The Host Unknown Podcast - Episode 144 - The Other Peoples Work Episode
Episode Date: March 17, 2023

This Week in InfoSec (06:13)
With content liberated from the "today in infosec" Twitter account and further afield

15th March 2000: The movie "Takedown" was released in France as "Cybertr@que". It... is based on the capture of Kevin Mitnick.
Takedown on IMDb
https://twitter.com/todayininfosec/status/1636083404117557248

16th March 1971: The first computer virus, Creeper, infected computers on the ARPANET, displaying "I'M THE CREEPER : CATCH ME IF YOU CAN." It was named after a villain (the Creeper) from a 1970 episode of "Scooby-Doo, Where Are You!"
https://twitter.com/todayininfosec/status/1636516584394203137

Rant of the Week (13:20)
What happens if you 'cover up' a ransomware infection? For Blackbaud, a $3m charge

Blackbaud has agreed to pay $3 million to settle charges that it made misleading disclosures about a 2020 ransomware infection in which crooks stole more than a million files on around 13,000 of the cloud software slinger's customers.

According to America's financial watchdog, the SEC, Blackbaud will cough up the cash - without admitting or denying the regulator's findings - and will cease and desist from committing any further violations.

"Blackbaud is pleased to resolve this matter with the SEC and appreciates the collaboration and constructive feedback from the Commission as the company continually improves its reporting and disclosure policies," Tony Boor, the outfit's chief financial officer, told The Register. "Blackbaud continues to strengthen its cybersecurity program to protect customers and consumers, and to minimise the risk of cyberattacks in an ever-changing threat landscape," Boor added.

For perspective: the South Carolina-based firm – which provides, among other things, donor management tools to nonprofits – banked $1.1 billion in revenue in 2022, resulting in a $45.4 million loss. This settlement is the least of the biz's concerns, we imagine.

Slap on the wrist

Here's what happened: back in May 2020, Blackbaud experienced a ransomware infection, quietly paid off the crooks, and didn't tell customers about the security breach until July 2020. And when the software company did notify customers, it assured them that the "cybercriminal did not access…bank account information, or social security numbers," according to the SEC order.

By the end of that month, however, the SEC claims that Blackbaud personnel discovered that the miscreants had accessed unencrypted donor bank account information and social security numbers. But the employees allegedly didn't tell senior management about the theft of sensitive customer data because Blackbaud "did not have policies or procedures in place designed to ensure they do so," the court documents say. Make of that what you will.

Billy Big Balls of the Week (23:09)
1st Story (short, follow the link):
Microsoft support 'cracks' Windows for customer after activation fails

In an unexpected twist, a Microsoft support engineer resorted to running an unofficial 'crack' on a customer's Windows PC after a genuine copy of the operating system failed to activate normally. It seems this isn't the first time, either, that support professionals have employed such workarounds when under pressure to close out support tickets in a timely manner.

A South Africa-based freelance technologist who paid $200 for a genuine copy of Windows 10 was startled to see a Microsoft support engineer "crack" his copy using unofficial tools that bypass the Windows activation process.

2nd Story:
A company that actually followed disclosure requirements (and puts TikTok in the same bucket as Meta and Google):
Cerebral admits to sharing patient data with Meta, TikTok, and Google

Cerebral, a telehealth startup specializing in mental health, says it inadvertently shared the sensitive information of over 3.1 million patients with Google, Meta, TikTok, and other third-party advertisers, as reported earlier by TechCrunch. In a notice posted on the company's website, Cerebral admits to exposing a laundry list of patient data with the tracking tools it's been using as far back as October 2019.

The information affected by the oversight includes everything from patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and more. It may have even exposed the answers clients filled out as part of the mental health self-assessment on the company's website and app, which patients can use to schedule therapy appointments and receive prescription medication.

According to Cerebral, this information got out through its use of tracking pixels, or the bits of code Meta, TikTok, and Google allow developers to embed in their apps and websites. The Meta Pixel, for example, can collect data about a user's activity on a website or app after clicking an ad on the platform, and even keeps track of the information a user fills out on an online form. While this lets companies like Cerebral measure how users interact with their ads on various platforms and track the steps they take afterward, it also gives Meta, TikTok, and Google access to this information, which they can then use to gain insight into their own users.

