The Host Unknown Podcast - Episode 156 - The Smashing Security Takeover Episode
Episode Date: June 16, 2023

This week in InfoSec (12:01)

With content liberated from the "today in infosec" twitter account and further afield

12th June 1989: Callers to a Florida probation office were connected to a phone s...ex line. Southern Bell officials said it was the first time their switching equipment had been reprogrammed by a hacker. Phrack #27
https://twitter.com/todayininfosec/status/1668417281112637441

15th June 2004: The first mobile phone virus, Cabir, was discovered. It infected devices running the Symbian OS and spread via Bluetooth. 68% of you are thinking "Symbian OS? Never heard of it." Learn how it got its name and how it spread in a stadium in Finland: First smartphone malware
https://twitter.com/todayininfosec/status/1669380905662545921

Rant of the Week (21:09)

Capita wins £50M fraud reporting contract with City of London cops

Capita, which is still dealing with a digital break-in that exposed customers' data to criminals, has scored a £50 million contract with the City of London police to run contact and engagement services for the force's fraud reporting service. The five-year agreement kicks off in 2024 and the territorial cops responsible for law enforcement in the financial district of the capital (aka the "square mile"; the Met looks after Greater London) have an option to extend it for a further two years, should they wish to do so. The work will see Capita provide an "end-to-end customer management process" to potential victims of fraud when they contact the service. The current iteration receives upwards of 350,000 calls and 2.3m unique visits to the website annually. In a statement, Capita pledged to "deploy" its "customer experience model for identifying, managing and monitoring customers using data and specialist coaching to support potential victims of crime."

EU boss Breton: There's no Huawei that Chinese comms kit is safe to use in Europe

European Commission's own networks to toss Middle Kingdom boxes amid calls for total replacement. European commissioner Thierry Breton wants Huawei and ZTE barred throughout the EU, and revealed plans to remove kit made by the Chinese telecom vendors from the Commission's internal networks. "We cannot afford to maintain critical dependencies that could become a weapon against our interests," he declared in a Thursday speech. The Chinese vendors' presence in foreign networks has been a point of concern for years. There are concerns that backdoors in Huawei equipment could allow China to spy on foreign nations, given Chinese law requires local businesses to share info with Beijing. However, Huawei has repeatedly rejected the claims of backdoors, insisted it follows the law of the land wherever it operates, and denied that Chinese laws would see it sell out customers. Those protestations haven't stopped the US, UK, and at least ten EU countries from banning the manufacturer's kit from their networks. ZTE has also run afoul of regulators.

Billy Big Balls of the Week (32:17)

US mother gets call from 'kidnapped daughter' – but it's really an AI scam

After being scammed into thinking her daughter was kidnapped, an Arizona woman testified in the US Senate about the dangerous side of artificial intelligence technology when in the hands of criminals. Jennifer DeStefano told the Senate judiciary committee about the fear she felt when she received an ominous phone call on a Friday last April. Thinking the unknown number was a doctor's office, she answered the phone just before 5pm on the final ring. On the other end of the line was her 15-year-old daughter – or at least what sounded exactly like her daughter's voice.

Industry News (42:07)

Data Flows Between UK and US to be Simplified Under New Agreement
Ofcom Latest MOVEit Victim as Exploit Code Released
Microsoft Pays $20m to Settle Another FTC COPPA Case
No Zero-Days but PGM Flaws Cause Patch Tuesday Concern
MFA Bypass Kits Account For One Million Monthly Messages
Europol Warns of Metaverse and AI Terror Threat
EU Passes Landmark Artificial Intelligence Act
Malicious Actors Exploit GitHub to Distribute Fake Exploits
LockBit Makes $91m From US Victims in Two Years

Tweet of the Week (50:49)

https://twitter.com/InfoSecSherpa/status/1062036305146724354
https://twitter.com/fesshole/status/1662495137992175617

