The Host Unknown Podcast - Episode 149 - It's That Man Again (Again)
Episode Date: April 28, 2023

This Week In InfoSec (09:00)

With content liberated from the "today in infosec" Twitter account and further afield

23rd April 2008: Microsoft announced that some of its antivirus tools had mislabeled Skype as adware for several days due to a bad definition update. 3 years later Microsoft bought Skype for $8.5 billion.

Microsoft mislabels Skype as adware
https://twitter.com/todayininfosec/status/1253558642537713664

26th April 1999: Chernobyl Virus Melts Down PCs

The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus triggers its payload on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history, it is estimated that 60 billion PCs were infected worldwide causing $1 Billion in damages.

The virus had been created exactly one year earlier on April 26, 1998 by Taiwanese student Chen Ing-hau and set to trigger its destructive payload exactly one year later. It began to spread in the wild and was first discovered in June of 1998, given the name CIH due to the author's initials discovered in the virus code. From this time forward it was reported that a variety of companies accidentally distributed the virus through various downloads, updates, and CDs.

When the virus triggered on this date it just happened to coincide with the date of the Chernobyl disaster in 1986 and therefore the press began to call it the Chernobyl virus, even though there has never been any evidence to show that this date was chosen intentionally for this reason.

My memories of Chernobyl/CIH here: https://nakedsecurity.sophos.com/2011/04/26/memories-of-the-chernobyl-virus/

Rant of the Week (17:35)

International cops urge Meta not to implement secure encryption for all

Why? Well, think of the children, of course.

An international group of law enforcement agencies are urging Meta not to standardize end-to-end encryption on Facebook Messenger and Instagram, which they say will harm their ability to fight child sexual abuse material (CSAM) online.

The Virtual Global Taskforce was formed in 2003 and is currently chaired by Britain's National Crime Agency. The VGT consists of 15 law enforcement bodies, including Interpol, the FBI, the Australian Federal Police and other law enforcement agencies from around the world. In its letter [PDF], the VGT said reports from tech industry partners play a key role in fighting CSAM content, with Meta being its leading reporter of abuse material.

But the taskforce thinks that will end if Meta continues its encryption push. "The VGT has not yet seen any indication from META that any new safety systems implemented post-E2EE will effectively match or improve their current detection methods," the taskforce said.

Billy Big Balls of the Week (28:07)

After 13 years, Google has finally added syncing to Google Authenticator in iOS and Android. By adding sync, you no longer need to worry about losing access to your online accounts. If you lose your phone, just restore them on a new device.

All good, right? Err...

https://twitter.com/mysk_co/status/1651021165727477763

Yes, Google syncs your 2FA codes via HTTPS. But Mysk found out they weren't end-to-end encrypted. In short, Google can see your 2FA codes. Furthermore, anyone who can access your Google account (such as law enforcement) can access your 2FA codes.

Oh dear...

https://twitter.com/christiaanbrand/status/1651279598309744640

In response, Google said it had:

"We're always focused on the safety and security of Google users, and the newest updates to Google Authenticator was no exception."

"Plans to offer E2EE for Google Authenticator down the line."

"Right now, we believe that our current product strikes the right balance for most users and provides significant benefits over offline use. However, the option to use the app offline will remain an alternative for those who prefer to manage their backup strategy themselves."

What impressive balls of Google to introduce this new feature to a security/privacy product - after 13 years! - and brazenly do it in an insecure way!

Industry News (37:43)

American Bar Association Breach Hits 1.5 Million Members
Thousands of Social Media Takedowns Hit People Smugglers
Yellow Pages Canada Hit by Cyber-Attack, Black Basta Claims Credit
UK Cyber Pros Burnt Out and Overwhelmed
Quad Countries Prepare For Info Sharing on Critical Infrastructure
Critical Flaw Patched in VMware Workstation and Fusion
Man Arrested for Selling Data on 300 Million Victims to Russians
Microsoft Blames Clop Affiliate for PaperCut Attacks
APT Groups Expand Reach to New Industries and Geographies

Tweet of the Week (45:06)

