The Host Unknown Podcast - Episode 128 - The Higher Average IQ Episode
Episode Date: November 11, 2022

This week in InfoSec (08:27)
With content liberated from the "today in infosec" twitter account and further afield

4th November 2005: Microsoft AntiSpyware was renamed Windows Defender.
https://twi...tter.com/todayininfosec/status/1191478555634323456

5th November 1993: The Bugtraq mailing list was created by Scott Chasin. In 1995 it became the property of SecurityFocus, in 2002 Symantec acquired SecurityFocus, and the last message was posted to the list on February 25th, 2020, with no explanation from Symantec.
Bugtraq
https://twitter.com/todayininfosec/status/1324497907245109248

Rant of the Week (16:17)
Twitter Chief Information Security Officer flies the coop
Troubled social media giant Twitter has lost the services of its chief information and security officer to cap off another chaotic week following its acquisition by Elon Musk.
Lea Kissner used their former employer's platform to post: "I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done."
They later posted, "I've loved this job and we got *so* much done, but here we are."
Chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty are also said to have exited. And, separately, it's reported that the world's richest man has told Twitter staff that work-from-home is banned, and that tweeps need to work 40 or more hours a week from the office from now on.

Blue Badge Scams
If you teach your user base that verification means something specific, it will be hard for them to unlearn it. We learned that it's rare for a verified account to try to phish us. Changing the meaning of the check is a security issue.

Blue Badge impersonations
The new check mark system has resulted in threat actors successfully impersonating Twitter and defrauding users out of money. Although the account is now suspended, it rapidly got 35,000+ retweets and 4,990 likes. A simple $8 investment can result in thousands of dollars stolen.

Self-certifying compliance
The idea of engineers self-certifying compliance with an FTC consent decree jumped out to me as patently absurd. So I found and read the consent decree. This thread discusses how this policy violates that decree and why I believe these people had no option but to resign.

Billy Big Balls of the Week (27:14)
Apple limits AirDrop in China after its use in protests
Apple has placed time restrictions on AirDrop wireless file-sharing across iPhones in China after the feature was used by protesters to share images opposing the Chinese government, Bloomberg reports.
The "Everyone" option in AirDrop is now limited to a ten-minute window for users in China. After the ten minutes have passed, AirDrop's device-to-device sharing will switch back to "Contacts Only," making it harder to distribute content to strangers en masse. These new time restrictions have been introduced by Apple just weeks after the service was used to spread posters opposing president Xi Jinping.
The AirDrop restriction was included in the public release of iOS 16.1.1 on Wednesday, despite nothing about it being mentioned in the release notes. 9to5Mac readers were quick to discover that the restrictions seem limited to iPhones purchased in China.

Industry News (34:38)
Medibank Refuses to Pay Ransom After Data Breach
Swiss Re: Cyber-Insurance Industry Must Reform
SEC Announces 'Enforcement Action' For SolarWinds Over 2020 Hack
Instagram Influencer Gets 11 Years for Money Laundering
Medibank Confirms Data Stolen in Breach is Now Available Online
Couple Get 40 Years for Navy Espionage Plot
Malware Redirects 15,000 Sites in Malicious SEO Campaign
Majority of Security Managers Lack Threat Intelligence Skills
New Lenovo Notebook Models Affected By UEFI Firmware Vulnerabilities

Tweet of the Week (42:54)
https://twitter.com/Ox4d5a/status/1590578121526611968

Come on! Like and bloody well subscribe!
Transcript
So I am glad that you could make it to my podcast this week.
Always a pleasure having you on.
Well, I know it seems like if it's not one, it's the other, right?
So I have dusted off a couple of, well, one extra jingle to make this all worthwhile. You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us,
and welcome to the Host Unknown Podcast. Welcome to Andy's Podcast featuring members from Host Unknown.
You know you have missed some yourself, you know. Oh, by the way, episode 128.
Oh, 132.
It's like having a parrot on the show. It's great. You just press the buttons and off they go.
So we are Jav-less today.
We are, well, we're distinctly, well, we have distinctly less hair.
I was about to say, we're definitely hair-free.
Hair-free.
Hair-free, care-free, absolutely.
I think, is Jav still, he's in Florida, isn't he still?
Yes, he is, down to Miami now.
Right. Interesting how he goes out the week before the midterms.
Florida, you know, goes very, very Republican,
despite everything that's happened.
And now he's flying back.
You know, I'm just saying, I'm asking the questions, that's all.
Mission accomplished.
Exactly.
He, yeah, he sort of, I think he buys into a lot of the Miami, you know,
it's, oh, it's severe weather warnings.
