The Host Unknown Podcast - Episode 145 - The Being Shouted at Episode
Episode Date: March 24, 2023

This week in InfoSec (12:47)
With content liberated from the "today in infosec" twitter account and further afield

22nd March 2018: The city of Atlanta announced it was victim to a ransomware attack. The attackers demanded $51,000 worth of bitcoin to release the encrypted data, but Atlanta didn't pay the ransom. Whether or not to pay ransom isn't a simple or easy matter, but this proved to be expensive.
https://twitter.com/todayininfosec/status/1638513067259510786

21st March 2001: SMBRelay and SMBRelay2 were released by Sir Dystic at the @lantacon convention in Atlanta, Georgia. The tools were developed to carry out SMB man-in-the-middle attacks on Windows machines.
SMBRelay
https://twitter.com/todayininfosec/status/1638327435434291201

Rant of the Week (19:43)
https://twitter.com/keewa/status/1638853767448735744

Billy Big Balls of the Week (29:08)
Journalist opens USB letter bomb in newsroom
Journalists across Ecuador have been targeted by explosive devices sent through the post. One presenter, Lenin Artieda, was injured when he opened the envelope in the middle of the newsroom. He said the explosive device looked like a USB drive. He plugged it into his computer and it detonated. The Ecuadorean attorney-general's department confirmed it had opened a terrorism investigation into the letters on Monday. It did not name the specific news outlets targeted. However, at least five different organisations across Ecuador were sent the letters. The government has condemned the attacks, describing freedom of expression as "a right that must be respected". "Any attempt to intimidate journalism and freedom of expression is a loathsome action that should be punished with all the rigour of justice," it said in a statement. The interior minister, Juan Zapata, said the devices were all sent from the same town. Three were sent to media outlets in Guayaquil and two to the capital, Quito. While Mr Artieda was injured by the device, others sent through the post failed to explode or were never opened. Police carried out a controlled detonation of one of the devices sent to TC Television, prosecutors confirmed.
From 2017, Mr Self Destruct v1

Industry News (36:51)
Ferrari Reveals Data Breach Ransom Attack
Just 1% of Dot-Org Domains Are Fully DMARC Protected
BreachForums Shuts Down After Admin's Arrest
Malicious ChatGPT Chrome Extension Hijacks Facebook Accounts
UK Government Sets Out Vision for NHS Cybersecurity
New Post-Exploitation Attack Method Found Affecting Okta Passwords
China-Aligned "Operation Tainted Love" Targets Middle East Telecom Providers
UK Parliament Bans TikTok from its Network and Devices
IRS Phishing Emails Used to Distribute Emotet

Tweet of the Week (44:52)
https://twitter.com/evacide/status/1638957449909788672

Come on! Like and bloody well subscribe!
Transcript
So there was some, I got some kind of response on Mastodon from my special guest appearance on Smashing Security this week.
Okay. Were they asking why you were moonlighting on another show?
You know what? I would have taken that. I would have taken that. I spoke about TikTok.
And, you know, and I said a few things, you know, I said a few things that I still stand by. But across three different toots, this person, I'm going to quote it.
I was exceptionally disappointed with the dangerously irresponsible discussion of TikTok on this week's episode.
Tom seemed to blame racism for why TikTok is being targeted globally,
which is at best blissfully ignorant of the adversarial nature
of the Chinese government in the modern world.
Sounds like the sort of thing a racist would say.
Exactly. I'm not a racist, but you can be wary of a dictatorial regime
with a well-documented record of espionage without being racist.
That's one part of it.
The next part: as a security-based podcast you should be aware of China's actions in the world, including a bunch of links: electoral interference, Facebook industrial espionage, Facebook pressuring their diaspora... I'm going to have to look that one up.
Disappearing... Yeah, exactly. Diaspora, isn't that a type of vase for flowers? I'm not sure.
Disappearing CEOs, cyber war, supporting Russia and so on. This is not racism. It's just fact.
China is dangerous. And then the final part, in conclusion, they don't say that, but if the CEO of the company behind TikTok is threatened with disappearance, you'd better bet he's going to give the Chinese regime whatever they ask for.
With TikTok being on a third of devices out there, it's an actual real tool that could be used as part of a cyber initiative.
Please, I love your show.
Well, Graham and Karel show.
But you need to be responsible with facts if you're going to discuss serious issues.
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening
from wherever you are joining us.
And welcome to episode 145 of the Host Unknown podcast, which we're going to be entitled, which we're going to be calling the Being Shouted At episode.
It was quite a surprise to see. I saw them come in in real time as well.
