The Host Unknown Podcast - Episode 155 - The Really Late Show
Episode Date: June 9, 2023

This week in InfoSec (10:21)
With content liberated from the "today in infosec" twitter account and further afield

8th June 1989: The beta release of the Bourne Again SHell (Bash) was announced as version 0.99. 2 months later Shellshock was introduced into the Bash source code and persisted in subsequent versions for over 25 years.
v0.99 release announcement
https://twitter.com/todayininfosec/status/1666487525320318988

3rd June 1983: Would You Like to Play a Game?
The science fiction film WarGames is released. Notable for bringing the hacking phenomena to the attention of the American public, it ignites a media sensation regarding the hacker sub-culture. The film's NORAD set is the most expensive ever built at the time at a cost of $1 million dollars. Not widely known is that the movie studio provided the film's star, Matthew Broderick, with the arcade games Galaga and Galaxian so he could get first-hand experience before shooting the film's arcade scenes.

Rant of the Week (17:16)
Barracuda Urges Replacing — Not Patching — Its Email Security Gateways
It's not often that a zero-day vulnerability causes a network security vendor to urge customers to physically remove and decommission an entire line of affected hardware — as opposed to just applying software updates. But experts say that is exactly what transpired this week with Barracuda Networks, as the company struggled to combat a sprawling malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Barracuda tells its ESG owners to 'immediately' junk buggy kit

Billy Big Balls of the Week (24:45)
US govt now bans TikTok from contractors' work gear
BYODALAINGTI (as long as it's not got TikTok installed)
The US federal government's ban on TikTok has been extended to include devices used by its many contractors - even those that are privately owned. The bottom line: if some electronics are used for government work, it better not have any ByteDance bits on it. The interim rule was jointly issued by NASA, the Department of Defense and the General Services Administration, which handles contracting for US federal agencies. The change amends the Federal Acquisition Regulation to prohibit TikTok, any successor application, or any software produced by TikTok's Beijing-based parent ByteDance from being present on contractor devices. "This prohibition applies to devices regardless of whether the device is owned by the government, the contractor, or the contractor's employees. A personally-owned cell phone that is not used in the performance of the contract is not subject to the prohibition," the trio said in their update notice published in the Federal Register. The rule would apply to all contracts, even those below the "simplified acquisition threshold" of $250,000, purchases of commercial and off-the-shelf equipment, and commercial services, so get ready to wipe those company phones, cloud services providers and MSPs that do business with Uncle Sam.

AND

British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack
British Airways, the BBC, and UK pharmacy chain Boots are among the companies whose data has been compromised after miscreants exploited a critical vulnerability in deployments of the MOVEit document-transfer app. Microsoft reckons the Russian Clop ransomware crew stole the information. British Airways, the BBC, and Boots were not hit directly. Instead, payroll services provider Zellis on Monday admitted its MOVEit installation had been exploited, and as a result "a small number of our customers" – including the aforementioned British trio – had their information stolen. Zellis claims to be the largest payroll and human resources provider in the UK, and its customers include Sky, Harrods, Jaguar, Land Rover, Dyson, and Credit Suisse. In a statement posted on its website, Zellis blamed the MOVEit vulnerability for the security breach, and noted "all Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate."

Industry News (34:33)
Clop Ransom Gang Breaches Big Names Via MOVEit Flaw
FBI Warns of Surge in Deepfake Sextortion Attempts
Cisco Counterfeiter Pleads Guilty to $100m Scheme
Cyber Extortionists Seek Out Fresh Victims in LatAm and Asia
Lazarus Group Blamed for Atomic Wallet Heist
Interpol: Human Trafficking is Fueling Fraud Epidemic
Microsoft Brings OpenAI Tech to US Agencies
Pharmaceutical Giant Eisai Hit By Ransomware Incident
Espionage Attacks in North Africa Linked to "Stealth Soldier" Backdoor

Tweet of the Week (43:58)
https://twitter.com/elonmusk/status/1666964082363371520
https://twitter.com/sawaba/status/1666930930714279942
https://www.forbes.com/lists/most-cybersecure-companies/

Come on! Like and bloody well subscribe!
Transcript
Now, before we start, is everybody okay?
Well, I am. I'd be a lot better if I knew what was happening next year, September.
Hey, I told you it's a surprise. I'm doing something nice for you guys.
And I don't want to get your hopes up because there's always a chance a person might get cancelled, especially with comedians these days.
But there's a guy called ****
and it's something called the **** tour or something like that.
I've got us all tickets to go see him.
So I didn't want to ruin it, but as you asked, that's what I paid for.
I think I might be using the beep.mp3 on this particular intro.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining
us and welcome. Welcome, our dear listeners. Welcome, Jav and Andy, to episode 150...
One...
Five...
Sixty!
One, six, nine!
He's all over the place now.
Of the Host Unknown episode.
I'm going to say right now, this episode is going to go out really late,
so I apologise in advance.
Here's your early warning.
Yeah, this is your early warning that it's gonna be coming out a bit late. We're just all so busy at the moment, aren't we?
All right, yeah.