There's no one around.
Oh, yeah. It's literally what we call autumn in the UK.
Yeah.
Those videos he sent, it's a bit of rain.
So what?
Get over it, man. Yeah, that's right.
I could do the same. Yeah, yeah, yeah, I could do the same just out my hotel window now. Yeah.
So, yeah, I'm recording this with you remotely from a hotel. I'm using my brand new, I say brand new but fairly new, travel rig to try and get over sound problems
whilst I'm on the road, because I'm travelling most weeks at the moment. So hopefully this one won't
sound quite so bad and the quality is much better to, you know, what we're used to when one of us
is not in our preferred location. Well, exactly. In fact, it's much better with Jav not here generally.
I mean, he records from his garage, which is kind of like hard surfaces everywhere.
I don't get it. It's like he does sound like he's recording from the sweat box in a US prison movie.
And if you ever miss any of what Jav talks about, you can see it on TikTok two days later.
Because he's that lazy. He just regurgitates it.
And if you can't wait two days, just wait until the following day for the Eric and Jav show, or whatever, the...
Jerek show. That's right, the Jerek show, the Jerek show. Yeah, you can just watch it there. I mean, we've
done it, we've done the Jerek show straight after we've done one of these, right? And it is the
same stories. Yeah, literally.
He copies and pastes, listens to what we talk about and then just, yeah, claims your credit for his
ideas. Anything you think. I know, I know, we know other podcasts that do that as well, but yeah, but
moving... So, Andy, how's your week been? It's been good. It's been busy. I think I say,
I think I've passed my six month probation at a new job.
Your past still lets you in the building.
Exactly that. Right. No one said anything.
To be fair, my boss is traveling. She's in, you know, traveling around Asia this week.
But yeah, she'll be in Africa next week. So I'm still not going to see her.
But yeah, my pass still works so you know
either the JML process isn't working
or I have passed my
probation. Either way
I'm counting it as a win.
Although six months is a long probation.
They really weren't sure
about me. I was going to say were they really
taking that much of a chance?
No, it isn't.
I thought it was a long probation as well,
but no, fortunately I did check.
I'm not the only one that was on a six-month probation.
A few.
Everyone else with a criminal record is as well.
Oh dear, jacking those cars as a teenager
was never a good idea.
So how's your week been?
Yeah, good. Good, very good.
So what have I been up to?
I wasn't here last week, was I?
I think the week before that, on the weekend,
I'd just gone to Comic Con with my daughter.
Oh, yes.
It was really good fun.
You went as Captain Underpants, didn't you?
That's what I threatened to go as, yeah.
And then she saw me, you're not wearing your outfit.
I said, it's on underneath everything, don't worry.
But it was really good, took a few photos, that was nice.
I saw some good ones.
That Buzz Lightyear was particularly impressive.
It was, it was.
There are some amazing
costumes. They're like, oh my god, how these things are made at home I don't know. But it's a good
laugh. It was a good laugh. Bought some, got some, you know, posters and Christmas presents and stuff
like that, and some signed copies of books. It was, it was really good. This week, yeah, like you,
busy. Did a few, I did a webinar earlier in the week.
I'm in the middle of arranging a small sort of conference forum-y thing
for work, which is going to be week after next,
and trying to throw some proper work in there in between.
But, yeah, very busy.
But in London this week, I'm only up one day next week,
and then I'm in most weeks for the next couple of three weeks, actually.
So busy, busy.
So this travel rig is going to get some use.
Yeah.
Do you know what?
When I was looking through some stories earlier, I think that we –
oh, not that I think.
I know we have missed IrisCon this year.
Don't, don't.
IrisCon yesterday, B-Sides Deli today. Yeah. No, it came around quickly, didn't
it? I did, you, somewhere, I was, the IrisCon towards the end of the month. Yeah, but I, well, it's
November at some point, isn't it? Mind you, we're halfway through. But yeah, I was invited to
B-Sides. I was trying to get my visa, applied for a conference visa, because
that's what you're supposed to do, and I didn't have the right paperwork for it, and by the time
that was discovered there was no time to get another appointment, because the appointments
are literally fully booked for a couple of months at a time. So yeah, missed it. Absolutely gutted. Like I say, it kicked off this morning.
so yeah
after Iriscon yesterday
and missing that
and then missing
B-Sides Deli today
I'm rather upset
all geared up to go
at last
but we won't let the mood
bring everyone down
no
no
Sorry. No, no.
Right.
Shall we?
Yeah, that's right.
You can tell when Jav's on the show because all you get is this sort of
outpouring of breath in the long, so...