https://twitter.com/vxunderground/status/1651384225692786689

Come on! Like and bloody well subscribe!
Transcript
So Jav is continuing his suspension this week
For insulting our Indian listeners
Well really still
They were very offended
Well obviously
What are we going to do this week
We've got a subcontractor in
Oh have we
Well hopefully better than the last ones we've had
Well I mean the last one we had was Jav
So what hope have we got really
Let's face it.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, and welcome to the latest episode of the Host Unknown Podcast, episode 149. My name is Graham Cluley.
Hello?
Hello.
Hello? Hello? Hello?
Hello?
What happened there?
You crashed the jingle, man.
I was talking over it like a DJ would.
They're not used to working with jingles in real time, Tom.
This is the problem.
You think they're professional.
Play it again.
Play it again. This is the difference between studio artists and, you know, people that do live gigs. This is, you know, they just don't get it.
Right, right, right. Listen and learn, Graham. Listen and learn.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, one and all, to episode 149 of the Host Unknown podcast.
And that's how you do it, Graham.
Very, very professional. Well done.
Graham, welcome. How are you?
Oh, I am absolutely gorgeous.
Let's be honest.
That's why we get you on, the perfect face for our podcast.
Well, I thought it was time that your podcast had a bit of a refresh, to be honest.
I thought what you really needed was a middle-aged white guy
to join the team of two middle-aged white guys.
I like how you two are banding me in as middle-aged with you two as an example of what middle age is.
And he's not a white guy, apparently.
Oh, yeah.
No, I'm white presenting, but I am absolutely African.
Oh, OK.
Well, you know, that's all right.
You're one of us, I think.
That's the important thing.
One of us.
Anyway, it is wonderful to be here.
What a lovely-looking studio you have here.
It is, isn't it?
It's very similar, from your perspective,
as the Smashing Security one, isn't it?
Well, I suppose so, yes.
I am at my desk rather than actually in your studio.
OK, destroy the magic if you want to.
Yeah, our listeners don't just believe everything we say
without questioning, you know.
You have to question everything we say on this podcast.
Yes, you do.
We're like the ChatGPT of podcasts.
We are susceptible to hallucinations.
We don't read the notes.
We just make stuff up and then call you out if you tell us we're wrong.
It's as simple as that.
It's as simple as that.
So, Graham, we trust you are well.
Smashing has been looking after you well too.
Yes, Smashing Security, that's the name of my podcast, everybody.
I just tell the 18 people listening.
Including Tom's mum.
I think we actually refer to her as the Duchess.
Yeah, the Duchess.
I think we probably publish the phrase Smashing Security more than you do.
Yes, I think we do, on this podcast, obviously.
We share a Reddit channel, don't we? So this is where people may know us.
We do.
Thank you for all the insults which appear there.
Of course, we did sponsor that episode long, long ago.
And it appears that we're still benefiting
from that early patronage of your show.
You did.
I mean, it's amazing how much 25 quid,
how many actual mentions of your podcast you get for that, really.
It's quite impressive.
No, you did help bankrollers, I have to say.
It did make a difference.
I just hope some other company will come along now.
Tom, you're now a man on a payroll.
Could you not get your own company to sort of support you?
No, he keeps all of that.
So this is the thing.
Everyone keeps their own contacts to siphon cash for themselves. Everyone's got these side gigs. We're like those panhandlers,
right, you sort of beg for money and as soon as there's money in the pot you take out the gold
ones and just leave the coppers in there and keep shaking. Yeah, I hope that someone takes pity.
Yeah, yeah, I would have put it slightly differently, but yes, that's basically it.
That's basically it.
So, yes. And we also invited your co-host and co-founder, Carole Theriault, on the show as well.
But unfortunately she said absolutely no way. I do not want that stain on my... I do not want to be associated with that show whatsoever.
We're a bit like the Royal Family.
You know how they're not allowed to travel on the same helicopter?
It's the same with Carole and I.
We're not allowed to go on other people's podcasts together
just in case it boosts their listenership.
This is what happens when you've got sponsors.
Income.
Or a hostile takeover of said podcast by Graham and Carole, you know. Next week it's just going to be Graham, Carole and me, and I'm going to be like, Andy, what's going on? And then the week after there'll be no show link.
Yeah, it'll just be like, follow us on, you know, we've moved to... Yes.
Andy, how are you? How's your week been? I'm quite busy, I hear.
Yeah, it's been a busy week, obviously, in the world of security, on the world of, what do you say, people security, I think. Global events, political events in Sudan have caused, you know, a flurry of activity for those people working in that sector.
Yeah. So, yeah, what a busy week. Other than that, not particularly interesting.
Other than BAU, I can't talk about any other project. I've been doing nothing. It's not like you. I don't have a hobby of, like, building Lego or anything, you know. I'm just a hard worker, Tom.
Is that right? You mean you have a toxic culture whereby you have to just work 14 hours a day in order to... absolutely the bare minimum.
There are 24 usable hours in every day, Tom, and I've told you and Jav this in the past, and I think that, you know, you could probably be a bit more productive with your time.
What's the name of that drug you take?
Which one? Adderall, cocaine, modafinil.
Modafinil, absolutely.
It's kind of just mixing it up.
This is a joke, by the way, for my colleagues and employer.
I'm happy to submit to a drug test.
I do not consume performance-enhancing drugs.
Absolutely.
Look at pictures of Andy from last year to this year
