oh, it's so close to buying one. I was like, for goodness sake. You know, it was like I had a paint job down the side,
Starting point is 00:07:18 you know, like, you know, red and yellow flames and stuff. It looked really cool. It looked really cool. But yeah, aside from that, been in the office, making the most of their air conditioning, obviously, just like everybody else. So yes, yeah. And I'm picking up another or not,
Starting point is 00:07:37 picking up on a project and completing another. So I had the glass delivered for my TV mirror in the bedroom. So that's being fitted this weekend. And, yeah, going to kick off and do another magic mirror as well. So, yeah, busy. It's going to be a busy weekend. So I'm hearing a lot of stuff that you are doing yourself and I'm hearing a lot of stuff that Jav's outsourcing.
Starting point is 00:08:03 Yes. How the turns of table do it. Exactly. And yet you're the CISO. Oh, and that's right. And there's some fella in North London I've got to install some cameras for as well. It's a pain in the arse if he's trying to sell me dodgy software.
Starting point is 00:08:24 Try and upsell. Yeah, Office 95, he said it's the latest version. Anyway, shall we see what we've got coming up for you today? This week in InfoSec talks about repressive government's weapon of choice long before Pegasus. Rant of the week is another big tech chatbot in the wild. Billy Big Balls demonstrates why defence in depth really can save you some pain.
Starting point is 00:08:51 Industry News brings us the latest and greatest security news stories from around the world as usual. And Tweet of the Week is an InfoSec dad joke. My favourite kind. So let's move on to our favourite part of the show, the part of the show that we like to call... This Week in InfoSec. It is that part of the show which for more than nine months in the year
Starting point is 00:09:27 takes a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. So a quick first story which takes us back this week 34 years in 1988 when Dade Murphy, a.k.a. Zero Cool, crashed 1,507 computers, causing a seven point drop in the New York Stock Exchange. He was 11 years old at the time and his family was fined forty five thousand dollars. He was then banned from touching the computer until he turned 18. And that story made the front page of The New York Times on 10th of August 1988. It's true.
Starting point is 00:10:06 I saw it. I saw it. I was there. Yeah. I definitely saw it. Yeah. So we won't dwell too much on it because everyone knows all about Dave Murphy, aka Zero Cool.
Starting point is 00:10:18 Well, everyone except my mum, in fairness. Okay. Well, we'll stick a link in the show notes. I think there's a screen uh you know screenshot so our uh second story takes us back eight years to the 6th of august 2014 and it may sound familiar because a hacker announced the theft of 40 gigabytes of data from the maker of fin fisher spyware uh hacker then leaked the price list, client list, and more. So NSO Group's Pegasus was not the first spyware vendor
Starting point is 00:10:51 to be used by oppressive governments to spy on anyone they wanted. And this week in 2014, an Anglo-German company, Gamma International UK Limited, the maker of the secretive Finn Fisher spyware, which sold exclusively to governments and police agencies, was hacked. So during the hack, it revealed its clients, prices and its effectiveness across an unbelievable span of applications, operating systems and more. And this parody sort of Twitter account by the hacker claiming credit for the leak was set up in tandem with the data
Starting point is 00:11:25 being released. And it really sort of spilled the tea on what many people already suspected about these sort of dodgy selling practices that were going on. So in 2012, the FinFisher software was found sort of being widely used by governments in the Middle East, particularly Bahrain to hack and spy on computers and phones of journalists and dissidents. And Gamma Group, the company that makes FinFish, are denied having anything to do with it, saying that they only sell their hacking tools
Starting point is 00:11:55 to good governments. Oh, come on. Those authoritarian regimes must have stolen a copy. But unfortunately, those files stolen from Gamma's networks provided hard proof that they knew exactly what they were selling, who they were selling, even during the accusations at the time in 2012. And they knew that the software was being used to attack Bahraini activists. But yeah, that stolen data contained client list, priceless source code,
Starting point is 00:12:24 details about the effectiveness of the FinFisher malware, user support documentation, tutorials, you know, and more. And an invoice to the Baronian government as well, presumably. had a list like how finchfish have performed against the 35 top antivirus products um literally showing how easy it was to defeat um you know detection jesus but yeah it's uh the documents did reveal some like good uses statistics by country i mean imagine you know like other customers include um you know which sort of prompted the parody Twitter account to tweet, we have some integrity. We do not sell to Israel. So I'm sure this is probably the origin story of Pegasus anyway, right?
