The Host Unknown Podcast - Episode 120 - The End of an Era
Episode Date: September 9, 2022

This week in InfoSec
With content liberated from the “today in infosec” twitter account and further afield

6th September 2011: Luis Mijangos received a 6 year prison sentence. His crimes included se...xtortion, stealing financial info, and webcam monitoring.
California's "Sextortion" Hacker Sentenced to Prison
https://twitter.com/todayininfosec/status/1302770088471298049

3rd September 1995: The online auction site, eBay, is launched as “AuctionWeb” by Pierre Omidyar. The first item sold, a broken laser pointer, wasn’t actually intended to sell, but rather to test the new site, itself started as a hobby. Surprised that the item sold for $14.83, Omidyar contacted the buyer to make sure he knew the laser pointer was broken, to which the buyer replied, “I’m a collector of broken laser pointers.” From that first $14.83, Omidyar is now worth billions of dollars.

Rant of the Week
Halfords slapped on wrist for breaching email marketing laws

Bike and car accessory retailer Halfords has found itself in the wrong lane with Britain’s data watchdog for sending hundreds of thousands of unsolicited marketing emails to members of the public.

According to the Information Commissioner’s Office, it fined the business £30,000 for dispatching 498,179 messages to folk that hadn’t provided consent, equating to a £0.06 penalty per email.

The decision relates to a direct marketing mailer that Halfords sent electronically on July 28, 2020 concerning a ‘Fix Your Bike’ government voucher scheme. This gave recipients up to £50 toward the cost of repairing a cycle in any approved retailer in the UK.

Unsurprisingly, Halfords' marketing email urged the individuals to book a free bike assessment and redeem their voucher in store, meaning this was marketing designed to generate income for the company. As such, the advertising of the service meant Halfords couldn’t rely on ‘legitimate interest’ to send the mail, which the ICO said it had done.
Billy Big Balls of the Week
How the ‘man in black’ was exposed by the Russian women he terrorised

A Russian police officer's takeaway food order was the breakthrough clue which helped a group of women, who had been terrorised by him, reveal his true identity. The women, mostly aged between 19 and 25, had attended a rally in Moscow in March against Russia's invasion of Ukraine. They were quickly rounded up by officers and put in the back of a police van.

Most of them didn't know each other, but despite the circumstances the atmosphere was upbeat. They even set up a Telegram group chat as they travelled across the city to Brateyevo police station.

What happened next was far worse than they anticipated.

Over the next six hours they suffered verbal and physical abuse that, in some cases, amounted to torture. One woman says she was repeatedly starved of oxygen when a plastic bag was put over her head.

The abuse was carried out by the same unnamed plain-clothes officer: tall, athletic, dressed in a black polo neck. In their group chat, they gave him the nickname the "man in black".

Two of the women, Marina and Alexandra, secretly recorded audio on their phones. In one, the officer can be heard shouting about his "total impunity".

But if his aim was to intimidate them into silence, he would fail.

Industry News
KeyBank's Customer Information Stolen By Hackers Via Third-party Provider
London's Biggest Bus Operator Hit by Cyber "Incident"
Meta Fined $400m in Ireland For Children's Privacy Breach
Interpol Busts Asian Sextortion Syndicate
UK Privacy Regulator Fines Halfords for Spam Deluge
InterContinental Hotels Confirms Cyber-Attack After Two-Day Outage
NATO-Member Albania Cut Ties With Iran Over Cyber-Attack
The North Face Warns of Major Credential Stuffing Campaign
Researchers Reveal New Iranian Threat Group APT42

Tweet of the Week
https://twitter.com/SwiftOnSecurity/status/1567378788991868928
https://twitter.com/ememess/status/1567544425869606913