So can you actually... I don't know what the person's name is.
Yeah, I think it's a hacker name. It's weird. I don't know. Right, okay. The funniest thing about this is that they're coming after you, who absolutely hates TikTok, anything related, and the fact that you're defending TikTok in discussion is... the irony is not lost on me, trust me.
No, no, no, exactly.
Exactly.
You know, and God knows, and even Graham made the point as well,
like, you know, how many Chinese cameras are there in the UK Parliament?
In fact, probably US federal buildings everywhere.
You know, even your iPhone is made in China, blah, blah, blah,
et cetera, et cetera, et cetera. You know, it's... I mean, the part... China do disappear people, right? That is...
Yeah, that does happen.
However, Facebook will actually just hand over the data for money. Like, you don't need to... you don't threaten Zuckerberg, you just say, I will give you $50 for all of this data.
You wave a wad of notes under his nose.
He smells it and works out how much it is by smell alone
and then hands over the required number of records.
He licks his lizard eyes and works out how much.
It does amuse me, like, the arguments that are up for about this TikTok being such a danger. Like, I don't understand how people are going to get mind controlled by TikTok. It's, no, you know, I just don't get it, what this... what greater threat they produce. And I know a couple of weeks ago Jav included a link in the show notes for... I think Citizen Lab did the report.
Oh, that's right.
Between Facebook, Instagram and TikTok.
And they are literally identical.
They all gather the same information.
They all do the exact same thing.
It's just that one's not American.
One of these kids is doing their own thing.
Yeah, that's right.
That's right.
I do find it very, very odd. And also, to come after someone like that, and, you know, it's one thing to say, no, I think you're wrong, no, no, I disagree with that, you know, but to, well, effectively call me dangerously irresponsible... I mean, I know I'm dangerously irresponsible, but not in this case.
It's just like Al Capone going down for tax evasion, right?
Of all the things to get you on.
And it's your defense of TikTok that is your undoing in the industry.
I have many, many skeletons in my cupboard.
Your credibility is at risk because of your defense of TikTok.
So, yeah, I mean, you can find it on the toot site if you want to. I'm certainly not going to be outing this particular person. That's fine, you disagree, whatever. But the funniest part was, and Smashing Security did respond, which was more than I did. You know, I tend to avoid wrestling with pigs, because before you know it, you realize the pig's enjoying it, right? But Smashing responded with: Thank you for your feedback, mappo. We agree that this is a complicated issue. Yeah. But we do think it's important to point out
that there is much more Chinese tech
integrated into our lives
that does not seem to create anything
like as much anxiety amongst governments,
which I think is very true.
Here's the kicker.
However, I think it's fair to say that,
like most things,
this is all our guest Tom's fault.
Dodging that bullet, Neo Star.
Absolutely, absolutely.
So when you post this show, can you actually tag him in your toot?
I mean, I could.
Just so we get that one extra download.
Yeah.
All about numbers, baby.
Just for the week. Absolutely, absolutely. You know, and dude, dude, if you're out there and you, you know, if you want to send us a little soundbite, you know, we tend to ask for 60 seconds or less, in fairness, because we like the sound of our voices more than yours, I'm sure. But send us a soundbite. It's cool, man. You know, it's all good.
Play it unedited.
Yeah, we will, if it's under 60 seconds.
Yes, if it's under 60 seconds. But yeah, do... In fact, yeah, I'll tag you on the toot site on this. And, yeah, check out our back catalog and you'll be surprised at how much Tom does not care for TikTok.
I know. I know. In fact, I suggest you start an episode, whatever it was when we started, and download them all.
Tell your friends, get them to download it. You know, it's almost like, well, we don't have sponsors to keep happy, let's face it.
So, yeah, it was quite a week. I mean, but fair enough, you know, if we all agreed with each other it would be a fairly dull world, wouldn't it?
Indeed it would be. So absolutely.
But otherwise, other than that, Andy, how was your week?
Busy. I bet you didn't know I was going to say that, right?
No.
Right. End of the financial year, audit committee, met a few people. In fact, lots of eating this week. Went out for lunch on Wednesday.
Oh, now we know why it was lunch on Thursday.
And then went out for a meal in the evening, Thursday evening. So it was, yeah, lots of socialising and eating.
Nice.
It comes with work.
It's all life balance, right?
Well, it is.
It is.
Otherwise, it would be boring, right?
Exactly.
And how, oh, should we actually mention that we've taken Javad off air
for the month of Ramadan?
Yeah, exactly, because he's a miserable git when he comes to.
Yeah, exactly.
When he's hungry.
