The Host Unknown Podcast - Episode 154 - The Broom-cupboard Episode
Episode Date: June 2, 2023

Voting has closed for this year's European Cybersecurity Blogger Awards. Did you vote with your conscience, or did you vote for us?

This Week in InfoSec (08:33)

With content liberated from the "today in infosec" Twitter account and further afield

30th May 1972: John Postel published RFC 349, Proposed Standard Socket Numbers.
RFC 349
https://twitter.com/todayininfosec/status/1266805406707232768

1st June 1999: Shawn Fanning and Sean Parker release the filesharing service Napster. The service provides a simple way for users to copy and distribute MP3 music files. It became an instant hit, especially among college students. Just over 6 months later, on December 7, 1999, the Recording Industry Association of America (RIAA) filed a lawsuit against the service, alleging mass copyright infringement. Eventually this lawsuit forced the shutdown of the company on September 3, 2002, but not before the popularity of downloading digital music was firmly entrenched in a generation of Internet users.
Rant of the Week (16:32)

Amazon Ring, Alexa accused of every nightmare IoT security fail you can imagine

America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.

The regulator on Wednesday charged, via the US Dept of Justice, two Amazon outfits with various privacy snafus.

The e-tail giant's Ring home security cam subsidiary was accused of "compromising its customers' privacy by allowing any employee or contractor to access consumers' private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos."

"Not only could every Ring employee and Ukraine-based third-party contractor access every customer's videos (all of which were stored unencrypted on Ring's network), but they could also readily download any customer's videos and then view, share, or disclose those videos at will," reads the FTC's complaint [PDF].

The document goes on to describe how "a customer service agent might need access to the video data of a particular customer to troubleshoot a problem, that same customer service agent had unfettered access to videos belonging to thousands of customers who never contacted customer service."

Another nightmare: "Although an engineer working on Ring's floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of the inside of customers' bedrooms."

Ring staff weren't trained on how to handle private data. And some abused it, horribly, according to the consumer watchdog.

The complaint details one employee who, the FTC said, "viewed thousands of video recordings belonging to at least 81 unique female users," and "focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as 'Master Bedroom,' 'Master Bathroom,' or 'Spy Cam'."

The employee spent more than an hour a day on this revolting stuff, undetected by Ring, for months, it was claimed.

When a female coworker reported this activity, her supervisor "discounted the report, telling the female employee that it is 'normal' for an engineer to view so many accounts," the FTC noted.

Billy Big Balls of the Week (29:42)

Pegasus-pusher NSO gets new owner keen on the commercial spyware biz

Spyware maker NSO Group has a new ringleader, as the notorious biz seeks to revamp its image amid new reports that the company's Pegasus malware is targeting yet more human rights advocates and journalists.

Once installed on a victim's device, Pegasus can, among other things, secretly snoop on that person's calls, messages, and other activities, and access their phone's camera without permission. This has led to government sanctions against NSO and a massive lawsuit from Meta.

The Israeli company's creditors, Credit Suisse and Senate Investment Group, foreclosed on NSO earlier this year, according to the Wall Street Journal, which broke that story the other day.

Essentially, we're told, NSO's lenders forced the biz into a restructure and change of ownership after it ran into various government ban lists and ensuing financial difficulties.

The new owner is a Luxembourg-based holding firm called Dufresne Holdings controlled by NSO co-founder Omri Lavie, according to the newspaper report. Corporate filings now list Dufresne Holdings as the sole shareholder of NSO parent company NorthPole.

Dufresne Holdings has removed "a number of directors and officers" across NSO and is involved in the company's day-to-day management, the Wall Street Journal added.

An NSO spokesperson meanwhile said "the company is managed directly by our CEO, Yaron Shohat. The lenders are currently in a process of restructuring the shareholders."

Not only has the company faced criticism over its Pegasus spyware implant; US and European officials over the past couple of years have cracked down on NSO in particular, and commercial spyware in general.

Reports keep emerging about Pegasus and other surveillance technologies being used in ways that decidedly violate NSO's claims that it only sells the malware to legitimate government agencies "for the purpose of preventing and investigating terrorism and other serious crimes."

It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!