Come on! Like and bloody well subscribe!
Transcript
I am recording.
I am recording.
Because let's face it,
we jab away,
we've had to get another intern in
and the last one didn't work out yet again.
So hopefully we've got someone better this week.
Have we?
We do.
The highly recommended,
someone who's top of the game
and someone who carries a Smashing Security podcast,
Carole, welcome to the show.
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you're joining us.
And welcome.
Welcome, one and all.
Welcome, dear listeners, to episode 166 of the Host Unknown podcast.
Welcome one and all.
So Carole, welcome to the show.
Yeah, so hi, hello.
So I know, yeah, so Carole rang me this morning saying she was far too busy getting her hair dyed
or something like that, or creosote in her fence.
So she's subcontracted it...
What was the other way around? Creosote in her hair.
She's subcontracted it out to me, I'm afraid.
Hello, it's...
What?
It's Graham Cluley, yes.
Co-host of the award-winning Smashing Security podcast.
At the moment.
Well, actually, Carole's on holiday, isn't she?
She is.
We know this.
So, yes, welcome, Graham.
She wouldn't come on anyway.
Let's be honest.
No, she wouldn't.
We asked her twice before, before we asked you, Graham,
and she said no.
She only went on holiday to avoid this, I believe.
Exactly.
Yeah, that's right.
Graham, thank you very much for stepping in.
Well, that's my pleasure.
And thanks to Javad for stepping in for me last week.
That was really good of him.
It was.
He finally turned up for an episode.
Yeah, it was great.
Yeah, it's great. Yeah. Yeah, exactly. I mean, this does herald the start of the reverse takeover of the Host Unknown podcast by Smashing Security.
I think there's a land grab.
There's been a counteroffensive by Smashing.
They've got some Western help, and they're pushing their way through,
whilst Host Unknown are just deliriously unaware of how poorly we're doing.
In contrast, we keep telling everybody that we're doing a lot better.
You're doing brilliantly. You're up to episode 160 or 156, depending on how you count. I mean,
the typical podcast only lasts about eight episodes, doesn't it? So, I mean, I think Host Unknown is doing tremendously well.
We are.
Well, do you know what?
We use it as just a way to catch up every week, to be honest with you.
Well, I mean, hey, but you don't have to release it, you know.
I mean, please, please.
There's definitely four that haven't been released that we've recorded.
There's one, one that hasn't been released.
Hence it's really 160 episodes that we've, well,
we've certainly contributed to.
There's only one we haven't released.
Anyway, so Graham, how has your week been, dear sir?
Oh, it's been wonderful.
It's been wonderful.
I've been doing a little bit of furniture moving
from one house to another.
That was an experience.
How the other half live, eh?
Two houses.
I've been driving a man van.
I felt very manly indeed.
And in fact, when I got there, the rental company said,
oh, your van's broken,
so we're having to give you this enormous mega van instead.
Is it a panel van?
I had to, oh, I had to, I had to eat two Yorkie bars.
Oh, did you put a copy of The Sun in the dashboard,
get a Ginsters pie at the station and then call everybody a wanker as you drove past?
I was totally there. I was totally there, yes. No, I've had a great week.
Thank you very much.
Very good.
Very good.
Glad to hear it.
All in good spirits and ready for the weekend.
Yes.
Good.
Yes.
Good.
Good.
A good summary there, I say.
Andy, how about you?
How has your week been?
Without using the word busy.
Well, I was going to say, it's been very active this week.
I have delivered anti-bribery and corruption training this week.
What?
Is this Poacher Town Gamekeeper?
You've been delivering that to your auntie, have you?
That's nice for her.
Yes.
Yeah, no, it's a mandatory training module, obviously,
that most companies have to go through.
Yeah.
But I believe it's every three years my company does live sessions
rather than CBTs.
Wow.
And so, yeah, I don't know how,
but I was roped in to be one of the trainers.
What?
But I will hand full credit to my compliance colleagues.
They provided a perfect script and everything.
So it's pretty much like this show for you, Tom.
You just turn up and read what's on the screen.
It is.
That's pretty much what I did.
I turned up and read what was in front of me.
Here is our bribery and corruption expert, Andy Agnes.
Yes.
Dance, monkey, dance.
But no, it's good.
So I work for an international company.
Lots of people, they all brought their own sort of stories to it,
you know, in terms of instance where, you know,
we don't pay bribes for stuff.
You don't pay facilitation payments.
Look out how they're disguised and things like that.
But, you know, there's one guy that when he was travelling
across West Africa was told that he needed papers to prove he didn't have HIV. And so, knowing it
was a scam, that they were after money, they said, that's okay, we'll take your blood and do the
test ourselves if you don't want to pay for it. So, you know, that's an example of a circumstance where
you do, you know, you should pay, you know, to avoid any
sort of danger. But no, very good real-life examples that people brought to it. So there are
occasions when you do pay to make sure you don't unalive yourself. Indeed, yes, where you are at very,
where you are very, at real danger of physical harm. I can take them a lot. Here's my company credit card.
Here's the pin.
Crack on.
Exactly.
And then just, you know, report it afterwards,
explain what happened.
Yeah.
Yeah.
But no, very interesting week.
Very busy as well.
I had to buy this laptop.
It fell into my pocket.
It was the only way I was going to make it out of the shop
without getting arrested.
And this is what you've done, right, in the past?
I mean, it's a defence, right?
A weak one.
But talking of corruption and weakness, Tom, how's your week been?
Yes.
Oh, I love it.
I love it.
Yes, it's been a good week.
I've started another couple of projects,
which I've just posted into the WhatsApp chat.
Graham, I shall share with you in a moment
because you're on a different channel, of course.
But, yeah, I watched the film Tetris the other week,
which is on Apple TV.
I like that.
Absolutely fascinating.
It's 50% real and 50% pure fabricated drama,
but, you know, the underlying story is real.
And it got me very, you know, got me thinking about, you know,
the old Nintendo Game Boy.
So I went and bought one off eBay.
Huh.
Only 30 quid, something like that, 35 quid.
Bargain, absolute bargain.
Yeah, and it worked, had Tetris in there.