Come on! Like and bloody well subscribe!
Transcript
We've reached the Coughlin Brothers mortuary.
We are deeply sorry we are unable to come to the phone right now,
but if you leave your name and number, we'll get back to you as soon as is humanly possible.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening
From wherever you are joining us
And welcome to episode 120
The end of an era
124
Of the Host Unknown podcast
We know it was Her Majesty Queen Elizabeth II's favourite podcast. She wasn't able to make it to come on air with us, unfortunately,
in the few years that we've been online,
but we now know that it will forever never be.
And long live the King.
Indeed.
Talking of kings, Jav, how are you?
Oh, my back is hurting.
My neighbours are being
really noisy because they're getting a
garage converted in the back
of their garden.
And why are you laughing?
Have you just become old man
Malik all of a sudden?
My back's hurting, the neighbours are noisy.
So, been a good week then, has it?
Yes.
Any more back passage shenanigans?
Well, the neighbours, because they're having
their garage built, like knocked down
and built properly, the full width,
like how I've done,
they've got one of those mini diggers coming in and out
from the side, the access road.
And because it's been raining all of a sudden,
summer's just like slammed on the brakes and it's been raining.
It's just like a muddy puddle, a massive...
It's impossible to get through there.
I'm going to have a word with them to make sure they repair
the road before they finish.
Victor Meldrew Malick.
Incredible.
I was going to say something that I've completely forgotten what it was. Andy, how are you? Are you feeling old and grumpy?
I'm not feeling old and grumpy, but
obviously I won't run it too much, but it has been an emotional week. Obviously it's been a week
we received some sad news, and even though we always knew the day would come, and, you know, the protocol which has been practised over and over, I don't
think you can ever really prepare for the emotion when, obviously, Operation Stamford Bridge was
finally executed. And this is, you know, we received the news that Thomas Tuchel became the
21st manager since the year 2000 of Chelsea FC to be sacked.
I thought you were talking about Troy Hunt releasing his new book.
No, I mean, very sad news to hear that.
I saw the Cliff Notes or the sort of intro for it.
It's a collection of blog posts, I understand.
Not just the Cliff Notes.
We've read it all before if you've read his blog. Well, exactly.
the only
thing I'm worried
about to come out
of this is
Jav getting
any ideas
you know he's
got a long
history of blogs
yeah
and there's
always the
potential of
you know
Javad the movie
a collection of
YouTube videos
which
Oh, that is genius, isn't it?
Oh, that is such a good idea.
We're going to see him lose weight,
gain weight, gain more weight,
lose a little bit of weight,
gain more weight.
See his beard getting whiter and whiter.
It's going to be like watching Oprah Winfrey.
Yeah.
Oh, dear. But yeah,
and then hopefully
he will ask us to, you know,
write some forenotes for it.
Or, you know, foreword.
Yeah.
Yeah, forewords.
don't read this book
yeah
seen it all before
seen it all before
it's copied content
it's claiming credit
for other people's work
yeah
Come on, Troy.
You know, in fairness, mate, publishing a bunch of blogs,
that's the sort of thing Jeremy Clarkson does.
You know?
I mean, really, really.
Hopefully, hopefully you've got some original content in there from Scott Helm.
Hopefully he's done a chapter or two for you.
Yeah.
Yeah, we hope.
We hope.
Well, Lass, how's your week been going?
Well, do you know what?
I've decided to
take up extreme running, mountain climbing and sub-aqua diving this week, all to justify
your new Apple purchase. Absolutely. I need that new Apple Watch Ultra or whatever it's called,
and the only way you can have one of those on your wrist and not look like a bit of a knob is if you do one or all of those extreme sports.
Yes.
Okay, yeah, no, it makes sense.
So you are selling items, I guess, to fund this,
or are you just going to add it onto the credit card?
No, I'll be selling items.
Although, no, in all seriousness, I'm not going to get that new big fat ultra watch.
I think they're going to make my skinny little wrists
look even skinnier.
We're waiting till Christmas.
Yeah, well, I may well get the new Apple watch.
I don't know.
But that's almost certainly the new AirPods, AirPods Pro,
maybe the iPhone, and unlikely the watch.
Right.
See, I'm really tempted with the new AirPods,
but I do like my old AirPods, AirPods Pro, right?
Yeah.
But they're going to get even cheaper now, right?
If they still sell them.
If they still continue to sell them.
Oh, there'll be places that have got stocks.
Oh, I guess, yeah, Amazon and all those sorts of things.
Yeah, yeah.
So what, you just buy a new pair of the old ones?
Yeah, just for a backup.
OK.
Why not sell those?
No, hang on, that's not good.
Do you know what?
I would never buy anyone secondhand AirPods.
No.
No.
Well, no, in fairness, you can disinfect them and buy new silicone tips, right?
Yeah, but you know what? Yeah, no, I wouldn't. But the new ones sound good, you know, with their sort