Oh, hey, there's Jav doing his... Oh no, there's someone. So I might, for reasons I won't go into, I'm inside the house as opposed to my office today and I'm using my other machine and my other backup microphone, so there might be some sounds of people trying to escape the basement, but please ignore them. It's all part of the show.
It all just sounds like excuses.
Yeah, just because he's too cheap, he doesn't soundproof his basement like everyone else.
No, that's right, yeah. Oh, I'm sorry,
not all of us can afford, like,
high-quality insulation on our basements.
I mean, like...
Anyway, talking of poor excuses,
Jav, how are you doing this week?
Oh, wow.
That was a good one.
That was a good one.
I'll give you that.
I don't know.
So, other than, I think, us,
as we were talking prior to this recording, I think we're all in the Arnie resurgence phase.
It's watching FUBAR, looking forward to watching the Arnold documentary.
And yes, yeah, there's a new trailer for Expendables 4 out.
So I think this is very much our era.
The 80s have a lot to the cinema.
Yes, exactly.
So, actually, you know, and I don't know whether this was, and I haven't tried it because I haven't had time to go on Netflix, but there was a little clip I saw on YouTube and it was Arnie
saying you can now go into foobar mode on Netflix.
And basically they used AI to put his face on characters from other TV shows.
No.
And if you see it, it's really well done online.
It's just look for it, like foobar mode on Netflix.
Is it select shows or have they managed to do it for any show you want to watch?
I don't know whether it's actually something we can even access or whether it's something I've just done
for the trailer on YouTube but it is great and I thought okay stuff like this I could see AI doing
Yeah, you're right, for that stuff. AI making decisions, no, no.
Yeah, I was just saying, I was watching the Arnold documentary last night and, you know, from my sofa, as I drank sort of tea and was eating a chocolate bar, I felt very inspired, actually. So he's quite an inspirational guy, I have to say.
Did you get the pump? Did you go for the pump this morning? Did you do some push-ups?
Is the pump bar the little
equivalent of a Mars bar?
Because if so, yes,
I did.
Andy, how about
you? What have you been up to? Talking of Mars
bars.
I have
some mint twirls on their way to me
in transit at the moment. I've got my DPD notification. It'll be here with me. It's...
Have you not had one yet?
I've not had one yet, no.
Even I've managed to get hold of, yeah.
I didn't realise... not a box.
Oh, well, I've got a box coming, so I didn't realise, yeah, they were out. I don't know how I missed this. And then, well, I know exactly how I've missed it. I've not been looking at the cash and carry for a while. But I have seen, whilst I was navigating all these things, there's a collaboration between Nestle, well, between two Nestle products,
Kit Kat and Mint Aero.
So there's a Kit Kat Chunky with a Mint Aero, the bubbly part,
cream at the top of it. Ooh.
And, yeah, I'm a big fan of mint chocolate,
so I am looking forward to this one.
And I thought Marvel had the best collaborations.
This is just something else.
They've got nothing.
They've got nothing on Nestle at the moment.
And if you've just joined us, welcome to Host Unknown Confectionery Podcast.
Indeed.
But obviously, this time of year, the sun is about to come out in the UK,
so I'm very nervous.
I'm happy about the mint swirls arriving today,
but I have deliberately held off the Kit Kat Aeros because of the heat over the next week.
But the Twirls will be just as bad because they'll just melt into like a solid lump.
Ah, but the heat's not coming until today, right? So they're already going to get here. The other stuff, it's going to be sitting in transit over the next couple of days.
Ah, yeah, I got you now. That's the sign of a true connoisseur, who's actually checking the weather before ordering said confectionery.
And as you can tell, you know, this is top tip number one of many in today's confectionery podcast.
Yeah, exactly. If you want hints on how to get all the best crap, you're on the right show.
Andy's got a special refrigerator which keeps chocolate at the right temperature, humidity, everything.
It's like a repurposed cigar humidor.
Exactly.
Instead of cigars, they're mint twirls.
I would have that stuff if it wasn't just for Cadbury's.
If it was for proper chocolate, yeah, maybe.
But yeah, as we all know, I'm sure we all know the history of Cadbury's
and it got special dispensation from the European Union
to be counted as chocolate across the EU.
It didn't quite meet the thresholds.
Yeah, but Cadbury's does hold a special place in many British people's hearts.
Exactly.
And that's why we forgive it.
Hershey's, on the other hand, that American crap, doesn't even meet the Cadbury's threshold.
The one with added vomit.
Exactly.
Yeah.
So what is your sort of favourite chocolate of choice?
Oh, my favourite chocolate.
Do you know what?
I change a lot.
I'm malleable.
It depends what mood I'm in, but I'm a big fan of mint chocolate.
You have the breaking strain of a Mars bar.
I do.
And I do like, do you know what?
I like almond Snickers.
I used to be a big fan of the Piedmont Snickers.
Yes, as I well know.
As you well know, it used to fuel my diabetes habit.
I think one time you brought back about 50 bars for me.
It was like a whole suitcase.
You know that scene in Pulp Fiction where you slide a briefcase across the table?
It opens it and it's like, are we good?