But as described, the screen was a bit crappy
and, you know, dead pixels and all that sort of stuff.
So I thought, oh, I'm sure there's some mods you can get on here.
So I've ended up replacing the battery with a USB-C rechargeable battery,
replacing the power strip and power distribution,
replacing the backplane that supports the LCD,
and replacing the screen itself.
So, yeah, that was a fun evening.
This sounds a bit like Trigger's broom from Only Fools and Horses.
I was thinking exactly that as I was building it,
because I was thinking,
oh, I could, you know, they do these customised cases for it as well, and then it's like, hey,
with all the leftover bits I could make a brand new Game Boy. But I ended up spending three
times as much money again, actually maybe four times as much money again, on all the modifications. So, yeah, it was an expensive little whim, to say the least,
but it was good fun.
And the actual insides of it are incredibly, well, just so simple, really.
It's just a small chip, et cetera, et cetera.
But it was good fun.
And then I was away at a summit, the Istari Compass Summit,
which is obviously an InfoSec thing.
And that was until yesterday.
And then I did a little photography gig in Bristol.
Oh, lovely.
Which was good.
A little corporate.
They had a little formal black tie event, this company,
and they needed a photographer, and my friend subbed it out to me.
Cheers.
What did you have for lunch every day, Tom?
I think we've got the detail for everything else.
And what socks were you wearing?
Oh, I got these brilliant penguin socks my mum got me for my birthday.
So I've been wearing those this week. Are you guys going to InfoSec next week?
Oh, hell yes.
I am actually not.
So I am actually delivering more training on Tuesday and Thursday of next week.
And Wednesday I've got a board meeting.
Are you not going to be there at all?
No, I thought I was going to do Thursday, but the ABC training is so popular.
I received an email yesterday from compliance asking if myself and a colleague can deliver another one on the Thursday.
You should have said no, but I'll do it the following Thursday.
No, mandatory training.
I've got an audit committee the following Thursday.
So, yeah, busy man these days.
Come on. Just, you know... Tuesday? Come on.
Use your imagination here, Andy.
But it's at the Excel Centre.
It's so far out. It's so hot.
It's full of vendors.
That's the thing. It's all about cyber security.
I find that terribly dull.
You go there for the networking, right?
I'm not very good at that.
Look, I hope you guys do well at the awards.
You should do. I mean, Jav's taken this week off to sort out
who's going to win it.
He's actually in s*** at the
moment. Is he? He is.
Can I say that? Is it
secret? He's in s***, isn't he?
Not anymore. Not anymore, yeah.
I never know whether we should
talk about where he is or what he's doing.
But yeah. He's in another country.
He's out of the country at the moment.
He's away from home.
There you go.
Away from homes.
Yeah.
Yeah.
Anyway, what have we got coming up today?
Yeah.
Right.
So talking of stitching people up at home, what have we got coming up for you today?
Well, yes, this week in InfoSec asks Graham to educate us on the first mobile phone virus.
See, there's a reason why we get Graham on.
Rant of the Week proves that getting hacked
doesn't actually lose you business.
Billy Big Balls is another use for AI.
Industry News brings the latest and
greatest security news stories from around the world. And Tweets of the Week is the greatest
phishing campaign idea. So let's move on to our favourite part of the show, the part of
the show that we like to call...
This Week in InfoSec
It is that part of the show where we take a trip down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account and further afield.
And our first story takes us back 34 years, to a time before I was born,
on the 12th of June. Stretch that calculator noise out for you. No, I know. The 12th of June 1989, when
callers to a Florida probation office were connected to a phone sex line.
And Southern Bell officials said it was the first time that their switching equipment had been reprogrammed by a hacker.
And this is actually a great story.
So it's taken from an issue of Phrack, Phrack issue 27, where callers were trying to dial
the probation office and instead heard a smorgasbord of sex talk
from a panty woman named Tina.
Does that mean she was wearing more than one pair of pants?
I think a smorgasbord is a plate of cheese, isn't it?
Is that the right...?
So she was wearing multiple pairs of pants whilst eating cheese.
Sounds pretty sexy to me.
You know these Floridians though, right?
Florida woman.
Yeah, so Southern Bell telephone officials said a computer hacker
reprogrammed their equipment over the weekend,
routing overflow calls intended for the local probation office
to a New York-based phone sex line instead.
And people were calling the Department of Corrections and getting some kind of sex palace at Thomas
Sourbuss.
They should have called it the Department of Erections instead.
Ho, ho!
But no, one of my favourite quotes is a Southern Bell spokesperson saying, we're very alarmed
as a feat would require someone
with considerable computer knowledge.
And then went on to do the whole doomsday scenario
of the implications of such a computer breach
are considerable.
Intercepting corporate communications,
uncovering unlisted phone numbers
and tampering with billing information
are all plausible consequences
of a computer security
breach at the phone company. So when was the 14-year-old arrested? So there's no follow-up from
this story. I can't find any further info from this. So yeah, I mean, I would look for anyone
that was on probation for computer crime or, you know, phone phreaking sometime around May of 1989.
Where was Kevin Mitnick around this time?
I think he was probably somewhere with, who was the world's number one hacker?
Oh, Gregory.
Gregory D. Evans.
Gregory D. Evans.
Yeah, him and Gregory D. Evans were probably, you know, out causing mayhem somewhere, whistling tunes down a phone,
you know, rerouting millions of dollars or something.
But alas.
Is Gregory D. Evans still on the circuit?
Is he still around?
I've got a feeling he is.
I've not heard about him for a long time.
Anyway, sorry.
He's probably got restraining
orders against every major news publication from mentioning his name or something. I don't know.
But our second story takes us back a mere 19 years. Can you believe it was that long ago
