The Host Unknown Podcast - Episode 157 - The Special Guest Star Episode
Episode Date: June 23, 2023

This week in InfoSec (10:26)

With content liberated from the “today in infosec” twitter account and further afield

17th June 1997: A group of users organised over the Internet cracked the Data Encryption Standard — the strongest legally exportable encryption software in the United States to that point — after only five months of work. The United States at the time banned the export of stronger encryption software out of fear that it would be used by terrorists, but companies designing the software claimed such restrictions were worthless because foreign countries offer much stronger programs. The US eventually relaxed certain restrictions but to this day still claims to exert authority over encryption technologies under the commerce clause.

17th June 1983: The movie "Superman III" was released. Gus Gorman lands a data entry job at Webscoe Industries, hacks into its computer systems, and funnels all of the half-cents into his next check, accruing $85,789.90. This type of crime would later be named "salami slicing".
https://twitter.com/todayininfosec/status/1405615484091916294

Rant of the Week (15:16)

FTC accuses DNA testing company of lying about dumping samples

The Federal Trade Commission has alleged that genetic testing firm 1Health.io, also known as Vitagene, deceived people when it said it would dispose of their physical DNA sample as well as their collected health data.

To make matters worse, the FTC also alleged in a consent order made public last week that the company didn't secure the information properly, and further, that it changed its privacy policy retroactively without properly notifying or getting consent from people whose data the company had already collected – people who had signed a different, earlier version of the policy.

Under the proposed settlement, Vitagene/1Health.io will have to sharpen its data protection practices and put into place procedures to keep them sharp, as well as pay a fine.
The company has neither admitted nor denied any of the allegations.

Billy Big Balls of the Week (24:29)

Reddit confirms BlackCat gang pinched some data

Reddit this week confirmed ransomware gang BlackCat, aka AlphaV, broke into its corporate systems in February.

The crew just the other day had bragged it stole 80GB from the biz, and had demanded the social media company pay $4.5 million to keep a lid on the data as well as ditch its controversial API pricing changes.

A spokesperson for Reddit declined to comment on BlackCat's specific boasts, and insisted it's not the result of a fresh intrusion. The theft happened a few months ago, and was the result of a "sophisticated phishing campaign" against its staff that Reddit said it encountered on February 5 and disclosed on February 9.

See also: Reddit hackers demand $4.5 million ransom and API pricing changes

Industry News (31:14)

US Offers $10m Reward For MOVEit Attackers
Smart Pet Feeders Expose Personal Data
Security Researchers Uncover New Spyware Implant TriangleDB
#InfosecurityEurope: Hackers Are the Immune System of the Digital Age
#InfosecurityEurope: It’s Time to Think Creatively to Combat Skills Shortages
#InfosecurityEurope: Drones Contain Over 156 Different Cyber Threats, Angoka Research Finds
RedEyes Group Targets Individuals with Wiretapping Malware
US Justice Department Launches New National Security Cyber Section
Apple Addresses Exploited Security Flaws in iOS, macOS and Safari

Tweet of the Week (41:36)