Starting point is 00:13:16 They're like, well, we'll make our own. Yeah. You have to question the morals of any company that would just, you know, when faced with simple facts, just deny everything and say, no, it's not true. You know that that's going to come out at some point in the future. They stopped the copy and then they planted a fake invoice on our systems as well.
Starting point is 00:13:43 And then they made a bank transfer to make it look like we sold it to them. It's so good they used it on us and we didn't detect it. Yeah. But, you know, like, so prior to the leak, so in 2013, like human rights advocates and virus hunters, basically they scrutinized this FinF software to like uncover potential abuses because they first got a glimpse of it um when the egyptian state security uncovered um you know during that revolution that this software was actually being used and up until that point in 2011 people had never seen
Starting point is 00:14:20 like researchers had only ever suspected it um to the point where even like you know friend of the show miko hipponen um the chief research officer at helsinki based f secure actually told bloomberg that we know it exists but we've never seen it so you think of it like a rare diamond um but yeah it's quite the rarity and the story obviously was repeated again with pegasus you just need to rotate the names of spyware and the names of governments caught using it. And the story is good to go. And the names of companies denying that they had anything to do with it. It all just gets brushed under the carpet.
Starting point is 00:14:55 Yeah, there's something interesting, though. Just a few days ago, and I had a quick scan through and I don't think we cover it later on the show, but there's a former Twitter employee um who who worked from 2013 2015 who's been convicted for spying for saudi arabia so ahmed abu amu was charged with sending saudi officials private information of users uh who were critical of the kingdom um in exchange for hundreds of thousands of dollars so when you talk about insider threats and uh when you talk about like you don't really need pegasus you just need to pay someone who's working for one of the companies to give you all the information um and uh yeah i
Starting point is 00:15:37 think it just and and then the second point is you mentioned miko and i've just got to give a cheap plug uh miko's new book if it's's Smart, It's Vulnerable, is out. Widely publishing. I've started reading it. It is a very good read so far. It's not on Amazon, though, is it? Oh, no, I've got to send a pre-copy, I think. Oh, God.
Starting point is 00:15:58 Everybody I know has been sent a pre-read. Mikko, I know you're listening. I know you're a fan of the show. Do a man a favour. Send me a couple of copies i'll give one to andy and everything i'll be honest i'll wait until it comes out on blinkist so i can listen to it in sort of 15 minutes i always set it to like 1.25 speed. Yeah. So anyway, right, our final story is from a mere seven years ago when on the 11th of August
Starting point is 00:16:32 2015, a day after Oracle's CSO Mary Ann Davidson posted a blog titled, No, You Really Can't. The blowback from the security community caused Oracle to remove the post. So what was so controversial about this, I hear you ask?