that the first mobile phone virus, Cabir, was discovered? And it infected devices running the Symbian OS and spread via Bluetooth.
And a lot of people are probably asking, what the hell is Symbian OS? And it's not that device,
Tom. No, not that one. Oh, no, okay. That vibrates. I'm, yeah, I'll be able to afford one of those one of these days.
So, I mean, as we have an expert with us this week, I thought maybe Graham could take us home and tell
us a bit more about Symbian and how the hell does it spread via Bluetooth. Oh, well, well, Symbian was
the operating system. Oh, sorry, yes, Cabir was the name of the virus. So this was on Nokia phones, of course.
Solid phones. Well, yeah,
they were pretty decent phones. They had Snake.
Their battery lasted forever. Not like modern
phones. My phone barely lasts a day.
So it's...
You probably want one of those older ones instead.
But yeah, it would spread around. You do use it all the time,
Graham. I mean, like...
I don't know.
Those 3am texts from the toilet are getting a little bit sort of,
you know, tiresome, if I might say so.
I just sometimes need some medical advice, Tom.
That's why I send you those images.
It's the same as always, push harder.
So, yeah, so it would display this message,
Caribe, on your screen, as I recall.
But I don't remember this ever being in the wild.
It was hyped up to Kingdom Come by F-Secure in Finland,
of course, home of Nokia.
And F-Secure, if I remember rightly, way back then,
they really were sort of pushing hard, weren't they, for the mobile malware threat.
And they were like, we're the only people with a mobile antivirus,
even though there aren't any mobile viruses.
So when Cabir came along, they were like, oh, finally.
Jumped all over it.
Finally.
But I don't think...
So are you saying that Mikko Hipponen's whole career is built on a lie?
I'm not... Mikko's a lovely chap.
I'm not saying...
We're friends of the show, Mikko Hipponen, definitely.
I don't think he's ever been on the show.
You can't really call him a friend.
You can still be a friend of the show and not be on it.
He definitely did something for us once.
He did an outro for us one time.
He did, that's right.
That's nice of him, that's nice of him.
Hi, Mikko, if you're listening.
I know you're not.
I doubt he is.
I mean, he's got a day job and everything.
But yeah, but yeah,
so, but then, then there were new variants of Cabir written.
There was a Brazilian hacker,
I think of the 29A virus writing gang,
or maybe 29A wrote the original version of Cabir.
Anyway,
people kept contacting him
saying,
have you got the source code
because we want to write
a mobile phone virus
and he didn't have it.
So what he did was he wrote his own versions from scratch and released those. So there is source
code for Cabir out there, but it's not the original one. And, yeah, I think he was just trying to
encourage others. But that's, you know, hopefully, anyway, I'm sure F-Secure is great, you know,
Finland wonderful. But Symbian, you don't really hear about that anymore, do you?
Because everyone's using
Palm OS.
Or was that just you, Tom?
Palm OS was brilliant.
You liked
the Palm, did you?
I did.
The Palm did work for you.
You put it in the docking station and it syncs
all your Outlook Express contacts nicely.
But only when you press the button.
Yeah.
Yes.
And the graffiti handwriting recognition.
Oh, yes.
Yeah.
It was very, very good.
There was that Apple Newton as well.
Do you have an Apple Newton, Tom?
Sorry, talking about this on the podcast.
Like I could afford one of those now.
No, unfortunately not.
But, yeah, they were great.
The technology just wasn't ready for it, if you see what I mean.
It was just too big.
But in fact, I do believe Steven Seagal used one in one of his films.
To detonate a bomb?
I think he hijacked a train.
I was going to say to text Vladimir Putin, his buddy.
That's right.
To look up dieting tips.
Anyway, a quick word from our sponsors of F-Secure
and Freedom, Freedom VPN.
If you need to watch TV in a different country
or are worried about people snooping on your technology.
Do you call it Freedom?
I call it Freedom.
It's Freedom.
It's Freedom, isn't it?
Freedom E.
Freedom E.
Yeah, Freedom.
There you go.
Miko, if you're listening, drop us a line.
Yes.
God, he's taking charge and everything at the moment.
Anyway, excellent.
Andy, thank you very much for this week's...
This week in InfoSword.
You're listening to the host unknown podcast,
Bubblegum for the brain.
Listen! Whoops, let's try that again. Okay, now, that's not you going off early again, is it? Oops. Oh, it doesn't happen often. I put the numbing gel on and everything this morning.
This has never happened before. It's going to the ranty part. You know, I'm going to have to leave this
in the recording now,
otherwise it makes no sense whatsoever.
It's time for...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
Good news, of course, is that I can spend even less time editing this.
Right, so I've got a choice of two stories.
I'm really not sure which to go for,
so maybe I'll just do a very quick rant on both.
So first one, Capita.
Capita wins a £50 million fraud reporting contract
with the City of London cops.
Now, Capita, you may recall,
we've talked about Capita a few times here.
A massive data processing company,
outsourcing company, et cetera.
they recently had a breach of a lot of personal data.
Very, very high profile.
Lots and lots of chit-chat going on around poor practices, et cetera, et cetera. But they have still won a £50
million contract with the police. Kicks off in 2024, and the cops responsible for law
enforcement in the financial district of the capital, so that is the City of London Police, have an option to extend it for a further two years,
should they wish to.
What they do is that they provide end-to-end customer management process
to potential victims of fraud when they contact the service.
Currently, they receive about 350,000 calls
and 2.3 million unique visits
to the website annually.
So does this mean that when we register the fact
that we've been a victim of fraud,
that we might actually get someone to call us back?
I think that Capita will lose a lot of the calls which come in,
therefore improving the numbers.
Boom, there we go.
City of London, please report.
So as per usual, I am slightly torn on this one.
So you would think, and I know how long these negotiations go on for,
these negotiations started well before Capita had a push.
At least 18 months ago, right?
Yeah, exactly. And I'm sure the execs at Capita who were doing the negotiation have been, you know,
doing an awful lot of smoothing of ruffled feathers at the City of London Police, that, you
