The Host Unknown Podcast - Episode 119 - Andy Who?
Episode Date: September 2, 2022

This week in InfoSec (09:07)
With content liberated from the "today in infosec" twitter account and further afield

30th August 1999: The previously unknown group Hackers Unite claimed responsibility... for disclosing a vulnerability in Hotmail that granted access to all of its roughly 50 million users' email accounts. 13 years later Microsoft rebranded Hotmail, renaming it Outlook.
Hotmail Hackers: 'We Did It'
https://twitter.com/todayininfosec/status/1300212717656121344

31st August 2014: A user of the message board 4chan posted leaked photos of actress Jennifer Lawrence and numerous other celebrities.
Jennifer Lawrence and Other Celebs Hacked as Nude Photos Circulate on the Web
https://twitter.com/todayininfosec/status/1300537361676283905

Rant of the Week (20:21)
Here's how 5 mobile banking apps put 300,000 users' digital fingerprints at risk
Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers.
Symantec's Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in AWS credentials. That means if someone were to look inside the apps, they would have found the credentials in the code, and could potentially have used that to access the apps' backend Amazon-hosted servers and steal users' data. The vast majority (98 percent) were iOS apps.
In all, 77 percent of these apps contained valid AWS access tokens that allowed access to private AWS cloud services, the intelligence team noted in research published today.

Billy Big Balls of the Week (28:45)
Twitter starts testing an edit button, but you have to pay for it
Twitter is now testing its highly requested Edit Tweet feature. After years of memes and jokes, editable tweets will be available to some Twitter Blue subscribers later this month.
The feature is currently undergoing "internal testing" and appears to mimic Facebook in its edit style, with a linked edit history for tweets that we saw in leaks earlier this year. "Tweets will be able to be edited a few times in the 30 minutes following their publication," according to a Twitter blog post. "Edited Tweets will appear with an icon, timestamp, and label so it's clear to readers that the original Tweet has been modified."

Industry News (36:45)
Cryptominer Disguised as Google Translate Targeted 11 Countries
Baker & Taylor's Systems Remain Offline a Week After Ransomware Attack
ICO Pursues Traffic Accident Data Thieves
UK Imposes Tough New Cybersecurity Rules for Telecom Providers
Evil Corp and Conti Linked to Cisco Data Breach, eSentire Suggests
Golang-based Malware Campaign Relies on James Webb Telescope's Image
Microsoft Finds Account Takeover Bug in TikTok
Standards Body Publishes Guidelines for IoT Security Testing
Apple Releases Update for iOS 12 to Patch Exploited Vulnerability

Tweet of the Week (43:42)
https://twitter.com/SunTzuCyber/status/1565192484380188672

Come on! Like and bloody well subscribe!
Transcript
So that last show, the quality was bad, the audio, the stories, the running order.
It was just a car crash.
Well, sorry you feel that way.
I mean, we've done the best we could with the podcast.
What do you mean, we?
I'm talking about the Smashing Security podcast.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are. Join us and welcome to episode 119 of the Host Unknown podcast. As you can probably gather, Andy is not with us this week. So
this week, the role of Andrew Agnes will be played by Mr. Javad Malik. Heaven knows that's a tough role to fill. Well, it's a big role to fill.
Well, it's just big.
Oh, Jeff, how are you?
I am dying with man flu.
Have you got bird flu?
I've got man flu.
Hopefully it's not bird flu.
Oh, my God, it really is serious.
It is serious.
It's worse than bird flu, COVID.
It's worse than monkeypox.
It's the absolute worst.
In fact, it's monkeypox, COVID and bird flu all rolled into one, isn't it?
Yeah, yeah.
I mean, you might as well just give birth.
It would be less painful.
Oh, yeah, of course.
Birth is so easy.
It's overrated.
I mean, like...
It can't be that bad.
I mean, there's a lot of us on the planet.
There is.
Quick disclaimer, these are jokes, by the way.
These are not the honest held beliefs of this team.
Oh, well, no.
Tom actually does hold on to these beliefs.