Starting point is 00:16:49 Well, Oracle's chief security officer, Marianne Davidson, would like to get rid of all the reverse engineering security weenies, as she put it. And she wanted you to know that static analysis is Oracle's job, not yours, and that looking for security vulnerabilities in this way breaks the license agreement that you signed up to. So obviously at which point the internet exploded. The blog post in which she gave Oracle's position on this point
Starting point is 00:17:17 got called various things, arrogant, holier-than-thou, petty, condescending, idiotic scolding patronizing yeah whining and it was basically you know within 24 hours it's deleted um and with the benefit of obviously unemotional hindsight and you know the pitchfork mob mentality of the angry twitter um there were actually some interesting points made in a blog post um but it was unfortunately buried inside paragraphs of uh as you say sort of you know condescending um vitriol really um so she like literally quoting you know from the blog um she goes on say recently i have seen the largest uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it insert big sigh here this
Starting point is 00:18:06 is why i've been writing a lot of letters to customers that start with hi how's it aloha but end with please comply with your license agreement and stop reverse engineering our code already um and so yeah it's quite a tough one you, she goes on to say that, you know, we're really good at, you know, scanning for vulnerabilities. You know, we write half of these software, you know, these analysis tools ourselves. So, you know, we actually understand what's happening. So all these tools you use have a close to 100% false positive rate. So, you know, stop wasting our time by reporting them. You know, we're just trying to save time
Starting point is 00:18:45 in this mutually time wasting exercise um but the problem is because she goes on such a rant and it's a rant that you'd have been proud of tom um she literally i mean the links in the show notes because the way back machine doesn't forget right um so you know she actually starts going off track on some of these other frustrations she's facing she does this q a and it's just like question hey i've got an idea why not do a bug bounty pay third parties to find this stuff answer bigger sigh bug bounties for the new boy band many companies are screaming fainting and throwing their underwear at security researchers to find problems in their code and insisting this is the way walk in it if you're not doing bug bounties your code isn't secure oh well we find 87 percent of security vulnerabilities ourselves security researchers find about three percent and the rest are found by customers and it's you know that whole sort of i don't know there's just a
Starting point is 00:19:43 lot of arrogance about this you know it was uh yeah just the way it didn't come across well uh and i do sort of remember in 2015 this kind of kicking off on twitter but you know i was drinking a lot at the time so i don't think i got involved i know the feeling i remember it well actually no i don't but uh yeah i think that you know there's a way of getting your point across, but sort of hiding behind the, you know, any of this reverse engineering you're trying to do is a violation of your license agreement.
Starting point is 00:20:12 Stop trying to tell us about vulnerabilities. I think universally recognized is the wrong way about doing it. I mean, I think the point of trying to stop people from just, you know, basically script kiddies just from running tools against the product and saying, oh, we found something. When those tools are freely available and are used by Oracle, it just wastes everybody's time. There's a way of saying that that doesn't involve putting things
Starting point is 00:20:37 in brackets like even bigger sigh and all that sort of crap. I mean, and this is the problem with a lot of these stuff. And I think Oracle as well suffers probably because of Larry Ellison more than anything, but suffers from an arrogance anyway, you know, as a corporate culture. And I think if you don't message things correctly, if you don't think about your audience and who you're talking to and what you want them to take away from it,
Starting point is 00:21:03 it's just going to get, you to get drowned out in all the noise and tears and vulnerable LinkedIn posts. Yeah, but I guess this is a good reminder not to write with such emotion without sitting on it for a while, and also why big companies have such rigorous controlled media channels. Yeah, well, especially as it was removed and said something like, this post did not reflect our corporate values or something like that. That's normally something that you say when somebody goes on
Starting point is 00:21:38 some kind of Nazi-based profanity-laden rant rather than just talking about weenies uh excellent andy thank you for that lovely trip down memory lane in this week in infrasur if you work hard research stories with diligence and deliver well-edited, award-winning, studio-quality content for high-paying sponsors, then you too can be usurped by three idiots who know how to think on their feet. You're listening to the award-winning Host Unknown podcast. Ratchet and Tom, if it's smart, it's vulnerable, is now available on Amazon. So you can go on there and get yourself a hard copy or the Kindle version.
Starting point is 00:22:28 Oh, fantastic. I will do that straight after the show. As long as he can get a voucher. Mikko, if you're listening, text us a voucher, mate. Okay, on to my favourite part of the show, the part of the show that I like to call... Listen up! R part of the show, the part of the show that I like to call... Listen up! Rant of the Week.