Industry News (37:34)

Romania's Safetech Leans into UK Cybersecurity Market
Nine Million MCNA Dental Customers Hit by Breach
Ransomware Gangs Adopting Business-like Practices to Boost Profits
Human Error Fuels Industrial APT Attacks, Kaspersky Reports
Nigerian Cybercrime Ring's Phishing Tactics Exposed
Pentagon Cyber Policy Cites Learnings from Ukraine War
Amazon to Pay $31m After FTC's Security and Privacy Allegations
HMRC in New Tax Credits Scam Warning
Horabot Campaign Targets Spanish-Speaking Users in the Americas

Tweet of the Week (44:04)

https://twitter.com/securityweekly/status/1664335258655784960

Come on! Like and bloody well subscribe!
Transcript
Talking about my spelling mistakes.
Oh dear, but Tom, you sound absolutely awful still. I can't believe that it's been, like, months. You still got that cold?
Yeah, it feels like it. Well, it's not a cold anymore, but I'll tell you what, one minute I'm shivering like Gordon the Gopher and the next minute I'm sweating like ruddy Phillip Schofield.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all to episode 154.
158.
Of the Host Unknown podcast.
We dedicate this episode to the broom cupboards.
Since we're all being taken back to our childhoods, whether we like it or not at the moment this week in the news.
And talking to children.
Jav, how are you?
Very good, thank you.
Very good.
Well, you could have gone the other way there, Jav, right?
Either talking to children or talking to pedos.
You did all right.
Wow, wow. There's still time for you, Andy. Wow, wow.
Such a low blow. There's still time for you, Andy.
Don't worry.
You know, just like, you know.
Whilst morally wrong, it was not illegal, Tom.
I'm just saying.
True.
Very true.
Jeez.
This is the standard we're going to start with.
So, talking of morally wrong, Jav, how are you?
Wow.
Okay.
Tom, Andy, Suella Braverman, all in the same list in my books.
Yeah, we're all dead to you.
I am really good. Yesterday I took my son to see the Eiffel Tower in Paris.
Nice.
Oh, I was going to say, what, the one in Legoland?
Yeah, you know, I'll tell you what.
It's probably cheaper to go to Paris, isn't it?
Yeah, it is actually cheaper to go to Paris, yes.
Definitely.
But no, it was a gorgeous day in Paris yesterday.
We just went in the morning, like got a 7 o'clock train from King's Cross.
And we got like an 8 o'clock train from Paris back.
So it was a wonderful day.
Really hot.
It was like 30 degrees or something.
And we just walked from the station to the Eiffel Tower,
catching the sights along the way, went on a river cruise and came back.
Was that all the riots and all of the rubbish?
Unfortunately, like, you know, we even got our matching, like, fluorescent jackets and everything, and we thought we'd blend in, but there were no riots. You know, we didn't get pickpocketed, that we know of, and, yeah...
You didn't get the true Parisian experience.
I was going to say, yeah, yeah, we didn't. But it was a lovely day, and, you know, when your son turns around and says to you, when you're on the Eiffel Tower,
like, Dad, you've made my dream come true.
This is the best day of my life.
Oh.
You know, it sort of like melts your heart.
And I was going to do the Homer Simpson say, like, so far, so far.
But I knew that was going to be a lie.
So I was like, okay, yeah, just stick with the memory, son.
It's all downhill from here, son.
Yeah.
Oh, lovely, lovely.
Andy, what about you?
How have you been getting on?
Well, I can't top that story, can I?
No, no.
Yeah, the peace, love, happiness.
Yeah, Narm.
We call it Narm.
No, I haven't.
Yeah, no, I can't top it.
How about you?
How was your week?
It's been that bad, has it?
Yeah.
Well, it's just nothing exciting, really.
I've got a temporary crown fitted.
Was that earlier this week or was that last week, actually?
I think that was last week, actually.
Yeah, so I'm going to get that replaced.
Yeah, that gets replaced on Tuesday.
So by this time next week I will have a gold tooth.
Oh, what?
I know, I know, right? And it's, yeah, I would be looking like a G. But you've got the choice, right? There's three types. You can either get the porcelain, zirconia or the gold, and the truth is the gold is the best practically, because it's, yeah, it's better on the rest of the other teeth
and it's the strongest of the materials
and it doesn't have to be as thick as the others.
And so because it's one of my molars, it's at the back,
potentially people won't see it.
So as long as I don't get mugged and have it extracted for whatever.
In fact, I don't think it's worth what I'm being charged for it, but, you know.
Well, yeah, yeah.
I'm sure it's of value to someone.
But in fairness, the mugger won't have paid for it.
Yeah, that's true.
That is also true.
So it's simple economics, really.
The economic model is fairly straightforward on that.
So just out of curiosity, how much does a gold molar weigh?
I mean, because, like, if you have it installed and then you get on the way to get it.
That's a good question.
That's a good question.
Do you know what?
I'll actually ask him on Tuesday when I go back.
Ask him what the street value is.
Well, you need to account for your weighing scales,
like discrepancies.
Yeah, if I take out some weighing scales as I walk into the... he's going to be wondering why I'm carrying weighing scales.