I hate you guys.
Yeah, that's right.
That's all he says.
It's like every other sentence
the amount of editing it takes
when he's on the show
it's dreadful
alright shall we see
what we've got coming up
for you today
this week in InfoSec
talks about rebranding
rant of the week
is a look at the shit show
going on over at Twitter HQ
Billy Big Balls
is something we're
on the fence about.
Interesting news brings the latest and greatest security news stories
from around the world, and tweet of the week will be us, i.e. Andy,
trying to verbally explain a visual meme.
Excellent.
So let's move on, shall we, to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account and further afield.
And as there is only two of us this week, I shall rush through so we can get straight to the main content.
This is more of the canapes which come around before the main show, right?
But this is the crudities.
The bumbley toilets.
The bumbley toilets.
So, as you know,
I do that lead-up so I can mentally
work out in my head the
amount of years between the date
and the story.
So our first story...
Still using a calculator.
...takes us back a mere 17 years
to the 4th of November 2005,
when Microsoft
AntiSpyware was renamed Windows Defender.
Now, at the time, you probably remember you'd get that sort of little icon which came up in the
bottom right hand corner of your, you know, your XP machine or your 2000 and, yeah, yeah, going on from
that. It looked like a little castle, or like a brick. That's right, yeah.
Yeah, and, you know, everyone's like, this is rubbish, right? You know, it's never going to replace
anti-malware, because it was purely about spyware, right? It wasn't, it didn't seem that great
at the time. It seemed very narrow in focus, didn't it? Yeah, but, you know, I mentioned this because obviously it did rebrand, you know, say 17 years ago.
But today, Windows Defender is actually a pretty decent agent.
I am a convert to it, having understood the capabilities it's got.
You know, it can do your anti-malware, your anti-spyware.
Yeah.
It can do your web reputation protection, you know, defending going to websites.
You can actually do categorisation blocking. Yeah, all part of the M365 stack. Yeah, it's
absolutely fantastic. It's definitely in the top three, up there, of, you know, EPP and EDR and
potentially even XDR as well. Yeah, with all... and that's it. The data it's got knows what patches are missing
for your machine.
That's centralized reporting.
And if you run in a Microsoft environment anyway,
dare I say the phrase, single pane of glass,
but you have a lot of data in a single portal.
Yes.
A lot of usable data as well.
So yeah, like I said, back 17 years ago
would not have expected this to have been a product that survived. I logged on to my Microsoft
account, my personal Microsoft account, the other day, and there is still a licence in there for
Windows, was it, was it Defender? It might have been when it rebranded as Defender, as, like, a beta user.
So I got a lifetime free, you know, license for it.
Of course, you know, you don't need it anymore because it's all just built in, right?
You don't get a separate licensing for it per se.
But yeah, it's still there in my account.
It's still, you know, so it's funny that this should come up right now.
Yeah. No, and also, yeah, if you have a subscription to Office 365, you can obviously make use of it, play about with it. Yeah, yeah, if you can work out the Azure portal. Yeah, I mean, that's
another... they keep renaming parts of that as well, so that's, yeah, that's another story altogether. However,
right, so our second story takes us back a mere 20, must be 29 years, to the 5th of November 1993,
when the Bugtraq mailing list was created by Scott Chasin. So in 1995, it actually became the property of SecurityFocus. And then in 2002,
Symantec acquired SecurityFocus. And the last message posted to the list was as recently as
February 25th, 2020. And there was no explanation from Symantec in terms of why it stopped. But
back in the day, so back in 1993,
this is where you got your vulnerability information from.
There was no websites with fancy logos.
There was no sort of push notifications. There was no sort of balloons that popped up proactively
on your desktop saying, hey, you need to install these patches.
You had to subscribe to this mailing list,
and people would post
issues with software to this mailing list. And it was, it found, I mean, this was the thing: if you
were a sysadmin, you were subscribed to this. You know, it had, back in 95, had 2,500 subscribers, had over 40,000 by February 2000.
Wow.
Yeah, back then it was huge, absolutely huge.
And then obviously the usual controversy with any sort of vulnerability disclosure
is the fact that it went to everyone.
Someone posted some credit card information.
So they started moderating it, as of 96, you
know, I think it was. So someone then actually sat down and moderated all the content before it went
out. And then, yeah, as, you know, the internet grew, email became less of the, I guess, the most
effective way of delivering this information. Yeah. And so, yeah, Symantec, although they didn't, you know,
give any information about why, you know, they stopped doing it,
there were rumours about it just being very difficult to moderate.
I mean, it wasn't a commercial medium, wasn't it?
Was it?
No, not at all.
