The Host Unknown Podcast - Episode 117 - Now With Trigger Warnings
Episode Date: August 19, 2022

This week in InfoSec
With content liberated from the "today in infosec" twitter account and further afield

18th August 2003: The Nachi worm began infecting Windows computers to remove the Blaster worm and patch the vulnerability Nachi and Blaster exploited. Yes, you read that right. Yes, this happened. Gotta love it!
https://twitter.com/todayininfosec/status/1163142725740331008

17th August 2007: Drew Curtis, founder of http://Fark.com, accused Darrell Phillips, reporter at Fox13, of hacking into the social networking news site
On getting farked?
https://twitter.com/todayininfosec/status/1162868155015761920

Rant of the Week
PC store told it can't claim full cyber-crime insurance after social-engineering attack
A Minnesota computer store suing its crime insurance provider has had its case dismissed, with the court saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.
SJ Computers alleged in a November lawsuit [PDF] that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.
According to its website, SJ Computers is a Microsoft Authorized Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.
Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted [PDF] with prejudice last Friday.
Billy Big Balls of the Week
Janet Jackson music video declared a cybersecurity exploit
The music video for Janet Jackson's 1989 pop hit Rhythm Nation has been recognized as a cybersecurity vulnerability after Microsoft reported it can crash old laptop computers.
"A colleague of mine shared a story from Windows XP product support," wrote Microsoft blogger Raymond Chen.
The story detailed how "a major computer manufacturer discovered that playing the music video for Janet Jackson's Rhythm Nation would crash certain models of laptops."
Further investigation revealed that multiple manufacturers' machines also crashed. Sometimes playing the video on one laptop would crash another nearby laptop. This is mysterious because the song isn't actually that bad.
Investigation revealed that all the crashing laptops shared the same 5400 RPM hard disk drive.
"It turns out that the song contained one of the natural resonant frequencies for the model of 5400 RPM laptop hard drives that they and other manufacturers used," Chen wrote.
The manufacturer that found the problem apparently added a custom filter in the audio pipeline to detect and remove the offending frequencies during audio playback.
CVE-2022-38392

Industry News
Critical Infrastructure at Risk as Thousands of VNC Instances Exposed
Three Extradited from UK to US on $5m BEC Charges
Software Patches Flaw on macOS Could Let Hackers Bypass All Security Levels
Water Company Says Supply Safe After Ransom Group Claims
Microsoft Disrupts Russian Cyber-Espionage Group Seaborgium
Healthcare Provider Issues Warning After Tracking Pixels Leak Patient Data
Bug Bounty Giant Slams Quality of Vendor Patching
Suspected Russian Money Launderer Extradited to US
Hackers Deploy Bumblebee Loader to Breach Target Networks

Tweet of the Week
https://twitter.com/dildog/status/1560025574437015553

Come on! Like and bloody well subscribe!
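The mitigation in the Rhythm Nation story, a filter in the audio pipeline that detects and removes the frequency that excites the drive, is the kind of thing worth seeing in working form. The block below is an added example and not the laptop vendor's code nor anything from the original show notes. It assumes values the page does not give: a 44100 Hz sample rate, a 2600 Hz resonant frequency, a notch Q of 20, and a constructed two-tone test signal. It implements a second-order IIR notch (the standard "RBJ cookbook" form) plus a Goertzel power measurement, so it needs nothing beyond the Python standard library.

```python
"""Remove a resonant band from PCM audio and measure how much of it is left.

Added illustration of the mitigation described in the show notes (a filter in the audio
pipeline that strips the frequency that excites the drive). Not the vendor's code.
Assumed values, none of which the page states: 44100 Hz sample rate, 2600 Hz resonant
frequency, notch Q of 20, and a constructed two-tone test signal.
"""
import math

SAMPLE_RATE = 44100      # assumed
RESONANT_HZ = 2600.0     # assumed; the real drive's frequency is not stated on the page
NOTCH_Q = 20.0           # assumed; f0 / Q gives a 130 Hz wide notch


def notch_coefficients(f0, fs, q):
    """Second-order IIR notch (RBJ Audio EQ Cookbook form), normalised so a0 == 1.

    Returns (b0, b1, b2, a1, a2) for
        y[n] = b0 x[n] + b1 x[n-1] + b2 x[n-2] - a1 y[n-1] - a2 y[n-2]
    """
    w0 = 2.0 * math.pi * f0 / fs
    alpha = math.sin(w0) / (2.0 * q)
    a0 = 1.0 + alpha
    b0, b1, b2 = 1.0 / a0, -2.0 * math.cos(w0) / a0, 1.0 / a0
    a1, a2 = -2.0 * math.cos(w0) / a0, (1.0 - alpha) / a0
    return b0, b1, b2, a1, a2


def apply_biquad(samples, coeffs):
    """Run the difference equation over the signal (direct form I, zero initial state)."""
    b0, b1, b2, a1, a2 = coeffs
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x in samples:
        y = b0 * x + b1 * x1 + b2 * x2 - a1 * y1 - a2 * y2
        out.append(y)
        x2, x1 = x1, x
        y2, y1 = y1, y
    return out


def goertzel_power(samples, freq, fs):
    """Normalised power at one frequency bin (Goertzel algorithm, no FFT needed).

    For a pure tone of amplitude A sitting exactly on this bin the result is (A / 2) ** 2.
    """
    n = len(samples)
    k = round(freq * n / fs)                      # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def make_signal(num_samples, tones, fs=SAMPLE_RATE):
    """Constructed test input: a sum of sine tones given as (frequency_hz, amplitude)."""
    return [sum(a * math.sin(2.0 * math.pi * f * i / fs) for f, a in tones)
            for i in range(num_samples)]


def band_power_is_dangerous(samples, f0=RESONANT_HZ, fs=SAMPLE_RATE, threshold=0.01):
    """Detection side: True when the resonant bin carries more than `threshold` power."""
    return goertzel_power(samples, f0, fs) > threshold


def attenuation_db(samples, freq, f0=RESONANT_HZ, fs=SAMPLE_RATE, q=NOTCH_Q):
    """dB removed at `freq` by the notch centred on f0 (positive means quieter after)."""
    before = goertzel_power(samples, freq, fs)
    after = goertzel_power(apply_biquad(samples, notch_coefficients(f0, fs, q)), freq, fs)
    return 10.0 * math.log10(before / after)


if __name__ == "__main__":
    # One second of audio: a harmless 1000 Hz tone plus a tone sitting on the resonance.
    audio = make_signal(SAMPLE_RATE, [(1000.0, 0.5), (RESONANT_HZ, 0.5)])
    print("resonant band over threshold:", band_power_is_dangerous(audio))
    print("attenuation at resonance: %.1f dB" % attenuation_db(audio, RESONANT_HZ))
    print("attenuation at 1000 Hz:   %.3f dB" % attenuation_db(audio, 1000.0))
    filtered = apply_biquad(audio, notch_coefficients(RESONANT_HZ, SAMPLE_RATE, NOTCH_Q))
    print("still dangerous after filtering:", band_power_is_dangerous(filtered))
```

The point of running both measurements is the trade-off the vendor faced: a narrow notch (high Q) knocks the resonant tone down by tens of dB while leaving a tone a few hundred hertz away essentially untouched, which is why the fix could ship in the audio path without audibly wrecking playback. A real deployment would need the drive's measured resonance rather than the assumed 2600 Hz, and would have to filter every audio source, not just one player.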
Transcript
I'm on holiday this week, so I have not been reading any stories. Nothing of interest has happened, so I'm gonna, like, what they call, do an Andy and take it easy this episode.
How are we going to tell the difference between this episode and every other episode?
That's the secret.
You read the show notes for the first time as we're going through the show.
You're listening to the Host Unknown Podcast.
Hello, hello, good morning, good afternoon, good evening from wherever you are joining us. And welcome to episode 117-ish.
121.
Of the Host Unknown podcast.
We've got to give Andy his airtime every week.
It just makes him feel better.
Yes, welcome, welcome.
I'm the only one that can count on this show.
I actually went through every episode, I'm telling you.
I'm telling you.
Yes, but the number you give is the number of episodes that you've published.
The number I give is the number of episodes that we've recorded.
Is it actually an episode if it isn't published?
If I've given the time, it's an episode.
What if it's published and it's got no views? What's your position on that? Or listens or downloads or whatever.
Indeed, indeed. Well, you know, the podcast being published, probably the internet is its first listener, and obviously the, you know, the government.
Well, yeah, yeah, exactly. I mean, it's a win-win for our Chinese handler.
So I trust you, dear listener, are well. It's been both a hot week and a wet week, so hopefully you are both cool and dry at the moment. Jav, talking of cool and dry, how are you?
Yes, yes. So I've got this week off, so I'm joining you on my day off.
So, get you. You mean you're not going shopping? Absolutely honoured you could join us.
I know, I know. You're welcome. So, yeah, no, I actually woke up today and I was merrily going about my business, and then suddenly I was like, oh, it's Friday today, what's... what am I meant to be doing today? And I'm like, record the podcast.
That's right, I need to turn up late for something.
Yes, yes, exactly, exactly.
I don't know why you keep referring to what we have as the show notes.
It's the teleprompter.
It's like the words that you're meant to read as you go through it. So why do you hate on me for reading it while we're on this show?
Full stop.
Oh, dear.
Yeah, please don't read everything out, though, Jav, all right?
There are some rather personal notes in there.
So, Jav, just hit refresh on the show notes for me, would you?
So you've had a good week off. Have you been travelling anywhere?
I went up to Blackpool to see Blackpool Tower, and we were queuing up to see the tower, and two of my kids were like, that was really high, we're scared, and my wife was like, this line is moving really slowly, I can't be bothered to wait. So we saw the tower from outside, at the footpath level, and that's it.
Well, I mean, you did go there to see the Blackpool Tower, so I guess technically, you know, mission accomplished.
Yes, yes. Good, good. Thanks, thanks for the dead air.
Talking of dead air, Andy?
Hey, it's the Fonz again. I'm doing good. I, um, do you know what, this week I have been, you know, I did sort of leave all sort ofias, but on TikTok the last couple of weeks, I'm sure Jav can attest, there's been more and more compilations of people's BeReal accounts.
So BeReal is another sort of social network app where it randomly messages you once per day. So once every 24 hours it'll send you a message and you've got two minutes to take a photo of where you are, and what it does is it will take a photo with your front and back cameras at the same time, and that's it. You've got no time for a filter, you've got no time for anything else. You can't view your friends' photos until you've posted your own, and your photo is only live for 24 hours before it's deleted.
Sorry, and advertised as deleted.
Well, obviously it's still sitting on their server. You can still see it, but no one else can. So, you know, people can't stalk your account, they can't go back, you know, sort of five years or whatever and look at what you used to do. But it's actually an app that I'm enjoying because there's no commentary on it, like you don't have to speak to anyone. It's literally a proof-of-life app, like, you know, are your friends still alive? Yes, no.
So you tried to get me, Jav, to join this.
I did. I know you took absolutely zero interest.
No, that's right.
But Jav was the same with TikTok, though.
though i did read about people for instance having to take photos during their grandmother's funeral
and things like that.
Yeah, that was a funny one.
Yeah.
I mean...
The notification came in, right?
What are you going to do?
Well, exactly.
It's like people think that this is some kind of, you know,
Uber being that, you know, demands that they do what they're told.
Otherwise, it'll be some kind of ritual sacrifice.
I mean, like... What happens if you don't respond?
You can post late. It just tells everyone how late you were. So it'll say, like, you know, this person posted five hours late or whatever. But, you know, at that point it's a case of, well, you know, now that person's had time to prepare for the photo, and they're probably, like, you know, making sure they've got a nice good background and all that kind of stuff.
That's the whole point, isn't it? Yeah, the mother has stopped weeping in front of the coffin.
Hey, like, do it for the clout.
So now you've explained it, it makes sense, and I'm going to try it out.
I didn't understand the concept when you explained it.
What are you like?
No, this is...
You know, if it wasn't inconvenient
and you didn't have to do it at weird times,
it wouldn't be fun.
I mean, this is like...
So I don't know if you remember Casey Neistat, the YouTuber, like the godfather of YouTube, who perfected the daily vlog format.
He started his media company called Beam, which is Be Me.
And that was a similar thing, but it was like short videos.
But the way the videos would work, you just pick up your phone and hold it to your chest and it would start recording. So no filter, no nothing. So you'd be, like, where you were. Ultimately it didn't take off, but it was acquired by CNN and he got, like, a few million out of it and what have you. But this is like taking that concept but making it real. It is BeReal.
But this is brilliant.
I'm going to download it right now so you two carry on talking
and ignore any sounds.
It will tell you if someone screenshots your photo as well.
So it's only there for like 24 hours.
What about if you take a photo of your phone with the photo on it?
Then the FBI agent is looking through your camera.
Oh, God, I can't believe... Jav, I honestly thought, honestly thought you weren't gonna do it, Jav. And then, look, you know, just set your time zone to European and at some point during the day it will, you know.
It's you two millennials, I tell you what.
Or Gen Zers or whatever.
So let's hand over to the baby boomer.
How's your week been?
Well, I managed to chew my food without breaking my dentures.
And the care home, the staff have been nice to you.
They're lovely. They're lovely.
They're such wonderful people, apart from Mrs Nybaum.
Oh, my gosh, she's a bitch.
Never liked her.
So, yeah, interesting week. Obviously too hot and then too wet, obviously. But, yeah...
Title of your sex tape.
Is it?
Yeah.
Do you know what, I think I will. I'll take that. I'll take that one. Yeah, too hot, too wet. But yeah, today's my last working day and I've got a week off, which is going to be nice.
Yeah, fantastic.
So I'm not sure what's going to happen next week.
Oh, okay, that's how you tell us, right?
Yeah, well, just like you have last week.
Yeah, I'm sure that we'll start recording at some point before midnight and we may get a show out by the following week, who knows?
Yeah, exactly.
Exactly.
Right, shall we see what we've got coming up for you today?
Well, this week in InfoSec can go and get fucked.
Rent of the Week tries hard to find the value in cyber insurance.
Billy Big Balls. Janet Jackson.
Yes, that Janet Jackson
is the muse for a new CVE.
Industry News brings the latest
and greatest security news stories
from around the world
and Tweets of the Week
is a new security certification
you didn't know you qualified for.
OK, time to move on to our favourite part of the show, the part of the show that we like to call
this week in infosec
it is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today on InfoSec Twitter account and further afield.
So our first story takes us back to practically yesterday, just 19 years ago, to the 18th of August 2003, when the Nachi worm began infecting computers to remove the Blaster worm and patch the vulnerability which Nachi and Blaster both exploited. So the original Blaster worm, which I'm sure we've covered around this time in previous years, was around in the wild from the 11th of August 2003, and it's believed to have been created after security researchers from the Chinese group X-Focus reverse engineered the original Microsoft patch.
This is obviously following repeated notifications by the manufacturer that you should install this patch because it could be really bad if you don't. So whilst Blaster was rapidly spreading through networks infecting Windows 2000 and Windows XP machines, there was light at the end of the tunnel. So the Nachi worm, which is also known as Welchia I believe, began exploiting the exact same RPC vulnerability as the Blaster worm. However, unlike Blaster, it first searched for and then deleted Blaster if it was present, and then downloaded and installed the security patches from Microsoft that would prevent further infection by Blaster. And then, to clean up after itself, the worm was programmed to self-remove on the 1st of January 2004 or 120 days after processing, whichever came first.
So a worm which we place in the chaotic good category.
And I feel like we just don't get good viruses anymore like we used to in the old days.
What did the nachi worm actually do?
It's like blaster, but it patched the machine instead.
So it exploited the RPC.
It was a turf war.
Pretty much, yeah.
But it was like, you know, get rid of this stuff.
Like, we don't need...
In the old days, viruses used to be good.
You know, I say good.
They used to be funny or, you know, they'd shut the machine down.
There was a purpose to it.
Yeah, Friends of the Show clearly talks about that, doesn't it?
You know, in the good old days.
The good old days.
It's all ransomware this, ransomware that.
And, you know, so many virus writers sold out and cashed in
just what used to be a good bit of harmless fun.
Well, that sounds like everything these days.
What was once harmless fun is now getting middle-aged men
hooked onto apps that demand that you record whatever's happening.
So there was something like this happened last year
where there were some vulnerabilities
in some Microsoft Exchange service.
I think we might have covered it.
And a court order allowed the FBI to go and remove...
To exploit it and then patch it.
Yeah, to exploit it and then patch it. And there was a big hoo-ha about, like, oh, it's not yours, so you shouldn't do it. But I think it's cut from the same cloth as that virus. It goes in and it, like, you know, fixes your shit for you. I, you know, it's not a Rant of the Week, but I'm struggling to see which side of the fence to land on in this one, to be honest.
I think that might be a theme of the show, looking forward to your show notes.
So anyway, our second story takes us back a mere 15 years
to the 17th of August 2007,
when Drew Curtis, the founder of Fark.com,
accused Darrell Phillips, a reporter at Fox 13,
of hacking into the social networking news site.
So for those who don't remember its popularity in the early noughties, Fark was created in 1999 by, obviously, this guy called Drew Curtis. And originally Fark contained no content except for an image of a squirrel with very large testicles, if you recall.
I don't recall that.
You don't? Okay. Well, that squirrel image is no longer used in the production area of the site, but I was surprised the site was still running. But that image can also be found on the server's 404 page, so when you hit a page that doesn't exist you'll get presented with a squirrel with the large testicles. So Fark was launched... it's basically a way of sharing news postings with friends rather than numerous emails.
Yeah.
And the first story ever posted on Fark was about a fighter pilot who crashed while attempting to moon another fighter pilot.
You know, totally worth it.
So, you know, its popularity the first year, it had sort of like 50,000 page views, and then it went, you know, a million the year after. You could post links, and then, you know, there were forums that were added, as lots of sites went through in, you know, the early noughties. But, you know, its popularity grew. I think by the end of 2007 they were averaging around 52 million page views per month from four million unique users. So quite a successful site in its heyday.
So anyway, this was all about whether, you know, he accused this guy of trying to hack into his site.
So Darrell Phillips worked for Fox.
What's his name?
Curtis is basically saying that this Trojan kept being sent to them.
It was designed to capture passwords and give people access to the Fox servers.
And in one case, it actually succeeded,
giving this hacker passwords to a file server and one of the Fark employees' email accounts.
And they tried to break into the web servers and other emails.
Unfortunately, that didn't work.
But they were able to trace the hacker back to a particular IP address
connected to this Comcast high-speed connection.
And how did they trace the hacker back
in those days, we asked? Well, at the same time, the suspect, Darrell Phillips, already a Fark member, had logged into several other user accounts on Fark, either ones he'd created or ones which he had somehow managed to get access to. But this guy also purchased, using PayPal, a subscription to the premium area of Fark, which is called Total Fark, and throughout the entire process he had the exact same IP address as the hacker.
I was gonna say not the sharpest tool in the box, but he was a reporter at Fox.
So, yeah. So, and, you know, the suspicion is, around this time Phillips' station had launched their own news aggregator site called OnMemphis.com, obviously a Fox-affiliated one, and they're saying that the hacker looks to have been searching for source code and moderation tools. So it was entirely possible that the intent was just to see how other people were doing it and sort of rip off code, which, to be fair, a lot of people did in those days.
It's entirely possible that he was looking to steal stuff.
Yeah, but a lot of people did that in those days to sort of give their site a one-up.
Isn't that what Trump's Truth Social is? Wasn't that ripped off from code from someone else? It looks very... looks suspiciously like another sort of short site which allows you to post, you know, 140 characters at a time.
Yeah, put a little tick next to your name if they think that you're a premium person.
Oh dear. Excellent.
Thank you, Andy, for this week's This Week in InfoSec.
You're listening to the double award-winning Host Unknown Podcast.
okay
time now to move on to this week's...
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
So much like Jav said about trying to work out which side of the fence to stand on for this particular thing,
I'm the same with this one. So the headline reads PC Store,
and that's a shop that sells PCs,
not a policeman in the UK called Store,
surname Store.
PC Store told it can't claim full cybercrime insurance
after social engineering attack.
So a Minnesota computer store is suing its crime insurance provider. It's had its case dismissed. Bottom line is SJ Computers alleged in their lawsuit that Travelers Casualty and Surety Company owed it far more than it paid on a claim for nearly $600,000 in losses due to a successful business email compromise attack, a BEC attack. So what it came down to is SJ Computers became a victim of social engineering and lost a bunch of money and claimed for it on their cyber insurance. The cyber insurance company, or Travelers Casualty, said, nope, we're not paying this because it was from social engineering and that's not covered by your policy. And when they appealed, it was thrown out in court.
So part of me thinks, my God, you know, people selling these cyber insurances are just wiggling out of every single opportunity to pay.
One of the quotes from the case was,
SJ Computers did not suffer a penny of financial loss when the bad actor hit send on his email messages.
SJ Computers would never have suffered a penny of financial loss
if the CEO had not opened those email messages,
or if the CEO had asked the purchasing manager about them,
or if ERI Direct had answered its phone when the CEO called,
or if ERI Direct had promptly returned the voicemail message left by the CEO, or if the CEO had waited to hear from
ERI Direct before paying the invoices. So I'm actually on the side of the cyber insurance company, because do we have to insure stupidity? And the CEO, who should know better than this. Normally it's the CEO who's the one who's been impersonated to send these messages to prompt people to make payments, etc., etc. But when the CEO decides that, actually, oh, I have to pay ERI Direct because according to this email I've received I owe them lots of money and we're going to be in trouble if we don't pay, etc. Ridiculous, ridiculous. I actually, I've made my mind up, I'm on the side of the insurance here. It wound me up, just that. So this has been thrown out, and rightly so.
There is also, I guess you could say, small print, for want of a better term.
And basically, Travelers agreed to settle with a cap of $100,000
rather than the $600,000 they've actually lost,
which I think, frankly, they should be making the most of.
They're lucky they got anything back at all.
So, yeah, folks, read your cyber insurance documents.
Find out what you really are covered for,
especially now as there's a lot of changes in your cyber insurance coverage
that's going on.
And also, really, don't do dumb crap like this,
like transfer $600,000 to a company just because they said,
send us $600,000, especially if you're the CEO.
So, Jav, what's your opinion?
I think I've got an idea.
You siding with big corporations and stamping on the little man.
That's the little person.
Well, you've got lots of experience with that.
True to form.
True to form.
True to form.
That's all I say.
And Jav being the little man.
Absolutely.
See, I mean, this is why Andy, he gets these phishing things all the time.
They're apparently from HMRC saying you owe us tax or a self-return.
And he just throws them in the bin.
But Andy's got a very good system of not getting compromised by those.
And I think the primary approach to that is don't open your emails.
Exactly.
Can't get phished if you don't read email.
No, no, that's genius. Genius.
I think this is where, you know, cyber insurance really breaks down, because when you look at how do companies actually get breached, yeah, number one by all measure is some form of social engineering. And if you're not insuring against it, which a lot of them won't, then you as a company have to think, well, is it really worth taking out this insurance? Or, you know, what are we actually defending against? Because, OK, maybe you're protected against some downtime in the case of a DDoS attack or something. But, you know, a lot of these insurance companies are now putting in place lots of clauses, so, like, you know, do you have a patching policy in place? Are you more than, you know, what, that X period behind on your patches? We'll cover you. Anything more than that and you're not covered. Many asking for, like, multi-factor authentication to be put in place and all those kinds of things.
So, yeah, I mean, so say you have all of that, right? Yeah, like you've got all of these conditions that the insurer... and, like, to be fair to... I'm actually leaning with Jav on this one, because you have all... and remember last week we were talking about this new MFA fatigue?
Yes, yes.
Like that, right? So you've got everything right, all of these systems, right, absolutely everything's in place. But then one of your employees clicks approve, you know, on a push notification they didn't expect. Like, if I was the insurer, I'd say, well, that's social engineering, they fell for it, you're no longer covered. Yeah, you would not have lost a penny had your employee not clicked approve. You would not have lost a penny had you been able to detect the lateral movement of the account that was compromised, you know, et cetera, et cetera.
Yeah.
As always, Tom is wrong, but it makes sense.
You're sending $600,000. It said, because the fraudulent invoice included a change of bank account information, the CEO called the vendor for confirmation but got no response before the deadline listed on the invoice. Like anybody ever pays invoices on time, and this is the one time the CEO decides to drop 600K to meet a deadline? Come on, that's ridiculous. He just wanted it off his desk. He did not apply due diligence. He needed to have waited for that message, for the response from the company. End of story.
It was incompetence.
Why should he take more time than he needs to? He's paying a hefty premium every month for insurance.
I'll tell you why he should take more time. I can give you 600,000 reasons
why he needed to take more time.
Quite apart from the fact,
the attack was sent
because it was the purchasing manager
whose account was compromised.
Why didn't he pick up the phone
to the purchasing manager
and say, why are you giving me
this now? And, by the way, why have these bank account changes come in? Come on, you know, 600 grand.
You talk about a real ideal-world scenario. They're probably paying, like, half-million invoices on a monthly basis, probably. They probably have, like, invoices come to them all the time. They're trying to keep on top of things, trying to keep a business running. You know, in an ideal scenario, yes, oh, I should have called them, I should have picked up on these red flags, I should have done that. You know, but, you know, when people are really working and they're trying to keep a business running, they'll just do whatever. They'll take shortcuts, they'll cut corners and what have you.
So, yeah, you know, absolutely. Not saying... cuts and cutting corners and all of those, absolutely. When it comes to 600K, we're fine. Well, 500K, if you count the 100K that they've recovered.
So it's not that bad. It's not that bad.
It's about 15% less bad.
Yeah, exactly. See, I can see that Andy's on the side of the little man here, or the little big company here. But, Jav, I can see you're just doing it for the clout here.
No, nothing like that, Apple. Nothing like that.
Anyway, that was this week's...
Rant of the Week.
Feeling overloaded with actionable information?
Yep.
Fed up receiving well-researched factual security content?
Yes.
Ask your doctor if the Host Unknown Podcast is right for you. Always read the label. Never double dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in anger.
All right, Jav, your time for the stage. It's time for...
Yeah, so, you know, this is the point where Andy's probably thinking, oh, I've revoked his access to the show notes, he can't possibly do this. And he thinks, really? This is my first rodeo?
No, I know that I can still see your name on the, uh, on the watch. You'd obviously copied and pasted everything out when I made that guess.
Did you seriously lock him out?
I did.
Absolutely revoked his access to the... But I know that he had already copied and pasted the content out.
This is my Indiana Jones moment where I reached in and grabbed my hat as the pillow was coming down.
Oh, man.
See, I should have just kept quiet and just done it.
Yeah.
But like a typical villain, you can't have one monologue and gloat.
You should have just gone with, you know, no, Mr. Malik, I expect you to die on your ass.
Oh, dear.
Anyway, Billy Big Balls of the week.
I think it's a bit of an inadvertent Billy Big Balls,
but we'll say it all the same.
So, if you're a fan of pop,
then you are probably familiar with Janet Jackson's, yes, the sister of the late deceased Michael Jackson.
Sorry, I blanked on the name there.
So she released a song in 1989 called Rhythm Nation.
And it is the cause of a cyber security vulnerability.
I'm sorry, you sound like a real dad. She released a song in 1989 called Rhythm Nation.
Okay, thank you. And the thing is that if you play this song on old Microsoft laptops, it causes the laptop to crash.
Now, I know we've been talking for many years, like the world has been talking for many years about how there's certain tracks you play backwards and you can hear about satanic rituals or verses in that.
This is proof that you know
there's definitely something untoward in these music tracks. There was an investigation and
there is a CVE associated with it, 2022-38392. And what it is, is that the song contains the natural resonant frequency of certain 5400 RPM laptop hard drives.
I wondered why Twitter was talking about resonant frequencies of hard disks this week.
Ah, yes. So it was basically that, and the frequencies caused the hard drive to crash.
So it's like a really lame superpower, but it's really cool.
Yeah, so I thought that that is just, like, quality. Quality. So no word on whether, like, the CIA is now working on sending certain music CDs to Iranian nuclear power stations. Hey, check out this latest banging tune, it's called...
All right, granddad, what's a CD?
Yeah, well, you know what I mean. I think, I mean MP3, don't you? Or, in your case, M4V, which is whatever you send me.
At airports, they could be playing certain songs on arrival
to make sure that people aren't carrying particular equipment,
which could be vulnerable to these.
There you go.
Yeah, yeah.
And I guess mostly North Korean hackers
coming in with their Windows XP laptops.
Yeah.
Not the fact that the flight originated in North Korea.
That's the red flag.
We're just playing music at the airport for everyone.
Now, not that I'm suggesting that anyone do this,
but this happens on old laptops, running Windows XP, what have you.
What are the chances that if you went and blasted this out in a hospital somewhere,
you'd cause another WannaCry?
All right, if next week's story is about an attack on some NHS trust that's happened because of this, we're pointing the finger straight back at you, Jav, for putting the idea... So, yeah, I would have actually gone with ATMs rather than hospitals, but, you know, whatever.
Yeah, oh, well, yeah. But I thought it was really, really interesting, and I'm sure, like you said, Tom, there's going to be all these resonant frequency experts cropping up saying, this is my time to shine, I've been preparing my whole life for this.
Oh dear. Yeah, they were saying that it's between 2,000 and 4,000 hertz, which puts it right in the sweet spot for music, or something like that?
What are they talking about this for? Now I know. Now I know.
Anyway,
I kind of like that.
I wonder if Janet actually knew that.
Can you imagine if she actually is some kind of cyber criminal genius?
Yeah.
Brilliant.
Anyway, thanks, Jav, for this week's Billy Big Balls of the Week.
If you work hard, research stories with diligence and deliver well-edited, award-winning, studio quality content for high-paying sponsors, then you too can be usurped by three idiots who know how to think on their feet.
You're listening to the award-winning Host Unknown Podcast.
Yes, you are. And it is now that time of the day that we all look forward to. And what time of the
day is it, Andy? It is that time of the day where we head over to our news sources over at the
InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Critical infrastructure at risk as thousands of VNC instances exposed.
Industry News.
Three extradited from UK to US on $5 million business email compromise charges.
Industry news.
Software patches flaw on Mac OS could let hackers bypass all security levels.
Industry news.
Water company says supply safe after ransom group claims.
Industry news. Microsoft disrupts Russian cyber espionage group Seaborgium.
Seaborgium.
Seaborgium.
Industry news.
Healthcare provider issues warning after tracking pixels leak patient data.
Industry news.
Bug bounty giant slams quality of vendor patching.
Industry News.
Suspected Russian money launderer extradited to US.
Industry News.
Hackers deployed Bumblebee loader to breach target networks.
Industry News.
And that was this week's rather faltering...
Industry news.
Huge if true.
Huge if true.
So, Andy, that Microsoft disrupting the Russian cyber espionage group,
what were they called?
It's a good question.
I mean, some people say Seaborgerium.
Some others might say Seaborgium.
Some may say...
I have absolutely no idea.
I don't even... Do you know what?
Had I paid attention to this,
I would have given it to someone else to read out.
Yeah.
Oh, man. Oh, dear. But I can tell you they have targeted over 30 organisations, mainly defence and intelligence
consulting companies, NGOs and intergovernmental organisations, think tanks and
higher education. And if you're just tuning in, you're listening to the Host Unknown podcast,
where all three of us are breaking in teeth for horses.
So the story which I enjoyed was this.
You know this one about water companies,
says supply safe after ransom group claims.
Yeah.
So it's about a UK water company that sought to reassure
the public their supply is still safe after hackers said that they had hacked into the company, been
there for months and could manipulate the industrial processes at the firm's plant. So
this is about South Staffordshire PLC, which owns South Staffs Water and Cambridge Water. So,
you know, the hackers got in, they got a whole load of data and stuff like
that. However, the ransomware group that actually broke into it, CLOP, I believe, they actually
posted all of this information stating that they had hacked into a completely different water
company. I think they said they had owned Thames Water or something, which is a much,
a very different organisation altogether.
And so all the claims when they first went public
were about how they'd hacked Thames Water and all this stuff.
And another water company said,
it's okay, we weren't hacked.
No, so it was Thames Water, like,
guys, this isn't us, we've not been hacked.
Meanwhile, the hackers are out there saying,
yep, yep, it was.
To the point where South Staffs have now actually
put something on their website saying,
yes, it is us, not them.
But yeah.
I mean, even ransomware gangs make mistakes.
Well, I mean, they've made a whole bunch
of life choice mistakes, let's face it.
So I'm looking at this bug bounty giant.
Yeah, I was looking at that as well in front of Workout.
I was like, is it Bugcrowd? Is it HackerOne?
No, it is Trend Micro's Zero Day Initiative.
Oh, that well-known bug bounty group.
Apparently, they're responsible for nearly 64%
of all vulnerabilities disclosed in 2021.
Yeah, but does that make them a bug bounty group?
I don't know.
64%? Really?
I find that quite difficult to believe.
When it says responsible for nearly 64% of all vulnerabilities disclosed,
is that just not what they've...
I mean, it's going to include stuff like the virus,
the malware attempts to exploit as well, right?
Not just...
Bug bounties.
Yeah, not like application deficiencies.
That seems to have been twisted a little bit.
Well, that's what you've got a marketing department for, right?
They're not wrong in the way that they phrased it.
It's just how it's interpreted.
Lies, damn lies and statistics.
Exactly.
If someone can explain to us what's the difference between this and HackerOne, or
what have you, and between Google Labs, or whatever the Google team is that releases all the
vulnerabilities, that'll be much appreciated. Write in to us. I like the fact, on the last one,
that hackers are deploying a Transformer to breach target networks. I mean, that's pretty advanced tech right there. I know, I
know. So, do you know, actually, last week, Tom, I think you made a snide, off-the-cuff comment
about LNK files, you know, being the method of choice to exploit networks these days,
instead of, you know, any other form. And that story that you were talking about, Bumblebee,
is that the majority of their infections
are actually due to people executing LNK files.
Yeah.
Well, I don't remember making a snide comment,
but I'm sure it still holds true.
You stand by it.
I'll stand by it. Whatever it was I said.
This man has no shame.
It is impossible to shame Tom into anything.
Yeah, been there, done that. It's fine.
You know, the secret Tom has is that
whenever he feels embarrassed about anything,
he declares it, this is a kink, and moves on with it.
And that's it. So that's how he avoids shame. Because you can't kink shame.
No, it's not allowed. No, not allowed to. No, absolutely.
Absolutely. And one of my kinks is to make snide remarks.
That was a good two and a half minutes, as I recall. Right, excellent. That was very good,
a nice little round-up there. And
that was this week's Industry News.
Recording from the UK,
you're listening to the Host Unknown Podcast, and we come barrelling into the end of the show and the final segment,
one of our favourites, or at least the favourite jingle anyway. It's time for Tweet of the Week.
And we always play that one twice. Tweet of the Week. And I shall take us home with this one. And this week's Tweet of the Week is from Dildog of L0pht and cDc fame.
And he says, announcing my new certification, CCSB, Certified Cybersecurity Burnout.
If you have worked in the industry for over a decade, it is automatically conferred and may be placed on your resume and after your name if desired.
No courses or prerequisites, just your soul.
Well, see this puts me in a bit of a conundrum.
A bit of a conundrum, because if you have worked in the industry for over a decade,
you'd probably not want it to be referred to as cybersecurity. You'd want it to be information security or IT security burnout.
So the funny thing is that the majority of responses to this
sort of fall into two categories.
One which says, you know, what, have you not burned out long before a decade?
And the other is, are there any AMFs?
Because, you know, that's how they get you.
Yeah.
And the other one is, what if you didn't have a soul to start with?
Oh, everybody's got at least one soul.
I don't know.
I mean, I know this is a joke and I don't mean to distract from it.
Oh, here we go.
Go on, let's take us down.
If we can end it with something about suicide
or dying,
then you will have achieved your aim.
Come on, let's bring the show down.
Bring the tone down before we exit for the week.
Come on, what have you got, Jav?
All I can hear is some rope swinging
under tension from Jav's microphone.
that's terrible
You are such assholes. I was just going to say, I think if you stay off social media, go into the office or your home office, do your job in cybersecurity and log off at five or six o'clock, you will not burn out.
Majority of people will not burn out.
I think it's social media, going to pointless conferences, engaging in pointless debate.
That's what burns you out more than the actual job.
Feeling a bit burnt out right now, Jav?
No, I'm not at all. I haven't been to a conference in ages. I thought you said
getting involved in pointless debate. Oh, yeah, well, that's just friendly banter. I think you're right. I think you're absolutely right. I think that the challenge is, though, is you're not
necessarily going to rise up through the ranks. And that's the same not just with cybersecurity, but any kind of sort of profession.
Oh, now you're very wrong there, because I know of many.
I believe there are many very, very accomplished cybersecurity professionals out there who we have never seen on Twitter,
who hardly post on LinkedIn, and who definitely don't go whoring themselves out to speak on every CISO panel. They're just there. They do a really,
really good job in their respective organizations, and they go home and they have a life outside of
that, and they don't necessarily burn out. So to bring this full circle with what we opened with, so if a security professional doesn't talk about what they've done on social media,
have they actually done it?
Oh.
And on that note...
Tweet of the Week.
Right,
gentlemen,
thank you so much.
Jav
thank you
for
well
for doing exactly
what I expected you to do
and disagreeing with me
yeah
you're welcome
and Andy
thank you sir
stay secure my friends
stay secure
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
I think we might have to publish this one with a trigger warning.
Jav gets wound up at certain points.
I'm not wound up.
I just make my point passionately and correctly.
It's a well-thought-out point,
and that's after you lock me out of the show notes.
[laughter]