I mean, in fact, you know,
we weren't even, you know, you even said
before the show, should we mention Jav not
being here? And he's kind of like, well,
I mean, you know, people might notice by
around about the 40 minute mark, I don't
know.
So, yeah, no, we have taken him off air
because we just would not do that to you,
dear listeners. He is one of the grumpiest mofos you could ever...
Oh, my God.
I remember that conference well.
Oh, my days.
He was grumbling to himself, wasn't he?
Yeah.
I think me sitting with that giant box of flumps, marshmallow flumps in front of us,
and you leaning over from one side,
me leaning over from the other,
probably wasn't helping him.
I mean, what a snowflake.
I know.
But how was your week?
Anyway, you were a premier.
I was.
In fact, I was with Javad last night.
Okay.
Obviously, I have the sundown... Yes, it's a lot more tolerable. Because, as you probably recalled, Andy, he invited me to the premiere and not you.
I don't know why he didn't invite me.
No, there was even an empty seat next to me. What the hell was that all about? But it was, as we all know, he works for KnowBe4 and they have, as part of their awareness campaigns and stuff, a series of films called The Inside Man. And they're, I guess you could call, sort of like Netflix-style dramas which are InfoSec education as well.
Yes.
And they're written and directed by friends of the show, Jim Shields. And the premiere, this was season five, and so it was a 12, 10-minute episode. So it was a proper, you know, full-length movie in that sense, with like 10 chapters in it. And the premiere, get this, was in the Odeon Leicester Square. Like, proper, proper. The film Dungeons and Dragons were kicked out and had to do it in like a temporary structure in the middle of Leicester Square in the rain, whereas we were in the Odeon Leicester Square proper. You know, I took a picture of it, big screen out front. It was good. It was really good. It was odd walking out of the auditorium and seeing, like, you know, the baddie of the film just sat there. Or not sat there, he stood up and walked into the toilets and I thought, oh my god, he's going in for a pee, what's he going to do?
Oh, no, no, no. He's an actor, Tom. He's an actor.
But then just everywhere I looked there were people who were in the show. But yeah, it was very good. It was good fun, I have to say.
Good drama.
Brilliant.
It was very, very enjoyable.
So if you happen to have KnowBe4's stuff
and you get access to it, I'd highly recommend it.
I'd highly recommend it.
Superb.
Yes, yes.
And then Jav disappeared. I mean, he said he wasn't even going to turn up this morning.
So yeah, as you say, as you say. So shall we talk about... no, I'll rephrase that. So talking about turning up, talking to turning up, and just phoning it in,
shall we see what we've got coming up
for you this week
this week in InfoSec takes us back to a time
when it would have been cheaper to pay the ransom
Rant of the Week explores
the grind culture Gen Z
are afraid of
Billy Big Balls makes removable media
policies worth their weight in gold
Interesting news brings
the latest and greatest security news stories from around the world
and tweet of the week is a
message from the Electronic Frontier
Foundation's Director
of Cyber Security.
Ooh.
So,
let's move on to
our favourite part of the
show. It's the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And our first story takes us back a mere five years, to the 22nd of March 2018, when the city of Atlanta announced it was victim to a ransomware attack. The attackers demanded US$51,000 worth of Bitcoin to release the encrypted data.
But Atlanta did not pay the ransom.
Good.
Indeed.
And also back then,
I mean, what,
we're talking five years, right?
This is before the peak of Bitcoin,
wasn't it?
Yeah.
Not actually that much,
you know, all things considered.
Well, 51 grand.
Yeah.
I mean, that's almost what they charge a private individual these days.
It is.
Well, yeah.
I mean, whether or not, you know, to pay the ransom isn't a simple matter.
I think we're about to find out.
We're about to.
In this case, it actually proved to be an expensive one.
So this occurred in March 2018.
By June of 2018, the city had spent $2.7 million on contractors
in order to try and recover that data.
But unfortunately, those costs spiralled and was, you know,
re-estimated at $9.5 million.
But then it actually transpired, the following year's accounts, they actually spent $17 million on the recovery. I think contractors are just taking the piss, aren't they? A lot of lunches or something, you know. The contract day rates are like, right?
Actually, I know big... We've all worked for big enterprises, right?
We all know that this stuff is expensive.
I don't think any of us have spent 17 million on something like that ever.
No, but you know what?
When you've got a whole city by the short and curlies...
True, true. You can just print money. And I suspect, you know, the procurement teams potentially, you know, maybe, I don't know, I'm just speculating, but maybe they were not, you know, in the best position to realize, to negotiate, people they needed.
Yeah, yeah. I mean, that $17 million, that's got Mandiant written all over it.