know, are we choosing the right people and all that sort of stuff. And I'm sure that, you know, the City of London Police are completely up to date on
their anti-corruption and embezzlement training and all that sort of thing, and so they felt that
it was, you know, still perfectly okay to go ahead with this. Now, the problem with this, some of this,
of course, is that there are many companies, and we've seen this time and time again, there are many companies that
are either too big to fail, or you have to be of a certain size in order to play in a certain
market. And certainly in governmental and very sort of extremely large scale
projects, there's only so many companies that you can work with. And Capita is one of those.
But it does go to show that sometimes having a breach is not going to affect your bottom line
at all. Because frankly, business carries on as usual. And there's an awful lot of air cover being provided by,
you know, marketing and crisis communications and all that sort of thing. And also, frankly, I'm sure
the CSO of the City of London Police is thinking, thank God it was them and not us, more than anything,
much like every CSO around the world when they hear about a potential breach.
But it does, you know, you would like to think that there's either a delay
or a little bit more deeper analysis as to if Capita are the right company
for this, et cetera.
So, yeah, slightly confusing that they win quite such a large contract
quite so quickly after the breach.
I mean, let's face it, they could have announced it in six months' time
once we've all forgotten who the hell Capita were.
So can I ask a question about this?
So Capita, my understanding is, from what you've said,
is that they are going to provide this service for the City of London
fraud police so that if you're a victim of fraud,
you contact the City of London and the City of London get back to you.
And you rather cynically said, does that mean that victims
are actually going to get a call back?
Well, I would argue that, yes, there's actually an increased chance
that they will because if Capita are in charge and they lose people,
the fraudsters will get hold of this data, and they are absolutely bound to get in contact with these victims
and say, can you go to this link and give us some more information?
We want to follow up on this.
I think this is a win all round.
I love your use of the phrase, you rather cynically said,
and then launched into that.
But it's true, isn't it?
Somebody with a track record of losing sensitive data
is now being tasked with handling really sensitive data
about people and organisations that are in all forms of distress.
Yeah.
Or maybe it's one of these things where the City of London,
if they lose this data, they can say, well,
you can't prove it came from us because Capita have already lost this data
in the past.
Oh, nice.
You know, maybe it's like damage limitation.
Nice little double bluff.
I like that.
I like that.
Yeah.
Yeah.
And also they can say it wasn't us that lost it.
It was Capita.
You know, nothing to do with us, Governor.
So yeah, I know there are limitations on who you can use, etc.
But the optics of this are not great at all.
And very quickly, the next one, the EU boss Thierry Breton has said that there's no way that Chinese comms kit is safe to use in Europe.
God, that's a stretch, that one, isn't it?
So basically, Thierry Breton, he's the European commissioner,
wants Huawei and ZTE barred throughout the EU and reveal plans to remove kits made by the Chinese telecom vendors from the commission's
internal networks. Well, all I can say is good luck with that. Secondly, it's kind of, you know,
if you were going to do this, you may have wanted to do this maybe 15 years ago.
Yes, exactly. You have to rip all that stuff out.
And also in many cases, and in fact, funnily enough,
at this summit I was at, we were talking about Huawei itself.
And there are governmental organizations that actually take apart equipment,
certainly equipment that's used in sort of critical environments.
They take apart that equipment
at a component level and test and scan, et cetera, et cetera,
to make sure it is what it says it is and does what it says it's going to do,
which unfortunately takes about nine months per piece of equipment,
apparently, which slows down an awful lot of things.
But the thing is, it's kind of like this ship has already sailed, right?
Removing this is like trying to remove TikTok from a teenager's phone in Utah, is it?
I can't remember.
It's going to be almost impossible.
It's already far too deeply embedded.
And if you really want to do something,
then you need to be ring fencing that equipment and using it in either non-critical environments
or environments where you can monitor every single activity that's going on. But yeah,
it just seems to be that there's an awful lot of China bashing at the moment, and some of it is valid and much of
it just seems to be real knee-jerk reactions to things like this. Can't agree more. Yeah, and like,
where are you going to stop? It's not just your network devices, your routers, your, like, the
chips in your hardware, even your car.
It's your iPhone.
Yeah.
It's everything.
Yeah, exactly.
Just because the chip in your iPhone is designed by Apple
doesn't mean somebody somewhere hasn't dropped something into it.
Yeah.
The likelihood is extremely small because they would lose
vast amounts of income as a result.
And there's nation-state consequences.
I think the risks for things like this are just too great.
I still remember when they shoved that U2 song onto the iPhone.
Was it the whole album?
I think it was the whole album, wasn't it?
But do you know what?
I was like, get a grip, people. You've been given a free
album. If you don't want it, delete it. Yeah, but didn't most people have, like, this 16 gig iPhone
at the time, which is just, like, so delete it? If it can't come down, it can't. But Tom, you could say,
get a grip, people, China's only making remote backups of your CCTV footage for you.
Sorry, hang on.
We're relating a U2 album to unknown Chinese backups of my CCTV.
OK.
Some people find President Xi being less offensive than Bono.
That bongor
bloke.
Anyway,
that was this
week's
rant of the
week.
The host
unknown podcast
orally delivering
the warm and
fuzzy feeling
you get
when you
pee yourself.
Ah.
Right, Graham, it's over to you, and I can't find your special jingle.
This is terrible.
What's going on?
Oh, no, I think I've got it.
Have I got it?
Have I got it?
Have I got it?
No, where the hell's that gone?
Can you not put your finger on my colossal cojones?