https://twitter.com/tarah/status/1671691691965939712

Back up story: Mark Zuckerberg is ready to fight Elon Musk in a cage match

Come on! Like and bloody well subscribe!
Transcript
I heard we won some awards this week, Tom.
Well, I picked up a couple of awards this week
at the European Security Blogger Awards on Tuesday night.
Give me a T. Which categories?
It was Most Entertaining Blog or Podcast and Best All-Rounder.
Nice. We've not had that one before.
And we still don't, actually, because I had to pick them up on behalf of Smashing Security
and it was utterly, utterly humiliating.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all, dear listeners, to episode 157.
161.
Of the Host Unknown podcast, titled The Special Guest Podcast.
The special guest episode. Jav, welcome back.
Thank you. Thank you for having me as always
back on my own podcast.
Well, you know, we've had the professionals in, so we thought we'd give the amateurs another go, didn't we, Andy?
Absolutely. No, what is it? No, we've had the cowboys, now we're trying the Indians.
Yeah, it doesn't have quite the same ring when we say Pakistanis, does it?
No, it doesn't.
I'll give you creative liberty on that one.
Okay.
Oh, dear.
Well, I mean, if it was in 19, I don't know, 46 would have been all right.
So, anyway, Geoff, how are you?
We haven't seen you for a long time again.
I know, I know.
I was in the lovely Cape Town last week, which is an amazing place.
Next note to self, don't go in when it's their winter,
when everything is covered by clouds and you can't see the mountains.
I have pictures of me, like, they have those big giant metal frames
where if you stand in front of it and take a picture, Table Mountain is meant to be perfectly...
It's like a Polaroid moment.
Oh, the Kodak moments.
Yeah.
Yeah.
All you can see is clouds behind me.
But that was that.
Was it business or pleasure?
It was business.
It was business.
Just went for it for a couple of conferences, events.
Yeah.
And yeah, caught up with our South African team, which was very nice. Wonderful, wonderful people there, obviously.
Then I got back and, a couple of things, I've been completely under the weather the last few days, which meant I missed two days of InfoSec.
Do you know what? I think the only reason you missed InfoSec was so you didn't have to go to the awards and face our ire for not only being a judge on there, but us being nominated, what, three times, four times, something like that, and us not winning. I mean, what's the point of you being a judge if you're not going to help us out?
You know, maybe if you start...
Maybe if it was my podcast and not a podcast I was only a special guest on.
Do you know what's happened here?
Is that people have been listening to this.
They've been hearing Graham.
And voting for Smashing.
Exactly. It's the only explanation.
It's the only explanation.
It's got nothing to do with quality.
Absolutely not.
Or content.
Or content.
Or delivery.
Exactly.
Or professionalism.
Nothing to do with any of those things.
No, no.
And then I did manage to make it in yesterday.
You did.
Last day of FinFest.
But I did what?
You know, one of the worst.
The cardinal sins, I think,
of attending an event.
I literally turned up,
done my talk,
and then left.
Yeah.
So I had to watch
your piss-poor performance,
but you didn't come and watch
my piss-poor performance,
did you?
No, by the time you were on stage,
I was home on the sofa,
knocked out, snoring.
Yeah.
It was just...
Well, which wouldn't have been too dissimilar if you'd watched me,
in fairness.
No, no, no, no.
But my sofa's far more comfortable, that's all I can say.
You were on a sofa rather than a chair.
Yeah.
Well, it's good to have you back as always, as always.
Talking of things that grow back, Andy, how are you?
Not too bad, thank you.
I unfortunately missed three days of InfoSec this year.
Yes, yes.
We knew your promise of, I can probably come in on Thursday afternoon,
was an utter, utter construction of lies.
It was said with optimism at the time, but...
Yeah, no, it's just been one of those weeks. Without using the word busy, it's been absolutely crazy.
Yeah, yeah, I can well imagine, I can well imagine. So busy, busy doing your highfalutin job and, I don't know, delivering reports to boards and stuff like that.
Well, you know, just walking the corridors carrying a folder, walking quickly. Sorry, can't stop, gotta run. Let's walk and talk.
Yeah, or put something in my diary, we'll catch up later.
Yeah, exactly. Get your people to talk to my people.
Yeah, we'll take this offline.
Yeah. Yeah, no, other than that, I actually... I don't understand the weather we've probably had. It's been the hottest week of the year in the UK, so it's been bloody hot, actually.
Yeah.
And I've had the worst cold, hay fever, last week. Got so much pain from sneezing too much that I had to take painkillers at one point, you know, the flu tablets which have got like ibuprofen in them.
You've reached the age where you sneeze and pull a muscle, is what you're saying.
Well, luckily I've not pulled a muscle yet. But although, you know, talking age, I did meet up with some old school friends
on Tuesday night, I think it was.
We went out for dinner.
I see you waited to meet up with your old school friends
when you were svelte and slim and good-looking.