Industry News (32:43)
UK's New Privacy Bill Could Mean More Work for Firms
Blackbaud Settles $3m Charge Over Ransomware Attack
MI5 Launches New Agency to Tackle State-Backed Attacks
Humans Still More Effective Than ChatGPT at Phishing
Tick APT Group Hacked East Asian DLP Software Firm
Humans Still More Effective Than ChatGPT at Phishing
NCSC Calms Fears Over ChatGPT Threat
UK Joins US, Canada, Others in Banning TikTok From Government Devices
US Government IIS Server Breached via Telerik Software Flaw

Tweet of the Week (40:30)
https://twitter.com/william_whyte/status/1635198775152234496
https://twitter.com/J4vv4D/status/1636055929199140864?s=20

Come on! Like and bloody well subscribe!
Transcript
I mean, again, you're trying to claim credit for someone else's funny work.
No, no, no.
So they just posted a legit picture from their certificate that they got issued at Oxford University.
You quote tweeted it.
And said, this needs to be added on a CISP certificate.
Adds nothing.
Adds nothing to it.
That makes it cybersecurity relevant.
Without it, it's just any certificate.
I am making this show relevant to cyber security and our audiences.
And you are just watering that down to a point where anyone listening would be like,
what is this show even about?
Andy would love to water it down if he could just get into his Twitter account.
Yeah.
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you are, and welcome to episode 144... 48... 9, whatever, of the Host Unknown podcast.
Welcome one and all.
Welcome, dear listener.
We trust you are all well, lovely and looking forward to your weekend.
I know we are.
Well, I am definitely.
I don't know about these two.
Andy's a workaholic and, well, I don't know about Jav at the weekends.
Who knows?
He's probably still working, aren't you, Andy? Jav?
Yes, I am.
Yeah, right, there you go, there you go. How are we, Jav? How has your week been?
It's been great. I've been mum and dad for most of this week as my wife has gone on a girly trip to Istanbul.
Oh, wow.
Yeah, so...
Oh, I thought we were just going to refer to you as they from now on.
Not yet, not yet, Satan.
What?
I still didn't get that, but whatever.
Oh, so you're home alone, basically, except not.
I'm home alone with all four kids, so yeah.
Yeah, that's right. Yeah, yeah, that's right.
So you'll be nipping in and out on the podcast to try and make sure they're all okay, right?
Just keep counting, make sure there's still four.
Yeah, that's right. Whenever it used to happen to me, I used to say, I guarantee at least one of them will be alive when you come back.
No, honestly, it's not hard work at all.
I don't know what my missus and I are talking about.
Careful what you say.
We are recording.
Okay, I'll leave it at that.
But, no, it's been a good week.
Good.
Andy, what about you?
What's been on your plate this week?
Work, work and more work.
It's been one of those crazy weeks as we come towards the end of the financial year.
Yeah.
Every single deal is obviously the most important, biggest deal.
I'm getting buzzed at all hours of the day.
You know, which is funny. Yeah, which I just, I don't know.
You're smarter than me, what do you think? I don't actually say that, obviously.
Oh, I thought you were asking me. I was like, wow, this early in the morning.
I'm like, uh, remember DiCaprio in Catch Me If You Can, when he impersonates a doctor and he's just like, do you concur? Yeah, I'm just doing a lot of that this week and people seem to be happy.
But yeah, no, happy St Patrick's Day. I did chill out, guys. I've actually got you some gifts here.
Oh, really?
Didn't get to the post office this week. I've been glued to my seat all week.
Oh, is it Patrick's Day today?
It is St. Patrick's Day, so yeah. So it's going to be late, but, you know, it's still good.
Hey, hey, I'm happy for that.
Is it Happy St. Paddy's Day or St. Patty's Day?
Paddy with a D.
Paddy, come on, stop with the Americanisms.
But Patrick is with a T.
Yes, but Paddy is with a D.
I don't make the rules, Jav.
Come on, this is the English language.
You know the rules are completely weird.
Okay.
I'll let...
I'll let you get on with it.
So, Jav's Andy with kids.
Andy's busy with work.
And I was at a photography exhibition yesterday. It was really good. Spent a bit of money on a few things: a couple of reflectors, a few little mini lights, you know, a couple of hard cases for some equipment. Not Vinnie Jones.
But yeah, it was lovely, it was very...
When you say you dropped a little bit of money.
No, it was only a little bit, in fairness.
It was only... Not my usual camera respect.
Like, in context to what?
What are you comparing it to?
Very low three figures.
What can I say?
And I did pick up some birthday presents for my son as well.
I thought you were going to say for yourself.
Yeah, yeah, well, somebody's got to buy them for me, you know. So yeah, it's good.
But yeah, bringing all that stuff back on the train was interesting, to say the least. I looked like a bloody hobo pulling my bag with everything kind of strung to the outside of it.