of adaptive noise cancelling and noise transparency and, you know, blah blah blah. That's why they look
pretty cool. They look pretty cool. And come on.
You mean the stuff that Samsung's had for two years?
Yeah, but Apple are doing it right.
Samsung's had folding phones
that have got creases down the middle of them,
for goodness sake.
That's what happens when you fold something.
Well, and that's how I guarantee you
when Apple release theirs, it
ain't gonna have a crease in it. Bullshit. And it'll be called the iCrease. The iCrease.
Whatever the new iPhone has got, what is it called, the floating island or something like that, which
is really bizarre. But yeah, I don't know.
I don't know.
But, yeah, if you just joined us,
welcome to the Host Unknown Apple versus Samsung podcast,
also known as Tom versus Jav.
So shall we?
Let's see.
I don't care.
I don't care about the technology.
I just care about proving you wrong about everything you say.
And that's how it should be.
You know, everything, you know,
despite all the trials and tribulations of the week,
everything is as it should be
because Jav is just here to disagree.
Well, not always, but...
Just in public. So shall we see what we've got coming up for you today?
This Week in InfoSec takes us on a trip down InfoSec memory lane. Rant of the Week confirms
the cost for your next non-GDPR-compliant marketing campaign. Billy Big Balls is a story of how the
hunter became the hunted. Industry News
brings the latest and greatest security news stories from around the world, and Tweet of
the Week is a talking point on cyber security roles.
So let's move on, shall we, to the favourite part of the show, the part of the show that
we like to call...
This week in InfoSec.
It is
that part of the show where we take a stroll down
InfoSec memory lane with content liberated
from the Today in InfoSec Twitter
account and further afield. And so our first story takes us back 11 years to the 6th of September
2011, when Luis Mijangos received a six-year prison sentence. His crimes included sextortion,
stealing financial info and webcam monitoring. You know, that type of thing that we
always say can never happen, it's really difficult, and you'll know if someone's monitoring because
the red light will go on your camera. So this Santa Ana man hacked dozens of computers to
obtain personal data and in some cases demanded sexually explicit videos from female victims in exchange for not distributing
other images, and on this day he was sentenced to 72 months in federal prison. And the judge at the
time, US District Judge George H. King, said the defendant engaged in psychological warfare and
cyber terrorism. And what a toerag. And he specifically admitted that in late 2009
he used malicious software to hack into a girl's computer
which gave him control over her webcam
and then allowed him to take photos of her,
you know, unbeknownst to her.
That happened to Miss Teen USA, something like that,
I seem to recall, and then she became
a bit of a poster child
to push for law changes
as a result of it
Do you remember, it was around that time
it got really popular, wasn't it?
Sort of 2007 onwards
Was when all the vendors
were handing out the webcam covers
Exactly, yeah
Which I think KnowBe4 are still doing, aren't they, Jav?
He's reading ahead on the show notes to figure out what he's got to talk about later.
Okay, fair enough.
Yeah, actually, he's completely missed that.
It's so obvious that, you know,
Jav's preparation involves scrolling down while I'm doing the talking.
But, yeah, you know, in addition to, like, stealing financial info, this
guy, you know, read people's emails, IMs, watched them through their webcam, on their microphones,
and then used the information he obtained to, you know, play psychological games with them.
So basically everything your company sysadmins can do. Yeah, yeah, without the exploitation. Without
the exploitation. You know, there's been
a sociopath and there's been a psychopath. The sociopath is going to do this sort of
shit and, you know, just sort of think, dirty old man. The psychopath part revels in it and,
you know, tries to take advantage of the situation and, you know, mentally and emotionally tortures the, you know, the victims.
So, you know, when you're worse than a sysadmin, you know you've crossed the line.
I always find it fascinating how you understand the fine line differences between certain
definitions. It's almost as if you're preparing for your day in court.
Well, Your Honour, I resent the term.
Forewarned is forearmed, as far as I'm concerned.
So moving swiftly on,
our second story takes us back a mere 27 years
to the 3rd of September 1995,
when online auction site eBay was launched by a guy called Pierre Omidyar and it was originally known as Auction Web with the first item sold being a
broken laser pointer which wasn't actually intended to sell but was posted to test the new site
which in itself was started by Pierre as a hobby.
And so surprised that someone found it
and then purchased the item for $14.83,
Pierre actually contacted the buyer
to make sure he knew that the laser pointer was broken,
to which the buyer replied,
I am a collector of broken laser pointers.
Do you know what?
There's something for everyone on eBay.
From that first $14.83,