Oh, no.
I catch up with these guys every year.
Okay.
Yeah, unfortunately it's not a – yeah, it wasn't an ego boost.
But no, we did eat Dirty Burgers at a place called Burger and Beyond.
And I think, Jav, you pointed out that there was so much, you know,
there's so much oil on the plate that it was at risk of being invaded by the US.
But you know what actually tasted good?
It was like Rice Krispie fried chicken.
Rice Krispie?
Yeah, they put Rice Krispies in the batter,
so, you know, that extra crunch.
What?
It works.
It absolutely works.
Is that like the American southern equivalent
of deep-fried Mars bars?
Quite possibly, yeah. But I've never heard of that Rice Krispie batter.
No, but obviously, because it's not... you know, the UK's got health standards, it wasn't chlorinated chicken.
Yeah, so maybe it'll taste different if you are American.
But yeah, I've not had that for a while.
So I look forward to that again.
But yeah, I mean, talking about the worst parts of English culture.
Tom, how are you doing?
Yes, nice one.
Nice one.
Very good, very good.
This uncultured swine.
Yes, so I was at InfoSec.
All three days?
All three days.
Well, in and out, to be honest with you,
because I did have a bunch of meetings that just wouldn't go away.
But yes, I was largely there for all three days.
Obviously picked up our colleagues' awards.
I nearly said our awards then.
What should have been our awards.
But it was lovely meeting up with the folks,
Shan Lee, friends of the show, Brian Honan, Rick Ferguson,
Eleanor Dalloway, Stuart Colson, Lee Munson, you know, a whole bunch.
And I know I've left out just about everybody.
There was also this fellow I haven't seen for ages who I met yesterday
and bought him coffee and a snack as well.
We had a little catch-up.
And then he just went home.
I can't remember.
I haven't seen him for so long.
James Mackey?
I can't remember.
Anyway, I think he's been on holiday because he was very tanned.
But, yeah, so it was really nice, actually,
especially after the damp squib of last year, you know,
with the train strikes and stuff. But I tell you what, walking around,
I don't know half of the companies there anymore.
They're all, you know, lots of new startups and all that sort
of thing and, you know, new acquisitions waiting to happen. I just didn't recognize half the names. It's a real change.
Yeah. So that actually, later on in Industry News, there's a story I didn't include, but it was from a company I'd never heard of. And then later I saw that that company had actually won best new
security, best boutique
security provider or something. Right.
Never heard of this company
whatsoever. Yeah.
Gentlemen, I think we're officially
out of date. Yeah.
Exactly. I would say officially.
Yeah.
Gentlemen, you've just had the realisation that we're
long out of date.
Yeah, exactly.
And talking about well past its expiry date,
shall we see what we've got coming up for you this week?
This week in InfoSec tells a tale of Desi's dastardly demise.
Rant of the week is another slap on the wrist for losing your spit.
Billy Big Ball's show Reddit's woes are still continuing.
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweets of the Week is a story of layers and possibly cages.
So let's move on, shall we, to our favourite part of the show,
the part of the show that we like to call...
This week in InfoSec.
So, sorry, just before I run into it,
the intro for Tweet of the Week,
story of layers and possible cages.
I mean, I've got that Tweet of the Week
and I can't even see the link there. But at last, it is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And our first story does take us further afield, and we shall go back a mere 26 years ago, to around the year I was born,
when a group of users organized over the Internet cracked the Data Encryption Standard, which was also shortened to DES,
the strongest legally exportable encryption software in the United States at that point. And they did it only after five months of
work. And then the US at the time banned the export of stronger encryption software out of
fear that it would be used by terrorists. But companies designing the software claimed such
restrictions were worthless because foreign countries often offered much stronger programs.
The US eventually relaxed certain restrictions, but to this day still claims to exert authority over encryption technologies.
Oh, please.
This is the good old days of PGP, isn't it, when Philip Zimmermann was in a lot of trouble with the US government.
Yeah, and if you were an illegal immigrant, all you had to do was get tattooed with the keys for Triple DES, and then they couldn't export... they couldn't kick you out of the country.
That damn loophole.
But I mean,
even now,
like we still see governments talking about,
oh,
you know,
we need a backdoor to all encryption because think of the terrorists,
think of the,
you know.
Yeah.
We need to be able to smash these rings.
No, that's another podcast and film you're thinking of.
The website... Our second story takes us back a mere 40 years to the 17th of June 1983, when the movie Superman III was released, and Gus Gorman landed a data entry job at Webscoe Industries.
He hacked into its computer systems and
funneled all of the half cents into his next check accruing eighty five thousand