Let's cancel him, everybody.
What, again?
So how's your week been?
So my week's been okay. I was actually, like, took advantage of the long weekend that we had, because Monday... there was a bank holiday here in the UK and, as you're well aware, and as I keep telling all of my colleagues in America, the Queen forbids us from working on a bank holiday. So even if I wanted to, I'm not allowed by law to reply to any emails. But I took a couple of extra days off and the whole family went up to Bournemouth Beach for a few days.
Ah, right, yeah, Bournemouth's nice.
It was very nice, very nice. Yeah, the hotel we stayed in... and this is where, you know, this is why people say, you know what, why do people have issues delegating tasks? And I'll tell you why I have issues delegating tasks. So there's family friends of ours and we normally go together, because, like, kids get on and, you know, what have you, everyone's got some company. And I let the gentleman, who shall remain nameless, book everything.
And I think he managed to book us into a hotel in 1989.
It was absolutely dire.
It was terrible.
I will send you some pics, Tom.
But it's like, you know, when you're a kid and you,
you know, in the 70s and 80s, you have those floral pattern carpets and really, really dated bed sheets.
It was really, really bad.
Please tell me there was a cathode ray tube television.
No, they were modern TVs, but they were so small.
It was like a 13-inch TV on the wall, and it had the old aerial cable and a cable TV cable coming in, and it was trunk.
The trunking was like there's plastic trunking on the outside of the wall that hadn't even been painted.
The sort of thing you do when you rent a house.
Yes, yes.
And what was it?
The TV remote didn't have a cover for the battery thing,
so you would just throw tape around it.
It was honestly the worst thing ever.
But then I...
Oh, excuse me.
But then I picked up the news and I saw that Tom Langford had died.
So then I felt a bit better about myself.
Yes, it's true. I got a Google alert yesterday saying that Thomas Langford died peacefully.
A few days prior. And I was like, oh, my God, is this like the sixth sense?
You know, am I just walking around interacting with
people and thinking that I'm alive, you know. But no, this particular gentleman was born a little after me, in 1922.
Oh, oh, oh, young chap. Wow.
Yes, exactly, exactly. No stamina, no stamina whatsoever. But yes, it was an interesting one.
It was pondering one's own mortality through my namesake.
I think it was in the US somewhere, actually.
Well, rest in peace, Mr Langford.
Yes, indeed. Indeed. Indeed.
So you do sound a little under the weather. So, are you going to be doing many of the stories today, or should I just throw them all your way?
None your way. Well, you can throw some my way. How legible I will be, or how much sense I'll make, won't be much. So, as you said in the beginning, I am playing fully the role of Andrew Agnes today. I am a method actor, so I'll even give no value whatsoever. And in fact we haven't even decided who's doing what stories yet, have we? So who knows what could happen. While we decide about that, how was your week?
It was very good.
It was very good.
In London, Tuesday to yesterday, busy days, busy evenings.
It was good.
It was very good fun.
Making progress.
You know, it's slow and steady wins the race, but we're slowly getting there.
So, yes, I guess what I'm saying is I haven't been fired yet.
Well, you know, if you are thinking you're going to get fired,
look at what Mudge has done and just copy the playbook.
Your last 90 days, just think of it like that in every aspect.
So start gathering material to throw at your employer. Just start stealing stuff, basically, should they want to fire... should they end up firing you.
Yeah, so take a hard drive in and start storing all those documents.
Well, I'm not going into the hows and the whats and the whys. I'm just talking about principles.
Yeah, you don't want to get technical, because I know you're not too technical, are you?
What's a hard drive?
What are these electronic records? Um, yeah, yeah. And apparently the fat orangutan incriminated himself on his social platform, didn't he?
Apparently so. I have not read into any of that.
So he showed a picture and then basically said, this is not how the files were stored.
They were stored in cartons.
And the FBI just threw them down on the floor to photographically share what they found.
We weren't even allowed in the room while they did this.
So you admit to having them in your possession then.
Oh, man.
So, you know, any future employers of me,
I will not admit to having any previous employers' documents on me.