It's like, I'm just staring at it.
It's like, hey, Andy, we good?
I'm like, yeah, we good.
It's like, close the case again.
Right, yeah, we're good, just like close the case again.
But yeah, no, talking of bad habits anyway, so how are you?
Oh, very good, very, very good.
How did you... were you in my bedroom last night?
Yes, not too bad. Cough's clearing up, feeling a little better. Work's getting very, very busy. I got up extra specially early this morning for just that.
Not unlike yourself, as I understand.
Indeed.
Half four start for me.
Sorry, what?
Half four start for me.
Half four.
No, that's just wrong because that's normally when you finish.
Yeah, but this morning I had to take the dog out
because of, as four mentioned, heat wave coming.
It's not healthy to take the dog out.
The temperature difference at half four to half six
is probably not that great.
So the dog can't eat two hours before free running
or two hours after free running.
So there's a big window where he needs to have his breakfast.
Bloody hell.
Yeah.
God, I wish I looked after myself half as good as you looked after your dog.
I know.
There's a lot that goes with it.
I was going to say, mind you, the free running part, you know,
that was it.
I was out at that point.
So, yes, it was.
But, yeah, it's been good.
It's been good. I got back into London again for the first time in a very, very long time, so that was a little bit better as well. So slowly getting back into the groove.
And talking of the groove, let's see what we've got coming up for you today. This Week in InfoSec takes us back to the time Shell was born again.
Run to the Week is a bold strategy to increase sales. Billy Big Balls introduces us to Bring
Your Own, D-A-L-A-N-G-T-I, or Be Your Delankey. Industry News brings us the latest and greatest
security news stories from around the world and Tweets of the Week
advertises an unintended
pwned-to-own competition.
So,
let's move very swiftly
on to our favourite part of the
show, the part of the show that we
regularly call
This Week in
InfoSec.
This Week in InfoSec.
It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And so I actually was going to talk about Ed Snowden this week. It's 10 years this week since the first leaks hit the press. But when I was looking, yeah, I know, 10 years. Actually really depressing when you realise that, you know, all we've learned since then is that no one will stand up for your privacy apart from you. Big companies make way too much money off your data to care about it,
and the government will just access everything anyway,
even when there's laws supposed to be in place
to protect you.
So I thought I'm going to avoid that
to avoid depressing everyone.
Well, I'm glad you didn't talk about that
because, yeah.
I don't want to bring you down.
No.
But our first story takes us back a mere 34 years,
which was a time before I was born,
when on the 8th of June, 1989,
the beta release of the Born Again shell,
aka Bash, was announced as version 0.99.
And as we know, this is... so when a computer boots up, you've got the kernel, which recognises all the hardware and allows each component to talk with each other, and in order to interact with that they put a shell on it. This is typically for Unix computers, which operates outside the kernel or around the kernel, like a shell, if you will, which allows you to interact with the computer whenever you want.
So why am I talking about shell? Because it was two months later after this release, 34 years ago, that Shellshock was introduced into the Bash source code, and it persisted in subsequent versions for over 25 years until its discovery in 2014, when obviously Shellshock was rated as a critical vulnerability due to the escalated privileges afforded to attackers.
Someone was playing the long game.
They were. I was thinking, how am I going to tie this back in?
But that whole thing, yeah, people may have been accessing this for 25 years
without any knowledge on that.
Wow.
So, you know, that's all the gnome terminal console.
Is it iTerm on Mac?
I forget, that Bash shell, you know, that prompt that you get, the dollar sign waiting for your input.
Oh, yeah, yeah, yeah.
Not that anyone knows what to type in. No one on this podcast knows what to type into that shell.
You say that, you say that. Just a couple of weeks ago, I was playing around with Terminal and I was asking ChatGPT to help me type stuff into there and nothing worked.
But you didn't know what to type in. You simply copied and pasted.
Yeah, I came up with the prompts, so I'm like a manager. Like, you know how you say you don't need to do the nose stuff, you just need to know what to tell your team. That's pretty much it. It's like an entire Bangalore, like, you know, brain.
But at least I know to ask human beings and not bloody ChatGPT.
You know, I used to... it's like I'd get onto a system and I'll just press up to see what the last commands that someone else ran were, and just keep scrolling through them until something looks like something I'm familiar with.
Oh, yeah, yeah. List that directory. Yeah, do that.
But alas, our second story takes us back a mere 40 years, to the 3rd of June 1983.
If I was to say, would you like to play a game? Would you know instantly what I was talking about?
It was when the science fiction film War Games was released.
And War Games was obviously notable for bringing the hacking phenomena
to the attention of the public.
And it ignited a media sensation regarding the hacker subculture.
And at the time, the film's NORAD set was the most expensive set
ever built at a cost of a million dollars.
Wow.
That was Matthew Broderick, wasn't it?
It was, yeah.
But it had everything, like, you know, how he broke in
to change his grades with the, you know,
he looked under the desk for the password on a post-it note.
That's right.
All the classics.
I always remember being very jealous of the acoustic coupler he had for his phone.
Yeah, but that seems to be bigger in the US than it was over here, though,
wasn't it, those sort of couplers?