No, I can't. I can't. What? What?
Gigantic gonad.
What?
This is a problem.
So Tom actually just labels these things by numbers
rather than any sort of description.
They're just numbers on his board.
Well, no, no, no.
In fairness, I think this particular one... one... is it? I don't know what's happened here.
And now, pretend none of that has ever happened, dear listener. It's time for...
How lovely.
Well, thank you. That was worth the wait, wasn't it?
That's what you said.
Well, anyway, so hello, everybody.
It's my real pleasure here to announce that I am giving my Big Balls,
Billy Big Balls of the Week, to an American mother.
Her name is Jennifer DeStefano.
And this week she testified to the US Senate regarding the criminal use of some technology.
And I'll explain to you what happened.
Back in April, Arizona-based DeStefano
got a phone call from an unknown number,
which she, well, she almost let it go to voicemail.
She almost ignored it.
And to be honest, a lot of people do that, don't they? If it says unknown, they just ignore the call.
I should have done that, frankly, this morning when I had a call that said post unknown.
Javad ignores it quite often.
Anyway, Edward. So her 15-year-old daughter was out of town skiing, so she thought, well, should I... I'll answer, because my daughter's away and it could have been an accident.
And when she picked up the phone, it was her daughter. And as she explained, she said, I picked up the phone, I heard my daughter's voice and it said, Mom, and she's sobbing away. I said, what happened? What happened? She said, Mom, I messed up.
And she's sobbing and crying, and then she heard a man's voice say, put your head back, lie down.
And this guy came on the phone and he said,
listen here, I've got your daughter.
This is how it's going to go down.
I don't know if he was Jason Statham.
I was going to say, it's always a British bad guy with an American, isn't it?
They stop using Russians and just use English people these days.
And put a scar over one of his eyes.
Yeah.
Walks of mercy, Mary Poppins.
Remember me, Jennifer DeStefano.
You call the police.
You call the Rosas. You call anybody.
I'm going to pop her so full of
drugs. I'm going to have my way with her, and I'm going to drop her off in Mexico.
Oh, my goodness.
Well, that took a turn.
Whoa.
Yeah.
So, obviously, Jennifer DeStefano, like any mother,
was very worried about that and started shaking.
And in the background, she can hear her daughter saying,
Help me, Mom.
Help me. please help me.
And the man on the phone started demanding money.
And this is the first reason why I'm going to give Jennifer DeStefano
my Big Balls award is because, first of all,
the man asked for $1 million.
But she negotiated him down to $50,000.
Now, I'm fascinated.
How did that work exactly?
So he says, $1 million.
And she says, for my daughter.
She ain't worth that.
She's one of four.
She's not my favourite.
Take her.
I can make another one.
Kind of whiny.
And it's like, well, about 100,000.
No, no, no.
Still, you know, frankly, it's going to cost me a fortune when I send her to college.
So she managed to get him down to $50,000.
And so she's chatting to him.
I'm pretty impressed by that.
But the other thing she did was she put the phone on mute for a while while he's going,
cor blimey, governor, you know, and all that.
She puts him on mute and she screamed for attention.
She went, ha!
She was at some sort of dance studio or something.
So she screams to get other people's attention, help, help.
All these other mums raced towards her.
Did everyone else start running around going, ha,
waving their arms around like they were copying a dance move?
So everyone ran to her.
Mumsnet assemble.
Yeah, mumsnet's there.
And she says, listen, she says, oi, quick.
She says, I'm on the phone to my daughter's kidnapper at the moment.
Can you ring the 911?
Can you ring my husband and look into it?
And apparently someone did call the police.
Someone called her husband.
The husband said, I've just called our daughter.
She's fine.
And so within four minutes, everything was fine.
So there wasn't a panic.
What had happened, obviously, was this was deep faked audio, they reckon,
being used in a scam to try to fool a parent.
Presumably in a targeted attack if it was deepfaked audio,
so it did sound like the daughter.
Yeah.
And the FBI said, well, what they did was absolutely perfect.
They said, just think of the movies, slow it down,
slow the person down, ask a bunch of questions,
which can help you work out if it's a scam or not.
So, you know, say, well, how do I know it's really my daughter?
What's your favourite TV show? Who won the FA Cup final in 1953? What was the most entertaining award-winning podcast in 2022? Those kind of important questions that we need the real answers to.
And that can help you deal with this. But, you know, it does seem that deep fake audio
is genuinely now being used more and more in scams.
So everyone's got to be alert to it.
So I don't think many people would have had that sense of mind
to say, like, call my husband,
but, you know, from another phone while this is going on.
I think that was smart, yeah.
I have a problem with this.
Well, I was going to say, there is a question here.
Why do so many of her dance friends have her husband's number?
And I think that's something she's going to need to revisit
after, you know, this has been looked at.
So my problem with this is, you know, if this is true
and there's a reasonable likelihood that it's true,
I think it is an amazing story.
And Jennifer DeStefano has done an amazing job.
This has been, as far as I'm aware,
the only case of this happening that has been reported.
The FBI are saying it has been happening a bit.
And also sextortion deepfakes as well apparently are happening
where people take your photo and Photoshop your something.
Definitely.
But the whole allegedly kidnapping someone and emulating their voice
and all that sort of thing, the attackers wouldn't invest in this
in technology, try it out, and then it fails with Jennifer DiStefano.
I can see your difficulty now, Graham.
DiStefano.
And go, oh, no, no, this suburban housewife from so-and-so,
as she saw through it, we might as well just throw the whole game away.
Do you know what I'm saying?
So part of me, and the very cynical part of me, I'm afraid to say,
part of me thinks this is completely made up.
No, no. So she won... this is a story. She's testified in Congress about this, right?
Oh, sorry, the US Senate.
Yeah. But also I can confirm that this type of thing does happen on a professional level.
Yes.
And that's all I can say.