Starting point is 00:22:47 It's time for Mother F***ing Rage. So this might sound a little bit wrong at first, that I'm ranting about this, given the subject. So Meta, i.e. Facebook, have released a chatbot, and people can chat to this chatbot, clues in the name, on Facebook and ask it questions on nearly any topic and we'll get a sensible answer back. The thing is, though, this prototype chatbot has told the BBC journalist that Mark Zuckerberg exploits its users for money, which I think is hilarious. So it's an honest chatbot.
Starting point is 00:23:36 It's an honest chatbot. Well, also, the chatbot uses artificial intelligence, and effectively, it has access to everything on the internet, so it can make up its own mind. So when presented with all of humankind's universal knowledge, it came to the conclusion that Mark Zuckerberg exploits its users for money, that our country, either US, is divided and he didn't help at all. So these are fairly interesting claims from something that has the sum of all humankind's knowledge. You'd think Meta and Zuckerberg might be in a little bit of a spin about this. And I know there's a lot of people out there who are probably sort of punching the air and saying, yes, here's one in the eye for you, Zuckerberg, you human-skinned lizard, reptile person, you. But what people forget, and I used the phrase slightly earlier, is that there's no such thing as bad publicity in the sense that Zuckerberg knows
Starting point is 00:24:46 exactly what's going on here because what Facebook, and let's call it by its original name because meta's ridiculous, what Facebook does is gather as much data about everybody that it possibly can. And the use of this chatbot is doing just that. It is gathering vast amounts of data from what people are asking it, what it's no doubt siphoning off huge amounts of data from people's computers while it's doing it. It wouldn't surprise me in the slightest. It shouldn't surprise anybody there. And it's doing exactly what Zuckerberg says.
Starting point is 00:25:28 And the fact that it's getting this kind of coverage makes me think that we shouldn't have covered it at all because we know that our many, many dozens of listeners will have such an influence on this. But the fact is the coverage it's getting is getting more people to use it and therefore facebook is getting more access to more data for it to use process and sell so blender working is what you're saying his plan's yeah exactly his evil genius plan is working and the fact that you know blender bot 3 um which i i don't know perhaps they misspelt brenda i don't know but it was it was released on friday so just a week ago and it's already garnered international coverage which is
Starting point is 00:26:21 very very concerning so yeah if you're if you're sort of listening concerning. So yeah, if you're, if you're sort of listening to this, if you're, if you're reading about this and you're thinking, ha, you know, Zuckerberg's been sort of hung by his own petard, unfortunately, I think you're wrong. And unfortunately, you know, if you've interacted with, uh, with Brenda, then chances are she knows a whole lot more about you than you probably know about yourself now. Wow. Your microphone was on. Your camera was on. Yeah.
Starting point is 00:26:53 Yeah, exactly. We saw what you were doing with that industrial power tool. I love how – and, folks, listeners, I have to apologize for Tom. He's a bit old. Well, and folks, listeners, I have to apologize for Tom. He's a bit old. But Facebook, one of the most popular used services, internationally releases a new service.
Starting point is 00:27:18 And Tom is surprised it's garnered coverage internationally. But it's gone viral. You know, it's gone so viral, everyone's like talking about it around the world. I mean, it's not like Facebook is a small product that no one uses. And I mean, like, just think about Apple releases a new phone and it's just got like, you know, 0.2 millimeters shaved off the corner and one extra pixel on this camera. And that gets international coverage all the time. So I think that's just part and parcel of these large companies.
Starting point is 00:27:44 Whenever they release anything, there's always going to be coverage um but i what i did hear though was that if if this hadn't of garnered them the coverage they wanted zuckerberg did have a crying picture on hand he was about to release it to say about how how bad he felt. How vulnerable he felt. Yes. With your analogy there about Apple, Jav, the one thing I would say is that the latest iPhone doesn't call Tim Cook a knob. No, because they've got Siri under their nose.