Yeah, yeah, because apparently you did, like, you know, put on a few pounds over the last few...
I did, well, I did. I was saying, yeah, so I do... I wouldn't say I've become an unhealthy obsession to weigh yourself sort of like every other day, but I tend to do that anyway just to keep track of, you know, see what foods inflame me and which ones don't.
And I did, yeah, I put on just over three kilos at the weekend. That had nothing to do with, you know, just trying certain foods. It was I ate all the junk foods I had. In fact, started the weekend, yeah, Friday fish and chips, Saturday Chinese, then followed by kebab.
Then Sunday was pasta, followed by the largest desserts you could find from a dessert parlor, which has opened up in my neighborhood, which is going to bankrupt me and help me.
And kill you all at once.
Yeah.
But yeah, no, I've managed to shed most of it again this week
because it's just water weight, right?
So it's as I retain all that.
Is that right?
It does make you freak out as you see those scales jump.
Yeah, but then you just go for a big poo after all of that.
And that kind of.
You think.
But yeah, no, I'm not going to get into how much poo actually weighs,
but, you know, I could tell you.
Anybody who's been on a diet weighs himself before and after a big poo.
Exactly.
Those 30 grams just aren't really worth it.
No, 30 grams.
Very disappointing.
But anyway, talking about poo.
Yours was made out of styrofoam.
That was your week, Tom?
Yeah, so first week back at work.
Not a full week, obviously, but Christ, I'm knackered.
This thing is not shifting at all.
So I'm still having problems breathing and coughing and stuff. So actually my week has been sort of overshadowed by an irresistible urge to fall asleep at my desk on a regular basis. So, yeah, not great. So I am hoping that the next few days and the weekend is going to see me right, because I'm back up in London, back in the saddle next week.
You'll never be right.
No.
Well, I never was in the first place, in fairness.
Exactly.
So we shall see.
We shall see.
And much like we shall see how I am after the weekend,
shall we see what we've got coming up for you today?
This week in InfoSec takes us back to the day
the music industry changed forever.
Rant of the Week plays privacy-failing bingo with Amazon.
Billy Big Balls is NSO Group asking us to meet the new boss, same as the old boss.
Industry News brings the latest and greatest security news stories around the world.
And Tweet of the Week is a glimpse of our AI future.
So, without further ado, let's move on to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec. It is that part of the show.
We take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And our first story will take us back a mere 51 years to the 30th of May 1972, when John Postel published RFC 349, which was the Proposed Standard Socket Numbers. So for those of you who are unaware, RFC stands for Request for Comment, and it's pretty much how anything gets done on the internet these days. And I realise I have no notes in front of me, so I'm going to click on the link and take us through to what that RFC looked like. And so John actually posted this thing. This is, like, Proposed Standard Socket Numbers: I propose that there be a czar, and in brackets he says "me?", maybe me, who hands out official socket numbers for use by standard protocols.
And this czar should also keep track of and publish a list of those socket numbers where host-specific services can be obtained.
I further suggest that initial allocation be as follows.
And so he then proposed that, you know, socket 0 to 63 were your network-wide standard functions.
64 to 127 were host-specific functions.
128 to 239 reserved for future use.
And 240 to 255, any experimental function.
And then he went on to actually propose six of them for,
sorry, five of them for Telnet, file transfer,
remote job entry, echo, and discard.
So all of these sockets that you know, and I don't think it's actually taught so much these days, that, you know, like, SMTP is port 25 and necessarily 43, something like that.
443.
Yeah, yeah, see, close enough. But yeah, like, I'm pretty sure that back in the day, if you did your Cisco CCNA, you pretty much had to remember every port between zero and, yeah, 1024.
It's one of those useless things of, you know, you have to remember these because you're not always going to have the internet at your side.
Exactly, yeah.
Yeah, but, yeah, just imagine it, like, if this guy hadn't done this and taken the lead, like, everyone would be saying, oh, I'm using 25 for this, I'm using 25 for this.
Yeah, so, you know, RFCs are useful, people.
They are.
It's interesting that the proposal only went up to 256 as well, because now they're up in the thousands, aren't they?
Oh, they go, yeah, but they're reserved, like, you know, 1 to 1024, and then above that it's pretty much every man for himself.
Yeah.
Speaking of RFCs, I just had a quick look at what RFC 1 was, and that was on 7th of April 1969 by Steve Crocker, and it was Network Working Group Request for Comment 1 for host software.
Surely we covered that in This Week in InfoSec six weeks ago.
Maybe six weeks and a year ago.
Yeah.
Jav probably wasn't here so he wouldn't remember.
I wasn't here definitely.
Yeah.
Wow, 69.
And even if he was, it was only in body, not spirit.