obviously Pierre Omidyar is now worth billions of dollars.
But the reason I stuck this in here was actually quite, I think,
because just, I mean,
eBay changed the way that people understand fraud, right?
Going all the way back to, you know, the fake email, enter your details here.
We looked at all the kind of common scams, the non-delivery scam, right?
Where they sort of say they didn't receive it.
The scams where the seller ships stuff with an incorrect name on the label.
So they've got like a registered post stuff and the person receives it and says,
oh, there's no one here by this name, and, you know, sends it back. The empty box scam, you know, where they put a brick in the box and say, well, you signed for it, here you go. It's like,
you know, you've obviously taken the product. Counterfeit goods. So, just on it, how's
it an empty box if they've put a brick in it? Oh, that's exactly what I was thinking.
Okay, well, technically, you know, known as the empty box,
what you're getting is just a box and a brick.
Yeah.
What if it was a brick that you actually bid on?
Is it still an empty box?
It's a good deal.
No, in that instance, it's a good deal.
Okay, okay, I'm just checking, asking for a friend, that's all. Yeah. What else have we got? Like counterfeit goods, payment outside of eBay.
Outside of eBay. So the fake customer scam, you know, where the victim calls a number, the
scammer pretends to be eBay customer service and, you know, gets their details. And what else, yeah, the gift card scam, you
know, buying stuff on there. But then, yeah, and the classic one I used to love in the early 2000s was
the overpayment offer, you know, where you list something and someone sends you a cheque
for much more than, you know, the value of the item. And it was because it took so long for cheques to
be processed by the bank
in that, you know, the money can appear in your account,
and it wasn't until the bank sort of checked, you know, 21 days later
that, you know, it was a fake cheque
that they then take the money back from your account.
So when you say this was your favourite,
are you running through a playlist of yours from the old blog book?
Are you reliving, you know, through old blog posts of yours?
It's, I wish. In the early 2000s we did a lot of, the company also actually sold
a lot of DVDs and CDs around pubs, like including the breweries. Exactly that, yeah. But we used to
flood eBay where counterfeit items would show up, and eBay actually
had a program back then, the VeRO program, like the Verified, yeah, eBay, you know, eBay Rights
Owner or something. So, you know, we'd withdraw counterfeit items, and you could actually get copies
of the DVDs that we sell cheaper on eBay than you could through our own site, purely to, you know, dissuade other people from profiting on it.
Yeah, yeah. Yeah, so, no, I've got to do it, and we did often get all these sort of scams and,
you know, the whole pay by cheque thing was brilliant. It was, you know, you'd get all
these brilliant company cheques that, yeah, people just ripping off. But yeah, no, eBay is, I think
it's sort of highlighted to the average home user a whole world of scams that existed out there. I did use it to pay off a tax bill once because I
got hit with a, you know, because HMRC decided to go back about five and a half years and go,
oh, by the way, you owe us, you know, however much. And that was when I first went on eBay, back in
the day. But since then it's become a little bit of a cesspit of scum and villainy.
Yes. Says the man who walked past Waitrose to go to Iceland.
Ambrosia custard ice cream. So what I'm saying about Iceland, Ambrosia custard ice cream.
I used to use eBay so much, and then I discovered Amazon.
And what really tipped it for me was the first time I had an issue
with a product I bought, I wanted to return it.
And how easy Amazon just made the process.
It literally was click here, print off this label,
and took it to the post office.
And by the time I got home, I had the money refunded.
Makes the scam so much easier. Yeah, I know, I know. I mean, I'm sure there's an Amazon warehouse with loads of
bricks in it, not knowing what to do. But it was, well, it was really good. And then slowly,
slowly I've sort of weaned myself off eBay. Also, because the ratings or the feedback on eBay means nothing to me.
It's like everyone's like five stars, A++++.
Excellent eBayer, five stars.
Would recommend.
Yes, yes.
Speaking of which, please leave us one of those comments as a review for our podcast.
And subscribe, in fact. Indeed.
I've got to say, Javi, you're sounding a little bit clippy and robotic.
Is that because your neighbours are being really noisy?
It's the Jav AI. Jav's not really here.
We're doing a weekend at Bernie's, Tom.
Weekend at Bernie's?
Weekend at Jav's. Don't draw attention to it. Let's just move on.
Excellent. That was
this week's
This Week in InfoSec.
In 2021, you voted
us the most entertaining
cyber security content amongst our peers.
In 2022, you crowned us the best cybersecurity podcast in Europe.
You are listening to the double award winning host unknown podcast.
How do you like them apples?
Very good. And now let's move straight on to...
Listen up!
Rant of the week.
It's time for Mother F***ing Rage!
OK, I need to breathe a little here.