A wise move. Wise move.
Indeed. Indeed.
Shall we see what we've got coming up for you today, with some proper music playing at the moment as well, I might hasten to add, none of this modern noisy rubbish that was on there last week. So, This Week in InfoSec takes us on a trip down infosec memory lane. Rant of the Week takes phoning a friend to a new level. Billy Big Balls says you can edit history to your liking.
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week gives us applicable wisdom from Sun Tzu.
OK, so let's go to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
Why don't we split this?
Why don't you take the first one and I'll take the second one?
I think the second one's definitely more my line.
Oh my God, just because it's easier, it's not as technical.
I only know the second story as well, but okay. The first story takes us to 30th of August 1999, a mere 23 years ago. The previously unknown group, Hackers Unite, claimed responsibility for disclosing a vulnerability in Hotmail that granted access to all of its users, roughly 50 million email accounts. Now, these guys were not malicious hackers; they announced the hole to the Swedish media.
Well, it was the 90s. None of the hackers in the 90s were malicious, right?
No, no, no, they weren't. They basically disclosed the hole to the Swedish media to draw attention to what they say is Microsoft's spotty security reputation.
And anyone...
Which it was the 90s, so yes, it was.
Yes, yes.
They said that we did not do this hack to destroy.
We want to show the world how bad the security on Microsoft really is and that
the company nearly have monopoly on all computer software.
A 21-year-old Swedish member of the group SET,
whose nickname is Darkwing, and...
What is that?
Darkwing is... Is it Dick Grayson?
And he graduates from Robin and becomes Darkwing.
Ah, yes, I saw that on Titans.
Yes, that's right, superhero.
I think it's Dick Grayson. It's one of them, anyway.
Yeah, it's one of them. Yeah, I think it is Dick, yeah.
But, you know, how little has changed?
I think this is still an issue that many researchers,
we call them researchers these days,
security researchers run into these days,
is that they find a vulnerability, they try to disclose it,
they don't really get very far with it,
they then go public with it,
and then this whole, you know, argument ensues.
It's, I mean, with the bigger companies,
I think with the advent of bug bounties
and what have you,
things have slightly gotten better.
But this mentality
or this whole underlying issue
still happens.
And what was interesting in this story,
which was on Wired,
they said that Microsoft started scrambling to fix the problem at 2 a.m. on the day it was released and had the initial fix up at 10 a.m.
Wow.
And a subsequent variant of the problem was fixed around noon. So within about 10 hours, you know, Microsoft had fixed the issue. And then the incident, and this is something that I think is relevant, and it's as relevant then as it is today: the incident did not faze Wall Street. In the late afternoon trading, Microsoft's stock was at $92.25, down one point. So, yeah, security incidents didn't cause any issues back then.
They don't today.
And 13 years later,
Microsoft rebranded Hotmail,
renaming it to Outlook.
Yeah.
It was very confusing when Outlook first came out.
I must admit.
It was.
Hang on, Outlook.com.
But Outlook is my mail client. That's not what... It was very odd.
Very odd. I mean, a 10 hour fix is actually not bad. It's just a shame that they did it on the back of being told about it, told about it, told about it, and then it going public.
Yeah, yeah, exactly.
but then again what what year was it that bill Gates went on his security spree, as it were?
That was a few years later after that, wasn't it? The early noughties?
The trustworthy computing one? 2002?
Yeah, that's it. The trustworthy computing, yeah.
Yeah, yeah. Thank you, Google, for saving me.
Oh, dear.
Right, I'm going to take the second one.
So 31st of August 2014 is probably a date etched into many male teenagers' brains, because it was for many of them probably some kind of sexual awakening, subsequently branded the Fappening, a fap being a euphemism for a little bit of self-love. So the user of the message board 4chan posted leaked photos
of actress Jennifer Lawrence and numerous other celebrities.
And it turns out that these were photos that were stored on,
I think it was iCloud, wasn't it?
It was.
And they didn't have 2FA or MFA enabled on the accounts.
And I'm trying to remember now how the passwords actually got out.