But, you know, it's a small price to pay for photographic excellence.
And talking of excellence,
shall we see what we've got coming up for you today?
Well, this week in InfoSec takes us back to a time when someone would have gotten away with it
if it wasn't for those pesky kids.
Rant of the Week explores the cost of doing business.
Billy Big Balls thinks a crack is worth a thousand support tickets.
Industry News, of course, brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week is a worthy disclaimer.
So let's move on, shall we, to our, well, multiply confirmed favourite part of the show, the part of the show that we love to call This Week in InfoSec.
it is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the today in InfoSec Twitter account and further afield.
And I am having severe issues attempting to log into Twitter,
and it's thrown all kinds of errors.
I can't even view it unlogged in.
Therefore, I'm just going to have to read the one-liner of the show notes I've got and let you click on the link to take you to it.
So it was, uh, this day... no, it was the 15th of March, 23 years ago, in the year 2000, when the movie Takedown was released in France as Cybertr@que, and it was based on the capture of Javad's longtime work colleague Kevin Mitnick.
Capture? Was he a criminal?
Apparently so.
So Jav, I'm sure you get asked this question all the time, and I think people probably think we're joking, but you do actually work with Kevin Mitnick, don't you?
I'm employed by a company.
Okay, you don't want to talk about it, I get it, I get it. Okay.
Are you on first-name terms with him?
The company that employs me also pays Kevin Mitnick.
And is that right?
My attorney's nodding at me. Yes.
Okay.
Okay, I shall move swiftly on there to our second story, which takes us back a mere 52 years, to the 16th of March 1971, when the first computer virus, Creeper, infected computers on the ARPANET, displaying "I'm the Creeper, catch me if you can."
And it was named after a villain, the Creeper,
from a 1970 episode of Scooby-Doo, Where Are You?
So hang on, when it was the ARPANET,
it was just the military, right?
So this was, some soldier somewhere wrote this.
Right, okay, so I've got some friends that serve, and if you think that soldiers are not beyond this type of... well, yes.
So, yeah, there's guys that had competitions to see who could eat the most ration packs when they were bored in Afghan, I think. You know, one of them managed to eat like 16,000 calories and got taken to sickbay. The other guys, where they shave off their eyebrows for...
Oh, yeah, no, dares.
You know, that kind of thing, where they give themselves like reverse mohawks, the reverse Terry Nutkins, so they shave like the back.
Yeah, so yeah, I mean, if someone in the military did this, it's like, you know, I'm completely...
That's quite impressive.
Yeah, it's quite impressive. The one we used to do with the ration packs was, you used to get this orange powder that you put in your water bottle so it would make orange juice out of basically a litre and a half of water or something like that. And so the dare was that basically you poured the entire contents of this packet of dehydrated orange crystals onto your tongue
and you had to hold your tongue out for as long as possible.
So there's a row of you writhing in pain as the thing desiccates your tongue.
I'm sure that didn't do us any harm whatsoever.
That's a great soundbite I'm going to take out
of this part.
So just to add a bit of
colour to this story, like you were
joking about, it wasn't soldiers that actually created it.
So Creeper itself
was an experimental programme
written by Bob Thomas
in... Oh, someone's clicked the link!
In 1971.
Well, he's got a Twitter blue, isn't he?
He can click the link.
No, no, no.
I can't.
Okay, okay.
I can't use two text message authentication.
Okay, okay.
Back focus.
But that wasn't the...
So it was designed to move between mainframe computers.
And then there was the later version by Ray Tomlinson,
and this was designed to copy itself between computers
rather than simply move.
And this self-replicating creeper is generally accepted
to be the first computer worm.
Did you just send Graham Cluley a text message
whilst we were talking?
Yes.
Yeah.
Yeah, exactly.
Exactly.
This gets more interesting.
This is really interesting.
So Raymond Tomlinson, who...
Of course it's interesting.
I wouldn't talk about it if it wasn't.
You'd done it.
I just don't have access to the actual link.
Was an American computer programmer who implemented the first email program on ARPANET.
So that's why he had access to ARPANET and he done it.
And that's where he released Creeper.
But then he also created Reaper,
which was the first antivirus software designed to delete Creeper.
Oh, now that is interesting.
So he made the first worm and then he made the first antivirus software.
And John McAfee was a little kid.