There's a major injustice being done in the world.
So, bike and car accessory retailer and windscreen wiper fitter,
Halfords, has found itself on the wrong side of the law, it would seem,
with Britain's data watchdog, the ICO,
for sending hundreds of thousands of unsolicited marketing emails
to members of the public
Unsurprising, really. I mean, Halfords are not the greatest of retailers out there. They're
not brilliant. And have you noticed their stores are really smelly?
I haven't been to a Halfords for a long time, obviously. I think the last time I went was about nearly two years ago.
They just smell of rubber.
I don't know why.
Were you standing in the tyre section?
Yeah.
Actually, it was the battery section because I was buying a battery,
a car battery.
Anyway, according to the ICO, it fined the business a whole £30,000.
I'm saying that again, £30,000.
I counted the zeros here.
Just £30,000 for sending nearly half a million messages to people that had not consented to have their details used.
And that equates to just six pence penalty per email.
Now, to do the maths here, you haven't got to get much of a return to
actually find that that is, that's worth it, right? Almost. But the decision, it's relating to a
direct marketing mailer that Halfords sent on July 28th 2020, so it's taken over two years to even get to this point, concerning a Fix Your Bike
government voucher scheme, which gave recipients 50 quid towards the cost of repairing your cycle.
And Halfords said, hey, you know, did you know you've got this? You could get this voucher.
The marketing email urged people to, you know, get the voucher and bring it to Halfords,
showing that actually the marketing was designed to generate income for the company.
And so therefore, even though Halfords had said that they were sending these emails under the
banner of legitimate interest under the GDPR,
it wasn't. It was not legitimate interest. It was clearly for the financial benefit of the company.
You know, for instance, legitimate interest could be, if you bought a bike from us in the last year,
we found out that, you know, Dave in the bike building business has been putting the wrong brakes on it
and you need to bring your bike in to fix it.
That's a legitimate interest,
not there's a voucher for fixing your bike,
come and spend it with us.
And I find it shocking that marketing companies
or marketing departments are still struggling with this.
I don't understand.
GDPR is so new, though, right?
Oh, so new.
I mean, it's really straightforward.
There's very clear rules.
There's very clear layouts and structures and all that sort of thing, and yet it
still happens and they think they can get away with it, which is bizarre given you send it out
to half a million people. You know, at least one of them is going to have a reasonable idea as to
what's acceptable and what isn't, right? So, yeah, very, very odd, very bizarre behaviour here from Halfords.
Although entirely does not surprise me in the slightest,
to be honest with you, which is terrible, which is terrible.
So basically you're saying that it's potentially worth it,
6p a person, that's how much it's going to cost you.
That's the other part that,
that's the message this is sending. 30 grand is nothing to a company the size of Halfords. They
just got a fire day from maintenance and bike building and they've made that money back straight
away. Unbelievable. Yeah, absolutely unbelievable. Shocking. Extremely shocking. Indeed. I didn't hear any of that
story because for some reason my laptop decided to kick me off, and now I'm back and I can't get
Krisp to work. I know, because we can hear the drills in the background.
Ah, no worries. Anyway, whilst I calm down from this, we will do our best to continue the recording
despite your noisy neighbours and your sore back.
Rant of the Week.
Feeling overloaded with actionable information?
Yep.
Fed up receiving well-researched, factual security content?
Yes!
Ask your doctor if the Host Unknown podcast
is right for you.
Always read the label.
Never double dose on episodes.
Side effects may include nausea,
eye rolling and involuntary swearing in anger.
Okay, let's take the doctor's advice and move on to Jav and his.
Okay, so this is quite, I've read this story, I was fascinated and traumatized by it at the same time.
But as you know, Russia decided to invade Ukraine. And despite what some of the media will have you believe,
not every Russian is in support of the invasion.
So there was a rally in Moscow in March against the Russian invasion of Ukraine.
And it was mainly made up of women aged between 19 and 25.
And they were quickly rounded up by officers and put in the back
of a police van, as would happen in a state like that. I say that as if something like that wouldn't
happen in the UK given the way the government's going, but that's neither here nor there.
Well, that's it. That depends on if they've entered the country illegally or not.
Or, well, you know, or whether you want to strip them
of their nationality. Yes, absolutely. Okay, so most of these women didn't know each other, but they
ended up chatting and they set up a Telegram group as they travelled to the police station.
They thought they'd get a slap on the wrist and be let go. But over the next six hours, they suffered verbal and physical abuse