So it was, you know, run by, well, not even volunteers,
but people who were passionate about this.
Although back in 96 or 95 or whatever it was,
or sorry, 93, there's probably only like seven vulnerabilities
in popular usage anyway.
But it does go to show quite how things like this start from people just being passionate about wanting to do the right thing.
Yeah. And remember, it wasn't even sort of platform specific either.
You know, so it wasn't like you subscribe here for your Microsoft vulnerabilities or your Linux or your BSD.
It was everything.
Everything. Yeah.
And it still fitted on one page of A4.
Yeah. Plain text.
Yeah.
Oh, dear, no, but, yeah, if you're a fan of ASCII art,
then it's probably because you used to subscribe to mailing lists that included them.
God, ASCII art, I remember that.
I remember trying to convert images to ASCII art and, you know,
to try and look like I was clever and shit like that.
Oh, my God.
I'll just generally copy it from one person's email to someone else's.
Yeah, that's pretty much what it came down to.
I remember trying to do an ASCII art email footer once
and just gave up.
It was just so painful.
The formatting was always screwed up.
I think I'll just wait until I become a manager
and get someone else to do it.
Excellent. Well, thank you, Andy.
That was this week's...
This week in InfoSec.
Are you ready? Here it comes.
You're listening to the Host Unknown podcast
with your award-winning hosts, Tom and Andy,
and insert name here. Finally used it.
I think that's the first time we've used that one.
Right, shall we move on to this week's...
Listen up!
Rent of the Week.
It sounds like mother f***ing rage.
of the week.
It's time for Mother F***ing Rage.
So unless you have been
living under a rock
for the last,
well, year really,
but in reality
the last week or two,
or you were already
on Mastodon,
you will know
that there's
just a few little problems
going on at Twitter.
A few changes going on at Twitter.
A few changes since our Lord and Saviour Elon Musk
went in and bought out Twitter for $44 billion.
Sorry, someone's going on holiday, I tell you.
$44 billion.
And then just went on what seemed like an executive rampage,
would be the only way I could put it.
Apparently he was doing things like demanding to review lines of code
with people, getting stats on the amount of lines of code
that people have written and using that as a performance statistic.
All that sort of stuff.
Then massive, massive layoffs.
Something like 50% of the workforce was laid off.
Although apparently they're now trying to entice some of them back because they realise they might have got rid of some of the ones they need.
Some of the good ones. Some of the good ones. Yeah. Funny that, isn't it?
that make no sense whatsoever, included online spats between Musk and various celebs and anybody else who he deems worthy of chatting to
about charging for the platform, and then all summed up in a scheme
that is so rapidly rolled out that it changes hour by hour
that has resulted in a vast amount of criminality and theft.
It just beggars belief.
So, for instance, not only has the CISO left, Lea Kissner,
the CISO left, but the chief privacy officer has left.
Isn't there someone of data ethics also left?
Yeah, the chief compliance officer.
Chief compliance officer, yeah.
They've all left, literally just resigned and gone.
Oh, that's right.
He's come in and said that Twitter,
which is in its employee handbooks and all that sort of thing,
saying it's a remote-first organisation,
has come in and said everybody now needs to work from home.
And if you want to work from home, you can resign.
Everyone needs to work from the office, you mean? Yeah, 40 or... they need to work from the office, yeah, yeah, 40 or more hours a
week from the office from now on. I love the "40 or more". When asked how that, that we're going to
deal with, you know, how we're going to deal with, you know, all these challenges that have been
self-made, he, I can't remember the phrase he used, but basically he said we just have to man up,
we just have to, you know, knuckle down and get on with it, which is not very helpful. He then tells
everybody that, you know, well, you know, Twitter may, because, may go bankrupt, but don't worry, I've sold
a whole bunch of Tesla stock to try and shore it up. So, you know, you can thank me later.
It's just...
I mean, the whole...
Yeah, it's complete shit.
The share price has tanked.
Ad revenue has tanked.
Unsurprisingly, and I think this does make me laugh,
all of the major car manufacturers
have dropped their advertising on Twitter.
Funny that.
The blue badge scam thing.
So, God, now, first of all, he wanted to charge $20.
Stephen King picked him up on that.
This is the blue badge, the much coveted,
you only get one if you're given one blue badge,
and you have to justify your existence, you know,
and prove who you are.
Now anybody can get one for $8 after he had a little spat with Stephen King.
Bargain. Absolutely bargain, that price.
Have you got one yet?
No, no, I haven't.
And I believe Cluley's trying to work out how to get rid of his
so he doesn't look like he's paid $8.
And so I think this is part of where some of these scams
have come up this week, right?