Yeah, mainly because we had, well, BT or the post offices it was back then,
so the telephone system was not wonderful.
Yeah.
Well, someone, speaking of like a bit of phone stuff,
there was like in the 80s, I think, and this is one of my dad's friends.
And like he got a BT answering machine.
And the answering machine came with a remote that if you were away from home,
you could punch in your PIN number, put it on the receiver of the phone and you could remotely
access your answerphone and it would play back.
Oh, that's right, yeah.
And what he found out is that you could take that remote, put it against a public payphone and dial a number, and it would make a free phone call for you, basically.
Yeah.
So was that called, like, the DTMF, the dialling tone?
Yeah, DTMF is something you find on dating sites, I think.
Oh, no, that's DTF.
No, but it was, yeah, it was using the dial tone frequencies to, to whatever. So it's easier than whistling the codes in.
Oh, we didn't have Captain Crunch over here.
We didn't need that shit.
No, we had Jimmy Savile.
Yeah.
Oh, okay.
Tom, do you want to get us out of this?
Thank you, Andy, for this week's...
This Week in InfoSec. Sketchy presenters, weak analysis of content and consistently average delivery, but they still won an award. Like and subscribe now.
Haven't heard that one in a while.
I had feedback just before the show that we've been playing
our new jingles too much.
I thought I was getting value for money, but, you know.
Right, shall we go to the next part, the angry part,
the part that is known as...
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
Okay, we all know that companies, hardware companies, software companies,
they, you know, things go wrong with their products
and they send out patches and update stuff.
And, you know, firmware updates, well, firmware updates
have been the boon of this show many a time
as we've upgraded our equipment just before we go live
and find that it all goes wrong.
You know, so these things happen, you know, and if there's equipment that's not quite performing,
then a firmware upgrade is what's, you know, what's required. And that's fine. You know,
we don't always get things right first time on super complex systems. And also if it tests okay
in a, you know, in a lab, it doesn't mean it's going to work in real world
situations. And so that's an iterative process. And Barracuda, who are a network security vendor,
they know this very, very well. And many of their products have been out there.
But they've recently come across a zero-day vulnerability, which has basically urged Barracuda to tell its customers
not to just update a firmware or whatever,
but to completely remove and decommission an entire line
of affected hardware, as opposed to just applying a software update. So Barracuda Networks has struggled to combat a spreading malware threat which appears to have undermined its email security appliances in such a fundamental way that they can no longer be safely updated with software fixes.
Now, this is so wrong on so many levels.
Wow.
One, surely, surely there must have been some kind of basic testing
around some fundamental security vulnerabilities
and how to safely recover hardware or even to day one,
it's, you know, put it back to factory settings so that it can then have a new update applied or
anything like that. But to tell it's, you know, these email security gateway owners to, you know,
our advice is to basically unbolt the system from the equipment, from your systems, and place it carefully in the bin, is terrible.
That is, I mean, it has to have been quite a big decision to make that, because who would buy another one from them?
Well, yeah, this is, like, I'm actually stunned at this one, because, yeah, like, what is so... because, you know, I've repurposed hardware for things that it wasn't designed for, right? In the old days, it's, you know, you can load something else onto a piece of hardware. People that use old Macs and load Windows onto it, or, you know, loading Checkpoint onto, like, old Linux boxes,
stuff like that.
But what is so fundamentally wrong with these appliances
is that you cannot reinstall a different operating system.
And even if it's to the point where, you know,
you have to return it to Barracuda and the vendor has to do it
because there's some sort of proprietary connection,
like, these boxes must be so compromised, and we don't even know how long they've been compromised for either.
Yeah.
But if it's been so compromised,
how on earth could it have been got so bad if it wasn't built in,
at least in some kind of fundamentally,
you know,
better way.
Terrible way.
It's terrible.
This is, yeah, I can't.
Can you imagine being given a Windows laptop, let's just say?
That's a pretty complex piece of machinery, right?
And then being told, actually, it's got malware on it and it's so bad,
you're just going to have to dump the laptop.
Yeah.
That's unfeasible.
But if you think about the sort of – so Barracuda is, you know,
it's used by businesses, you know, who have to go through budget cycles
and, you know, justify why they want equipment.
And so I just think they've already spent this money,
and now they have to go back and say,
look, bad news, boss.
We need to chuck out these 12 boxes that we purchased.
Vendors said they're no good.
I need another however much.
Half a million, whatever.
Yeah, it's phenomenal.
Well, the phrase "nobody ever got fired for buying IBM"... I think people may get fired for buying Barracuda.
Yeah, so I know that Rapid7 have done analysis and say they've detected approximately 11,000 vulnerable ESG devices still connected to the internet.
Gee.
Well, it's not surprising if you can't afford to pull it out,
because that's the thing.
If you pull it out, you've got a gaping hole, right?
In fact, your systems may just stop working
because it's an email security gateway.
Presumably, it's in line.
So therefore, things need to run through it.
If you just pull it out, it's not a simple thing to, I don't know,
just push two network cables together with a coupler. I mean, it's a little bit more fundamental than that, right?