Starting point is 00:28:19 There's no way that Zuckerberg could show emotion at all. He just hasn't learned that. No. I mean, he would send a command to his central processing unit to release some saline-based liquid to exit from one of his eye socket holes. Yeah. Oh, wow. No, but I think, like, you know, you say all this,
Starting point is 00:28:44 and, you know, you're not wrong in that you know facebook has been known for collecting data but how's that different from alexa or siri or google like you know it's they they all could they're all always listening they're all collecting information that's how they they're all wired recommendations on what to buy and what to do and hey it looks like you're heading towards you know this shop again or or like andy you're running low on haribos would you like me to order some more for you you know it's that's the name sugar-free haribo replacements thank you very much they're called jello sweets is it really is that the name? Yeah.
Starting point is 00:29:28 It's your favourite kind, isn't it, Jab? Yeah. So you're absolutely right. All this is about gathering data, and many, many other companies gather data, and we talk about those companies and we rant about them without a shadow of a doubt. I think the interesting angle here is that people think that it's backfired when actually it's doing exactly, exactly what Zuckerberg wanted it to do. You're right. You're right. So there was I was reading some tweet by a popular YouTuber, tech YouTuber, and they said that whenever they read in a tweet by a popular tech YouTuber and they said that whenever they release a video
Starting point is 00:30:06 Reading a tweet by a popular tech YouTuber and they said you know what, I don't like giving other YouTubers any props because I don't want people going to anyone else and they said that when they make a video
Starting point is 00:30:22 they deliberately get a small fact wrong. So they'll call, you know, something by the wrong name, or they'll call it AC current, the DC current, whatever. And the reason for that is that people love to jump into the comment section and just correct him. Oh, you're such an idiot, how could you make this mistake? Clearly that's the red wire and you called it the blue wire. And you know what, I did, because it's normally a small engagement, but that's what boosts the engagement, and that's what the algorithm likes, and that's what bumps it all the way to the top, and that's how I get, like, you know, hundreds
Starting point is 00:30:59 of thousands of views per video. And this is the exact same strategy here, isn't it? This is it, like, let's get the chatbot to say something mean about Zuckerberg and the whole world will, you know, love it. I'm quite impressed that you've taken it to such levels that the entire contents of all your YouTube videos are entirely wrong, Jav. No, I know, I'm just like, I've gone extreme. I'm like that. Let's just, you know, if it works for Alex Jones... I mean, yeah, that's very true, very true. On which
Starting point is 00:31:32 well, on which note we shall say... Rant of the Week. You're listening to the award-winning Host Unknown podcast, the show which Smashing Security sets their out-of-office to. Okay, Jav, over to you now. I think you've got a couple of Billy Big Balls.
Starting point is 00:31:58 You have an entire sack full, let's say, of Billy Big Balls for us. Billy Big Balls of the Week. Yes, I do have an entire sack full today for you, dear listeners, so prepare yourselves. Twilio discloses a data breach. And so Twilio, the big internet company, they got breached after an SMS phishing attack on employees, or as we like to say, a smishing attack on employees. So they were sent text messages to their phone which impersonated Twilio's IT department, asking them to click URLs containing the words Twilio, Okta and SSO. So it all looked very legitimate.
Starting point is 00:32:48 And that's the problem with the phones. It's like, you know, you just see the words. It's really hard to inspect where the URL is actually taking you, or, you know, people can't be bothered. And also the phone, you're checking them at all odd hours of the day and night, even when you're bleary-eyed first thing in the morning. What? Oh, IT needs me to change it? Okay, let me click on this. So they clicked through and it took them to, surprise surprise, a landing page created by the baddies, and they then entered in their ID and password, after which they were, what's the term, 2FA spammed or what have you. So basically, the criminals started to log in with those credentials. And every time they logged in, the employee would get pushed a 2FA code, not a 2FA code, like one of those approvals.