So you made this massive change.
You've got the people responsible for compliance, security,
and, you know, that type of, you know, corporate governance stuff.
They've actually quit.
And then, you know, you spend every industry spent
or every sort of social media platform spent all this time teaching users that verification, a verified account means something.
Right. And that's the, that's the problem.
Now, anyone can be verified.
Yeah. And that also means that Twitter itself was impersonated, and prompting people to basically follow this link and pay your eight
dollars and you'll get your blue badge, and that's resulted in thousands and thousands of dollars
being stolen from people. There's something in here about self-certifying compliance.
Now that there is effectively no compliance team whatsoever, the engineers have
been told that they have to self-certify themselves with any FTC, you know,
standards that are handed out, which in itself is laughable. They're obviously,
you know, in all of their standards, etc., etc., it says about running an effective
and well-maintained information security plan.
Well, they're obviously not doing any of that.
You are speechless, aren't you, on this one?
How can somebody come in?
The only thing I can think of is that he's a shareholder of
Mastodon. Yeah, he's... oh, he's laundering money, right? He needs to burn money quickly. Yeah, exactly. I
don't understand how it can come in and make all this... Oh, and he said, he's always been saying
that, you know, when I'm in charge of Twitter, you know, comedy, comedy will not be banned. And he's effectively banned and blocked anybody who's impersonated him
in the name of comedy.
It's just, it's, do you know what?
This reminds me of the first few months of the Trump presidency.
Oh, the executive orders.
Yeah, executive orders and appointment of cronies
and all of the weird self-aggrandizing shit that was going on.
That's this.
I don't know about you, Andy.
I mean, I know you're not massively active on the social medias
apart from TikTok, but I'm still on there.
But even me, the laziest man
in the world, is considering, you know, moving on from Twitter to that hellhole called Mastodon,
which has been described as like a bunch of Minecraft servers with portals between each server,
which immediately just fills me with dread. You know, I actually have a Mastodon account. I signed up God knows how
long ago, back when it was cool. No, back when the first sort of "everyone's gonna jump ship from
Twitter" occurred. And I can't remember what sparked that. There was something that sparked
that, and everyone says, oh, Mastodon, let's go, privacy. I think that was it, it was the privacy issue.
But actually, I think it's going to be like Facebook.
Lots of people want to jump ship, but there's just nothing better.
No, no, that's right.
Usability is not there with everyone else.
Although let's not finish on Twitter.
What about Facebook?
You've just let go 11,000 people.
Yeah. With Mark Zuckerberg saying that running Facebook is quite upsetting
because people are always angry at him.
We'll perhaps try and pretend to be a slightly more normal human being then, Mark.
Although, to give credit where it's due,
the Facebook severance packages are significantly
better than the Twitter ones, which are basically you got a month and then you're on your own.
Although, you know, there's still some controversy over the Facebook ones, but
yeah, social media platforms are nosediving at the moment, it would seem. Yeah, so yeah, some links in the show notes there. But
blimey, to lose so many senior execs, to lose, well, to lose half your workforce, that's pretty damn
careless, especially when you go looking for them again afterwards. I just, I, you know, I don't have
the energy reserves to get as angry as I need to about this, because, you know, he even said about,
you know, oh, I'm being, you know, every single little move I make is being analysed by the
media and blah blah blah, says the man who deliberately had himself filmed walking into
the Twitter HQ holding a sink in order to "let that sink in" message.
You know, he's...
Which is a stolen gag anyway.
Well, exactly, exactly.
And, you know, so for somebody who courts the media
to then complain that the media are reporting on his every move,
he's good at building space rockets.
He's average at building cars,
although he's pretty good at,
you know,
breaking norms,
but he's a terrible CEO of,
of Twitter.
Terrible.
You know,
maybe time will prove me wrong,
but yeah,
I,
he's awful.
He thinks cause he can put something in space.
He can do anything.
I think is what it comes down to.
And that was this week's somewhat low energy rant of the week.
Rant of the week.
You're listening to the award-winning Host Unknown podcast.
Officially more entertaining than smashing security. In your face! Oh, we might have to fight over this one, Andy,
or we could do it together.
It's time for this week's...
Although I do think what's interesting
is because Jav's not here,
we're actually not going to be talking about a criminal.
Indeed.
But, you know, I'll tell you what, you give the headline for this story.
Okay.
Apple limits airdrop in China after its use in protests,
which I think is a bit click-baity myself.
It is, but so this is the story that, well, what, so Apple, so if you have an iPhone you may
be aware of the feature called AirDrop. And there have been stories of people, you know, unwittingly
receiving pictures while they're on the train, or so, you know, it's like, I've heard, you know,
dick pics get sent on this type of medium, and, like, you know, you get spammed with this stuff.