Yeah, so you either have an unofficial off-site backup of all the traffic that goes through it, or you just allow everything through.
Yeah, yeah, yeah. The only thing, the other theory I could think of is they were repurposing
some Huawei equipment within it and they were like, oh,
if this gets found out, we're going to get decommissioned from everyone
or something big like that.
Like they're using components that are just like hardware within it
that you can't change.
Yeah.
In which case you do a free replacement service, right? You take the hit.
Product, product. That's the exact phrase I was looking for, yeah.
But not to fear, because I've done a quick internet search, and SC Magazine gave Barracuda Web Application Firewall a five-star rating in their Application Security Product Group test review.
And it's been designated a best buy from SC Magazine.
So, folks, everything is good.
I saw it on SC Magazine.
And as I think Jack Daniel once said, he goes,
SC Magazine give away more stars than the Milky Way.
SC Magazine give away more stars than the Milky Way.
More stars than a reception teacher class.
Yeah.
Reception class teacher, yeah.
Well, maybe what they should send out is some SC Magazine's five-star rated stickers to go over the, you know,
onto the devices just to promote confidence
or something.
Well, anyway, Barracuda, dear me,
you used to have some really good parties at RSA,
but blimey, now we know where the money was actually coming from.
That was Rant of the Week.
This is the Host Unknown podcast,
the couch potato of InfoSec Broadcasting.
Right, Jav, over to you, my good chap, for this week's
Big Balls of the Week.
So we have got two balls of the week, and the first one I'll go over quite quickly because we've spoken about this topic in the past and I don't want to get mine and Andy's blood pressure above the already unhealthy level it normally hangs at. But US government is BYODALAINGTI, which is not a Tamil phrase.
It stands for bring your own device as long as it's not got TikTok installed.
And what they've done is they've extended the ban from employees to contractors' work gear.
So even those that are privately owned.
So if it's an electronic that's used for some government work, anything,
it better not have any bite dance bits on it.
And this is an interim rule, but we all know how interim rules are, isn't it?
We're still on an interim 20% tax hike, aren't we?
Yeah.
VAT.
But it was jointly issued by NASA, not NASA, the NSA,
the Department of Defense and the General Services Administration,
which handles contracting for US Fed agencies.
And they say prohibit TikTok or any successor application or any software produced by ByteDance
from being present on the devices.
So this would apply to all contracts, even those below the simplified acquisition threshold
of $250,000. So this could be purchases or commercial off-the-shelf equipment. You know, so basically you could order, like, some hardware or software or whatever, and it's like, oh, do you have TikTok? Do any of your employees have TikTok on their machine, and do they use it on their phone, and are they using that phone to maybe, like, conduct work business, to look at an email?
Yeah, so if you're selling them envelopes, and your cleaner of the company that sells the government envelopes has got TikTok on their phone, in which to check their schedules for working at said company, that's banned.
Yes, it is.
But I would, just one thing, Jav.
So where it says the interim rule was jointly issued by NASA,
the DOD and the General Services Administration,
I looked at that publication on the Federal Register.
It did actually come from NASA, the National Aeronautics and Space Administration.
Oh, I thought... Yeah, that's not a typo, that is actually NASA, which I have no idea why NASA, you know, is signing this, because they have very, very crucial Department of Defense contracts that basically pay for their entire operation.
They don't want the aliens to learn some of our dance moves.
Yeah, this is I just don't get it.
I mean, they're happy for Facebook. You know, who have all been.
I mean, we've done this to death, I know.
But, you know, all the companies that have been proven to be spying on you who swear blind that they're not the ones that constantly get fined for misuse of data.
They're like completely fine with yet the one company that's saying, look, completely transparent.
Here's our code. Use anyone you want to analyze here.
We know we have more security than anyone.
You know, we're putting in all these processes and they're like
no, definitely bad.
Yeah, I don't get it. And you know what, beyond that, like, and this is one thing that got me on TikTok when Andy kept mentioning it, it's like the community is a positive community on there, by and large. It's not like Twitter, for example, where you post something and it devolves into, like, hatred, and there's racism and extreme right-wing agendas.
You know, just a lot of extremism on there. There's a lot of like, you know, everything's like a horrible experience on a lot of these other platforms.
Whereas I'm like post a video on YouTube and watch the comments come in.
It's just, you know, on any like you look at some of these.
It's like Mr. Beast posted a video about how he helped people restore their vision or something.
And he got so much hate for it.
And then you go on TikTok and people are just doing silly stuff.
And there's like, you go, man.
More power to you.
It's just a very positive community.
Yes, queen.
Yeah, exactly.
Exactly.
But anyway, moving quickly on to the to the second ball that is big
from Billy. British Airways, the Beeb, Boots are amongst the companies whose data have been
compromised after villains, miscreants, people up to no good,
exploited a vulnerability in deployment.
There's an application called MoveIt,
which does some file transfer stuff.
They like to move it, move it.
That's bizarre.
Do you know what I like to do?
Yeah.
Move it, move it.
Yeah, move it, move it.
Ah.
And, yeah, so MOVEit is used by Zellis,
which is like a huge payroll service provider.