I think it was just a bit of good old cracking. But as a result, there was a flood of images of naked, semi-naked,
suggestively posed photographs of various celebrities. Obviously, a large, a huge kickback
in the media, but what I remember most from this was actually the thing that, Jav,
you take a lot of pleasure in doing,
which is the victim blaming that came out of it.
And everybody's...
Sorry, what?
Excuse me.
I was waiting for you to pick up on that.
The only victim I blame is when you get hit by a bus.
See? See, listeners?
We see his true colours come out.
When he hasn't got Andy to temper him.
No, but, no, seriously,
there was a huge amount of victim blaming.
Oh, these celebrities shouldn't be complaining if they, you know,
those photos wouldn't have been leaked if they hadn't taken them, etc, etc.
But, of course, it was a massive breach of privacy.
And I think it was probably one of the first things,
first sort of incidents of its nature that paved the way for things like revenge porn laws
and things like that, so that it is actually illegal to post nude photos
without the person's explicit approval, etc.
So it was a good thing in a sense, but yeah, very, very dramatic at the time. And I think it definitely made mainstream news as well.
Yeah, yeah, no, it was a really, really unfortunate incident. And, you know, it was really sad for all the people impacted, because there were so many celebrities in that.
And it's just like, you know, these were personal pictures that people took for their partners or for themselves or what have you.
And, you know, it's not the first time something like this has happened
because, like, you know, everyone's heard about the Pam and Tommy tape
that got stuck.
Or the, what was that, Blue Peter presenter,
the one who had his video leaked as well.
Oh, yes.
He had a threesome, didn't he?
Yeah, yeah.
And anyway, these things have,
I think it's the sheer volume and the ease
at which these pictures were accessed.
And I think there might have been some, what do you call it, some PA or some publicity sort of shared accounts, basically, with their PAs or their publicist or agency or what have you, that caused it. Which is why they couldn't set up MFA on it. And sometimes it's just really easy to forget how, like, you take a picture and everything's suddenly, like, uploaded from your camera roll to iCloud and synchronized across every device and what have you.
Yes, as you've experienced in the past.
Yes. So, yeah, I think it's right that, you know, we've had all these laws like revenge porn and everything put out there. But it's just so difficult, like, for the average person out there. They enable all their sharing features as default anyway, because it's easy. If you lose your phone, if you get a new phone, everything's still there. If you move from your phone to your desktop, everything's still there. I actually read this story not too long ago about these parents, and they were worried about a spot on their son's private area, somewhere around there. There was a spot or a boil or something, so the father took a picture, sent it to his wife and she sent it to the doctors.
That's right, it was an infant, wasn't it?
Yes, yes.
And, yeah, guys, you know, getting caught up in all sorts of child porn sort of accusations.
Yeah, yeah, yeah, exactly.
And, well, the moment we as a society move away from objectifying naked bodies and, you know, personal lives, the better, to be honest with you.
I mean, jeez, it's not like we haven't got one of our own, is it?
No, I mean, I objectify myself every day and that's all I need.
Quick 30 seconds every morning, then a shower.
Excellent, thank you.
That was this week's.
This week in InfoSec.
In 2021, you voted us
the most entertaining
cybersecurity content
amongst our peers.
In 2022, you crowned us
the best cybersecurity podcast
in Europe.
You are listening to the double award winning host unknown podcast.
How do you like them apples?
Indeed. Right. Let's get to the angry part of the show, shall we?
And it's the part of the show that we call.
Listen up. Rant of the week. It's time for Motherf***ing Rage.
All right, I'm going to take this one as is tradition. So, five mobile banking apps put
300,000 users' digital fingerprints at risk. How, you might ask? Well, as I rapidly try and read ahead on this document,
what actually happened was, so these are apps, they contained private data, biometric
digital fingerprints used by these apps. And it was basically down to developers leaving hard-coded credentials in their code,
in their Amazon Web Services code.
So Symantec found this out.
It's their Threat Hunter team.
And it discovered 1,859 publicly available apps, both Android and iOS,
containing baked-in AWS credentials.