seven hundred and eighty nine dollars ninety cents.
And this type of crime would later be named salami slicing.
Ah, good old Richard Pryor, wasn't it, Gus?
It's the best example of salami slicing, right?
It absolutely is.
Well, there was that and there was also Office Space,
which done it as well.
Yeah, but more people have watched Superman 3 than have watched Office Space.
Come on.
Yeah, I mentioned yesterday about
smashing up some equipment Office Space staff
and I was just met with blank looks.
Muddy, you do work
with very young people.
You work with uncultured swine
cut from the same cloth as Tom
Langford.
I've watched Office Space.
Come on.
Who doesn't make references of, like,
you don't have the sufficient amount of flair
or anything like that, or beating up the printer?
Come on.
So I'm going to have to ask you to come in at the weekend.
Yeah, the jumping to conclusions, Matt, you know.
Tell us what exactly you do here.
Didn't you want to do a talk where you made reference to a flux capacitor?
Yes, we were met with blank stares.
Well, in fairness, I misread the audience. It was at a university and they were all students, so, yeah.
This was like 20 years ago.
Yeah, no, the teacher, the lecturer, she turned to me: you do realize these kids were probably born the year that the film came out?
Was it Abertay or somewhere else?
No, this was in London somewhere.
I can't remember which university.
City University, I think.
Okay.
North Acton Primary School.
No.
Very good.
Very good.
Thank you, Andy, for...
When listeners leave the Host Unknown podcast in favour of another security podcast,
they raise the average IQ of both audiences.
You're in good company
with the award-winning Host Unknown podcast.
Every podcast is going to talk about us being award-winning, I'm just saying.
Sorry, every, every, every podcast, every jingle.
Yeah, right. Let's move on.
all right so the headline reads,
FTC accuses DNA testing company of lying about dumping samples.
So as we know, there are many, many companies out there
that take your sputum that you send to them in the post
and they put it through their DNA samplers, etc., and build up a data profile about you, you know, finding out lots and lots of interesting stuff about you, such as, you know, your genotype data, you know, whether you're going to be developing certain health conditions such as high LDL cholesterol, high triglycerides, obesity or blood clots.
Yes, yes, yes and yes.
And they keep that data. And of course, it's very sensitive. You know, it could be used nefariously. It could be used for
profiling. It could be used for all sorts of stuff. And, you know, it's also used to help track down your ancestry.
And many, many a family has been met with a stony silence
when it turns out that certain children don't belong to certain parents
without the people necessarily knowing,
or in fact the son is actually fathered by the next-door neighbour.
So it's a very sensitive, sensitive deal. So what's happened is that this company called 1Health.io, which also
is known as Vitagene, basically took all this data and deceived people
when it said it would dispose of their physical DNA sample
as well as their collected health data.
So not only did they keep their physical samples on file,
but the actual derived data, which is potentially more valuable,
the physical DNA is going to expire after a time.
But they dropped this data on, drumroll please, an S3 bucket,
which, as you can probably imagine, drumroll please,
was exposed to the internet.
Even though AWS introduced a new set of controls in 2018
that basically were a bunch of blanket policies
blocking public access to cloud storage
so that you can just apply them to your S3 buckets
to stop it from happening.
But even though that was possible,
it was left open to the public.
Now, it gets better. It gets even better. When they realized that they were obviously sitting on a goldmine, they changed their privacy policy retroactively, without properly notifying or getting consent from people whose data the company had already collected, people who had signed a different, earlier version of the policy.
Basically, bottom line is, the FTC have got these folks banged to rights. So you can imagine the FTC are going to be handing them
a pretty damn hefty fine, right?
Yeah?
You'd hope so.
You'd hope so.
So, so, according to the FTC order,
and there is a link in the show notes to the actual PDF,
the FTC basically proposed a settlement of $75,000.
That's going to kill the company, surely.
And to extract a promise from the company to police its data protection.
Well, as long as they promise.
Oh, my God.
Oh, my God.
This company, that's probably like a day's worth of profits or something like that.
That sounds to me just like the cost of doing business.
This is appalling.
This is absolutely appalling.
This is the most private of people's data. The fact that they might derive only certain indicators from it doesn't mean that they can't derive further data from it, not only from the physical samples, but also from the actual stored data that they've taken from it.
$75,000.
And for something where they knowingly went back and changed a privacy policy so they could use this data,
you know, more than people actually signed up for.
See, I think that's my favourite part is, you know,