But you have the option to receive files from anyone, and it's untraceable. And I think we know, we covered a
story, you know, a couple of months back about the guy who sent a picture of a bomb or a
plane crashing whilst he was sitting on a plane to every, all the other passengers, and they all
had to disembark and then search, and it's untraceable and all this kind of stuff. I actually, you know, the other day I was in
Ireland and I received an unsolicited picture when I was at this food market.
It was of an extra large zucchini. It wasn't, no, but it was actually food based and it was quite
funny, it had a face in it. And it was one of those things where I was, you know, I was trying
to play it cool and not look around as if to say, who the hell sent me that? You know, straight away I saw what happened.
So I got this AirDrop and I was like, you know, play it off. Yeah, don't look around, don't look
interested, don't smile, just, like, deadpan poker face. But it did make me chuckle inside.
But, you know, to me that's the case of, well, I set my phone to receive stuff from anyone, right?
So why not?
Yeah.
So Apple are now... this feature came out on iOS 16.1.1.
So, you know, the one recent update.
But they didn't mention it in the release notes.
And it's only active in China at the moment, but every device has a capability for it,
and essentially, if you select your phone to receive files from everyone, it's only going to
be valid for 10 minutes at a time and then it'll switch back to contacts only. And I am not sure
how I feel about that. Like, I would prefer if it went to contacts only by default.
Yes, and then you can shift it around. Yeah, so I think it's, it's big, I understand what Apple are
trying to do and I do actually applaud them for, you know, creating this type of, you know, extra
safety net, because, you know, I get, I'm not the type of demographic that maybe receives dick pics on a
regular on public transport. No, no, it's normally when you're in your private jet and...
Yeah, exactly. Yeah, exactly that. So yeah, I'm kind of on the fence for this one.
So I think if this had this 10 minute limit put in from the outset, well, obviously this would be a non-story,
but people wouldn't be taking the same kind of attitude.
They wouldn't have started to use AirDrop
and then said, wow, how dare they limit this to 10 minutes.
They would have gone, oh, that's quite a sensible thing to put in place,
just limiting it to every one of the 10 minutes.
the problem here is
and I can absolutely understand it, is
it appears that they have caved to pressure from the Chinese government to do this
in order to restrict the sharing of information during protests. And that would seem to be the
simplest of explanations, but they've implemented this in the latest update
and apparently will be turning it on to the rest of the world
at some point in the near future, is the last thing that I read anyway.
So has this been on their list, their Kanban list of things
we will get round to, and then had it
driven up the, up the line by the fact that an oppressive regime that actually also happens
to buy an awful lot of iPhones have said, hey, can you do this, you know? Or have they just acquiesced
and tried to cover their tracks by saying, oh, we're going to do this for everybody now.
Yeah.
It's, yeah.
Because it is sensible.
It's almost a rant.
It is almost a rant.
But, you know, I was on a Reddit channel the other day talking about this and people were saying,
this is outrageous.
If I want everybody, you know, to be able to send me to airdrop,
that's my choice to do.
And another person was saying, well, what about kids?
So you turn it on to everyone in order to get something done
and then don't switch it off and then get sent obscene
or predatory material.
So it's, you know, there is no right or wrong answer per se,
but I think what it does come down to is the incentive
to do it in the first place.
And is it because China buys a metric fuck ton of iPhones and therefore they're going to do whatever the Chinese government tell them?
Or is it because it was always going to happen?
It's just that the plans were sped up.
Good question.
And unfortunately, at the moment, this might shock you, and I'm glad Jav's not on here,
but at the moment I think it's the former. I think they acquiesced to China and are trying to cover
their tracks, and the reason for that is I'm seeing the startings of a pattern of behaviour. And I had a
a little, a brief, you know, Twitter chat with our friend of the show, Rowena Fielding, about this, about privacy.
And Apple have gone all in on their privacy and advertising restrictions and all that sort of thing, which is great. like Facebook and Google, but has protected most people or everybody who owns an iPhone from,
again, sort of aggressive advertising, things like that. But in parallel, they've also now
amped up and massively increased the volume of Apple ads that you get. So it looked like they
were doing this in order to set up a competing business and in order to get more money, which really saddens me.
I thought Apple were doing this because they were the bigger company and were doing, as in, you know, ethical, ethical, morally wise, bigger because they wanted to protect their users, not because they wanted to sell them more ads of their own.
So, yeah, I'm on a bit of a
downer with Apple at the moment, I've got to say. Whatever next?