I'm just saying, if it looks like Mandiant, if it smells like Mandiant,
and it charges like Mandiant, it's probably Mandiant.
Yeah, yeah, that's true. That's true.
Those swanky offices don't buy themselves, you know.
Yeah, exactly.
But, no,
$51,000 to
$17 million, that's
quite a swing.
Potentially one of those scenarios
where you'd say, you know what, maybe
we should have paid that ransom.
Just being done with it.
Because at that price you could afford to get ransomed.
God knows, I can't even
do the sums.
But, you know, significantly more than twice.
Percentage-wise, yeah.
Exactly.
Oh, dear.
But, yeah, no, big one. But, yeah, our second story just takes us back a mere 22 years
to the 21st of March, 2001,
when SMBRelay and SMBRelay2
were released by
Sir Dystic at the LA...
oh, sorry,
the Lantacon convention.
Yeah, Lantacon convention.
Or the L-A-N-T-A-Con.
Yeah, I was reading that as LA, but no, it's Lantacon in Atlanta. See, I avoid the South, you know.
Yeah, generally.
Yeah, exactly.
Or those sister cousins you don't want to offend, right?
So these were tools which were developed to carry out SMB man-in-the-middle attacks on Windows machines.
And so these issues have been known since day one of the protocol being released. And this is where Microsoft's famous... it's not a... well, not actually, I'll say Microsoft's famous "it's not a bug but a fundamental design flaw". To assume that nobody has used this method to exploit people is silly. So it was seven years after this was discovered that Microsoft released a patch for one of the vulnerabilities that the tool exploited.
But, you know, when we talk about seven years to patch it...
Yeah. But you think, like, 2000s was an easygoing time, right?
Yeah, we didn't have this sort of robust... And, you know, we've mentioned it before about how Windows Update only became a... you know, Patch Tuesday only became a thing sort of in the last five plus, five plus years.
Yeah, even that long. You used to have to wait until the CDs came out on the covers of magazines.
Yeah, and that was assuming no one else in the office had nicked your, um, yeah, MSDN disc.
Yeah, exactly. Yeah, it nicks the floppy disk. Yeah, exactly.
Oh, yeah, it would have been a floppy disk back then, yeah.
So it was, yeah, quite a big one.
But I think people often think of man-in-the-middle attacks, so they hear it a lot more now with SSL.
Yeah, I think that's where it really came to prominence.
But this is, you know, these attacks were around long before Firesheep and, you know, all the SSL stuff that Moxie Marlinspike...
The thing that gets me on this, though, is you can tell this Sir Dystic is not very commercially minded, because they released SMBRelay and SMBRelay2 on the same day, rather than sort of waiting six months, charging for the upgrade.
Exactly. But back then, what, you know, people didn't use Adobe to create funky logos. You know, branding wasn't, you know, top of mind.
True, yeah. We just didn't have the right brand consultants back then.
No. Here's this cool tool I created, and here's its successor straight away. But hey, have both, and here's all the source code. It's completely free. I'm not looking for any money on there.
No, no, it's right. That's right. Wow. Very good, very good. Thank you, Andy, for this week's This Week in InfoSec.
This is the award-winning Host Unknown podcast. Guaranteed to be a solid 5 out of 10 at least once a month.
Or twice your money back.
And you can take that to the bank.
So I would say you probably gathered
it's not going to take much for me to get into character for this next one.
Listen up!
Rant of the Week. It's time to mother rage. So, I mean, this could have been a Tweet of the Week really. I mean, it's actually two tweets from... are they tweets? Yes, they are tweets.
Well, so I think it's a tweet of a LinkedIn post.
Oh, it's a tweet of a LinkedIn... Ah, there you go. Thank you, thank you. You can tell how involved I am in these show notes. But it's from somebody called Naya, N-I-Y-A, founder at Tech Employees. I'm going to read it out. I'm doing a lot of reading today, but I'm going to read it out. It's in two parts, so I shall comment after the first part, and then I'm going to do the second. First part: Elon Musk is under fire for building bedrooms at Twitter HQ for employees. I don't get it. To be honest, I slept under my desk at least three nights a week when I worked in banking. The first time I got promoted to a manager, I had to work 16 to 18 hours routinely. I'd finish work at 2 to 3 a.m., sleep on the floor, janitor would show up at 7, I'd go shower in the gym and pick up dry cleaning to change into and back to work. I always wore my hair up and it was always wet because I never ever had time to blow dry it. That's how intense the grind was. I would have killed for a bed in the office. This kind of grind is highly desirable early career.
What?
What?