you've got a privacy policy in place and it's like,
this isn't going to let us do what we need it to do.
Let's just change it.
Yeah.
But, you know, they're perfectly within their rights to change it, right?
So that everybody who signs up, whether they read it or not,
and, you know, that's a whole other argument in of itself.
But everybody who uses service from then on is technically signing
that updated agreement.
But not the people who signed the previous one.
Yeah.
Unless, of course, they had that fantastic clause: we reserve the right to update this policy at any time.
Yeah, yeah, but I believe legally, unless you have a... not that you're going to get away with that, but you know.
Yeah, maybe they didn't have a legal counsel to write the privacy policy. Maybe they just, you know, you know, it's like when you're a starter. I'm guessing it's some sort of stuff with a dot io address. I'm guessing that, you know, they started small. Yeah, you sort of surf other websites, you copy and paste bits and pieces of other people's privacy policies until you've got something that reads well, right?
Yeah, I mean, it looks like a small team of people. And I hear Tom getting wound up,
but I don't think there's much to get wound up about.
I mean...
DNA data?
I mean, Tom's been dishing out his DNA data for years
and, like, you know, he doesn't care about privacy or what have you.
Yeah, yeah. Allegedly.
And you know what?
Tom will point out that is all consensual.
Yeah.
And agreed upon in advance.
Yeah.
And you're going to get a whole mix of DNA if you try to analyse it as well. This has got like 15 different distinct DNA markers.
You know what's interesting is there was a tweet the other day
about
these Tesco club cards
and whatever.
Halving the value of them or whatever.
Yeah, it's like they literally bring the price down
to half price of what something is
otherwise. So people
using these...
Where are you going with this?
I'm assuming it's going to be because Tesco's mine that data.
Exactly. So they're actually making money, like, the more you use your card, the better the...
Yeah, which is probably clearly stated in their terms and conditions.
Thing is, what's stopping, in the future, and this is something that our good friend Rowena Fielding pointed out on Twitter again, what's stopping, in the future, a health insurance company not paying out
because they're saying, ah, we can see from your Tesco club card spending,
you buy a big pack of Haribo's every week,
so therefore your diabetes is not covered or your obesity.
Fight them. Haribo doesn't cause diabetes.
That's a lie.
And also, just because you bought it doesn't mean you've eaten it.
Well, you know, I'm saying that's a lot more pertinent data.
That's a lot more actionable data than, you know, a lot of this, you know,
DNA sort of testing data, which is like, yeah, it's got some markers and stuff,
but none of it's set in stone.
It's not based on habits.
It's just what...
So what you're saying, Jav,
is that this is a perfectly acceptable business practice
and that you, for instance,
could set up your own company to do...
Oh, no, sorry, you can't.
Oh!
Oh, have we got any, like, gunshot sound effects?
There's some serious shots fired here.
I'm assuming this isn't going to make the final cut.
One Mississippi, two Mississippi, three Mississippi,
four Mississippi, five Mississippi.
Hold on, hold on.
We better just end it here.
I think I just did.
Rant of the week this is the award-winning host unknown
podcast guaranteed to be a solid five out of ten at least once a month or twice your money back
and you can take that to the bank in accordance to our published terms and conditions.
Right, I'm looking forward to this one.
Billy Big Balls of the Week.
So, the Billy Big Balls of the Week,
other than Tom Langford signing his death sentence.
Reddit, everyone's favourite alt social media site, confirmed that ransomware gang BlackCat, aka AlphaV, broke into its corporate systems in February. So, for those who remember, this was where it was a quote unquote sophisticated phishing attack, where someone was sent a text message saying give us your MFA code, and they said okay, here's my MFA code. But it wasn't that bad, because the person, after they handed it over, they thought, maybe I shouldn't have done it, and they reported it, which is exactly what we want people to do. And so they were able to lock it down pretty quickly, but not before the crew that the other day bragged it had stolen 80 gigabytes from the business...
Wow.
...and it demands that the social media company pays 4.55 million to keep a lid on the data. But more than that,
more than that, one of their demands, which I think is the real reason for all of this,
is ditch its controversial API pricing changes. And this is where it gets really interesting.
So for those of you who are unaware, Reddit has a whole bunch of third-party APIs that have been free and open for use for many, many years.
But taking a page out of Elon Musk's Twitter book, they're now like, oh, let's start charging developers for third-party apps. And potentially some of these will end up costing users, like, you know, if the pricing goes in as suggested, millions of dollars a year.
Well, not users, the application developers.
Yeah, the app developers.