and tell me this man is not living healthily compared to before.
I mean, a veritable racing snake you are.
But how's your week been?
I'm talking of snakes.
Very good.
Just got back from London yesterday.
A little bit under the weather, if I'm honest.
I'm really not feeling it. So I'm on light duties today.
Age-related illnesses?
Quite possibly.
Your hip playing up as the clouds come over?
I'm a bit tired out. I do that big exhale when I sit down in a chair now
and I grunt when I get up out of it.
The highlight of my day is a bowel movement.
I mean, what can I say?
And that 3 a.m. call of nature is just starting to bug me.
But then again, I know, Graham, you have the same 3 a.m. call of nature.
Well, not 3 a.m., 5 a.m. for me.
Oh, has it got a little bit like that? Okay.
Yeah, so we won't bump into each other.
You start going to bed at 3 instead.
That's right.
Yeah, I do recall I did suggest that perhaps we should, you know,
call each other when we're next there in the middle of the hours.
At least we've got someone to talk to.
But yes, yes, we're all good.
We are all good.
Anyway, so talking of bowel movements,
shall we see what we've got coming up for you in this week's show?
This week in InfoSec takes us back to a move out of the acquisition playbook.
Rant of the Week asks Meta to think of the children.
Billy Big Balls is a tale of 2FA.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweet of the Week is a
criminal group with a
moral compass, no less.
So, let's move on to
and here's a phrase you may have heard, Graham,
our favourite part of the show, the part of the show that
we like to call
This Week in InfoSec.
This sounds familiar.
It is that part of the show where we take a trip down InfoSec memory lane
with content liberated from the Today on InfoSec Twitter account and further afield.
And our first story takes us back a mere 15 years to the 23rd of April 2008, when Microsoft announced that some of its antivirus tools had mislabeled Skype as adware for several days due to a bad definition update.
And what was wrong?
They weren't wrong.
So what was interesting is that three years after this event, Microsoft bought Skype for $8.5 billion.
So if you think back then, OK, all these companies have got Skype.
All of a sudden they've been told, hey, this software is malware.
Get it off the machines.
And the reason I bring this up is that Microsoft's defender just this month accidentally mislabeled Zoom as malicious.
Are we on the lip of an acquisition of Zoom?
This is what I'm wondering. So, you know, just 15 years.
You heard it here first, folks.
Yeah.
So if Microsoft acquires Zoom in the next three years,
I think, you know, maybe they've sort of, you know, spread some seeds of doubt. They're trying to make out that it's, you know, potentially malicious software, corporates don't want it on their machines, you know, get that price to take a little dip. And then, I mean, it would make sense because the Zoom tech is more reliable than what is now Teams tech, right? The Microsoft Teams. The actual video platform is more stable.
Potentially.
Yeah, I guess, yeah.
It is disastrous though, isn't it?
When an antivirus company misidentifies a piece of software.
I remember way back in the 90s,
Norton Antivirus detected PKZip,
which everyone had at the time on their computers as being,
oh, what is that? I think they thought it was the Maltese amoeba virus or something like that.
And so the most embarrassing one of all, and I have to admit that I was working for the company at the time when that happened, was when Sophos antivirus detected its own automatic updater as malicious, quarantined its own auto updater, not allowing Sophos to update the definitions. I'm laughing now. This destroyed so many companies. It was the worst, worst event which ever happened in our company history, because we couldn't do anything about it.
It was like, well, how do we push out the update?
Because we've just been hacked at the bloody thing on everyone's computer.
Go back and send out the floppy disks again.
Exactly.
Fax people an update.
Maybe we'll do that instead.
I shouldn't be laughing.
Very sorry for those people who were running Sophos antivirus.
It wasn't me.
I'll tell you what, Andy.
We don't get this kind of in-depth analysis with Jav on the show, do we?
We just get a few grunts and groans every now and then.
And also, you know, the question of what is an antivirus as well,
that's one that, you know, he comes up with.
So just out of interest,
did you look for a scapegoat at the time in the office
in terms of who was responsible for that?
Or was it still quite collaborative?
They were very good, actually.
I never found out who it was who'd allowed...
So basically it was a mistake in QA.
Apparently in QA this had been picked up.
I think someone pressed the wrong button or something
and allowed it to be pushed out.
So I'm sure the person was identified.
But no, they weren't sort of hung and quartered and pilloried.
I'm sure they felt terrible because so many people worked so many hours for weeks trying to recover from that.
And it cost the company a fortune.
Brilliant.
So how do you think your interview for Host Unknown podcast is going at the moment, Graham?
I think he's getting a bit too hung up on detail, Tom. I don't know what you think, but he's bringing relevant content. He's talking about real life examples and, you know, applying them to reading beyond the headlines. I mean, what the fuck?
What's that? Yeah, I'll lose interest as the show goes on. I'll be contributing less. This is the virusy bit, so I thought I could add something here.
We generally lose interest as well as it goes on, but, uh, so yeah, Carole starts her story on Smashing Security, I tune out at that point. You know, you're going to slot right in here.
So, our second story takes us back a mere 24 years to the 26th of April 1999, when the Chernobyl virus melts down PCs.
Were you about to correct my pronunciation of Chernobyl?
No, no, I'm not Ukrainian. I wouldn't dare to do that.
I thought there was going to be an interjection there.