Oh, my God.
How does everyone not know this already?
Do they not teach this at school anymore?
Why do you have to tell people about this?
This should be ingrained in your behaviours.
I think this person has sort of found a time machine and come forward from the Industrial Revolution, and there's, you know, was slaving away in a cotton factory for 18 hours a day, you know, got home to a shoebox in the middle of the M1, ate a handful of hot gravel and got whipped to death every night by their father. I don't know. Monty Python-esque, to say the least. And this, you know, the first part made me angry because, frankly, it's self-perpetuating in that other people see this behavior.
It becomes the norm.
And before you know it, everybody's doing it.
Everybody's burning out.
And it's just absurd.
And the business, as a result, is actually unsustainable.
Because as soon as there are normal working practices put in place, then actually they realize they're not getting as much done, because all the previous people were killing themselves to actually keep the show running. And, as I say, normal working practices, everything collapses. So it's not good. It's not sustainable.
Yeah, but you know what, I'm not going to... I'm going to play the role of Javert this week, right?
Okay.
There are, I think there are different work ethics versus different generations, right?
So I think, you know, Gen X is definitely of a particular type of work ethic.
And, you know, we talked about this before, you know, like millennials sort of talk more about mental health, and then Gen Z want their safe spaces and, you know, non-binary, you know, references to, you know, pronouns to be used at all times. And I'm not criticizing any of them, right? I think they're just all very different. But where you have a clash is where, you know, you have that variety of generations working together. Say, like, you hired one from each generation, all paid the exact same, so doing the exact same job. I believe you would get very different output from, you know, all three of those. And I suspect that on paper that output looks less as the newer gen... you know, as you get closer to the newer generation.
Well, volume or quality?
And I think there's... well, yeah, I think there's a distinction there. Yeah, I think there's...
But assuming they all delivered to the same quality, I do still think you would get more output.
Well, by the mere fact that they're working 16 to 18 hours a day, yes, absolutely.
But they're getting paid for eight.
Yeah, but it's the difference between people that... Everyone does the same job, but some people keep their eye on the clock, and as soon as five o'clock hits they're gone. I mean, they pack their bag at five to five and they sit there watching the clock, versus people that would just hang around, finish what they're working on and maybe stroll out 20 past five instead.
Yeah, I know, I agree with that. And, you know, and we were talking, obviously, just before the show.
And I said, we've all worked like this. Talking to work shy people, Jav.
Yeah, talking to work shy people. Exactly, Jav. We've all worked like this, just not as a lifestyle.
We've worked like this when there's a crunch, when things are busy, when there's, you know, a backlog or when there's a particular project on or whatever.
But this particular person is making out that this is normal, that this is how life should
be.
And so the rant is that it shouldn't be, right?
Yeah, absolutely.
Okay.
Absolutely.
Don't be a clock watcher.
Don't be a clock watcher.
Don't be a clock watcher, but also don't be this person either, you know, who is the direct opposite. And also, it's going to have, you know, it's going to have three good years at a company and then be, you know, medically pensioned off. And here's the thing.
I said the first part made me angry. Here's the second part. And again,
I'm going to read it out. And without wishing to assume a gender or whatever, it's quite apparent this is a woman.
mammogram a few weeks ago, probably one of the hardest days I've had in a while. I'd been going very fast, 12 meetings a day fast, but every morning when I took a shower, I could feel a
very sizable lump. I can wait another week to go to the doctor, me three months in a row. Finally
went with my laptop and my phone, sitting in the waiting room, redlining a contract. 100% denial. We found a lump and we
need to do an ultrasound now. Okay, great. But I have like 10 more pages of this contract to look
at. I could feel the tears rolling down at this point in my head. I had maybe an hour left to
live a normal life before the bottom fell out. And darn it, I was going to finish this contract.
Three hours, two mammograms and three different ultrasounds later,
I don't have cancer.
Holy shit.
Those were the longest three hours of my life.
I finished the contract and I was 100% healthy.
Was the contract worth it?
Yes.
Holy crap.
I mean, that's why I said that made me... that made me sad. And this is not normal. This is not normal. And the thing is, that company, if that company hits a downturn and needs to lose people, they'll drop her in an instant. Maybe not in the first round, because obviously she works hard, et cetera, et cetera.
But if they need to lose, you know, get rid of her, she'll be dropped in an instant without a single thought.
And this is where I think, this is where growing professionally comes into it, right? You know, you work for big companies when you're young, so you dedicate your life to them. And then all of a sudden, their balance, their profits don't look good for the shareholders, so they axe half the people. You know, they do it by Excel. They've got absolutely no concept of who you are, what you do. It's like you just do it, you know. And then you tend to get a bit jaded, you know, as you go into the next job, and it's like, you know, until you get to... you know, that comes with experience.