Yeah, exactly. And those people are by and large volunteers who are just managing their subreddits.
They develop these tools to help them be more efficient at it.
They don't make any money from Reddit.
The app doesn't make them any money.
They're doing it for the community.
And now they're being asked to potentially pay millions of dollars.
This is a perfect example of, like, you know, shooting yourself in the foot terribly. It's like stepping on a landmine. I don't know what's going through Reddit's mind to propose this, you know.
And they're sort of like, eyes are spinning with dollar signs, right? So they think they're going to get like a whole load of ad revenue, don't they?
Yeah, but you know, which they're not getting through third-party apps.
No, no. In fact, a lot of the moderators also shuttered their sites, didn't they? But they made them private, went dark for a good couple of days. Reddit was responding with asking for new moderators. I mean, some of them come back online, but yeah, it's not very good. It's not at all.
And, you know, after Twitter has kind of like lost a lot of its appeal, like with the communities falling apart a bit, like, you know, there was that. But there's still like some people still on there, some people who even like pay for Twitter Blue.
As two-thirds of this podcast.
Yes, yes, two-thirds. Yeah, I do, I do. There is a story behind that, and I think I'm probably gonna start... I mean, like, we only need to go back a few episodes to hear Tom, like, you know, and his opinions then, and how quickly he changes his views,
you know, as the wind blows.
He reserves the right to change his privacy policy at any time.
Retrospectively.
Moving forwards, not retrospectively.
I was right then and I'm right now.
I think it's definitely a Billy Big Balls move on behalf of Reddit to go ahead and, you know, want to charge their app developers.
I think it's a Billy Big Balls move on behalf of Black Cat,
who ran some, or stole some data and said that was one of their demands,
saying, no, do not charge.
We're back to type now.
Jav celebrating the criminals.
I'm not celebrating the criminals.
To be fair, it's a good move.
What's the chance?
These criminals probably use Reddit, right?
Yeah, exactly.
Of course, they're human beings, right?
I think in the language of the subreddit Am I the Asshole,
ESH, everybody sucks here.
I don't know.
It'd be good to see if this ransomware gang did actually go on Am I the Arsehole and, you know, sort of lay it all out.
That would be an interesting one, actually,
although everybody would just side with the ransomware gang,
I have to say.
Yeah.
But, you know, I think that's where we are.
I think time will tell if this is a good move or not.
Personally, I think Reddit will probably make a move,
then backtrack, but inevitably damage would have been done.
And then you'll see a whole bunch of Reddit users
move to a Mastodon incident called Reddit or something,
and then they'll be disappointed.
Reddit.Mastodon.
Yeah, exactly.
And then everything will fall apart.
So that's where we are now.
It's all crumbling, isn't it?
Twitter, Reddit, they're all just falling apart.
There's no safe spaces except for TikTok.
TikTok is the safest of all places.
Billy Big Balls of the Week.
This is the EasyJet of security podcasts.
Let's be honest, your cheap ass couldn't tell the difference between us and a premium security podcast anyway.
And we never publish at the same time of the week either,
just like EasyJet. So unlike other more professional
and accomplished podcasts. And talk of the time, Andy, what time is it?
It is that time of the show where we head over to our news sources over the InfoSec PA Newswire,
who have been very busy actually making it very difficult for me this week because they've changed
their site. I couldn't copy and paste stuff normally.
So we will be looking
for new resources going
forward. However, they've been very busy
bringing us the latest and greatest security news from around the
globe.
Industry News
US offers $10 million
reward for MoveIt
attackers.
Industry news.
Smart pet feeders expose personal data.
Industry news.
Security researchers uncover new spyware implant TriangleDB.
Industry news.
Hashtag InfoSecurityEurope.
Hackers are the immune system of the digital age.
Industry news.
Over 156 different cyber threats, Angoka research finds.
Industry news.
Red Eyes Group targets individuals with wiretapping malware.
Industry news.
US Justice Department launches new national security cyber section.
Industry news.
Apple addresses exploited security flaws in iOS, Mac OS and Safari.
Industry News.
And that was this week's...
Industry News.
Huge if true.
Huge if true.
Do you know what?
The amount of info security Europe stories I had to cut out
just because it was the whole thing.
It was just, yeah.
Like we said, they've been saving them up, right?
Yeah.
Really have.
I want to, this drones story, I'm not going to talk about that one,
but it did remind me of what I heard, was it last week, I think,
about some researchers were doing a simulated test of an AI that was allowed to fly a drone to target and attack, sort of, you know, military targets, you know, like a Reaper-type drone.
With everything it knows, let me guess,
it killed everyone at a wedding in the Middle East or something?