So this was the first known virus to target the flash BIOS of a PC, and it triggered a payload on that day, erasing hard drives and disabling PCs primarily in Asia and Europe, obviously because, you know, the US benefits from the rest of the world, you know, fixing the mess before they get online. But it was recorded as one of the most destructive viruses in history and it's estimated that 60 billion PCs were infected worldwide, causing a completely finger in the air figure of $1 billion in damages.
It doesn't sound like much now.
No, it's like a rude tweet that someone publishes
The virus had been created exactly one year earlier, on April 26th, when the student, I'm not even going to try and pronounce his name, set it to trigger this destructive payload exactly a year later. And it began to spread in the wild and was first discovered in June of '98.
But it was given that name just because that was the anniversary of the Chernobyl disaster.
But there's absolutely no evidence to say that this date was actually chosen intentionally for a reason.
Yeah, it's just like the Michelangelo virus. There's nothing inside the virus which actually links it other than the date.
And so it got given that cool name.
It was Chen Ing-hau, who was a Taiwanese student, I think, who wrote it.
Yes.
And it was an extraordinary virus at the time because it reflashed the BIOS chip.
So effectively, it caused sort of hardware damage.
Your computer was just a useless lump of plastic.
So like installing McAfee.
Yeah.
Well, without bath salts and a load of gin, yeah.
It was...
Yeah, it was...
And that guy, he was... I think he was arrested by police. And he eventually ended up working for some technology company writing drivers or something. So he did end up getting a job despite all this. But yeah, it was a nasty virus.
All I remember of this is the jokes at the time of, how do you know if you've been too close to a Russian nuclear reactor? Because Chernobyl fall off.
Dang it.
Goodness gracious.
Exactly.
That was...
This Week in InfoSec.
People who favour the Smashing Security podcast
are statistically more likely to eject USB devices safely.
For those who live life dangerously,
you're in good company with the award-winning Host Unknown podcast.
I do like your jingles.
It's almost like we knew you were coming on the show, though.
That was a good one.
One of our new ones.
Thank you, Andy, and thank you to your man for doing those.
The jingle man.
He does a good job.
He knows what we like, doesn't he?
He does.
I'm desperate to find out who he is so we can have some counter-jingles.
Jingle wars.
Yeah, jingle wars.
You know, the cool kids have rap battles.
We have jingle wars.
Right, let's move on to the angry part, shall we?
Listen up!
Rant of the week.
It sounds like mother f***ing rage.
So, you know, the part that makes me angry about today's rant of the week
is that I have to side with Meta and Facebook.
Ooh.
Oh, it just leaves such a bad taste in my mouth.
So the headline is,
International cops urge Meta not to Implement Secure Encryption for All.
So we know we know that there's this big thing about companies and infosec professionals and anybody sensible, really,
who knows that end to end encryption is very important for privacy and security reasons.
And the governments that are trying to put back doors in basically don't understand the fundamentals of encryption. By putting a back door in, it's effectively not fully encrypted and it just allows for the encryption to be broken, best case, or to be completely destroyed and all of your data accessed by nefarious parties, including your current government, whether you like it or not.
So one of the key stories, one of the key arguments put is, won't somebody think of the children and how the, you know, child sexual abuse material online is being spread around. And if we implement, or don't implement, backdoors, etc., we're going to find it harder and harder to track down this material.
A new international group of law enforcement agencies are now urging Meta not to standardize end-to-end encryption on Facebook Messenger and Instagram, which they say will harm their ability to fight child sexual abuse material online. So this Virtual Global Taskforce, the VGT, which sounds like something from Thunderbirds, was actually formed in 2003 and is being chaired by Britain's National Crime Agency, who I would have thought would have known better, to be perfectly honest with you. In fact, I think there was a tweet I saw the other day about, you know, this hot take by the NCA is not a good one. But it does comprise 15 law enforcement agencies, including Interpol, the FBI, Australian Federal Police and others from around the world, and it's said that reports from the tech industry partners play a key role in fighting CSAM content, with Meta being its leading reporter of abuse material. But they think that this will end if Meta continues its encryption push.
The VGT has not yet seen any indication from meta that any new safety systems implemented post end-to-end encryption will effectively match and improve their current detection methods, the task force said.
So many things wrong here, not least me having to back Meta up on this. But I think if this is... oh, my God.
Do you see?
I'm just blown.
But, Tom, let me have a sit down. Have a sit down, Tom.
Have a sit down.
Have a word that's original.
Do a nice jigsaw.
Hang on.
Let me sit down.
There we go.
And then, so, surely if you've got nothing to hide,
you won't have a problem with the government monitoring your communications, Tom.
You see?
I like where you went with that.
It's not got anything to do with what you've got to hide now
under your current government,
but what you have to hide now under a future, you know,
more fascistic or corrupt government.
And what about countries where those governments are already in place?
Look, Tom, the good news is that we're not going to get a new government.
We're going to keep this one forever.
So don't worry about future governments.
Did you not hear what I said about fascistic governments?
Fascist states, et cetera.