Look up to him and say, this is genius.
I could do this.
Well, I was going to say, did this fellow then charge a subscription fee for said Reaper?
You know, it's almost as genius.
I used to work for a company which, on the business-to-consumer side,
we would sell personal information to anyone who subscribed for it.
And then we had a B2B side where we would offer identity verification solutions to companies
to make sure that the people
using this data was
all this stuff
is entirely legal as well.
At the time, Your Honour.
It still is.
Really?
Under certain conditions.
Under certain conditions, yeah.
The condition being if you do it,
we'll send you down.
No, heavily regulated.
But yeah, no, entirely legal to broker information like that.
Wow.
Well, thank you, Jav.
I mean, it's fascinating what happens when you actually are able to click on the link that you originally...
That Twitter blue is paying for itself.
Exactly.
I know, I know.
I'll expect to see the expense claim for it come through into Host Unknown Towers forthwith.
All right, brilliant.
Thank you for this week's.
This Week in InfoSec.
You're listening to the award-winning Host Unknown podcast.
It's better than tinnitus.
I always forget how much of a direct statement that is.
It's quite an interesting one.
Right, let's move on to the angry ranty part, shall we?
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
So I think this was one of the earliest stories that we covered, wasn't it? Back when we first kicked off... oh, not first, when we second kicked off this podcast, back in sort of May...
Oh no, August 2020, something like that, I think it was. When did we
start the podcast? April or so, wasn't it?
April, May? Well, actually,
2014. No, no,
I mean the proper time.
The reboot. Yeah, exactly.
Like with Doctor Who, when it originally
started in 1959 or
something, but everybody considers
it having started again
in 2005.
2005. We did actually delete the original series, didn't we? Because there was some... I think, you know, I drank a lot in those days.
No, no, I think that was me.
Oh no, you did, you did as well, in fairness. But yeah, I think mostly it was... there's one night we were actually about to go home and then we just decided to go and get some champagne in a bar instead.
Oh my God, yeah.
Well, I think we did that a couple of times.
That was you two, not me.
Yeah, exactly. Yeah, yeah, I remember that.
I remember that, and we bought one bottle and then went, well, I might as well get another one.
Well, since the first one was your round, I best get my round in.
Jeez. Oh my God. Not good, not... Anyway, I do recall we covered this.
So it's about a company called Blackboard who experienced a ransomware infection in May 2020.
Not uncommon. You know, it was certainly... I wouldn't say the early days of ransomware, but it's when it was becoming more and more of a commodity.
What they didn't do was what you should have done, which is basically deal with it and hopefully recover and inform
customers and not negotiate with criminals and all that sort of thing. What they did was they
quietly paid them off, didn't tell the customers about the security breach until a whole two months later.
And then when they did tell them, it assured them that the cyber criminals did not access bank account information or social security numbers, according to the SEC investigation.
By the end of that month, so by the end of July 2020, so it's more like August,
Blackboard personnel actually discovered that the criminals had accessed unencrypted donor bank account information and social security numbers. But the employees who discovered it didn't tell senior management, allegedly, about this theft of this sensitive information because there was no policy or procedure in place for them to do so.
Which kind of tells you two things. One, there's a company that doesn't have any idea how to run its business, you know, from a policy or procedure perspective. And two, the calibre of people it employs that do not think that it's relevant to escalate the theft of personal, sensitive, confidential information of people who it holds accounts for, too.
Shocking. Well, anyway, let's fast forward, shall we? Blackboard has agreed to pay three million dollars to settle the charges that it had made misleading disclosures about this ransomware infection. They did steal over a million files. So that's basically $3 a file.
And a million files belonging to 13,000 cloud software slinger's customers.
Now, the thing here, though, is that although Blackboard are going to hand over the cash, they are doing so without admitting or denying the regulator's findings, the SEC's findings. So basically they're saying we did nothing wrong, but here's three million quid just to keep quiet. That's called doing a Prince Andrew, isn't it?
I think it is, except it's...
Yeah, well, I was going to say except it's with taxpayers,
not with that.
It's not with taxpayers' money.
Maybe it is.
Who knows?
And here's the thing.