And so their Move It installation had been exploited,
and as a result, their customers, which include BA, BBC, Boots,
all the companies that start with the letter B so I think they only got to A and B companies
before they were cut off probably but they were impacted like that and then
Zellis claims to be the largest payroll
and human resources provider in the UK,
and its customers include Sky, Harrods, Jaguar, Land Rover,
Dyson, Credit Suisse, and more.
So, yeah, so I think this is the thing.
When you come out as a Billy Big Ball and you say,
look at us, we are the biggest in the world,
we provide HR services to all of these big, big companies.
Then I think you're painting a big target on your back.
Even if the general population don't know who Zellis is,
you know, our friends in Russia or China or Iran.
Well, it's Russia in this case, isn't it?
With the Clop ransomware.
Yeah, it's, you know, it feels like it. You know, people have speculated that it's Clop, but again, where's the proof? I don't know.
Well, Microsoft said so. It must be true.
Oh, yeah, of course, sorry, I take that back. Well, let's say, I mean, if Trump said it we wouldn't believe it. If Microsoft are saying it,
there's a certain element of
validation which may have
gone into it
somebody's actually thought about it
yes
so I think this
is the thing like
if you're going to go out there and say
you know it makes you a big target and if to go out there and say you you know it it makes you a big target and
if you go out there and brag about how many big customers you are or how good your security is or
how many payment transactions you you you cater for per second or what have you then you know
that's really useful information so if you're going to be big and bold about it, be big and bold,
but then don't skimp it on your security.
Yeah.
Do you know what's funny?
I had never heard of Zellis until this breach last week.
No, no, I hadn't.
I had to remind myself
who the hell MOVEit were.
Yeah, I haven't heard that name
for a long time.
Yeah.
But do you know what was interesting?
For me, what was interesting
was I saw this come out on Sky News, like, breaking news,
and it was a statement from British Airways, uh, that sort of released it first. Um, and I wonder,
because sometimes, often when you sign contracts with these big companies like BA and stuff like
that, they put in a clause that they get to control the communications in the event of a breach. Um, and I'm curious as to whether or not they had that clause with Zellis in that
they would control the narrative, uh, or, you know, determine when it gets released. Yeah, hadn't even
thought about it like that, I have to say. Well, I was just curious why is, uh, BA that did, did
the announcement first. Yeah, because all of their staff payroll was compromised.
So every single BA employee in the UK, their details were compromised.
Yeah, but I assume it's the same for all of the other companies that were impacted.
Maybe.
I don't know.
BBC.
Yeah.
Well, excellent.
Thank you, Jav, for that lovely pair you just showed us.
That was this week's...
Billy Big Balls of the Week.
This is the Host Unknown Podcast.
Andy, we're rattling through this in record time,
and so therefore, what time is it?
It is that time of the show where we head
over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the
latest and greatest security news from around the globe. Industry News.
Clop ransom gang breaches big names via MOVEit flaw. Industry news.
FBI warns of surge in deepfake sextortion attempts.
Industry news.
Cisco counterfeiter pleads guilty to $100 million scheme.
Industry news.
Cyber extortionists seek out fresh victims in LATAM and Asia.
Industry news.
Lazarus Group blamed for Atomic Wallet heist.
Industry news.
Interpol.
Human trafficking is fuelling fraud pandemic.
Epidemic.
Epidemic.
Epidemic.
Industry news.
Microsoft brings OpenAI tech to US agencies.
Industry news.
Pharmaceutical giant Eisai hit by ransomware incident.
Industry news.
Espionage attacks in North Africa linked to Stealth Soldier backdoor.
Industry news.
And that was this week's...
Industry news.
I'm just looking at the FBI warns of surge in deepfake sextortion attempts.
So... FBI has warned internet users to be cautious when posting or direct messaging personal photos and videos after noting complaints about sexually explicit deepfakes circulating on the web.
So malicious actors are using the AI-based technology to manipulate benign images or videos of victims into explicit content.
Okay, so back in the day, people just used to use Photoshop, right? Yeah. Now, now it's
with movies. Now it's, yeah, now I can do it all for you. Uh, you don't have to be scared, it's a case of
let's see what you could have done. Yeah. It's, so I remember that, you know, obviously friend of the
show Ricey one time, uh, there's a photo of me at a shisha bar, uh, smoking on a shisha. Obviously had
my hand in a particular position and I had my mouth in the
sucking position, and he photoshopped that to something very different. He removed the shisha.
A Peperami in your hand or something? He did put a, uh, yes, a giant pepper, yes.
And it was actually a very good, uh, very good, uh, Photoshop that he did.
But yeah, so you remove this skill, people don't have to do that anymore if you've got AI that
can do it for you. Yeah. And also it's, it's a classic thing that if you fuck up and you release
all of your, all of your sex tapes and nudes and stuff, you go, no, it wasn't me, deepfake.
So I think it would get to the point where it's so
good it's the perfect defence. Yeah, but I'm thinking now if, uh, people, if someone, like, sent me
one of your videos of you doing some, like, you know, beast with two backs, I would pay them to
not send them so I can see... Oh, stop sending them to me. How much do you want? Five Bitcoin, done.