Yeah, it's probably Ramadan back then. But our second story takes us back a mere 24 years to the 1st of June 1999, when Shawn Fanning and Sean Parker released a file sharing service, Napster.
Bullshit, man. This cannot be 24 years ago.
That service provided a simple way for users to copy and distribute MP3 music files.
Obviously, it became an instant hit, especially among college students.
And it was just over six months later on December 7th, 1999, when the Recording Industry Association of America filed a lawsuit against the service
alleging mass copyright infringement.
And sadly, that lawsuit forced the shutdown of the company
on September 3rd, 2002, so nearly three years later.
But not before the popularity of downloading digital music was firmly entrenched in a generation of internet users, and the world of music changed forever.
Yeah, yeah, no, this was great, because this is what sowed the seed in Steve Jobs's mind about the value of digital music downloads, and then he went and lobbied artists and record labels to make their music digitally available for what became, like, the music store for Apple. And they were way ahead of the game in that regard. And I think, like, you know, whilst it may be in legal grey areas it had its roots, but it...
There was no legal grey area.
It was outright illegal.
No, I mean, like, you know, the argument was
if I went and bought, you know, the Michael Jackson cassette
and I lent it to you and you had your two-tape player
and you made a copy, it was just the same as that.
It was the legal grey area.
Yeah, this is different.
I remember downloading Soundgarden's Black Hole Sun from some random...
It was just great to find individual songs that you hadn't heard for a long time.
It was just fantastic.
Just sitting there
you know, only two hours until you got this individual track.
Yeah, like playing it about 100 times on loop.
I remember getting, through work actually, it was the Diamond Rio MP3 player.
Yeah, yeah, they were giving out prizes a lot, weren't they? I got one through work, yeah.
They had some weird memory, but you could store, like, 12 songs on it, basically an album.
Yeah, I think it was 32 meg or something like that.
Yeah, the Diamond Rio. Was it Diamond Rio? Yes.
Yeah, it's the Diamond Rio, and, yeah, I remember, wow, this is the future of holding an album in one place.
And it didn't skip, did it? It wasn't like, you know, CDs.
It wasn't like a CD because it was all solid state.
And you didn't have to turn it over like, you know, the end of the tape.
You didn't have to flip the tape around.
Yeah, exactly.
Unless you had one of those fancy tape players which would automatically reverse at the end.
So the only issue with those auto reverses
were that quite often one side, the songs were,
you know, there could be like a minute of dead space.
Yeah.
Because they didn't line up.
You know, you couldn't have so much on one side
and not on the other.
Yes.
Yeah, so it's useful when you're going to sleep.
Yeah.
These kids will never understand the hassles we went through
Oh my God. I saw something the other day, I think it was on Twitter or whatever, and it was a thing that said, when streaming services forget that they're only just slightly more convenient than pirating.
It's true, it's true.
Yeah, excellent. Thank you, Andy, for this week's This Week in InfoSec.
30% nostalgic, 30% ranty, 30% balls and 30% terrible at maths.
You're listening to the award-winning Host Unknown Podcast.
Listen up!
Rant of the Week.
It sounds like mother f***ing rage.
So Amazon Ring, Alexa, are accused of every nightmare IoT security fail you can imagine.
So the America's Federal Trade Commission, the FTC, has made Amazon a case study for every cautionary tale about how sloppily designed Internet of Things devices and associated services represent a risk to privacy.
That's pretty. That's a pretty big accusation to make there.
And they've made the cost of these actions as alleged.
And if the FTC is saying,
this is exactly how you don't do stuff,
this is absolutely outrageous,
it's sloppily designed, etc.
Guess how much they have charged Amazon as a result.
50 quid.
Yeah, it might as well be.
30.8 million dollars.
That's it. That's it.
Which is what's actually happened. Well, you know, Amazon sell a variety of home security things. So I think Blink is one of their brands. But the most popular one is Ring. And in fact, I think Ring is the one that is most often cited in news. And we ran a story a little while ago about local law enforcement asking Ring neighbourhoods to collate, you know, to access their footage.
Accessing it directly as well.
Yeah, yeah, so they can, but the front door ones anyway, so they could see out into the public spaces, etc. So they are pretty endemic around.
In fact, I've got it set up in my gaff at the moment
with the front door camera and the burglar alarm
and stuff like that.
The bedroom camera.
Which meant reading this really annoyed me,
as you can imagine.
So the deal was that, or the deal is that, effectively you can have cameras, including your front door camera, and you can set up triggers so you can record things when actions happen, where it notices movement or when alarms are enabled or disabled or whatever. And these are all stored in the cloud and you pay for this. It's something like, I think it's 8.99 a month, pounds, so probably about ten dollars a month. You know, on the proviso that you pay for a service, you expect a certain amount of service. If it's relevant, but Ukraine-based third-party contractor could access every customer's videos, all of which were stored unencrypted on Ring's network.