Because you are that kidnapper.
I am that kidnapper.
I have the technology to do this.
Why is this the only case we've heard of?
Well, it may be the only case you've heard of,
but not the only one that Andy's heard of, it seems.
But the other thing is it could be a prank, though.
It could be teenagers just messing around.
Yeah, that's the other side of it as well.
Because it may not really be a serious attempt to get money,
but it could be something which has just been done by some 16-year-old
because they've got sod all else to do.
I mean, you know, Occam's razor says it probably happened.
And, you know, Jennifer, for God's sake, Jennifer did a bang-up, big-ball job of actually dealing with it.
But I don't know.
I don't know. I don't know.
I'm not normally this cynical.
Am I? No, that's Jav. You've been very cynical this week. Those horrible things you were saying about Capita earlier.
Victim blaming once again.
This is true. This is true.
God, this is a good one. We should get this man on more often, you know.
This is much better than Jav's, oh, criminals are great, Billy Big Balls.
Anyway, excellent.
Thank you.
Thank you, Graham.
And I've lost it again.
Thank you.
How can I have lost it again?
Where the hell's that gone?
There we go.
Thank you again, Graham, for Graham's Giant Goons.
If nothing else,
you know it's live.
This is the podcast the Queen
listens to.
And there's your pro.
She won't admit it.
She definitely won't admit it now.
Oh, God.
She's taking that secret to the grave.
There goes the knighthood.
Didn't we have another one made?
Hang on.
No, that's the ketchup one.
Oh, screw it.
Andy, I've really messed up this time.
This is where we are.
I've really messed up this time, Andy.
Yeah, I know.
And you know what time it is.
Bring back Javad.
So why not tell me what time it is?
It is that time of the show
where we head over to our news sources
over at the InfoSec PA Newswire
who have been very busy bringing us
the latest and greatest security news
from around the globe.
Industry News.
Data flows between UK and US to be simplified under new agreement.
Industry News.
Ofcom latest MOVEit victim as exploit code released.
Industry News.
Microsoft pays $20 million to settle another FTC COPPA case.
Industry News.
No zero days, but PGM flaws cause Patch Tuesday concern.
Industry News.
MFA bypass kits account for 1 million monthly messages.
Industry News.
Europol warns of metaverse and AI terror threat.
Industry News.
EU passes landmark Artificial Intelligence Act.
Industry News.
Malicious actors exploit GitHub to distribute fake exploits.
Industry News.
LockBit makes $91 million from US victims in just two years.
Industry News.
And that was this week's Industry News.
Huge if true. Huge if true. So this first one, data flows between UK and US to be simplified under new agreement, is missing a word at the end there.
Again.
Under new agreement again.
Yeah, so what we have, we've had the failed privacy shield.
Yeah.
We had safe harbour.
Safe harbour, that was the first, yeah.
That was the first.
We had safe harbour and it was like, no, that's not good enough.
Then we had Privacy Shield.
No, that's not good enough.
And now we're getting a new simplified one.
It's like, surely we can fix this.
Surely.
It's going to say whatever, you know,
the spirit of what we were trying to achieve from Safe Harbour
and Privacy Shield, that's what this one's about.
Yeah.
It's just simplified.
No detail.
Just keep it very high level.
Yeah.
You know, rule one, don't be a dick.
Yeah.
And then, perfect, just leave it as that.
Yeah, exactly.
So I do find it particularly frustrating. We're supposed to be observing all of these regulations, and then they keep doing this.
Yeah.
It's keeping people busy.
That's the important thing.
We've got Ofcom who are saying they're the latest move-it victim.
Yeah.
As well.
They like to move it.
They do.
It's a bleep it.
And I saw, because I went to the CLOP data
leak website yesterday, I saw that they have now started CLOP.
They've started releasing the names of all kinds of organisations.
Yeah, but you know what?
I thought it was going to be 21st of June they said they would release it.
No, 14th.
No, it was 14th.
It came out.
14th.
But the best part was they said,
if you've been breached, contact us and we'll start negotiations.
Like, surely you should be contacting them.
Well, hey, it's a new world out there, right?
Maybe their inbound call centre is better set up than their outbound.
Well, you know how you go into a supermarket now
and it's all sort of self-checkout?
Yeah.
It's the same thing.
They've tricked us into this thing of doing the job
that someone else has paid to do.
Now this is what the scammers are doing.
We're scaling down on our call centre,
so if you could come to us, we'll start negotiations.
I must admit, I was surprised to hear Ofcom had been here,
and it did occur to me,
what's going to happen when the ICO actually suffers a data breach?
And who are they going to report themselves to?
Is this going to be a case of recursion?
Are we going to enter some black hole?
Captain Bonner will sort it out.
Yeah.
So, yeah.
No, I'm not going to go into that.
I was going to say.
So with Ofcom, so the thing about all these latest victims: are they just the most recent one, or were they all breached before, at the same time as everyone else, and they didn't notify within 72 hours? Because this stuff would have gotten out if they had notified, you know, within the correct time.
But just because you notify the ICO doesn't mean they make it public immediately, do they?
No, there's always one employee that's going to go public, particularly...
Yeah, yeah, that's very true.
You know, one of these bodies where they don't get paid market rates.
Yeah. Interesting. Yeah.
I did see that EU passes landmark Artificial
Intelligence Act.
I don't know the detail of it because I
read the headline, but the one thing I did take
from it as I was scrolling down is
it appears that, you know, much like GDPR,
UK is going to do its own thing.
There's a big bold
line which says innovation over
regulation.
It looks like the whole of Europe is gonna do something good, and UK is gonna wing it.
At least we got a catchphrase. That's good.
Innovation, not regulation, was that what it was? I've forgotten it already.
Innovation over regulation.
Over, yeah, over. Well, I kind of... I mean, at least this way we can finally get clones of ourselves.
That is really pervy, Tom, wanting your own clone.
Well, you mean you don't love yourself?
Moving on.
Moving on to what?
What have we got?
$91 million from US victims in two years.