But yes, and it's, what this is doing is,
as usual on things like this,
it's using headlines and scare tactics
and, you know, won't somebody think of the children,
et cetera, et cetera, to address something,
to address a symptom of something
rather than the underlying cause. So, you know, child sexual abuse material, unfortunately,
has been an issue throughout humanity, humanity's lifetime, I think, you know, in one form or
another. And that has obviously, you know, the form it's taken has obviously changed with the
rise of the internet and encryption and all that sort of thing.
What we should be looking at more is the cultural change, the actual fundamental issues that we're looking to address here around, you know, why this abuse happens in the first place, why it's cyclical, why, you know, hurt people, hurt people, as it were, rather than just trying to sort of put a finger in, you know, in the dike of this and trying to stop, you know, these multiple kind of symptoms of what the issue is here.
Right.
Yeah. I also saw quite a valid argument that most people involved in CSAM already tend to practice OPSEC, or else they will get caught. You know, they're not sending stuff on Facebook messages.
Yes, exactly, exactly. It's not like an open group.
Yeah, that's what I think as well, is that the target is the wrong place, because it's not going to be on an Instagram reel, I wouldn't imagine.
People who watch this video also watch it.
Yeah.
Although they do use these as, allegedly, as communications rather than the distribution.
But nonetheless, you know, you start, you know, snooping into these communications, they move into something else, into something, you know, more secure elsewhere. Or, you know, there are clever people who are, you know, child sexual predators, you know, as well, who will create their own applications and their own formats for this, etc. All it does is drive this stuff underground and actually make it even harder to find.
Whereas what we should be also doing is looking at protecting, you know,
our society as a whole and our future generations, you know,
against possible misuse of our data.
Do you think, I mean, I think we're all in agreement with you on this one, Tom,
which makes it a little bit hard to argue with you,
but do you think we're handling this issue the wrong way? Do you think instead what we should
be doing is we should be going to the police, we should be going to the NCA, sorry, NCA,
we should be going to our friends in Cheltenham and saying, hey, I run a small business.
I'm really worried about hackers seeing what I'm talking about. You know,
I recognise the need for encryption. What end-to-end encrypted messaging service do you recommend?
Which one should we be using to protect ourselves?
Because we don't want those horrible Chinese hackers
getting hold of all of our data or the Russians.
Which one are you recommending?
Here's one we created earlier, they'll say.
Ah, that'd be marvellous, wouldn't it?
Can you imagine how good the end-to-end encryption would be
on a British-born messaging system made by the government,
made by Nadine Dorries?
Now she's got some spare time.
Maybe Amber Rudd has...
Amber Rudd, she's got all the hashtags.
She can help us.
When you first log in, you get Nadine Dorries' voice shouting out,
what's my password?
This argument is just going to go on and on, isn't it?
I mean, it's...
But if the tech companies refuse to play ball, I'm not sure what...
Because a number of them, I think WhatsApp and Signal have said,
we're not going to go along with this.
No.
And, you know, we'll just not sell the software.
You know, if you force that on us,
then the software won't be available in the UK.
And then what are people going to do?
Yeah.
They'll go and roll their own or they'll find something else.
They'll VPN to whatever.
You know, it drives it elsewhere.
But like I say.
We're going to end up with a British version of WeChat, you know, they have in China. It's going to be like Tea Chat.
You can only use it between the hours of 3 and 4 in the afternoon.
how's the weather today
that's the first question
with a custard cream
how lovely
oh dear
so yes I am very angry at having to agree with Meta on this.
I'm also very angry at the NCA and this VGT,
which sounds like a formula for a shampoo.
But, yeah, for even thinking that this is... we're still talking about this.
You know, folks, really, just get a grip, you know,
and stop thinking about the children.
Rant of the Week.
We're not lazy when it comes to researching stories.
No.
We're just energy efficient.
Like and subscribe to the Host Unknown podcast for more ESG adjacent tips.
ESG?
Yeah, I was going to say, what is ESG?
ESG, come on.
This is what it is these days. Environmental, social, governance.
It's all about being...
Oh, is it like CSR?
Yeah, corporate and social responsibility. Exactly.
Yeah. Environmental, social and governance.
So it's energy saving.
You are kidding me.
Go and speak to your ESG director, Tom.
You guys are so corporate.
I don't have an ESG director.
No, I just have me.
Graham, what is your carbon output
at the Smashing Security Podcast?
I beg your pardon, that's a very real question.
It depends on what he's eaten the day before.
Do you know what?
I'm actually thinking now that our show is going to be
more carbon neutral than yours.
Well, it is now you've reduced what you're eating.
Oh, dear.
It's an energy saving tip.
Let's move on to the next part of the show.
It is time for...
Graham's Giant Gonads.
Oh, hello.
That's slightly alarming.
Anyway, moving on.
Hello, chums.
Thank you very much.
Right, now then, I've got a question for you.
Two-factor authentication.
You've got your authentication apps, right, on your phones and on your devices and all that sort of business.
And I love the way you said phones is implorable because I have to carry multiple phones because I never migrated when I got a new phone.
The reason you've got two phones is because you can't get into your Twitter account except on your phone.
It's the only reason you have a second phone.
OK, well, look.
Look, Google.
Oh, they're lovely, aren't they?