Billy Big Balls of the Week.
This is the Host Unknown Podcast, home of Billy Big Ball Energy.
Well, after all that, I'm completely out of energy.
So I'm just going to say, Andy, what time is it?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News. Medibank refuses to pay ransom after data breach.
Industry News. Swiss Re: cyber insurance industry must reform.
Industry News. SEC announces enforcement action for SolarWinds over 2020 hack.
Industry News
Instagram influencer gets 11 years for money laundering.
Industry News
Medibank confirms data stolen in breach is now available online.
Couple get 40 years for Navy espionage plot.
Malware redirects 15,000 sites in malicious SEO campaign.
Majority of security managers lack threat intelligence skills.
The majority of security managers lack threat intelligence skills.
New Lenovo notebook models affected by UEFI firmware vulnerabilities.
Is that how you say it?
And that was this week's...
Huge, if true. Huge.
The Medibank one
I like how the week started
We refused to pay the ransom
For this data breach
A couple of days later
How it started, how it's going
I heard the attackers were basically
just going for it,
because of course now Medibank
have got nothing to lose, right?
Yeah, but they were going for it to make an example, in order that the next people they
attack will just pay up.
Yeah. So I did hear, I think the same people this morning have announced
that they have got Deutsche Bank data, I understand. I think I saw that this morning. It was unconfirmed.
But yeah, Deutsche Bank allegedly breached by the same access broker that sold access to Medibank data.
And yeah, they're sort of saying they've got another network access of Deutsche, a particular bank, they said.
They've got FTP shells, root, SQL injection, database
servers, but they've said that, look, you know, the EDR on machines is Symantec, you know, the network
filters are XYZ, and they're saying they've got copies of chats, file servers where 16 terabytes
of internal data reside, plus share folders for every user on the network. Yeah, and they're saying they can provide
VDI and VPN, all passwords in a domain dump with domain admin users. Holy moly. 7.5 bitcoin
if you want that.
It almost doesn't matter.
Yeah, you don't know if it's true though, do you?
Well, no, but it almost gets the point. It doesn't
matter how much you protect your data or encrypt it or store it or whatever; you get the
keys to the kingdom, you're screwed, aren't you?
Yeah, zero trust, right? That's what we want.
Yeah, not just a marketing term anymore.
Yeah. So this Instagram influencer, this is the chap you were talking about earlier on?
Yeah, so this is, oh,
what's he... it's a Nigerian guy that used to always post his lavish lifestyle on Instagram,
but it turns out he was basically just laundering, you know, proceeds of crime. He went by the
name Hushpuppi. Yeah, and so, yeah, he was arrested in Dubai and extradited to the US.
But yeah, he conspired with a money launderer, and they just did a lot of, you know,
business email compromise schemes, and yeah, that type of thing. But yeah,
I think it's more about the glamour on the other side. It makes such a good story because, you know,
there's visuals that go with it.
Yes.
Yeah.
And this Swiss Re cyber insurance thing,
I think we're hearing a lot about cyber insurance needing to change
and update and all that sort of thing at the moment.
Yeah.
But I think Lloyd's announced, what was it, from April next year that,
yeah, "I'm not going to underwrite nation-state attacks."
Yeah, that's right. Which is not surprising,
really, because if you're getting attacked by a nation state, you've either done something really,
really wrong, or there's nothing you can do about it anyway.
Well, it's the attribution part, right? Because this is what... who's that, not Cadbury's?
Mondelez.
So they got breached.
No, they got ransomware like years back, 2017, I think it was.
Right.
And they went to their insurer,
and then the insurer refused to pay out on the basis that it was,
I think it was a Russian act of war,
even though they weren't officially at war.
So, yeah, the insurer refused to pay out,
but they won that case anyway.
They literally settled just like two weeks ago,
over $100 million was the claim.
They lost like 27,000 laptops during that, got bricked. What? Yeah, it's quite
a huge, huge event.
I mean, it was...
You said 2017?
I think it was 2017 it occurred.
Yeah, and they only just settled the case.
Drunk Tom then.
That's why I don't remember.
Yeah.
But yeah.
I love this. Majority of security
managers lack
threat intelligence skills.
One, what defines a security
manager, and two, what defines
threat intelligence skills?
Exactly.
Is there an ISC
squared course that you can
take for that?
Yeah, probably. Or if not, an ISACA one.
Almost certainly, right?
87% of decision makers rely on threat intelligence, whether they know it or not,
often or very often for vulnerability prioritisation. I mean, threat intelligence
could be something as simple as someone saying, do this one first before that one. I mean, it does seem to be a little bit broad.