It's, yeah, yeah. I just... this is both an angry and a sad rant at the same time. And, you know, I think, as we established right at the beginning of the show, there are lots of different opinions on this. And, you know, if this individual wants to work like this, then I'm certainly not going to, you know, wrestle her to the ground and stop her. But really, there is much more to life. There really is much more to life than this. However, Naya, if you're looking for work, you sound like the perfect employee I want in my team.
Yes, very true, because we know how much you work and what time you finish in a day, so maybe you are also the wrong audience for this particular rant.
Rant of the Week
This is the EasyJet of security podcasts
Let's be honest, your cheap ass couldn't tell the difference
between us and a premium security podcast anyway.
So, with Jav not here,
we're going to have to split the Billy Big Ball's duties this week, I think.
Should we take one each, Andy?
Absolutely. It's just take one testicle each.
Let's do it.
There's an image that most people aren't going to be able to wash out their minds for a while.
Oh, dear.
So this is a story. It's the headline. It's just: journalist opens USB letter bomb in newsroom, which caught my attention.
So imagine, Tom, you know that if you find a USB key or if someone posts you a USB key, right?
What are you going to do? Are you going to sit at your desk, are you going to plug it straight in and see?
I'm going to hope it's porn.
Yeah, okay. Yeah, even though it's labeled like, you know, staff bonuses, you're going to hope it's porn.
I'm still going to hope it's porn. Or if it says homework on it, it's definitely porn.
so can you imagine right say you do all of the, say you're a bit more savvy, right?
You've done the security awareness training, you know, not to plug any, you know, strange or unexpected USB keys into your work laptop, you know, while you're connected to the network.
So you think, right, I'm going to be a bit, you know, a bit more cautious about this.
You know, you go and separate yourself from everyone else.
You lock yourself in a small room.
Because it's porn.
Exactly, because it's porn.
You're air-gapped from the rest of the network, right?
Imagine the horror, right, when you plug it in
and it starts to do-do-do-do-do,
something flashes up and then it explodes,
taking your machine with you.
You mean it exploded before I did?
That's outrageous.
That's the worst come down possible in this scenario.
Billy Blue Balls of the week.
Exactly.
Whoa, the thing bloody explodes.
That's incredible.
Yeah, and so this is what has been happening across Ecuador.
People have been targeted with these explosive devices.
Or I was saying people, journalists.
Oh, right, right.
I was going to say random, but journalists.
Damn, that's bad.
I mean, I can only assume they're looking at,
if they're targeted, presumably they're looking
into a specific story or something.
But wow.
Yeah.
So they're saying it's an attempt to intimidate journalism and freedom of expression.
Well, so the government might be doing it then.
Although they are saying, as I read here, that the government has condemned the attacks,
describing freedom of expression as a right that must be respected.
So maybe it isn't, or maybe it's a double bluff. Who knows?
Yeah, sounds like the sort of thing the Conservatives would do.
Yeah.
What, go into a small room and have a wank?
And come out with a new policy, yeah.
Yeah, that's right.
God, if only they made policies with post-nut clarity.
I was just about to say that.
I just about to say that.
I had a moment of clarity.
The world might be a better place.
Wow, this took a turn.
But I see this isn't actually that random. This has actually happened before, hasn't it?
So, yeah, I mean, whether it's happened... but someone has definitely created this tool before. I don't know the guy's name, but there's a Mr Self Destruct, it would seem.
Mr Self Destruct.
Yeah, I don't know if that's what he's called. MG he goes by on Twitter, or they go by on Twitter. Yeah, and he has Mr Self Destruct version one, which is a USB key, and when you plug it into your device... I'll stick a link into the show notes. He's got a video of it, and he did this in October 2017.
Wow.
And so you plug it into your laptop and it brings up a nice little splash screen. So something called the Optimus plays a little tune, a little animation. And then 20 seconds later, your laptop explodes.
Yeah. Yeah. Yeah. It didn't look like that violence of an explosion.
But then again, I was looking at it through a screen and from a distance.
Yeah. So imagine if you're not expecting this. You're sitting at your desk.
You're hunched over it, right?
You're hunched, and imagine you've got one of those, let's see.
You might have even taken your shirt off.
Yeah, and you've got your, what is it,
the Android phone that used to explode a lot?
So you've got your little Android next to you.
The one that catches fire. Yeah, and whatever old end-of-life Mac battery you've got that is also due to,
you know,
likely to catch fire.