Aren't they wonderful?
What a wonderful advertising company they are.
Google, that great ad company, they had an announcement this week and it was wonderful news because they said, after 13 years, we are finally adding syncing to Google Authentica... or Authentica... Google Authenticator.
Should I start this podcast again? Hello, hello, welcome.
After 13 years, Google has finally added syncing to Google Authenticator in its iOS and Android apps.
Now, why do you want syncing in an authentication app?
Because, of course, if you lose your mobile phone with Google Authenticator on it,
the thing which pops up those six-digit numbers all the time, those codes,
if you lose that phone, then you're buggered because you can't log in any longer
or when you change your phone.
Oh yeah, exactly.
Upgrade your phone or whatever it may be, and you think, oh crumbs, you know, I need to make sure that I've kept that so I can still log into things. So people have been moaning about this because Google Authenticator has been sort of, I think, a standard purely because of its name and people recommending it all the time.
I've never used Google Authenticator.
I use it.
Do you?
Yeah.
I've got other sites, websites.
Exactly what you're saying.
So I've got an admin panel for a website.
And the only way to migrate it to a new device is that I have to authenticate with the Authenticator app, log in, disable multi-factor authentication,
and then reset it up on a new device.
Yeah, so a full three minutes of work.
Okay, fair enough.
Such a hassle.
Such a hassle.
All right.
Well, I use an authentication app which actually syncs, right?
So I can access it on my mobile.
I can access it, I think, maybe even on my watch,
certainly on my desktop and things like that.
So laptop, everything.
I've got it everywhere.
So if I lose one device, it's not a problem.
I can still log into things.
Google Authenticator, you couldn't do that.
Until this week when Google announced,
we are now going to sync this through your Google account
so you can get the codes anywhere,
which people went, oh, bloody fantastic.
This is terrific. Well done. Thank you, Google. Thank you, Google. Thank you so much. You're looking
after us so well. You're helping us stay secure. Wonderful. Not so fast, because the smart guys at Mysk, M-Y-S-K,
who I follow on Twitter and often do some interesting research,
they took a look at Google Authenticator.
They thought, I wonder how it's doing this exactly.
And it turns out that Google Authenticator is correctly using HTTPS.
Great to sync these codes.
But once you've stripped off... Once you've stripped off that,
the actual 2FA codes are not encrypted.
It's not end-to-end encrypted.
In other words, Google can see your 2FA codes.
Anyone who can access your Google account,
such as law enforcement, Andy.
I'm singling out you for any particular reason.
Anyone who can access your Google account
can access your 2FA codes as well,
which I think maybe they should have thought about
because it took them 13 years
to implement this fairly fundamental functionality.
I was going to say, isn't this a fundamental part of any kind of customer-facing security product?
Do you think in 2023, do you think that's what we would expect,
especially from an app which is meant to help your security and privacy?
I mean, quite apart from the fact that in the next two years,
Google will drop support for Google Authenticator anyway, right?
And that will lock you out permanently of everything.
Yeah, that's a good point.
So not so good, really.
So well done to Mysk for having the balls to mention this.
Oh, so the big balls are with Mysk on this one?
Well, are they? Are they?
Because I actually would argue that actually it's Google who has the big balls.
Because I think what they've done is they've gone against the trend.
They've thought end-to-end encryption.
Do we really need that?
They said, you know, what we're doing, we're big enough.
Our testicles are large enough.
It's like a surgeon closing up after an operation and seeing a bit left over and going,
no, I don't need that.
Don't need to do that because I'm Google.
And people will be so deliriously happy
that they can now sync.
They won't care about their privacy and safety.
So Google responded.
A guy called Christiaan Brand,
who's some sort of bigwig at Google.
He's media trained.
He's allowed to respond.
He tweeted that we're always focused on the safety and security of Google users.
Well, obviously not.
Yeah, quite.
We take security very seriously.
And the newest updates to Google Authenticator was no exception.
Well, yes, it was.
Apart from it was.
We plan to offer end-to-end encryption for Google Authenticator down the line,
which could be another 13 years.
Yeah.
Right now, we believe...
On our next release cadence.
Right now, we believe our product strikes the right balance for most users
and provides significant benefits over offline use.
But you can still not enable this functionality or stay offline if you want to use it the old-fashioned way.
So I think, wow, what impressive balls of Google
to introduce this new feature, not expect a backlash,
keep it hidden from us that they were doing this
until someone else spotted it,
and be so brazen about doing this in such an insecure way.
13 bloody years and they've screwed it up.
Has Donald Trump suddenly become the head of production
or head of product at Google or something?
This is a fantastic feature.
It's the best feature.
Nobody has ever in the history of features developed a feature like this.
People were crying when we released it.
They were so happy.
It's a beautiful feature.
It's a beautiful feature. It's a beautiful phone.
Uh, so, so this software, when it actually went through testing, like apparently the absolute basics of, like, you know, app deployment is that you would have, you know, particularly when it's internet facing, you'd always have, you know, some sort of testing, like whether it's SAST, DAST, penetration testing.
This indicates to me that either it wasn't detected in their testing, which is, this would fall under like OWASP Top 10 sensitive data exposure, right?