that some of them said amounted to torture.
One woman says she was repeatedly starved of oxygen
when a plastic bag was put over her head.
Christ on a bike.
Yeah.
It is pretty horrific. The abuse was carried out by the same
unnamed plainclothes officer. Tall, athletic, dressed in a black polo neck
and in their group chat they gave him the nickname the man in black.
So two of the women also actually recorded audio secretly on their phone, and in one of them you can hear the officer shouting
about his total impunity. So afterwards, the women, they clearly suffered a lot, like,
psychologically and they didn't want to pretend like it didn't happen.
But they thought that if they just published the recordings, you know, and didn't do much,
the officers would probably think they could get away with it again.
So they banded together and they were like, how can we do something about this? Then
in late March there was a massive, massive data leak from Yandex Food, which
is like their version of Fubo. Yandex does cabs and food delivery and all this
kind of stuff. So the group had an idea. So they downloaded the data dump and they went
through to see if there had been any orders to that police station over the past year. And
there had been. And there were nine different customers. Could any of them have been the man
in black? Most of the data only included first names and the phone number.
So they used them to find social media profiles for the staff of the station,
and finally they came to one of the last names on the list, Ivan, which isn't really a
unique Russian name. They had his phone number, but it did reveal a trail online. Six classified adverts from the Russian trading website Avito.ru,
but most of the adverts only gave them the information they already knew, a first name.
One, however, for a Skoda Rapid car sold 10 minutes' drive from the police station, posted in 2018, included the full
name, Ivan Ryabov. With that, they could search for a picture, and almost immediately they came across the person they recognised.
So they had found their man in black through OSINT based on a data leak, and,
you know, so they had,
they reported him to the authorities. Whether or not anything
happens or not is to be seen, but I think it's an incredibly
brave move, and, like, you know, what a horrible ordeal that these ladies were put
through. But I think, you know, the fact that they banded together and technology allowed them to
go about this and identify that human, you know, shit state.
It's absolutely...
Yeah, appalling.
So two things spring to mind here.
One is, what are the authorities going to do about it?
And the unfortunate thing is, it's probably not a lot, right?
But at the very least, there might be some public shaming,
and hopefully his mother's going to give him a good clip
behind the ear if nothing else, right? Really not good at all.
Secondly, how incompetent are the Russian police
that when you're detaining people and torturing them, etc., that you let them have their mobile phones? Don't give them ideas.
But the incompetence of it is...
I think it goes back to the fact that he thought he was acting with impunity.
He was like, you're never going to get me.
No-one's ever going to...
But it does go to show the kind of environment
that these people are operating in, doesn't it?
Yeah.
That they feel that they actually have such impunity, as you say.
Blimey, the stories are not great at the moment.
We've got some really unpleasant people in here.
We do.
We do.
Oh, and Halfords, for goodness sake.
an amazing
Billy Big Balls move
yes
by the ladies
I completely agree
in fact
I would say
this
this would fall
under
look at the size
of that thing
Carol's
Cojones
Cojones
Hey,
you found it.
I never lost it.
Carol's Colossal Cojones.
Never.
Very good.
Thank you very much, Jav,
for this week's
Carol's Colossal
Cojones.
Attention.
This is a message for all other InfoSec podcasts.
Busted.
We caught you listening again.
This is the Host Unknown podcast. Time after time we just catch all these other InfoSec podcasts listening to us.
Well, you know, I was actually caught out myself just yesterday. Yes, I was
listening to a whole load of adverts. Yeah. And then the Smashing Security podcast broke out.
Really?
Yeah.
Strange.
There's like a whole podcast surrounded by all these adverts.
What time was that when you were listening?
It was that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
KeyBank's customer information stolen by hackers via third-party provider.
Industry News.
London's biggest bus operator hit by cyber incident. Industry News.
Meta fined $400 million in Ireland for children's privacy breach. Industry News.
Interpol busts Asian sextortion syndicate. Industry News. The UK privacy regulator fines Halfords for spam deluge.
Deluge.
Deluge.
Deluge.
Industry news.
The continental...
Champion.
Intercontinental hotels confirm cyber attack after two-day outage.
Industry news.
NATO member Albania
cut ties with Iran over
cyber attack. Industry
News. The North Face warns
of major credential stuffing campaign.
Industry News.
Researchers
reveal new Iranian
threat group, APT
42. Industry
News.
And that was this week's...
Industry News.
I'm interested in this spam, Delge.