So just to sort of make it a little bit more simple,
applications have to talk to other servers and other services,
and you need credentials to do that.
A shortcut when you're developing, in the early stages of developing,
is to type into the code rather than using an API or some far more secure approach.
You just type into the code, log in with this username, log in with this password.
There's no 2FA or any other kind of authentication used.
The problem with this, of course, is that that username and password is stored in clear text.
And if you look at the code, you've got the password. So I won't say it's a perfectly valid way of developing applications
because I don't think it is, but it's a very common way of doing it. And in 99% of the cases,
when the code is moved from build into testing, those credentials are removed and proper authentication protocols
are put in place. So with that data available, it doesn't take much to find out these credentials.
Interestingly, the vast majority, 98%, of these were iOS apps. Now this is interesting, because iOS apps have to go through really quite a rigorous testing procedure through Apple. In fact, it's quite draconian in some cases, with plenty of developers complaining about how strict it is.
But notwithstanding that, which I think is probably another rant,
77% of those apps contained AWS access tokens
that allowed access to private AWS cloud services,
meaning, therefore, that all of the data in those Amazon S3 buckets
and cloud services, et cetera, was available to anybody who could fairly easily find these
credentials and log on to them. And five of these were mobile banking apps. Now, mobile banking or banking generally is probably one of the most regulated and scrutinized areas of Internet activity,
given the really quite devastating impact it can have when things go wrong. So to have these five banks creating applications and, in theory, quality testing them
and quality assurance of them and security testing them and not realising that something as
fundamental as having open clear text credentials within them, not finding that, is frankly inexcusable. And I do hope that these banks will be held to account for this, because the level of suffering this can result in for the end user is awful. You know, loss of virtually everything. You know, it could result in the loss of the house, loss of job, loss of, you know, loss of income, loss of savings, et cetera, et cetera.
Absolutely, you know, life-destroying.
So if you're one of those five banks and you're listening,
come and sponsor the Host Unknown podcast
so you can put your side of the story across.
So just to clarify,
I thought all of these only store the fingerprint hashes
and not the actual fingerprint mate itself.
Well, I think that's the idea, right?
Yeah, I'd be very surprised.
I mean, I find it really surprising
if they are actually 300,000.
But I think the point is they're baked in credentials,
so you could ostensibly cut and paste them and they're valid,
rather than actually using some kind of proper authentication process.
I will have to read this in more detail.
I'm not disputing the fact this is a rant-worthy topic.
I think broken authentication, exposed AWS buckets and stuff is terrible.
I'm not entirely convinced that the headline is doing justice to the severity of the issue.
That's where I'm losing a bit of it. But then I am on death's bed with man flu, so I could be reading this wrong.
So, in one case, a provider of internet and communication services gave out a mobile SDK, a software development kit, to its customers to use to access its platform.
That SDK contained the provider's cloud infrastructure keys exposing all of its customers' data,
including financial records, employee information, other information, etc., that was stored on the platform. And the reason it did that was because the SDK had hard-coded AWS tokens
to access an Amazon-powered translation service.
So they provided this SDK to gain access to one part of their services.
However, the token itself granted access to everything, all of those providers' back-end systems, rather than just the translation tool.
That happens a lot in misconfigured AWS buckets.
That's not the issue.
I was just curious about the fingerprints
and whether they're actually fingerprints
or if they're properly hashed and, I assume, salted,
then it's not so much of a big deal.
I mean, it's data leakage.
It's a big deal because you can
still rainbow table those
hashes. Well, not if they've been
salted.
If they
have.
Yeah, I mean, I'd be really
surprised if someone was just using a shot.
I take that back.
Nothing surprises me.
Yeah, exactly. Yeah, exactly. But I do think that, you know, yes, there's mistakes we made. If you're writing a little, you know, shitty tank game for iOS, you could possibly be forgiven for this, as long as you're not taking, you know, payment data and all that sort of stuff. But, you know, a mobile banking app that you install and you provide your data through, which then in the background exposes it to, you know, to anybody who's got access to that SDK, for instance, it is just inexcusable.