Yeah, so, or it was flagged and they accepted it,
which I think this is what Christian sort of indicated.
I think it just wasn't in the spec.
I think they just simply said, we need to sync these numbers between devices.
How can we do that?
Chuck it in the Google account.
But frankly, how long?
They didn't think of encryption.
How long would it take to enable end-to-end encryption
when you're freaking Google?
Well, then it makes it harder to read the content, Tom.
This is true.
They're not going to be able to monetise it when they can't read it.
They are an ad company.
Remember, they may want to show you other similar six-digit codes,
which you might be interested in.
And there we have it.
Graham, thank you for this week's...
Graham's Giant Gonads.
Very disturbing.
I love that. That's awesome.
You'll be hearing from my lawyer.
Hey, we don't fold like Jeff. You can't throw it at us with lawyers.
Or Graham, for that matter.
if good security content were bottled like ketchup,
this podcast would be the watery juice
which comes out when you don't shake properly.
In a niche of our own,
you're listening to the award-winning
Host Unknown podcast.
I think that's my favourite one.
The idea of your watery juice filling my niche
is one that I don't want to contemplate.
Well, one I hear that referred to as ketchup pre-con as well.
Oh!
God.
Mum, I'm sorry.
I'm so sorry, Mum.
Sorry, Duchess.
Why won't sponsors stick with us, Tom? I can't figure it out. I just don't know.
Talking of having absolutely no idea, what time is it? It's that time of the show where we head
to our news sources
over at the InfoSec PA Newswire,
as Dan Raywood's no longer available,
who've been very busy bringing us the latest and greatest security news
from around the globe.
He hasn't been available for a while.
No, no.
Industry News.
American Bar Association breach hits 1.5 million members.
Industry news.
Thousands of social media takedowns hit people smugglers.
Industry news.
Yellow Pages Canada hit by cyber attack.
Black Basta claims credit.
Industry news.
UK cyber pros burnt out and overwhelmed.
Industry news.
Quad countries prepare for info sharing on critical infrastructure.
Industry news.
Critical flaw patched in VMware workstation and fusion.
Industry news.
Man arrested for selling data on 300 million victims to Russians.
Industry news.
And that was this week's... Huge, if true.
Huge. Uh, I am immediately drawn to Yellow Pages Canada being hit by a cyber attack, because typically the whole purpose of a Yellow Pages is to publish someone's name, address, phone number in plain text for anyone to search. So I'm trying to think, you know, if you're breaking into this company, what are you actually getting?
And quite literally on printed paper, yeah.
Um, I think it was employees, wasn't it? Employee data, and maybe...
Oh, you get adverts in Yellow Pages. I guess people have paid for the adverts and...
Right, yeah. So they got personal information from servers containing Yellow Pages employee data and limited data...
This is a thing. We've got Graham on. He knows, he knows these things. He doesn't ask dumb questions like, well, what are they going to get from Yellow Pages, who just publish names and numbers anyway?
Yeah, absolutely. Um, yeah, "We've been notifying impacted individuals," so I assume they just sent a copy of the pages to the privacy regulator with a letter stapled to the cover.
Yeah. So I used to work for a directory company in the UK, and the printed paper, there is just no value in it whatsoever. And even the online version is very difficult to monetize.
Purely because to have a directory site on its own,
there's no money in it because people can get that information
from so many sources and generally just connect on social media.
So I'm just surprised that a company is still running.
Yeah.
Well, they did pivot into online, didn't they?
They did very slowly, but even still, it's easy.
Like, Yellow Page is typically business data, right?
It's much easier just to Google the company name.
Yeah.
Exactly.
Yeah.
It's bizarre.
Yeah.
Good point.
I'm really intrigued by this whole paper cut.
Yeah.
I love the names of vulnerabilities and exploits and things.
I mean, sometimes they're so much fun, aren't they?
Rather than CVE-2023-27384.
Absolutely.
You know, but having a good name like paper cut, I love that.
And it also is Clop, a take on, what is it?
'Allo 'Allo.
Oh, yeah.
Clop.
For the older generation.
See, I thought paper cut might have turned like clippy a bit.
Agro.
It looks like you're trying to write a letter of resignation.
Do you want some?
Looks like you're trying to access your data.
Have you got three Bitcoin for me to unencrypt it?
Now, I'm sorry for being a bit stupid.
What's a quad country?
Quad countries prepare.
Is that like five eyes but one less? They're the ones that haven't missed leg day.
Right.
So the Quadrilateral Security Dialogue,
aka the Quad.
And this is not something I've ever heard of before,
I'll be honest.
Is this US, UK...
Japan, India and Australia.
Formed of the US, Japan, India and Australia.
Hang on. No Great Britain?
Great Britain are excluded?
Well, I think Australia
and India count as Great Britain by default,
don't they?
Australia's like
our equivalent of Texas. How will they
possibly survive without our involvement?
And our unencrypted data.
So it's all
positive. They're looking to agree on a common security
standard because it's exactly what we
need in this world.
A common security standard.
We've got 12 different security standards here. What we need to do is to standardize them all.
We've got 13 different security standards.
And obviously with the US there, surely you're just going to take NIST, right?
We've already got something we can reuse. Another one on burnout, obviously.
Yeah, over half of UK IT decision makers expect security team members to leave within the year due to burnout. There's a lot going on, people.
Yeah, suck it up.
Yeah, I did a, I did a webinar on this a couple of weeks ago, actually.
But you burnt out from talking about it.
Did you make it all the way through?