Blackboard is pleased to resolve the matter with the SEC
and appreciates the collaboration and constructive feedback
from the commission as the company continually improves
its reporting and disclosure policies
Continually? Surely they should have fixed them back in 2020. Continually, my goodness.
We can turn this into a positive learning experience.
I know, yeah. Mealy-mouthed words, I think, is a phrase I picked up from you, Jav. Mealy-mouthed words. It's appalling. It's one thing for things to go wrong; it's all about how you react afterwards, and Blackboard have reacted very, very poorly. What did Blackboard do? I can't remember now. I might even have to click on a link to find...
I think they provide some software for schools.
That's right, it's a pun on blackboard.
Yes, of course, of course.
Yes. So, yeah, this is a US company, where there is a, you know, the educational standards are not at the highest levels in the first place.
Schools are handing over what little money they have.
They can't even afford to pay teachers properly.
The little money they have to companies like this.
And they are just, well, just pissing it into the wind, frankly.
Over to you, Jav. I'm looking forward to what you've got to say about this one.
So I'm just surprised when you went that they had bad policies,
they had no policies in place.
I'm surprised you didn't take the opportunity to direct them to your blog
where you had resuscitated as of late.
And you did write a detailed but, you know, coma-inducing blog.
I did say up front, in fairness, that this is probably the most boring blog you'll read, but it is quite important.
It is, it is, it is important. So tomlangford.com, for those of you who don't know, go there and you can read his blog on documentation. You too can fall asleep in five minutes or less, or your money back.
Yeah, yeah, you just need to do an audio version of the blog post and that'll be like really good.
Yeah, what's the opposite... yeah, I'll get Steven Wright, you know, that American comedian, to read it out.
Yeah, no, I mean, I think overall the conclusion I agree with, but, you know, as always, you love to get a bit of victim blaming in there. Oh, they didn't have policies. It's like you're the type of person that, after someone gets beaten up and mugged on the street, you're like, well, it's your fault for not learning Brazilian jiu-jitsu, mate. I mean, like, how ridiculous it is that you weren't, you know,
this is how you react when someone tries to pull your phone away.
You are clutching at straws here, Jav, but bravo.
I am, I am.
But I can't just let you get away with it.
Admire the dedication to disagree.
Absolutely.
I mean, hey, this is, you are fulfilling your job duties to the fullest extent here.
Is it malicious compliance?
That's it.
But, uh, yes, it is. It's not great, is it? It's not great. And it's far too many companies are doing this sort of thing, you know, we'll pay this to settle this matter out of court,
you know, but we're not saying we did anything wrong.
The fact that, oh, I don't know.
I think part of it is the public, you know,
the public purse is not very,
is not as fat as the private company's purse
when it comes to legal fees.
And so, you know, the public companies, you know,
the equivalent of the ICO or in this case, the SEC,
they have to, you know, it's better that they take the money
in order they can continue to exist than it is to actually see this
through to what should be the logical end
and a far greater fine.
I mean, this is a 1.1 billion
revenue company.
This is not a massive
sorry, this is not
a small
company by any stretch.
We're in the wrong business.
We are.
They lost 45.4 million
as a result of this
in their revenue.
But I guarantee you that's been more than made up.
And I wonder if that 45 million includes this 3 million. I don't know.
Probably not. I'm sure they sandbagged that money back in 2020 anyway.
So, yeah, it's so disappointing. So disappointing.
Rant of the Week.
This is the award-winning
Host Unknown podcast.
Guaranteed to be a solid
five out of ten
at least once a month
or twice your money back.
And you can take that
to the bank.
Now, you've been very kind to me on that one, Jav.
So I will cut you just a little bit of slack on this next one. So over to you for...
So this next Billy Big Balls, there's two stories today, and the first one is a short one, so I'll just make this quick. Microsoft, a software company that, you know, does Windows, you might have heard of it. So when you buy Windows, you have to buy a copy of the operating system, or Office, or what have you, and...
Spoken like a man that's never used Windows in his life.
Wow, blimey, that's really trying to fit in the gaps here. He's got no idea what he's talking about.
You're coming here for the educational side of security, and Jav's nailing it. Nailing it to the floor like jelly on the wall.