But then I'd have wasted that money sending them to you.
Yeah.
And pretending that they were deep fakes, yeah.
Yeah.
My eyes!
Oh, dear.
Two backs, at least three.
Oh, my God.
Sorry, Duchess.
Yeah, sorry, man.
What else have we got here?
It's not good, is it?
They were quite wordy headlines.
Yeah, cyber extortionists seek out fresh victims in LATAM and Asia.
That seems odd.
Surely they were already being extorted in those countries anyway.
Yeah, strange one.
Maybe they've just got some sort of translation plug-in
to their usual scripts.
Yeah, that's true.
We've done all the sort of Western languages.
Yeah.
Microsoft brings OpenAI tech to US agencies,
and it's such a wordy article.
I'm just going on the headline now,
and I'm saying it's a bad idea.
Slow down.
Well, that's the thing, right?
Yeah, so we don't trust TikTok on any contractors
of people who deliver services to US agencies.
However, this new OpenAI crap that we don't even know how it works yet,
we're just going to chuck it in.
Integrate it.
Everybody else is using it.
Why aren't we?
Yeah, and, Jav, there is definitely a difference
between an epidemic and a pandemic.
Yeah.
Minor differences.
No, one involves lots of shady money from dodgy government officials,
and the other one is a medical emergency.
Yeah, one's caused by 5G, and the other is...
Yeah, there's not... it's not a lot. Again, I reckon it's slow week news. It's a slow
news week because they're saving stories for Infosec, aren't they? Yeah. Is that next week?
Uh, week after. Okay, week after. Oh, guys, I won't be here next week, so you'll have to find a
replacement. And don't say that... You're telling us live on the show? Yes.
Okay, Graham, Carole.
Well, actually, Carole doesn't listen unless she's told to.
But, Graham, if you're around, we'll have you on, mate.
I give you my blessing to start as me.
It's like the new Aunt Vivian on the Fresh Prince,
like when they replaced her.
Everyone just carries on like nothing's happened.
I have absolutely no idea what you're talking about,
but I'm laughing anyway.
Fresh Prince.
Yeah, I know.
I have no idea.
Never watched it.
Or never watched an entire episode.
What?
Yeah.
Yeah.
I mean, it's all right.
But anyway.
Anyway, hasn't Will Smith been cancelled?
Yes.
Yes, absolutely.
We've got tickets to go and see him in September next year.
The uncancelled show.
Yeah.
I'm hedging my bets he's going to be okay again.
It's basically a cage fight between him and Chris Rock, isn't it?
I don't know whether to be excited or scared
about what's going on on September 18th.
14th, whatever it was.
Hopefully I won't be four days late.
2024.
2024, yeah, more to the point.
Advanced planning.
Yeah, I'll be somewhere in September 2023 and go,
guys, are we doing this?
Just very quickly, I want to look at this Cisco counterfeiter pleads guilty to a $100 million scheme.
Maybe, maybe this guy was payrolled, I'm just saying,
by Barracuda because they needed some extra equipment.
Yeah, yeah.
Well, the thing is, like, when you read that story
and you look at all the effort he had, like, 15, 20 companies set up in the US,
he had, like, suppliers in Hong Kong and China, what have you,
and he had, like, 10 eBay storefronts and everything.
And I think, dude, you're putting in so much effort.
Become a licensed reseller.
Yeah, just do it for real.
Yeah, exactly.
Yeah, yeah.
It seems like he put in more effort than Avada's.
And he thought, you know, he could have made more money.
And this is why, folks, come on.
Kids, like, there's crime and then there's legal crime.
And just do it the legal way.
Yeah, he made over $100 million importing and selling counterfeit Cisco networking devices.
I'd be fascinated to actually see the financials of this
and then see it compared to his, what he would have made if he did it himself properly.
Oh, he would have made a lot less.
I'm sure the margins would have been lower.
But this goes to show that obviously if this hardware is counterfeit,
you can still run Cisco's IOS.
Yeah.
IOS because, you know, so Barracuda, what's going on?
Why can't you run it?
Yeah.
Maybe they're telling people to return the equipment
so they can sell it to this guy.
Yeah.
He's offering a lot of money.
He's going to make a lot more money this way.
Anyway, thank you.
That was this week's...
Industry News.
We are officially the most entertaining content
amongst our peers.
For another two weeks.
I did put the thing out about
voting for us in the awards
and it had already closed last week.
So our fate
is sealed. So Jav,
as our inside man, should we bother turning up?
Well, I'm going to be there.
Well, yeah, because you're part of it.
Well, man, you make it sound like it's the Illuminati or something.
If you're in it, it is, definitely.
Right, Andy, take us home with this week's...
Tweet of the Week.
And we'll always play that one twice.
Tweet of the Week.
And so this week's Tweet of the Week, actually, I'm going to do two
because the first one I came across, I couldn't actually believe.
It was an image, obviously, following Apple's announcement
of their new Vision hardware, the augmented reality.