Yeah, but it's the headline itself.
Hey, well, you know, that's what we built our reputation on,
you know, comments on the headline, not the story.
Exactly.
And finally, just because it sounds cool,
Couple get 40 years for Navy espionage plot.
Love it.
Love it.
494 months because, I don't know why you'd call it that,
after attempting to sell designs for the US Navy's nuclear-powered warships to a foreign power.
Yeah, so that's a...
there's something more to this story, and I don't know what it is, but the wife got longer than the
husband, and she was only accused of conspiracy, found guilty of conspiracy, whereas this is
America, right, where, you know, there is no bodily autonomy for women.
Yeah, it's true.
Oh, she's penalised for being out of the kitchen.
I'll read it now. There we go.
Good old Republican judge.
Exactly. Exactly.
Right, that was this week's...
Industry News.
The Host Unknown Podcast.
Orally delivering the warm and fuzzy feeling you get when you pee yourself.
Ah.
Right, well, I'm definitely leaving this one to you, Andy,
since you have to now describe something visually through the medium of voice alone, which is technically what describing is, I guess.
Time for this week's Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
It is. So I shall take
us home with this week's Tweet of the Week. So this is an image of,
if you know your memes,
you will know disappointed Muhammad.
It's part of,
he's a cricket fan watching a game and,
you know,
it's very famous.
Is that where he's from?
A cricket fan?
Yeah.
Disappointed cricket fan,
also known as.
And he's sort of standing there,
like unimpressed face,
hands on his hips.
He also looks like he
should head up a tech company in San Francisco.
Yes, he could. But yeah, it's one of these sort of
reaction images, you know, sometimes known as, you know, Angry Cricket Fan or Disappointed
Cricket Fan, but his name's... yeah, it's known as Disappointed Muhammad Akhtar. So this is a meme and it is the picture of that guy,
Disappointed Muhammad, and it's captioned,
WinRAR watching you pay $8 for a Twitter blue tick.
The only thing it's missing here, there is $8 a month.
Is it actually a month?
It's $8 a month.
Oh, I did not know that. I thought it was... I'm sure it is. I'm sure it is eight dollars a month. I'm sure it is.
Yeah, no, but yeah, without
taking away, obviously, you know, WinRAR, very useful tool, particularly back in the day.
Good guy WinRAR used to always let you use it past its trial period. Same as WinZip, right?
Yeah, I think WinZip did go a bit more
commercial though, didn't they, when they sort of grew up and realised they were embedded in big
corps, and also supported RAR files? They actually forced you to use them. I
never paid for WinZip, but I do recall the, you know, "continue trial" or something
like that, yeah, swapping sides from left to right
in an effort to try and get you to click on "buy now" or something.
Yeah, yeah, we just cracked it.
Yeah, pre-2007 was a different era.
Yeah, exactly. Excellent. That was a good one. And it's so true. It's so true.
You know, I mean, well, are you going to get a blue checkmark, Andy?
Are you just going to stick to Mastodon?
Sorry, I'm going to stick to what?
No, I shall.
Actually, I'm not that fussed.
Genuinely, I'm happy to change names depending on the platform.
Even if you get a Black Friday deal on Twitter?
I don't use Twitter enough.
To be honest, I can't remember the last time I posted.
I would also say beforehand, you don't use, you know,
before we went live, you don't use Adobe enough.
No, I don't.
It didn't stop me from subscribing for a whole year.
No, but I did have
full access to the entire Creative Suite and all of the tools: Illustrator, Premiere, After Effects,
the full works. But alas, no, I edited the shit out of those PDF documents.
Is that the sort of flex you put on a dating profile? Have full access to the Adobe Professional Suite.
Exactly.
Yeah, I'm a sucker for a good Black Friday deal.
Oh, man.
Me too.
That Amazon Prime day?
Oh, my God.
Yes, I need another tea strainer.
Shaped like a man or whatever.
I don't know.
Anyway, that was this week's...
Tweet of the Week.
Well,
that was,
that was,
that was very drama free this week,
I think,
wasn't it?
It is,
yeah.
Hopefully more upbeat than usual.
Yeah,
that's right.
Less confrontation.
Yeah.
Less,
less of the,
the,
I hate you guys.
Less of that.
Anyway, Andy, thank you so much for this week.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash Smashing Security.
Epic.
Yeah, I'll leave you to add in those calculator sounds then.
I did struggle with the numbers. Yeah, it's okay.
Yeah, exactly.
You do the show notes, I'll do the editing.
We're cool.
I'm not entirely sure what Jav brings to the show,
but nonetheless, I think we've got it covered.
Absolutely.