Starting point is 00:33:42 And they kept doing it. And they started phoning them up saying, hello, we're calling from the IT department and you've got a push notification. Please click yes, because that is all part of the security of your account. So eventually they wore them down and one of them clicked, or a couple of them clicked, yes on those MFA notifications and gave the criminals access to their accounts. And this may be a successful attack. Yes, a successful attack. Why did somebody's misfortune make you laugh, Jav?
Starting point is 00:34:21 I see what you're doing there. I see what you're doing there. It made me laugh because I sort of hung my head a bit when at RSA a few months ago no less than three keynote speakers trotted out the erroneous stat that MFA protects against 99% of all attacks, which is... and actually, if you look into that stat, it's not even the accurate attribution. I think it's originally a Microsoft
Starting point is 00:34:57 quote, but it was account takeover. So it protects against 99% of account takeover. So it's used really erroneously and out of context in many things. And then I was like, haha, where's your MFA now? So the question is then, like, well, I'm not hating on MFA. I think, as a technical control, it's one of the best controls out there; it gives you the most fundamental... and it addresses a huge amount. It gives you the... yeah, it's real return on investment for it. Yeah, you need to be realistic about the limitations of what it is and how you implement it, and especially you need to look at whether what you have implemented is phishing resistant, because if you can still, like, bombard people with all these notifications, and we've heard stories in the past, a lot of people just saying, I just say yes to everything because that's what I've been told
Starting point is 00:35:55 to. Yeah, you know, you desensitise them to it. So how can you do it correctly? And for that we turn to Cloudflare. Cloudflare said someone tried to pull the Twilio phishing tactic on us too. So what happened is that their employees also received text messages claiming to be from the company's IT department, and they fooled them into logging onto a fake web page designed to look like Twilio's own sign-in page. And surprisingly, these domains were registered literally within the hour prior to those text messages going out, so it was a well thought out and coordinated campaign. But they failed because they used those hardware keys, like a YubiKey or something like that, that you have to pop into your machine, and that's your second factor. It doesn't text you a code,
Starting point is 00:36:56 it doesn't have a pop-up notification, so there was nothing that they could give to the criminals to get them to log on. So a good example of a phishing-resistant form of MFA. So security over convenience. Yes. Yes, that's right. And, yeah, don't ask me what happens with it. Well, security and convenience. Yeah.
Starting point is 00:37:17 Well, yeah. It's not convenient to carry a hardware key around, honestly. But we all know the push to authenticate is far easier. Yeah, yeah. I don't know, I'll leave mine in my laptop. I'm just saying, snap it off. Yeah, plug it in, snap it off. Yeah, okay, as long as there's a bit you can press, we're all right in there. Yeah, exactly. So wasn't Twilio something else beforehand? Didn't they rename themselves? I don't remember.
Starting point is 00:37:55 I thought they were a certain... Weren't they a malware company? Is it McAfee? Were they McAfee? No. No. No. Founded in 2008. Okay, I'm thinking of something else.
Starting point is 00:38:12 What did McAfee rebrand as? I don't know. They split into two different companies and maybe one of them split into two different companies. It's McAfees all over the place. Yeah, you're thinking of Trellix. That's who I'm thinking of. Began with T. Stupid name, means nothing. Aren't they that, like, dance group or something? You think of the Trello, the, um, the mood? No, I'm thinking of Skrillex.
Starting point is 00:38:46 That's who I'm thinking of. You mean the people who wrote our intro tune without realising it? Oh, dear. And on which copyright note we will end, and thank you, Jav, for this week's... Billy Big Balls of the Week. We are officially the most entertaining content amongst our peers. That's an old one. All right, let's do something else then.