And they could also download those videos and then share or disclose them as well.
So anybody, any employee in Ring could access all of your recordings that were made. So, you know, there's that one Ring employee in your friend group who's the, yeah, he's the one that you look forward to in the group chats. He's got the best content, right?
Yeah, yeah, yeah, exactly.
But yeah, and then you find out that it's actually your house that he's...
Yeah, yeah, exactly.
Wow.
So, you know, when he's suggesting you go to the doctor for that skin rash on your back that you've never mentioned to him.
Yeah.
Your wife's cheating on you, by the way, dude.
Yeah, exactly.
So the document, there's an FTC complaint.
The document goes on to describe how a customer service agent might need access to the video data of a particular customer to troubleshoot a problem.
That same customer service agent had unfettered access to videos belonging to thousands of customers who never contacted customer services.
So there is a use case for people to access videos, right?
We understand that.
You know, it's like you can't get your bank to help you if they can't access your account. You know, it's a simple thing, and they therefore will see certain stuff about you, including your videos. That's, you know, that's part of the quid pro quo. For instance, an engineer who's working on, you know, an outdoor floodlight camera, Ring floodlight camera, might need access to the video data to confirm that everything's working, the stream's working, etc. But that engineer also had access to all of the other footage from all of the other cameras in the house, for instance bedrooms.
One employee, who the FTC said was accused of viewing thousands of video recordings belonging to at least 81 individual female users, and focused, and this is where it just gets, well, not rot, more wrong, focused his prurient searches on cameras with names indicating that they surveilled an intimate space such as master bedroom, master bathroom, or spy cam.
Wow.
Now, I do have questions here.
One, obviously, that is absolutely wrong.
Two, why are you putting a ring camera in your bathroom?
Don't get it.
Don't get it. But that's another matter entirely if you're an Airbnb host.
Yeah, which, well, that's a whole other round.
Wow. But not only this, the employee spent more than an hour a day on this, undetected by Ring.
Only an hour?
Only, yeah, well, they did have a day job as well.
Yeah, but their day job should be like running a Discord server.
Exactly.
It gets worse.
It gets worse.
How could it possibly get worse?
I'll tell you.
I'll tell you.
When a female co-worker reported this, her supervisor discounted the report, telling the female employee that it is normal for an engineer to view so many accounts.
Probably not wrong, I think. If you think about the average, yeah, if you think about specific accounts, if you think about the average engineer that you know, and if they had this level of access, I think it'd be quite normal for that engineer to be, yeah...
That's, yeah, not quite the point I'm making, but I see where you're going with that. This is absolutely disgusting.
But I would say that this is blown out of proportion. What we should be worrying about are those IoT camera manufacturers from China, because they're the ones that are sending all the data to the Chinese government and, you know, who knows what they're doing, and they're the ones that need to be banned. I mean, this is just like a blip on the radar. It's good old US. At least it's being watched by Americans.
Yeah.
Well, that's right.
You know, if they, like, this is going to get swept under the carpet, right?
This is like, was it $30 million?
It's getting swept under the carpet to the tune of $31 million.
Yeah, absolutely nothing.
Now, if Amazon had changed their logo to a pride flag, that would draw attention to it.
And, like, you know, the South of the US would go crazy.
They would boycott Amazon that way.
But no, good old voyeurism.
It's a God-given American right, dagnabbit.
Oh, dear.
Not good.
I just, you know, more if it was... Amazon is just so prevalent, it's hard to not use it, but I just, every day something else is going on with Amazon saying, don't use us, we're a dodgy fucking company.
Well, you know, I mean...
The alternative is Alibaba.
Yeah, exactly.
Which is China.
China.
Or have one of those stickers put on your window,
like this is a neighbourhood watch area.
So that scares off all the criminals.
It's like 24-7 surveillance.
We just don't necessarily have access to the footage ourselves, but someone from Amazon is watching.
Yeah, exactly, exactly. If you come in here then Amazon might be watching.
Yeah, you know, the thing is, like, to Andy's point, and like, this is like going back when, you know, say like Andy was a sysadmin, like, I had admin rights like him and his team.
Don't incriminate me, okay?