Honestly, it just seems like such an alien concept to me. Like, you buy the laptop, surely you should have the software and everything, the operating system on it, basically. And like it should give you, surely just open it and the Apple lights up and it's good to go.
Exactly. I just don't understand this, like, you know, ancient, ancient technology systems.
Anyway, there was a South African-based freelance technologist who paid $200 for a genuine copy of Windows 10.
And upon putting in the key and everything, it just wasn't working.
So he called up Microsoft, the official support, like it's proper Microsoft, and the engineer couldn't get it to work, so he ran unofficial tools to crack the copy and bypass the Windows activation process.
That sounds like a real "fuck it, ticket closed" type situation.
That is, I mean, brilliant. I like that. It's just like Microsoft, like their own engineers are like, yeah, forget it, let's just bypass this whole process. But if you see, like, the guy is actually... so he's watching this happen through remote screen sharing and it's like, he's like,
hang on a second.
Did you just crack it?
Like the guy's like,
yeah.
But did you see that?
He actually said that he contacted like their company to say like Microsoft support agents saying like,
hang on a second.
This is like,
I paid for this.
This has just been cracked.
Right.
And Microsoft support,
I replied,
they're like,
man,
this is the second time someone's reported that guy doing this.
Oh my God.
Oh, my God.
I thought this was just one of those rare,
extraordinarily rare edge cases where, you know, this is the only way.
But no, it seems like this guy probably just isn't quite competent enough
to fix an issue.
No, no, no.
He's probably one of the most efficient people on that support desk.
He's closed the most tickets,
but he's made Microsoft the most vulnerable as a result.
Successfully failed.
Task failed successfully.
Yeah, that's the one.
This is like those Ponzi schemes.
It's bound to fail eventually,
but in the process, you can make a lot of money.
He just needs to get out. Like, as long as he's out within like 18 months with the record number of tickets closed, it's like, yeah, he's good.
Oh, I'm just praying his next job is at Apple and then maybe he can get some free, like, operating systems from Apple. That would be so good.
Oh wait, anyway, moving on to the next story. Cerebral is a company, a mental health startup. They specialize in mental health and they collect a lot of information from people, I suppose. I think it's Andy that says, like, the millennials are the generation that normalized speaking about your problems, or something along those lines.
Yeah.
So there's a lot of these services online, especially since lockdowns and everything.
A lot of these services moved online and people got like, oh, this is really good.
So they said that they inadvertently shared sensitive information of over 3.1 million patients.
What?
The data includes everything from their names, phone numbers,
email address, birth dates, IP address, insurance information,
appointment dates, treatment, and more.
This is just a colossal, colossal mess up.
You know, there's a self-assessment app on the company's website,
which obviously collects this.
Patients can use it to schedule therapy appointments
and receive prescription medication.
So, all good. Who did they share it with? Because I'm not... I'm refusing to read ahead.
So they shared it via their, how was it, the tracking pixel, or tracking tools, that they use since 2019.
And they shared it with all of our favorite companies,
Meta, also known as Facebook, Google, and TikTok.
So TikTok is in the same bucket as Meta and Google in this story
and this case.
The information got out through use of its
tracking pixels
and
that's what all of these companies used to
develop. So clearly
we're all going to turn a blind
eye to the fact that Meta and Google
have got this data but of course
China
China has this information and oh my gosh, what are they going to do?
They're probably going to send targeted videos to mental health patients
and mind control them into voting for whoever the person doesn't want them to vote for.
Well, maybe the young perp jiggly dancing will cheer them up.
You never know.
Or maybe give them, like, body dysmorphia.
I don't know.
I don't know why this story was in the Billy Big Ball section
or who put it there, but I'm struggling to find out.
I think you know who put it there, and I'll tell you why.
Because they actually admitted to sharing the data.
Like, they actually held their hands up
and they were completely transparent in everything.
Unlike Blackboard, which Tom shamed horrendously.
They didn't try saying, you know, no...
They didn't try...
See, what they could have done was say,
want to make it clear,
no credit card data was compromised as part of this breach,
which is a standard go-to clause for any company that's been breached.
Ignoring the fact that you've got names, phone numbers, email addresses,
birthdates, IP addresses, insurance information, treatment,