Doesn't sound that much.
I know it's only one of many,
but I thought Lockbit was the big daddy here.
Yeah, but I think they've also targeted people
that just don't have the money, like hospitals and stuff like that.
Oh, yes.
So they must be having a board meeting at the moment going,
why have we not hit our targets?
Yeah, what's our strategy?
We're targeting the wrong markets.
We're in the wrong vertical.
We need to go for crypto.
We need to go for tech bros.
Well, actually, we're in the no money vertical. We need to move to the money vertical.
Yeah. And also, it's not as though LockBit have filed their accounts. It's not as though this is information from them as to how much money they've made.
This is true.
This is actually just people that have... People guessing. People based upon those people who've gone public.
Yeah, it's very true.
So that could be orders of
magnitude out, in fairness.
Could be. Very good.
Wow, we had quite a sensible conversation
this week.
Yeah, what's different?
I know. The jingles were great this week.
They were.
It's just before InfoSec. That's what it is.
Just before the awards are announced, you've put out this stellar episode of professional podcast.
If this is the most professional we can be, we're screwed. If you win, if you bloody well win this week, the award,
and all people are going to read,
oh, this Host Unknown, I've got to check that out,
and this is the episode they listen to.
That's what they've been doing the last two years or three years
that we've been winning this award, is flooding to our podcast.
I think they've come to your podcast more.
Mind you, you do live rent-free in our heads
and we constantly talk about smashing in our podcast.
You talk more about our Reddit channel than we do.
That's right.
We're co-locating that Reddit channel.
We're giving you exposure in return for filtering complaints.
We're co-branding.
Anyway, that was this week's Industry News.
Can I play one of our new ones now, Andy?
Go on then.
If good security content were bottled like ketchup,
this podcast would be the watery juice which comes out when you don't shake properly.
In a niche of our own,
you're listening to the award-winning
Host Unknown podcast.
Right, take us home, Andy, with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And so I've got a couple of tweets of the week.
So although this tweet actually came from 2018 originally,
nearly five years ago, it was retweeted this week
by none other than Mr. Cluley himself.
I wonder who could have put this into the show notes.
Indeed. And so InfoSec Sherpa said in 2018, I just heard about a diabolical phishing simulation.
Company faked an email from their own HR department asking users if they were tired
of phishing simulations and provided an unsubscribe
link. Those who unsubscribed failed the simulation. I'm not sure how I feel about this.
I mean, this is just like, it's a no-win situation.
Well, tacky. But here's the thing. It's kind of like, really? You really think HR is going to sort of do this, this way?
Really?
Come on.
I don't know.
Do you know a company?
Imagine you're new to a company, right?
So I joined a company just as a phishing campaign was rolled out,
just after, like, Ukraine, you know, stuff was in full force.
And there was a charity, like, you know, they're taking donations for Ukraine.
No, I didn't click on it, because I didn't know anything about the company. But it had, like, the company logo. But what I didn't know was it was an old logo, you know, so I wasn't aware of all the branding guidelines. This was like my second week at the company.
And I can see how, you know, people come into it. They could join a company, particularly big companies,
that are hiring sort of like hundreds of people a week.
And, yeah, they may get caught out by those things.
You know, you don't know how the company operates.
Yeah.
Yeah.
So I think that's a terrible thing.
Anyway, I thought you said you passed all the phishing simulation attacks
because you don't actually read all your email.
Yeah, I've never been done by phishing at all, like, literally.
Although now they're starting to report people that don't report phishing emails, which is...
Oh, that's just outrageous.
I know, those metrics are not going to be good for me.
But you've gone from number one to last. What's going on?
Without actually clicking on anything.
I'm one of these people that I guess what I need to know
from the headline of an email.
There you go.
You've had practice, you know, 156 times, let's face it.
Indeed.
So anyway, I've got a second one here,
and this is from the Fesshole account.
And someone posted, I got made redundant by my company the day after they announced the brilliant news that they'd hired a laughologist. I set up an email account and contacted the press. Read it here.
And that person has posted the link to the article that the press posted. But, you imagine your company hiring a laughologist and then cutting, you know, over 200 jobs.
And said company was Tesco Bank, by the way. Yes, public record, so we're not saying anything.
But, yeah, Tesco Bank books laughologist for staff wellbeing while cutting over 200 jobs.
Wow.
That's a really expensive laughologist.
Brilliant.
That should have been a rant, actually.
I think that was probably a better rant.
Anyway, there you go.
Thank you very much, Andy, for this week's Tweet of the Week.
So we have careened, crashed, and other K-words into the end of the show.
Gentlemen, thank you so much for your contributions. Much appreciated.
Graham, thank you so much for coming in at such short notice, you know, uninvited nonetheless. But yes, thank you for coming in.
Much, greatly appreciated.
It's really, you've raised the bar
and really made us think that, you know,
even special guest star appearances by Javad
are probably no longer needed.
So thank you very much.
Thank you very much.
It's been fun.
Good.
And Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash smashing security.
Outrageous. So as Carole subcontracted out,
if Graham said anything libelous,
would it have been him who got sued or would Carole be responsible?
It's totally on Carole.
Totally on Carole.
I've read the contracts.
Big risk.
Big risk, that is.
They back off to each other.
That's not a problem.
Not a problem.
And we've also got a right to award it,
so I suggest that while Carole's on holiday,
we just go and sit in her house for the weekend.
Good luck at the awards, guys.
And to you, Graham.
And to you.
It's a shame you're not going to be there.
I can't believe you're not going to be there.
You know, too many security people.