No, I'm just saying, okay, so I'm sure he ran teams where, like, there were guys, like young kids on there, like in their 20s, and if you have access to everyone's, like, shared folders, like all their drives, then who wouldn't, like at 6 p.m. when they're waiting, you know, for their shift to end, just like say, oh, I wonder what so-and-so's account has got on their shared drive, and then look and see if they've got, you know, anything of any interest whatsoever. Like, oh, they've been writing a poem, let's put this down. Let's, like, you know, if someone's got this here. You know, when you give young kids unfettered access to stuff, they're always going to, like, start having to poke around. Nowadays, it's just that the only difference is that the level of information they're getting access to is actual real-time video, audio within people's homes, as opposed to their corporate sort of like shared drive. And also, which is un... not unsanctioned, what's the phrase I'm looking for? The people are unaware that they're being filmed.
Yeah, yeah, people are unaware. I mean, there's no consent there at all and stuff.
I'm just saying, the behaviour, that's what I was looking at, the behaviour of these people has not changed. It's not changed in 20 years.
It's just what they've got access to.
Yeah, it's not.
So you just need better sort of like controls or safeguards
or mechanisms in place to prevent that from happening.
And this isn't, I mean, in this case, Amazon or Ring has got caught doing this, but you can look at pretty much any company that handles any sort of data, and I'm pretty sure you're going to find employees in there that are going through and looking at everything. And this is like one of those sides of the cloud storage space or whatever that no one really talks about, or, you know, everyone just uploads everything online and they just assume everything's just secure.
Well, we assume, because Amazon's a big company and we're paying money for a service, that it would be secured. And given that it is effectively, it's personal data, right? The inside of our homes, etc., is personal data. Where Amazon and Ring fell down was that they put in zero controls internally to manage that expectation.
Yeah, but even the police get caught looking up, you know,
women that they pull over.
Oh, God, yeah, because there are creeps everywhere, right?
Yeah.
But, again, it's about having the controls in place
to make sure it doesn't happen.
And, you know, well, it's logging.
If somebody's looking up, you know, if a policeman's looking up women that he's pulled over,
then actually there should be something in place
that correlates that information.
Yeah.
So, anyway.
So AI maybe could help, yeah?
Is that what he's saying?
Yeah.
It can extract the spy cam footage quicker, then post it to the Discord channel automatically.
That's right. That's Jav's take from this. Andy said that we should use technology to make this easier for the snoops.
Unbelievable.
Excellent, thank you. That was this week's Rant of the Week.
if good security content were bottled like ketchup,
this podcast would be the watery juice
which comes out when you don't shake properly.
In a niche of our own,
you're listening to the award-winning
Host Unknown podcast.
Indeed you are.
We might not be able to...
Well, we can say award-winning for as long as you want.
But there are awards coming up
Don't forget that
Vote for us, both of you
Can we put a link in the show notes?
We can, I shall do that again
I shall do that again, link us in the show notes
And it's now time
For Jav and his
After that very disappointing rant by Tom, let's go on to something a bit more interesting.
Pegasus-pusher NSO gets a new owner. So people are probably aware of the NSO Group, the spyware maker.
They make Pegasus, amongst other things.
They only sell to governments, though, right?
Allegedly, they only.
Yeah.
Yeah.
But with £30 and Companies House, you can register yourself as a government entity and they will sell to you.
So, you know, they secretly snoop on your phones.
It's like a really nasty piece of spyware.
And it's led to sanctions against them by governments
and a massive lawsuit from even Meta.
But the NSO group has a...
I'm sorry, can I just say...
Yes.
If you're being sued by Meta...
By Meta.
Yeah, I was thinking that.
For, you know, poor privacy practices and for snooping,
you are in the real shit, aren't you?
Well, all it means is that you're eating their lunch.
I mean, that's what it is.
Like, you know, Meta's like, we want to snoop on people, it's our God-given right, we're American made,
but you are not, so you know, we're gonna sue you. But yeah, the irony, I
don't think, is lost on anyone who follows Meta with any degree of privacy in mind.
But, you know, Pegasus, the NSO with their Pegasus,
they love targeting human rights advocates, journalists,
opposition leaders of governments and what have you.
But the Israeli company's creditors, Credit Suisse and Senate Investment
Group, foreclosed on NSO earlier this year. The story was broken by the Wall Street Journal.
And essentially, it forced NSO into restructuring the business and a change of ownership after it ran into various government
ban lists and ensuing financial difficulties. And I think this is where the big balls move
comes into it. Like, if you have been banned by governments, Meta is trying to sue you, you know,
your creditors are like... Like, they don't like competition, that's...