And this one's from Elon Musk, and he's put up a $3,500 augmented reality from Apple, and it's a picture of the
Vision glasses, and then he's compared it next to a $20 augmented reality picture, and it's a bag of
magic mushrooms, um, so, you know, with a label, make contact with UFOs and aliens, indeed. So I mean
that's a double check.
But as we know, Elon does like a bit of the funny stuff.
But yeah, choose.
If you want that augmented reality experience,
either get Magic Mushrooms or the Vision Pro.
You choose what's better for your wallet.
Yeah, but I can't tweet about getting the Magic Mushrooms, can I?
Oh, you can.
You just can't get the clout.
Yeah, you can't get the clout for it.
But this week's Tweet of the Week is from friend of the show,
Adrian Sanabria, who kind of used to look like Huey
from Fun Loving Criminals.
He's also known as El Diablo.
El Diablo.
And he has tweeted,
Forbes just created a top 200 list of the most secure companies.
This will end badly.
Yeah.
And yeah, that is a list.
I clicked into it and it's, yeah, it's definitely a list of 200 companies.
Go on, any notable names on there that you go, really?
Well, and so, do you know what?
There were, right? And so I clicked
through to it and, uh, of these companies, um, there weren't, like, huge names. And so they, they also
include, like, the name of the CSO who runs the company as well. Oh my God. Yeah, so the industry,
so Intel's number one, apparently the most secure company. Um, and then you've got, you know, various ones,
uh, so not like huge, like the, the Neiman Marcus Group,
who's sort of famous for their cookies, in at number nine.
And so, really, the top five, Intel, Western Alliance,
Bancorp, Virtuosa, Palantir Technologies, MetLife,
Pacific Western Bank.
So this is the world's most or America's most?
Well, so they're saying America's most, right?
But you're generally the largest companies, right?
Because a lot of these big American companies are global.
However, I was like, okay, there's some really sketchy names throughout this whole,
you know, you go through the list of 200 companies you'd never hear about.
And then I say, right, how do they do this, right?
What did they work out?
What's the criteria for this? And it turns out
Forbes did this, uh, article in partnership with SecurityScorecard. Now, if you're familiar with
SecurityScorecard, it's like one of these sort of ratings companies that sort of looks at your,
your public, um, bloody... SecurityScorecard, like BitSight and, um, you know, UpGuard and those sort of companies.
And, however, so the only issue which comes from these companies is that the smaller your footprint
online, the less, um, likely you are to have, yeah, vulnerabilities. It would bring your score down, right? And so, yeah, take this
with a huge pinch of salt, uh, in terms of whether or not it is, uh, off alley. But it was interesting
anyway because now, you know, someone's going to look at this and it's going to be like, oh,
most secure company, is it? Yeah, let's have a go. Yeah. So I think the, the other thing is that, um, you've got 200 potential SecurityScorecard
customers, or companies that have been scanned by SecurityScorecard without their
consent. Um, oh yeah, every company gets scanned without their consent and that's why they say
it's all public stuff. Yeah, so it's, it's not, not a good, good showing. And then second thing
is, it's, this is a Forbes list, and if anything that Forbes has taught us over the years, that list,
their lists are toxic AF. You have, like, how many people on the top 30 under 30 have been, are now behind bars, like Elizabeth Holmes or that Martin, that Pharma Bro
guy? And, uh, Pharma Bro, you know, the guy that bought the... Oh, as in pharmaceuticals, sorry.
Yeah, yeah, I was thinking of a guy in dungarees and a hat chewing an ear of corn. No.
And actually, I read this stat, like,
that for one year they were doing or something,
someone done a calculation that the top 30 under 30
have raised 5.8 billion in funding,
but the ones that have been accused of fraud
have been done to the tune of $18 billion.
So it's absolutely ridiculous how much money these people...
But that's the calibre of Forbes frauds articles.
Yeah, that's Sam Bankman-Fried, the crypto FTX guy.
Oh, yeah, that's right.
He made the list.
Yeah, yeah. Also, the guy from
WeWork, their CEO, he made the list
and that was a week before
the company folded
yeah because yeah they're sort of cooking
the books
Has it folded? I mean, they're still open, aren't they?
Yeah, but, you know, they went
to get rid of, like, 90% of their staff.
And him.
Yeah.
Which was probably 90% of their payroll.
Anyway, excellent, Andy, for this week's... Tweet of the Week.
So, gentlemen, thank you so much.
We careened through that at top speed, I think.
Oh, no, we didn't.
50 minutes.
There you go.
We dragged our way through that. We, we persisted on torturing our listeners once again. Uh, but nonetheless, Jav, thank you so much for, uh, for your time, effort and audio quality.
It's always a backhanded compliment in some way, shape or form.
Just get out. Yeah. And Andy, thank you, sir. Stay secure, my friend. Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe.
if you hated it please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
Right, so find a replacement for me for next week.
Done.
Yeah, it's already sorted, mate.
It's more like you don't realise that you are the replacement.
I don't think that's really sunk into you yet.
We can tell Graham he can come back off holiday now.
Yeah.
I'm not the clone, you're the clone.
Yeah, I know.
Graham, Jav, separated at birth, definitely.