Rant of the Week.
Attention.
This is a message for all other InfoSec podcasts.
Busted.
We caught you listening again.
This is the Host Unknown podcast.
OK, it's now time to move on to this week's Billy Big Balls.
Billy Big Balls of the Week.
So, Twitter has started testing a drumroll edit button.
Woof.
It's only taken a decade.
Yeah.
It's probably the most highly requested feature. There have been years and years of memes and jokes and everything and what have you. The feature is currently undergoing internal testing, but the Billy Big Balls move here is you have to pay for it. It's only available to some Twitter Blue subscribers later this month.
What?
Yes, yes, yes. You know, so Twitter have finally started to monetize their app, and they've decided to do it on the singular most requested function
in the history of Twitter.
Yes.
Yes.
Bastards.
Exactly.
And, you know, if Twitter has nothing, they have the audacity.
Let's just put it that way.
What? The audacity.
The audacity.
Ah, I see what you did there.
That's very good.
Mr. Dorsey, hey?
Hey?
Yes.
Yes, we got the joke, Tom.
I need to explain it and devalue it.
Your listeners might have.
You know the average intelligence of one of our listeners, right?
You were telling me this just before the show.
Oh, man, this is such a car wreck.
Andy, where are you?
I'm kicking a man while he's down.
It's so easy.
So the feature apparently is going to be a bit like how Facebook has a Twitter feature. So there will be some metadata there. It will show you that it's last been edited, and you probably can click on it and it might give you some info as to what was edited.
I hope so. I have to say I hope so, because otherwise we're going to be in a realm of people rewriting history here, right?
Yes. Yes.
And, you know, this got me thinking and we sort of got to go a bit off track here because that was all I was going to talk about on that.
And it's our show and we can do what we want.
Yeah, but there's something about editing and the standards about retroactively going and changing stuff. So you see, normally in a good blog or public or journalistic publication, they will have at the top, like, "Edit: updated" or "Story updated to include names of so and so or details of so and so". So it's not like you can't go back and edit something, but you should give the full trail, so to speak, so that, yes, things are kept in, the integrity is maintained, like the blockchain. But then I was reading a few weeks ago that Stranger Things, and I've not seen the show yet, but there were some continuity errors in some of their earlier episodes. And what they did is they went back and they fixed them digitally and then pushed them down. So now if you start watching Stranger Things, you'll get the correct version. It's like a patch on your TV show. So, yeah, you know, sometimes you see, like, oh, there was a coffee cup left in there.
So what they might do is like digitally remove the coffee cup
and then push it out to Netflix and say,
okay, now there is no coffee cup.
So, ha ha.
Or like, was it Cargo Shorts Guy in The Mandalorian?
Yeah, yeah, exactly.
So all that kind of stuff.
And Kindle or digital books have been doing this for a while as well.
So if there's something that is incorrect, like a formatting issue, rather than publish a whole new edition or version, you just silently push it out.
So it's edited, which is from a convenience point of view and what have you, I get it.
The problem is you can easily see how this stuff can get misused, especially by some regimes.
And what have you to edit history.
And without the proper trail or evidence or the integrity maintained, you could end up with some pretty dodgy stuff. Or you could have, like, text, you know, "oh, we do not believe in evolution, we believe in so and so, therefore this textbook now must be edited". And, you know, imagine a government changing that so that the curriculum suddenly changes. And, you know, so you don't even need to go and burn books or change documentaries
or what have you.
If the pals at me say, this is how we want it to be reflected,
you can start making small, small changes.
And I think that's what we need.
So we're not going to have big book-burning parties.
We're going to have book-editing parties.
Yeah, you just click the button and it just silently pushes out
to every device out there.
It's not quite so dramatic, though, is it?
No. I mean, let's have a bonfire anyway, right? That seems to be the answer to most things.
Yeah, yeah, yeah, pretty much.
So that's all I'm saying with the Twitter edit button. I'm glad that there's some sign there that apparently it will show you that it's been edited, but you need to think about how it could be misused and what you're going to do about it.