Yeah, yeah. We don't want anything to do with it. You'd say, like, you know what, it's been a good run,
but no, let's just restructure everything.
So now the new owner is a Luxembourg-based holding firm called Dufresne Holdings, controlled by the NSO co-founder Omri Lavie.
And now they list Dufresne Holdings
as the sole shareholder of NSO parent group North Pole.
This is like getting really confusing.
Meet the new boss, same as the old boss.
Yeah.
Dufresne Holdings has removed a number of directors and officers across NSO
and is involved in the company's day-to-day management.
The NSO spokesperson, meanwhile, said the company is managed directly by a CEO,
Yaron Shohat.
The lenders are currently in the process of restructuring the shareholders.
So all this saying to me is that people still want in, but they don't want to be publicly
associated with it.
So if you could make a bunch of like holding companies and shell organizations and just
funnel our money some other way, then that's all good.
But this is basically a rebranding exercise.
It is. It's a rebranding exercise. It's a rebranding, restructuring. The canary, as in, like, Mr. Burns's canary, is the one in charge
of the whole thing. So if anything, if, you know, a government does successfully, you know,
prosecute or what have you, then the canary goes to jail, but everyone else is
insulated and safe until the next Panama Papers leak, I suppose. You know, but
reports keep piling up about Pegasus being used in ways that violate NSO's claims that they
only sell the malware to legitimate government agencies for the purposes
of preventing and investigating terrorism and other serious... Oh my God, I'm reminded of the movie
The Dictator. In the beginning, Sacha Baron Cohen's character, Aladeen, he's like, we will only
use nuclear weapons for peaceful... and he starts laughing because he can't finish the sentence while staying in character.
I can just imagine that's how the NSA group is
when they come out with these ridiculous statements.
Oh, man.
This is brilliant.
I do love it when a company rebrands after a scandal.
So fair play to it.
Yeah.
Hey, this looks like the old company that had the scandal,
but it's got a different name
and different colour.
Different logo, different swag.
Yeah. Different structure.
Yeah.
Coincidentally, the guy in charge
has still got the same name.
Yeah, very good. Thank you, Jav.
That was disappointingly
good and true.
So yeah, NSO group, please.
No, it's... is it still NSO?
It's not, is it?
Uh, for now.
Well, I think we know them as the NSO group. Yeah.
Forever.
Until the new moment.
Yeah.
So NSO is owned by North Pole,
which is a hundred percent owned by Dufresne Holdings, which is based in Luxembourg.
100% owned by NSO.
Yes.
I guess it's like Meta, right?
Yeah, exactly.
It's not Meta, it's Facebook.
Yeah, exactly.
And it's not Alphabet, it's Google.
Yeah.
This is why Meta hate it.
They're like, oh, they're going to expose us.
Yeah. We're the only ones that do... People are going to start realising that we're Facebook.
Yeah, exactly. We're the only ones that do surveillance
on people without their knowledge.
Yeah.
Brilliant. Thank you very much.
Billy Big Balls
of the week
people who prefer other security podcasts
are statistically more likely to eject USB devices safely.
For those who live life dangerously,
you're in good company
with the award-winning Host Unknown podcast.
Do either of you eject USB disks safely?
No.
No?
Never did in the old days either.
No, it just, well...
Now, zip drives, you never unplugged your Iomega zip drive
without switching the machine off,
because otherwise that would mess it up.
Well, yeah.
Do you know I've still got a couple of zip disks in my drawer?
I can't think of the low-quality porn you have on those zip disks.
It's not low quality. There's just one piece of high quality.
Right. So talking to people who don't have time to wait for their USB drives to eject.
What time is it, Andy?
It is that time of the show when we head over to our new sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
Romania's Safetec leans into UK cybersecurity market.
Industry news.
9 million MCNA dental customers hit by breach.
Industry news.
Ransomware gangs adopting business life practices to boost profits.
Industry news.
Human error fuels industrial APT attacks, Kaspersky reports
Industry news
Nigerian cybercrime rings phishing tactics exposed
Industry news
Pentagon cyber policy cites learnings from Ukraine war
Industry news
Amazon to pay $31 million after FTC security and privacy allegations.
Industry news.
HMRC in new tax credit scam warning.
Industry news.
Horobont campaign targets Spanish-speaking users in the Americas.
Industry news.
And that was this week's...
Industry News.
Huge if true.
Huge if true.
There's a lot of, you know, same, same, but different,
but still same story headlines here.
Well, this thing about ransomware gangs adopting business-like practices
to boost profits, that is old news
Sure. Rebranding. Maybe they're thinking of rebranding. Yeah, you know, this
Mirai bot's got, you know, a bad reputation, let's give it something...
Let's call it Love Bot. Yeah, exactly. Yeah, yeah. I mean, Nigerian cybercrime rings,
phishing tactics exposed.
I don't think there's anything different here.
They're not doing anything that we...
Business email compromise.