and all of that stuff, as long as your credit card's not compromised,
focus on the positives, people.
Did they actually say that there's no credit card in front?
No, they didn't.
This is what I mean.
They actually just full transparency, like, you know,
we got severely rolled over and everything got taken.
Oh, I see.
So they're saying we got this wrong, not, you know,
yeah, we're doing this.
What are you going to do about it?
Yeah.
No, they were like, no, no, we really... mea culpa.
Okay, okay, yeah. That probably doesn't make it any better for people that have, you know, got those 3.1... but, you know, they could have said, you know, instead of saying 3.1 million patients, they could have said a small subset of our patient list or, you know, a number of our patients or a number of our clients.
God, somebody's done the research on this story.
No, I just looked at the notice and I thought, yeah, it's like, wow.
There's no... It's not on Twitter, is it? So you can see.
Yeah, I can read that. Yeah, there's no... Yeah, just not trying to play it down or dress it up or anything.
But, you know, I don't think we give enough credit to people
when they do come clean.
Very true.
Very true.
Yeah.
Wow.
Blimey.
Yeah.
Yeah, I agree with you on this one, Jav.
I have to say, I can't find...
I can't even make up a flaw on this one.
Very cool.
Other than disclosing that information in the first place,
which is a pretty big flaw.
Yeah, well, I mean.
And via a tracking pixel of all things.
I mean, come on.
Yeah.
Excellent, Jav.
Thank you for.
Billy Big Balls of the Week.
We don't research the story, but let us tell you what we think based on the headline.
You're listening to Insights from the award winning Host Unknown podcast.
Do you know that was randomly selected, but very, very relevant just now.
Okay, so talking of randomly selected things and links, Andy, what time is it?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
UK's new privacy bill could mean more work for firms.
Industry News.
Blackbaud settles $3 million charge over ransomware attack.
Industry News.
MI5 launches new agency to tackle state-backed attackers.
Industry News.
Humans still more effective than ChatGPT at phishing.
Industry News.
Humans still more effective than ChatGPT at phishing.
Industry News.
NCSC calms fears over ChatGPT threat.
Industry News.
UK joins US, Canada and others in banning TikTok from government devices.
Industry News.
US government IIS server breached via Telerik software flaw.
Industry News.
And that was this week's...
Sorry, ChatGPT wrote these...
Well, that's huge if true.
Huge, yes.
Huge if true.
Was that deliberate or complete accident?
Complete accident.
So what happened was, you may have noticed,
the show notes came through quite late last night.
And when I was putting the headlines in, I copied them back to front.
So the latest news was at the top rather than the oldest news being at the top.
So I then swapped it around and obviously just, you know...
Oh, I see, I see. Okay, okay.
Well, humans are very... not very effective, still less effective than ChatGPT at creating show notes, it would seem.
Yeah.
Um, so this... uh, what was I?
Yeah, UK joins US, Canada,
others have been banning TikTok from government devices.
And despite me not being on TikTok,
I do tend to agree with you,
both of you around this sort of, well, this furore over TikTok, but nothing else.
I don't have a problem with this particular thing,
you know, banning TikTok from government devices, as long as, you know, Twitter and Facebook are also banned
from those government devices. But I put money on the fact that they're not. Yeah, it's just,
I mean, if you want to be racist or say it for political reasons, be upfront and say it's because
we don't like China. Don't try to hide behind this smoke screen of like, think of the data, think of the privacy,
think of like, you know, everything that's in the hands of people we don't want. If that's the bar,
you're going to say that any app that leaks data, that goes, that takes data that we don't know
where it goes to a foreign government. If that's what you're applying, then there's a whole bunch
of apps you're going to have to ban
from government-owned devices.
It's not just TikTok.
But if you're open and say, like, the reason we're banning it
is because we don't like China, then say it.
And, you know, that's what they've done with Russia.
Or we don't trust China.
Yeah.
Yeah, yeah.
Yeah, exactly.
But don't hide behind this fake pretense of, like,
we're doing it for privacy or cybersecurity reasons.
Especially as I'm sure Facebook data gets sold to China, in some way or another.
Yeah, the same with Twitter, etc.
Well, Twitter will, just so they can pay the electricity bill.
It's like, what you need to be in the business of is, like, uh, you know, um, War Dogs, but for data.
So you buy the data from Facebook, you launder it through some intermediaries, it ends up in Taiwan or something.
There you go, there you go.