Yeah, and I think you're right. As long as there is some kind of chain there, as long as there is some kind of record that shows this is what it was originally and this is what was changed, a bit like Wikipedia does.
Yeah, yeah, exactly. Because I remember, like, years ago using Facebook, and then there's this joke, what you could do, you could post the status, something really upbeat, like, oh, you know, I got a promotion at work
yeah and then you wait for your friend to say,
oh, congratulations, that's really good to hear.
And then you edit your post to say, my cat just died.
And then you reply to them and say, you're so insensitive.
And as a joke, it's fine.
But, you know, you could see how...
But that's exactly what you could do, right?
Yeah.
Yeah.
Yeah.
All right, Mr. Dorsey, if you're listening, come on, man.
It's not good. Not cool.
Billy Big Balls of the Week.
Feeling overloaded with actionable information?
Yep.
Fed up receiving well-researched, factual security content?
Yes!
Ask your doctor if the Host Unknown podcast is right for you.
Always read the label, never double-dose on episodes.
Side effects may include nausea, eye-rolling
and involuntary swearing in anger.
All right, so without Andy here,
we haven't got anybody to tell us the time, have we really?
Well, I don't know. I know that it's been at least four hours since my last paracetamol, so I can have some more, I think.
But it's also that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
CryptoMiner disguised as Google Translate targeted 11 countries.
Industry News
Baker & Taylor's system remains offline a week after ransomware attack
ICO pursues traffic accident data thieves
UK imposes tough new cyber security rules for telecom providers
Evil Corp and Conti linked to Cisco data breach, eSentire suggests.
Industry news.
Golang-based malware campaign relies on James Webb Telescope's image.
Industry news.
Microsoft finds account takeover bug in TikTok.
Industry news.
Standards body publishes guidelines for IoT security testing.
Industry news.
Apple releases update for iOS 12 to patch exploited vulnerability.
Industry news.
And that was this week's...
Industry news.
Wow.
Huge is true.
I tell you what, I'm going to struggle.
Where am I going to get my bread and buns and my shirts made this week
if all their systems are offline?
Yeah, I have no idea.
And who the hell are Baker and Taylor?
I've never heard of them.
Don't know.
Now we've got to find out.
They're one of the country's most used milk delivery float system
or something.
Milk delivery float system?
Man, you are sick with the fever at the moment, aren't you?
Oh. Apparently, Baker & Taylor are a library services company.
So what do they do?
It still doesn't say.
Oh, quite literally, libraries, as in where people go to read books and stuff.
Well, that's not good.
I mean, talk about hitting people where it hurts the most,
because libraries are places where if you don't have access to a computer
or if you can't afford books to buy and stuff like that,
or kids will go there if they haven't got anywhere else to go,
if their parents are working.
If their systems are offline, that's really destructive
to the people who can least afford it.
So whichever gang did that, you bastards.
Just saying.
Yeah.
Evil Corp and Conti linked to Cisco data breach,
and then eSentire suggests.
This is like, I'm sure Cisco would have a good idea as to who it would,
because they have all the data as to what happened and what have you.
And they're looking externally, like a pundit, like at these football games.
I think if they had done this, if the manager had done this, I don't know. I just thought it was a
very funny headline.
eSentire concludes its advisory
providing a series of suggestions to help
companies protect their systems from cyber attacks.
These include having offline
backup copies
and using multi-factor authentication.
Oh, please.
That's the whole story,
you muppets.
That's how they got free.
You and I are both, well, I have been and you are in this space
where actually, you know, you're always looking outwards
as a company to see where you can sort of provide,
where you can get your name out in the press, right,
at the end of the day.
But, you know, if you do it right, you do it in a way
that is actually valuable, et cetera.
It seems like somebody at eSentire has gone,
there's a story, what can we say about it?
It doesn't mean, it doesn't matter if it's, you know,
if it's actually what happened, but we need to say something
that's going to get us to the top of the, you know,
top of the reading list.
And it's, like, utterly irrelevant.