That's bulging out the bottom of your laptop.
Yeah.
Oh man.
The Holy Trinity of... of disappointments going on right there.
Oh, dear.
But, yeah, no, obviously not condoning, you know...
Oh, God, no.
..attacking journalists.
But in terms of creative ways to get people, right,
I mean, they do not warn you about this in security awareness training.
No.
Exploding USB keys is not... yeah, is not your average threat vector, is it?
No, but it should be.
Yeah, well, it is now. I mean, it's up there with, you know, white powder in an envelope, and what is it, grease marks on paper envelopes, or paper packages. That's a sign of the potential for plastic explosives and stuff like that.
Beware of envelopes that smell like almonds.
Yeah.
Yeah, but bloody hell, this is...
Well, it's insanely clever and horrible all at the same time.
All at the same time.
Not good.
Not good.
Okay, well, brilliant. I think we handled that pair very nicely, didn't we?
Billy Big Balls of the Week.
We don't research the story,
but let us tell you what we think based on
the headline. You're listening to
Insights from the award-winning Host Unknown podcast.
You are.
And if you thought you didn't have time for anything left,
we're still only about two thirds of the way through.
And talking of time, what time is it, Andy?
It is that time of the show
where we head over to our news sources over at the InfoSec PA Newswire
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
Ferrari reveals data breach ransom attack.
Industry News
Just 1% of .org domains
Are fully DMARC protected
Industry news
BreachForums shuts down
After admin's arrest
Industry news
Malicious ChatGPT
Chrome extension hijacks Facebook accounts
Industry news
UK government sets out
Vision for NHS cyber security
Industry news.
New post-exploitation attack method found affecting Okta passwords. Industry news.
China-aligned Operation Tainted Love targets Middle East telecom providers. Industry news.
UK Parliament bans TikTok from its network and devices.
Industry news.
IRS phishing emails used to distribute Emotet.
Industry news.
And that was this week's...
Industry news.
Huge if true.
Huge if true. Huge if true.
Do you know what?
We should talk about the UK Parliament banning TikTok from its networking devices.
Not enough has been talked about this.
Fortunately, our country is now infinitely safer.
As a result.
Now that government...
Yes, exactly.
Absolutely.
There's no more looking at the jiggly flesh anymore on TikTok.
However, members will still be able to access the social media app on their personal devices using mobile internet connectivity in the House of Commons.
Don't they know the threat that that presents? Outrageous. Outrageous.
Okay, here's one. I actually... this could also be a Rant of the Week: just 1% of .org domains are fully DMARC protected.
Come on, people. Come on. I mean, do you know... yeah, so I've got two views. You go first, get your rant out of the way.
So, well, one, DMARC is fairly straightforward and should be done as a matter of, you know, just a matter of course.
However, .org is probably mostly used by charities, small organisations who may not think they have the relevant skills to do so.
I would suggest you actually just download a few how-tos and get it done, really. Although, in theory, I would also say ISPs have got a job to do here. They should be putting this stuff in as well, as part of the provision of those services. But anyway, do go on.
No, I think you're right. So I was going to say, you know, of this one percent of .org domains, I reckon they probably are charities that are generally using it. And the statistic, when you click into the article, it says that the top 100 .org domains by traffic fared better; around three quarters had DMARC.
Oh, okay. Okay, so we probably shouldn't just read the headline.
Well, yeah, it's a novel concept, right?
However, with that, if you think, who uses a .org other than a charity?
Do you remember back in the day, if you couldn't get a .com,
people would buy a .net.
If they couldn't get that, they'd get the .org.
This was way before country-specific .co.uk.
So I reckon so many people register .orgs and never use them. Probably never used.
Yeah, yeah, yeah. Which is why, statistically, it probably doesn't surprise me that it's that high.
Are they just registered to stop squatters as well?
Yes, yeah, exactly. Yeah, so it's probably... yeah, it's probably a really bad headline to base the story off, actually.
Oh, well, we promise nothing.
Exactly. China-aligned Operation Tainted Love. Please tell me there was a Soft Cell song involved in this.
Play it. It's got to be. It's got to be.
Oh, again, that would be, you know, something appreciated by older millennials and people of our age.
So talking of people our age and relating to stories, I see Ferrari have revealed a data breach ransom attack. So this is... what I liked about this was that they, you know, got ransomware, they got held, and they went public with it. So instead of actually, you know, sort of trying to negotiate or anything, they just said, look, we've... well, I mean, they did water, you know, a limited number of systems in the firm's IT environment.
What the fuck are you doing?