Yes.
Yeah, you should check it.
So there's this company called Halfords, right?
Really? What do they do?
It's sort of like this place where you can get car parts and bikes and stuff.
Did they get a really big fine for what they did?
As I read, no, they basically got a slap on the wrist.
It was more like a telling off in the corner.
Oh, shocking. Shocking.
I don't know. Well, huge if true, though. Yeah. Uh, I'm trying to... looking for a story which is
interesting. Well, here's, here's a business as usual. Here's the old... here's the flip side of that
Halfords thing. So Meta was fined 400 million in
Ireland for a children's privacy breach. Yeah. Now I'm sure that they weren't just informed of, you
know, a voucher to get their bikes repaired, but nonetheless 400 million feels like a little bit
more of a, uh, a significant amount, right? Yeah. Well, I think, well, I think the Data Protection Commission in Ireland has actually been very serious about
dissuading people
from
not taking
regulation seriously.
I mean, you know,
400 million euro
fine, or 402 million US
dollars.
That is a proper telling off
that's something that is going to sting someone.
Yeah.
But yeah, this was what? Based on the
fact Instagram had allowed children to
run business accounts,
which showed the account holder's phone number
and email address, thus
exposing the minors' data.
How can...
How can you get...
How can you open a business account
without any kind of...
What?
Yeah, this is hilarious.
I am Mr Businessman, and I am here to do business.
Do you know what's saying that?
In the office.
Yeah, that's a big fine.
But the DPC in Ireland actually, for Meta,
this is actually the second highest fine that they've issued
relating to GDPR breaches.
Because they, in 2021, they fined Amazon 746 million euros.
Wow!
I'm surprised everybody in Ireland isn't driving a, you know,
a rice or something by now.
Yeah.
So here's a story.
It's not on the list of these things,
but I covered it in a TikTok video yesterday.
Hang on, Jav, this isn't how this works.
This isn't industry news. This is, this is
Jav, you know, sledging his old, um, uh, content. Yeah.
I mean, we know it's a slow news week, but anyway, go on. What, what, what were you TikToking about?
What were you jiggling in front of your, your audience? So Cal... California regulators, they're very progressive in the US, the Californians.
They are, they do a lot of good stuff that most of the other states tend to follow.
Yeah, they said we're going to ban the sale of gasoline powered vehicles by 2035. Oh that's right.
So a bit like the UK, like, you know, after that, after a certain time, you're not going to be able to buy anything that's not electric from a main dealer.
So the natural thing you would do is you'd say, well, now's a good time to go out and buy an electric car, isn't it?
But a few days later, because of the massive heat wave, it was putting a massive strain on the power grid. So California asked residents,
please don't charge your cars because we are really struggling to supply electricity to
everyone. And then someone posted a picture of someone in California. They'd gone out and bought
a petrol generator and they were using that to charge up their Tesla.
I love how you bring your high-voltage AC industrial systems
TikTok stories into an InfoSec podcast.
Well, you know what?
There is an InfoSec leak.
It's going to be an analogy, isn't it? It's gonna be, it's gonna be, it's gonna be the availability. Exactly. You know.
Or it's gonna make, whatever it is, it's gonna make a pinging sound as it, as it's been stretched
to breaking point, as it pings away from you. Go on. Yes, yes, exactly. So you might as well insert the ping in post. The ping in post.
There's, there's availability, like Andy correctly mentioned. There is the, the whole compliance angle,
where you make a rule, and then there's the third point, which is people will always find a way
around your stupid rules. So, uh, but it's availability because...
Oh, it doesn't matter. Whatever.
But it's true.
There's not a lot to talk about here.
Intercontinental hotels confirmed cyber attack.
Haven't they been hit a number of times?
No, you're thinking of Marriott.
Oh, yeah, yeah, Marriott. That's right.
I think this is like Premier Inn chain.
They got hit.
Holiday Inn.
Oh, does Intercontinental own Holiday Inn?
Premier Inn, I think.
I don't know.
We'll just keep spreading false news.
You're not coming here for the quality content.
You're coming here for the...
Let's click on this story and see what we can
glean from it while one, one of the other idiots, uh, that he talks... I mean, that's what happened in
the first section. All right, let's, let's, uh, let's kill that then. Uh, thank you, Jav, for,
uh, insightful and very, very consumer-focused InfoSec review
of our industry news today.
Industry news.
You're listening to the double award-winning
Host Unknown podcast.
Ha, ha, ha, ha, ha, ha, ha.
All right, let's wrap it up now with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And I shall wrap up taking this one home.
Our Tweet of the Week this week is from SwiftOnSecurity.
And they say,
What is your experience hiring security tool owners as a job?