What else we got here that's of any interest?
So MI5 launches a new agency to tackle state-backed attacks.
And it's called the National Protective Security Authority, the NPSA.
So that's a new acronym you need to put in your vocab and reference it often.
I'm sure all the big threat intel vendors will be.
Why can't GCHQ deal with that?
Well, NCSC.
Surely, National
Cyber Security Centre could.
That's really weird.
And why is MI...
What's MI5 launching this for? Surely
they should just be, you know,
drinking their martinis and shit like that
instead.
No idea
what this...
This is all very government-based.
It's announced by... it is the PM announces a major defence investment and launch of Integrated Review Refresh.
So this is probably, like, I don't know, it's how they're siphoning cash off somewhere.
And it's how they siphon budget off.
Yeah, it's funding some kind of
black ops thing.
I've seen it on the telly.
Yeah.
So we know that
hostile actors are trying to steal intellectual
property from the UK institutions.
The NPSA will play
a crucial role in helping businesses and universities
better protect themselves.
This is literally what the NCSC does.
Yeah, it is literally what the NCSC does.
I find that, yeah, that's really weird.
I don't know.
Q, if you're listening, or M, can you give us a call
and just explain this a bit more?
I was going to say, I'm not sure Quentin's going to be able to help,
but maybe Mike will.
I'm not sure.
Yeah.
And IIS server breached via Telerik.
Isn't IIS very, very old?
It is very. I think that's the, uh... it is, it's like, it was, um... yeah, it's like the Tom Langford of web servers.
I remember installing IIS servers, for Christ's sake. I mean, that's how old it is.
I think, wasn't the last version something like IIS 3 or something like that?
No, it got to IIS 7, I'm pretty sure.
But, uh, the last one I installed was IIS 3.
Yeah, so I think IIS 6 was like the really stable one on NT4, and then it had a tool called IIS Lockdown,
which you just ran this EXE and it closed all the ports for you.
That's what we called hardening back then.
Nice.
Yeah, it's nice.
Wow.
That's really bizarre.
Yeah.
So in case you missed it,
apparently humans are still more effective than ChatGPT at phishing.
I'm actually just reading it. I, um... I did, actually. Cheers.
Yeah, yeah. So I messaged you yesterday, Jav, asking for some stats on, like, you know, what the average sort of click rate is, uh, you know, from phishing tests.
A very useful survey you managed to share. Thank you very much.
Very... yeah, that's not a survey, that's actually all data from our... pure data from all your clients that buy your service, not realizing you're analyzing, um, everything they do and then publishing it to...
Is that through a track...
They just take it from TikTok. They just... yeah, yeah, it's just direct from China.
Yeah, it comes in a container from a ship from China.
All right, very good, very good.
That was, thank you, gentlemen, for this week's...
Industry News.
You're listening to the award-winning Host Unknown podcast.
Like a real security podcast, but lighter.
All right, Andy, why don't you take us home with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week, despite Jav trying to claim it,
actually comes from William White.
And he says, just passed the university's information security course.
I do like the certificate.
And he has posted his certificate from the University of Oxford.
And across the bottom it says,
this certificate does not imply any specific competence.
Do you know what?
They should add this to the CISSP
certificate.
That would make this really relevant
to information security in this podcast
specifically. I might tweet
that back out. I might retweet that.
Oh, he threw a C-bomb down.
I think this is just like a standard line that should go on every certificate.
Yeah, yeah.
We should actually do that as a disclaimer.
Can we get that as a jingle at the beginning of the show?
The presenters on the show, hosts or no, does not imply that they have any specific competence.
I think that's kind of, um, understood when people start listening.
You know, sometimes there's things you just don't need to...
It might take an episode or two, but they come to the conclusion pretty quickly.
Yeah, brilliant, brilliant. Nice one.
Thank you, Andy, for this week's...
Well, we have careened into the end of the show.
That's flown past.
Absolutely flown past.
Gentlemen, thank you so much for your time.
Jav, thank you, sir.
Yeah, you're welcome.
And Andy, thank you very much.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
r slash Smashing Security.
I can't believe you dropped a C-bomb, Jav.
I'm going to have to get my beeper out.
Yeah.
Yeah.
Yeah, if you could bleep that out.
It's a bit strong for a podcast.
I wouldn't want the Duchess of Ladywell to be listening to that kind of language
when she's walking her dog tomorrow on the Sunday.
She might drop the lead and the dog will run off.
Sorry, Duchess.
Then you'll be in trouble.