I'm only reading the headline here.
Is this about ring cameras?
No, this is...
Yeah, no, that's not a great one.
HMRC, new tax...
I mean, there's tax credit scams every...
I got a good one about HMRC.
I did my tax return on Monday.
How early is that?
It's not due until... not due until 31st of January.
I know.
Jesus.
What are you going to do
for the rest of the year?
Well, I'm certainly not going to be worried about doing my tax return.
Jeez.
I've got actually everything in place.
I'm just waiting for a couple of P60s,
and I'll be off to the races.
A couple of P60s?
How many jobs have you got?
No, no.
I'm waiting for my P60 and just, like, this other
document. Interesting, something to offset your tax? No, I have to pay. I don't know why I have
to pay so much every year. This year I thought I was getting money back, that's what it told me
online, and then I get a letter from HMRC a couple of weeks later telling me that I owe them money and I'm also being fined for not paying on time.
Well, you knew that part.
Yeah, well, it's because I do it on the 31st of January every year.
It's like tax admission day.
Yeah.
But yeah.
No, slow news week, I have to say.
Our news sources at the InfoSec PA Newswire
are recycling old content, and it
wasn't like this when Dan Raywood was doing it. No, but you know, when you go to those sites and
it's like last updated... like, you'd see a Microsoft article and it says like last updated and it's got
a recent date, but it's old content. Yeah, that's exactly what's happened this week. So PA Newswire, sort your shit out. They're saving their stories for InfoSec in a few
weeks' time. Yeah. You mean all the vendor pitches that disguise their stories? Yeah, the vendors have
already written the stories for them, they're just waiting for the reporter to stick their name on it.
Yeah, yeah, exactly. Hey, that's how the world works, right? Indeed.
I mean, this is a world where we ask people like Jav and me for a commentary about current affairs in InfoSec.
Hey, that's my job.
Well, yeah, ably assisted by ChatGPT.
Yes, exactly.
You know, the day before, I was working on this spreadsheet
and I could not get this formula to work
and I was struggling with it for a while.
And I was Googling it and everything
and I had this demo spreadsheet
and everything worked on that, but not on my one.
And then it occurred to me, well, I don't know how to ChatGPT.
So I put the formula into ChatGPT.
I said, why doesn't this work?
And it fixed it for me immediately.
And then I said like, oh, what if I want to like inverse the order,
you know, what have you.
And it just gave, it just rewrote it for me.
And I just copied pasted it and it worked first time.
Boom.
Excellent.
But you can't see the back door that inserted like into that,
like the root kit that it's going to exploit your kernel.
It's just a pipe. It's just saying, like, send a copy to, like...
So it's just copy and paste this into...
AWS.ring.com or something. I think it looks all legit.
Yeah. It's that function which says disable.camera for some reason.
Disable.webcam warning light.
I was very impressed.
I pity the fool
who's checking out Jav's
webcam.
Did not want to see that.
You know there's a market for everything
out there. There is.
That's very true. Is it 34?
I can never remember the rule number
No, I can't think if it's 34 or 38. Yeah, one of the two. Okay, anyway, talking to...
losing interest. That was this week's Industry News.
We're not lazy when it comes to researching stories.
Nope.
We're just energy efficient.
Like and subscribe
to the Host Unknown podcast
for more ESG adjacent tips.
Time to take us home, Andy,
with...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week comes from Paul Asadorian.
Oh, OK, Security Weekly.
And they have posted a cartoon, which is great,
but you can read it out because it could be a text post.
And it is ChatGPT in the year 2042.
And the machine is challenging the user, who happens to be a robot. It says, prove you are not a human, and the robot types in, there are no more
humans, and it says, correct, and they both laugh, saying ha, ha, ha, ha, ha, ha. That description was a thing of beauty, Andy.
This is our future.
There'll be no more captchas in the future.
It is just machines talking to machines.
And that was this week's...
Tweet of the Week.
Well, we have tripped, stumbled,
and broken our front teeth on the pavement of the end of the show.
Expensive. Very expensive.
Yes, exactly. Exactly. We'll be getting the cubic zirconia implants by the sounds of it.
So thank you, gentlemen.
Jav, thank you so much for your time, effort and contributions today.
And carrying your part of the show.
So, yeah, you're welcome.
What?
Okay.
And Andy, thank you.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
Slow stumble.
Very slow.
Slow motion, like, you know, hip dislocation on Tom going on.
I'm still wondering which part of the show Jav carried.
All the parts that you were like, you know, mentally vacant for,
like wandering around like Biden, Sleepy Joe.
I love that whole thing about Sleepy Joe
and then the Republicans talk about being outsmarted by President Biden.
Yeah.
On the debt ceiling.
It's like, look, you can have one or the other, but not both.
Yeah.
He's doing the old Columbo routine, isn't it?
Just one more thing.
Just one more thing.
How did the host and...
Yeah.