Someone extremely competent in security, but also with deep sysadmin responsibilities for monitoring and maintaining and advocating to the analysts and leveraging engineers.
Inside the security department?
And I know, Tom, you looked at this and said, you don't get it.
That's okay.
It wasn't actually intended to be a job... a joke. It
was, uh, genuinely... I know, I know, I don't normally, you know, take to it. I was actually interested in
security tool owners as a job. Is it a thing? Um, you know, I think I am familiar when you've got
SMEs that know particular tools, but would you actually hire someone just for that job, if you know what I mean? So, you know,
would you hire, like, a Qualys expert or a, you know, Rapid7 expert, you know, to manage your,
your, your vulnerability scanning estate using tools, uh, or anything like that? What was interesting, it
took a real turn because somebody replied, well, initially with what mine was, what the fuck is a security tool owner?
But then said, are you giving that person the ability to deny
legit access to a CIO via FOB to Wireshark, Nmap, Hping, Python binary,
all of which have a known documented checksum,
only if they followed the STO's process protocols to acquire the tools.
That was a bit of a leap, wasn't it?
It was.
And this is the thing, I think people are saying,
by department, do you mean an IT department
with a jack of all trades that can respond to it?
Yeah.
It sounds really weird.
But this is, if it becomes a thing,
wouldn't it be great?
You could get paid twice.
You could be a double agent. You're hired by, say, McAfee to be a security tool owner within an organization to only promote McAfee
products or something like that. Wow. You know, there would be that conflict of interest there, I think.
Well, and then you're placed in a company and paid by that company as well.
So would it be like being a waiter in America, where you're paid minimum wage by the owners?
But then you get tips from your clients which supplement your income.
Oh, that is a beautiful way to put it. Yes. So it's kind of like, I think you get 10% off every license. Yeah, yeah, that's
right. Yeah, yeah, yeah. That could work. That could work. And do you know what, I could see some of
these security vendors doing that. Bastards. Yeah. Oh, dude, that was SwiftOnSecurity. I don't know.
You, you obviously had our day that day, struggling to come up with something. I'm not sure really where
you were going with that, if I'm honest.
No, but it's a good debate.
I am actually interested myself.
And I guess it's obviously going to depend on the size of the company.
But just because...
We've got plenty of security tools, though, in fairness.
And I don't mean the software, I mean the people.
Yeah, exactly.
So I will actually just change, you know, change your pace on this one. So I'll stick in a second Tweet of the Week, as we did play the jingle twice. And this is a tweet from Michael Marshall Smith. And it just says, the struggle is real. And he's posted a screenshot of an article from Crime Feed, which says, why do so many murderers bury victims in their own backyards? And I like
the top response to that question, which says, not everyone has the trunk space or gas money to drive
way out in the middle of nowhere to dump their bodies. Check your privilege, we're all doing the
best we can out here. That sounds like a high-functioning sociopath.
Very good. Excellent, Andy. Thank you very much.
It's late of the week.
And with that thought of, you know, being thankful that one has a large boot space
and money for diesel to go out to the middle of nowhere,
we come to the end of the show.
Gentlemen, thank you so much.
It's been an absolute pleasure.
A little bit noisy from Jav.
Hopefully we can fix all that in post, but I'm sure we will.
And, yeah, Jav, thank you very much, sir.
Yeah, you're welcome.
Is your back hurting, Jav?
Is that what it is?
And, Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, and subscribe. If you hated it, please
leave your best insults on our Reddit channel, worst episode ever, r/SmashingSecurity.
Uh, Andy, uh, you were right, I was wrong. Uh, IHG does own, uh, IHG does own Holiday Inn, not Premier Inn. So I'd like to withdraw my statement about Premier Inn.
You know, I'm all about facts and being truthful
and maintaining integrity of this show.
So it is not Premier Inn, it is Holiday Inn.
Yeah, I did think so.
I'm sure I don't earn points if I ever stay in a Premier Inn,
but I do at Holiday Inn. That's the only thing I could think of. I'm sure I'm part
of their loyalty program. So how's it... is my data being breached somewhere? Oh no, and the penny has
dropped. Well, the problem is it's all registered to my old company, uh, email address. I never changed it,
so I can't even do, like, password reset or any of that stuff.
Yeah, but have they got things like your passport details?
Probably, but I lost that passport anyway.
Oh, lost.
In advantage of commerce.
No, this is when I got back from Germany one day.
Was that your Mauritian passport, your Irish passport?
Which one did you get more money for?
It was my British passport, and I think I left it in an Uber.
Although when I called the guy, he swears blind he doesn't even know who I am,
which was the dead giveaway that he had my passport.
So I did have to cancel it.