Someone should give up at halftime.
No, I had to go and find a safe space.
Oh, dear.
It's a slow news week, I'll be honest.
It is.
It is.
Do you know what?
I deliberately excluded anything from RSA.
Yes.
That's what a lot of the content...
Having fun without us.
Yeah.
It's so irritating, isn't it,
how they keep on posting pictures of all their parties.
They're not working.
If anyone has sent their staff to RSA,
just take a look at what they're doing on social media.
They're all just getting drunk.
They're not doing any ruddy work out there.
In the evenings.
Really? And they're just sleeping
it off during the day, that's what I suspect.
Well, that's my conferences.
Yeah, well, that's jet lag.
I like
how RSA actually do provide
a template that you can send to your
budget holder to explain the benefits
of attending RSA.
They do the heavy lifting for you like IBM used to in the old days.
That's how it should be.
Absolutely how it should be.
Right, let's move on.
That was this week's...
Industry News.
30% nostalgic.
30% ranty.
30% ballsy. And 30% terrible at maths.
You're listening to the award-winning Host Unknown podcast.
Very good. Andy, it's over to you now.
Take us home, cheer us up a little bit after all this bad news and ranty stuff
with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And so this week's Tweet of the Week comes from VX Underground.
And they have posted a statement from the Lockbit Ransomware Group.
And it says,
Today, Lockbit Ransomware Group ransomed a daycare centre.
When Lockbit Ransomware Group administration discovered the victim, they issued an apology and claimed to have fired the affiliate, and they were quoted as saying, "I am ashamed."
Wow.
The, uh, Lockbit administration. So this goes to show there is some, uh... some of these criminals do have a moral compass, in terms of daycares are off limits.
Apparently so.
And apparently, yes, I was reading through some other posts.
Apparently they've got a history of doing it.
They've got rules about who you can target,
and they will disqualify any affiliates who ignore those rules.
Do you think it's because there's nothing quite as scary
as a teaching assistant?
Quite.
They're worried that some primary teacher is going to come after them.
At the end of their tether.
Makes them sit on the naughty step for a while.
Someone's got nothing to lose.
In other news, Citibank has rebranded as the Bank of Children and Medicine.
Yeah, yeah. No, they, um... idiot.
But I think it's, this is just common sense, though, right? In terms of, if you look at your business model, you know, you say, look, there's no money in these daycares, there's no money in these hospitals. Like, it's important data, but we're not going to get anything from it.
So it's a waste of our time.
We don't need the noise that comes with it.
You're drawing a – no one cares about bankers, to be blunt,
and profiteers and people that crash the economy.
Target them all you want.
They've got the money.
But yeah, I like – I don't like sort of these black hat groups, but I do like the fact that they have a terms of service and they enforce them.
And they have some kind of morals, even even if even if the vast majority of them are skewed and very much criminal focused.
But are they doing this consistently, though? Are we sure that they're not allowing any attacks against hospitals and daycare centers?
I see, this is... you're asking the questions that you assume we've researched. Like I say, this is a very different vibe to Smashing. Over here, you're doing so well, Graham. This is showing us up. This is a question for our listeners, obviously. This is your homework, and, uh, you know, we will be marking it next week for the best.
And also, actually, actually, you're right. Let me... I want to mention something else. Rishi Sunak's wife, wasn't she just found to have shares in some kind of daycare center or...?
Yes, she... yes, she does. She's a billionaire, or a daughter of a billionaire. She's loaded, anyway, is the important message. And, you know, just because you run one of these kind of things
doesn't mean that you're not actually making a shed load of money
and exploiting the fact that there aren't any other decent daycare centres in Chelsea.
And so all these people are having to bring their little Tarquins and Hyacinths to you.
So I think this is going to be the next step of this financial model where they determine which daycares have got rich backers and which ones are actually publicly run.
Look at the shareholders.
Yeah. So, I mean, obviously, these groups are always evolving.
And I assume Lockbit, their next level of maturity will be to actually qualify the cost benefit analysis that they go through.
Happy to have given them some free advice
Yeah, absolutely. Very good. Thank you, Andy and Graham, for the Tweet of the Week.
So we come barreling into the end of the show. Uh, gentlemen, thank you so much for your efforts today. It is greatly
appreciated.
Graham, thank you so much
for taking the time with us.
Oh, it's been a pleasure to spend the last two and a half
hours on the line with you.
It's been terrific.
Shame we didn't hit record for so long,
but never mind.
I think it's just as well we didn't, actually.
Yes, considering what we were talking about.
Yes, yes. Let's not go there.
No, exactly, exactly. Let's, let's not misspell anybody, any, anybody else's name. We'll see.
Uh, and, uh, Andy, thank you.
Stay secure, my friends, stay secure.
You've been listening to the Host Unknown podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r slash Smashing Security.
Well, I think that was a good interview, Graham. I think, I think, think we did very well there.
Always a pleasure, chaps.
Now, if you can edit this show and also publish it,
as you'll see the username and passwords in the show notes,
we don't have multi-factor authentication enabled.
No, no.
Just knock yourself out.
Oh, and also, if you could give us some of your listeners as well,
that would be handy.
Log out when you're done.
Yeah, log out when you're done.
Or just close your browser, one or the other, don't mind.
See you, guys.