Starting point is 00:39:19 Let's do... Attention. This is a message for our friends over at Smashing Security. We call you listening again. This is the Host Unknown podcast. OK, with time rapidly running out, it is time. And what time is it, Andy? It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Starting point is 00:39:53 Industry News. Meta takes action against cyber espionage operations targeting Facebook in South Asia. Industry news. Number of firms unable to access cyber insurance set to double. Industry news. Smishing attack led to major Twilio breach. Industry news. Health advisor fined after illegally accessing medical records.
Starting point is 00:40:22 Industry news. US Treasury sanctions virtual currency mixer for connections with Lazarus Group. Industry news. Predator pleads guilty after targeting thousands of girls online. Industry news. Cybercriminals shift from macros to shortcut files to hack business PCs, HP reports. Industry news. Deathstalker's vile rat continues to target foreign and crypto exchanges.
Starting point is 00:40:54 Industry news. Suspected $3 million romance scammer extradited to Japan. Industry news. And that was this week's... Industry news. Huge if true. Huge.
Starting point is 00:41:13 Huge. So this predator that pled guilty after targeting thousands of girls online, why didn't he just enable his self-destruct bomb on his wrist? You know, there's a new, there's a prequel to that out, I think, on Disney. Yeah, Prey. Supposed to be really, really
Starting point is 00:41:36 good. I thought you were going to go the other way there. No, it's supposed to be excellent. You know, the original with Arnie was such a good film. It's among the top films ever made in history. And everything else after that has been such a terrible disappointment. It just hasn't been able to capture,
Starting point is 00:41:56 especially those Alien versus Predator movies. And so I really don't know whether I can take another one, another such disappointment by watching Prey. I keep hearing that it's very, very good. Who said this? I did just then. Didn't you hear me? Yeah, okay.
Starting point is 00:42:18 I've heard it's very good. Okay, cool. I think we should also, we deliberately avoid any sort of Black Hat DEF CON stories because we can't be arsed with that. If we're not there, it's not happening. Exactly. We've also missed out on the NHS. It's like when babies close their eyes and they think that nobody can see them.
Starting point is 00:42:38 If we don't talk about it, it's not going. It's not happening. And also the NHS hack with 1-1-1 going offline and the Cisco hack as well. You know, there's so many great stories we've not referenced this week. What was the Cisco hack? Cisco was also similar to the Twilio one, wasn't it?
Starting point is 00:42:58 It was like their MFA got... Oh. And they actually posted a really good write-up of what happened and went public with it. But I think it's because the gang that sort of hacked them said that they were going to release everything anyway. Yeah.
Starting point is 00:43:16 Cisco got ahead of it. I don't think they were. Including the invoice to Bahrain. Yeah. But, yeah, 2.8 gigs allegedly stolen from that one. But yeah, a ransomware group tried to extort them. Do you know what, nowadays 2.8 gigs doesn't sound like a lot, does it? It really doesn't. No, but then I don't know, if you think about emails without attachments... Yeah, I know, I know, but I just... yeah, just 100 gig, that's getting quite large, right?
Starting point is 00:43:46 A terabyte, that's a lot. 2.8 gigs, I mean, you could fit that on, you know, the smallest of USB sticks you can get now. Yeah, but do you know how, I'll tell you what, we should have actually covered it, because what was interesting was the way they actually did it. They hacked an employee's personal Google account. Yeah. And that employee's personal Google account was synced, obviously, with the browser they used to work. And obviously all their credentials are stored in the browser as
Starting point is 00:44:17 well. So then all they had to do was get the employee to accept the MFA push that went through to him, which he did. And I see it's actually, they're calling it MFA fatigue attack. That's nice. Yeah, so send a constant stream of MFA requests to annoy them in the hopes they'll finally accept one to stop them being generated. And, yeah, finally convinced them to do it, and the attacker has got access to the VPN, and then spread laterally through Citrix servers and domain controllers. Wow.