No financial or vehicle details
were stolen, but hackers may
have been able to access names,
addresses, email addresses, and telephone
numbers.
Fair play. Ferrari, I'm pretty
sure they have the money.
But, as I said,
whatever.
Our clients come to us for our product anyway, regardless of whether we've been breached.
It's a status symbol.
They're not going to suddenly switch to Lamborghini because Ferrari.
That's very true.
I mean, and also, in fairness, look at most of the big companies.
I'm like Sony.
I think their share price dipped a bit.
And then, well, you know, I'm still going to buy that telly. I'm still gonna buy that PS5. I'm not gonna suddenly switch to, oh, Samsung. Oh, God, no. You know, so yeah, you're absolutely right. You're absolutely... which was it, this Samsung? Do you remember when those CIA files got released, the red team...
Oh, yeah. Was it Samsung? Samsung TVs that spy on people?
Yes.
Well, there was that story.
In fact, I was recounting it to somebody the other day
where if you plug in or if you either stream or MP4,
sorry, if you plug in a USB stick or whatever,
it actually, somebody ran Wireshark or whatever on the network
and it would phone back to Samsung headquarters saying,
this is the file, these are the files that are being watched,
you know, and very clearly show what people are watching.
So people would change the name of the files
to the name of the president.
I don't know, I don't know the name.
So the file name would read Mr.
Sang Yong sucks donkey dicks dot MP4 and stuff like that in protest.
But yeah, I mean, let's face it.
Any TV you buy today, half the cost goes into the box that it's shipped in.
And the other half goes into the actual TV,
which is selling at cost.
Less than 1% goes to the seven-year-olds that make it.
Exactly.
And they make their profit afterwards by selling your data.
So this was the Weeping Angel was the name of the tool that was used.
Yeah, the spy tool co-developed by the CIA and MI5,
which lets Samsung Smart TV put something to turn itself off
and then record your conversations.
Oh, my God.
It had to be named by somebody in MI5 who was a doctor.
Yeah, of course.
Yeah, absolutely.
Mr. Clooney, we're looking at you.
Yeah, exactly. We know what you're like with viruses.
Oh, dude, very good. Some good stories this week.
Yeah, we're doing well without Jav, actually.
We are. In fact, you know, I just have to unsettle what the UK government's vision for NHS cyber security is. So I just need to, because, I mean, of all the things wrong with the NHS
at the moment, it's very important we get a cybersecurity
strategy out there, right?
Because we've got striking doctors, we've got striking nurses,
we've got two-year waiting lists for serious operations.
But as long as we've got a cybersecurity strategy.
As long as we put them in a room and shout PowerPoint
at them for an hour once a year,
then we're good.
It's good.
So the government's published their strategy designed to boost resilience
in the health and social care sector by 2030.
Oh, great.
We're on top of it.
I assume 2030 is when the Conservatives assume they'll be back in government.
Well, it's only 14.15 now, so we should be good.
Right. Excellent. Excellent.
Thank you for this week's...
Industry News.
This is the podcast the King listens to,
although he won't admit it.
Right, Andy, take us home and let's bookend this show with this week's
Tweet of the Week
and we always play that one twice
Tweet of the Week
And this week's Tweet of the Week is from Eva, evacide on Twitter, and she is the director of cyber security for EFF and the co-founder of Stop Stalkerware.
I did not know that.
Yeah. So she is a very reputable authority, you know, particularly
on privacy, you know, and the like. And she says, if you think the US needs a TikTok ban and not a comprehensive privacy law regulating data brokers, you don't care about privacy. You just hate that a Chinese company has built a dominant social media platform.
Interesting. Very interesting. And yeah, I think it's very fair to say that, like I say,
she knows exactly what she's talking about and she makes a very good point.
I think so. I think so.
I think so.
Which just goes to show this is not a one-sided conversation about TikTok.
Let's ban it because it's crap,
not because it allegedly is going to kill us all in our sleep.
Nothing wrong with TikTok.
That's really fantastic.
Nice one.
Thank you for this week's...
Well, here we go.
What a very tight and fun show that was.
So much easier with just the two of us.
I know.
It just seems to go...
Yeah.
There's no friction.
There's no carrying... no, you know, no carrying of dead weight. It's just very, very, very easy. Very easy.
Well, good. Andy, thank you so much for your time, insights and education this week. Thank you very much.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
And that's where your man from the toot site should go if he wants to
complain about my views on
TikTok. Stick it on
our Reddit channel, don't come
after us. Was it Mastodon? Don't come after us on
Mastodon. Yeah, put it
on our complaints channel on
Reddit. Just there. Perfect.
Perfect.