It is. It is indeed. And, uh, good to see the ICO
is really cracking down on the hardened criminals here. Uh, alleged illegal activity took
place between December 2014 and November 2017, so a three-year crime spree, where eight individuals conspired to steal personal data
from vehicle repair garages.
They stole the data in order to generate potential leads
for personal injury insurance claims.
Oh, my God.
Oh, my God.
I mean, good that the ICO is doing something,
but if they feel a little bit like HMRC at the moment,
they're going after the little people because it's easier.
Yeah, yeah, that's exactly, exactly what it feels like.
And I get it.
Everyone should abide by the law.
Everyone should pay their fair tax, which is due.
Yeah. Or whatever tax Jimmy Carr's accountant says is due.
Yeah.
Other than that, I mean, go after the ones that are stealing billions.
Exactly, exactly.
It's like they say, if you owe your bank £100,
you know, your bank, you're the one who's in trouble.
If you owe the bank £100 million, it's the bank that's in trouble.
I see what you're saying.
We need more credit cards.
Yeah, absolutely.
I'm going to do a whole bunch of credit card applications.
I'm going to write a script so that they all hit at the same time,
such that when it checks my credit reference,
the credit reference is still valid, but they're all hitting at the same time,
so they're all going to get accepted.
Would that work? We need Andy to tell us.
Well, we love how you started off the fiction by saying,
I'm going to write a script.
That's the...
LAUGHTER
By which I mean, I'm going to go on to Fiverr.
Oh, dear.
Excellent.
So that was this week's...
Industry News.
You're listening to the double award-winning
host unknown podcast.
Right, we come crashing into the last part of the show.
And let's get on to it for this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
Go on, you can do this one.
Oh, no, go on, you do it.
Okay.
Alright, so this one, we've got a special guest tweeter, actually.
So, many of you know Sun Tzu, Art of the War, a very, uh, ancient Chinese, uh, writer
that many, many people still like to quote and misquote. And apparently this, uh, Sun Tzu has got
an actual Twitter account at Sun Tzu Cyber God. You don't want to say that without your teeth in, do you? And the tweet goes,
the enemy does not check your risk register prior to attacking.
Sun Tzu, The Art of Cyber War.
Very, very true. Very true.
They knew a lot in those ancient Chinese times, didn't they?
They did. They did.
Did Sun Tzu say anything about, um, the scope of systems that they were allowed to attack? Indeed, the scope of applicability.
Absolutely, absolutely. The enemy does not check your risk register, nor, and I think this is the expanded quote, nor care for your scope of applicability.
Yes, yes, yes, yes, yes. That's very good, very good.
No, I think it's funny, but it's also very, very true. There's this, yeah, whole sense of security
that comes along with, well, we've done, you know, this scan, or we managed to get ISO
27001 certified, and whatever it might be.
Or we accepted the risk.
That is the magical phrase.
Indeed.
And it's true.
You know, we do accept the risk on these things, right?
Because we have to.
It's important.
But, yeah.
Very good.
That was this week's...
Blimey, Jav.
Just as a piece of advice,
every four hours you can take paracetamol
and then you can intersperse that two hours later
with ibuprofen.
Yes, I will be doing that.
So you basically don't need to go more than two hours at a time.
And it's a great trick.
And it'll keep you drugged up throughout the day.
So you don't have to be careful about what you say.
I mean, you might get arrested for something you tweet at some point.
But other than that, you should be fine.
Yes, I should be fine.
Yeah, thank you for that.
Folks, keep an eye out for Jav's tweets later today.
Anyway, Jav, thank you so much.
We've, well, we filled the time.
Do you know what?
We barely even mentioned him, did we?
Who?
Exactly. Exactly.
Exactly.
Geoff, thank you very much.
You're welcome.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit
channel, Worst Episode Ever, r/smashingsecurity.
I'm gonna go lie down and die now, so thank you for coming. I mean, the thought of running this by myself,
my God. I mean, it's boring enough talking to you two alone, let alone me by myself.
Well, you know, it wouldn't be the first time you'd be saying this to yourself.
Yeah, it's Tuesday.