Starting point is 00:44:55 Yeah, it seemed like a very hastily put together... There's been lots of questions that people have been asking on Twitter about it. One of these, like: 2FA fatigue is one of the fakest things I've ever heard of. Why are proper security professionals treating this as though it's not just a weak excuse? And then further up: yes, I wanted the car alarm to go off when a break-in was attempted, but I heard it nine times, so I went outside and handed him my keys. I seriously doubt this technically is still a theft. It's true. It's true. It's all about marketing, though, right?
Starting point is 00:45:35 This is clearly a comms that has gone through the marketing channels. Yes. You know, those highly paid people doing what they do best. Yeah. If you put a recognisable tag on something, if you name it something that sort of kind of makes sense, then people become more aware of it. Yeah.
Starting point is 00:45:52 If you were to call it sending you 2FA requests until you finally accept yes, it's not really quite so snappy, is it? No, it's catchy. No. No. Anything else in here? I'm glad to see that the host unknown cyber espionage
Starting point is 00:46:10 operations that have targeted Facebook in South Asia are going well. Yep. Yeah, although I think we're going to have to pull back. They're on to us. Yeah, that's right. We had to have that conversation with Brenda, unfortunately.
Starting point is 00:46:25 Yeah. It's all very dull, really, at the moment. Yeah. Everyone's in Vegas. Yeah, shifting from macros to shortcut files. OK. The romance scammer story is quite interesting because Interpol arrested 15 suspects
Starting point is 00:46:43 in connection with the romance scam conspiracy, and most of these were unwitting money mules. So they were just told, hey, make money from home, and we'll transfer money and keep 10% and forward the rest on to us. And so the group is thought to have made three million from it. And, yeah, it's quite dull. So, well, I think we covered, or we talked about, that Netflix show, I can't remember what it's called now, about the romance scammer, and it was in a couple of, three parts, I think. And you're getting halfway through it and you're thinking, how is he able to afford all of this lifestyle to show off? And, of course, what it's showing is that he's using one person
Starting point is 00:47:32 to fund the next person to fund the next person and so on. And it's absolutely fascinating how they work and how utterly convincing they are. Yeah, never watched it. The Tinder Swindler. Tinder Swindler, there we go. Yeah, that was on. Well, it's worth watching, actually.
Starting point is 00:47:49 It's worth watching. I think they dragged it out a little bit, but it was very well done. There was that, and there was Inventing Anna. I loved that. Oh, I've got to see that. Have you yet to see that? Yeah, I'm looking forward to that one.
Starting point is 00:48:04 Right, on the note of Inventing a woman called Anna, let's call it. So that was this week's Industry News. Feeling overloaded with actionable information? Fed up receiving well-researched, factual security content? Ask your doctor if the Host Unknown podcast is right for you. Always read the label. Never double dose on episodes. Side effects may include nausea, eye-rolling, and involuntary swearing
Starting point is 00:48:38 in anger. Right. Andy, let's have you close the show with this week's... Tweet of the Week. And we always play that one twice. Tweet of the Week. And this week's Tweet of the Week is from Taggart.
Starting point is 00:48:54 And he said, it's a dad joke, so I'll warn you, I'm going to have a conversation with myself. I'm an offensive security professional. Oh, like a pen tester? No, I'm a SOC analyst, but also I'm a huge jerk. Hang on, I thought I had a... but I don't.
Starting point is 00:49:14 Alas. Great one, very good, Andy. A suitable note to end the show on. Tweet of the Week. Gentlemen, thank you so much for your time this week. We've been running for many, many minutes.
Starting point is 00:49:36 Jav, thank you so much. You're welcome. And Andy, thank you. Stay secure, my friends. Stay secure. Tweet of the Week. Wait. You've been listening to the Host Unknown podcast.
Starting point is 00:50:00 If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. The worst episode ever. R slash Smashing Security. Kurt is a bumpy one. You had a bit of trouble with the buttons on this week's show, didn't you? I'm always having trouble with the buttons. His hands are shaking after using a power tool for like three hours.
Starting point is 00:50:32 That hole needed to be drilled. Sure it did.