No, no, it's almost as good as that.
But the AI had to ask permission from the controller
to carry out each individual attack, as it were.
And as a result, the AI targeted the controller and destroyed the controller.
You know, I did read this story. The next day they did update it to say that that wasn't true, there was some misinformation in the story, and they...
Oh, no, really?
Yeah, yeah.
Oh, what was the reason?
I don't know, I don't know. But to Andy's point, Andy, do you know what the difference is between an Asian wedding and a Taliban outpost?
I don't know, I just fly the drone.
Oh, that's an old one, Tom. It's an old one, it's an old one.
It's all right, it's not hashtag too soon.
Anyway, Tom, Apple has to address exploited security flaws. What's this all about? I thought Apple doesn't get any viruses or exploits or anything wrong in it.
Well, then you're a fool if you think that. It's a computer-based system just like everyone else.
Oh, wow, this is Tom, like, you know...
I've never said that Apple doesn't get any of these flaws. Never, never. I mean, they address them a little bit quicker than Microsoft does. But, you know, they don't tend to leave things for nine years. But, yeah, yeah, update your iPhones, iPads and, uh, kids.
Look at Tom being all defensive today.
Just like unbelievable.
Well, I was rather offensive before, but...
So you know that story about the drones that you highlighted?
So it's 156 vulnerabilities or whatever.
Yeah.
I don't know where to even start with this, but this was the company that did this research, Angoka, was selected as the most innovative cyber SME by the department, and this is one of these...
I've never heard of...
Oh, this is the one. This is the one you were talking about.
Yeah, no idea who they are.
Oh yeah, I've never heard of them either.
So it's a company... You know what, I thought I was just being naive. I thought it's some sort of, like, African nation that, like, their countries come out with this research.
No, it's, no, they've gone into, like, so they categorise them into the following categories: reporting falsified data, denying access to real-time data, impersonation of UAS and its operator, tampering with telemetry data.
Yeah, that's the only category they list so far.
So, I mean, there's a lot of issues with this stuff.
Interesting.
Interesting.
So what's this creatively combating skills shortage?
How about we just stop asking for five years experience on everything?
Do you know what I find annoying about these things? And I've been to a lot, like early in the year, what's the one of those tea sessions that, yeah, I know you're a big supporter of, Tom, and I went to, you know, one of the innovation talks there, then what sessions, uh, one of the innovation, like, you know, security awareness innovations. You know, it's something that I think, you know, we all like on the side, um, you know, we've got a soft spot for anything that's creative and funny.
Oh right, right, right. Yeah, yeah.
Um, but no one actually said any... Everyone says the same thing: you need to be creative. But no one can then give examples of, you know, what they started with, what they ended up with. And that's the thing, is it's so easy. So you just need to be more creative, be more engaging, be more creative. Okay, job done, good talk. But, uh, you've got to give examples here, man.
Yeah, yeah. But I just clicked on the story and it's like, the UK currently faces a shortfall of nearly 57,000 cyber security professionals, while on the global scale it's 3.4 million, according to...
Now if you pick up a CISSP, it's going to improve your chances of filling one of these 3.4 million vacancies.
Exactly. The thing we try and do is focus on the character and the person. So this is a CISO saying that what we try and do is to focus on the character and the person.
Oh, they actually said what they did.
And the aptitude of that individual rather than the skills and experience.
That might be very important, but perhaps secondary.
I remember saying something very similar years back and sort of saying, you know, I look for, you know, passion, et cetera, et cetera. I can teach, you know, technology skills.
And then you two taking a piss out of me for the thought of me teaching technology skills.
Yeah, exactly.
But what happened?
So you were actually someone that put your money where your mouth was, didn't you?
You actually hired many people that didn't have traditional.
Yeah, yeah, that's right.
Yeah, one of them fucking left after 18 months.
Yeah.
And they stabbed you in the back.
That's a job.
No.
I'm stepping back.
I mean, people are going to leave anyway, regardless.
Good people are going to leave.
Yeah, they are.
Of course they are.
You know, they're always going to get off.
But I think that's great because you've contributed to the industry that way.
You've taken someone.
Exactly.
You've helped skill them up.
And now they've gone off and got a better job.
Obviously, it's not like...
And this is something I spoke to someone years ago
and they ran one of those managed SOC services.
They're an MSSP.
And they were like,
yeah, we get some great students in our university
and we teach them how to run a SOC analyst.
But he goes, it's literally like a treadmill
because they're in for 18 months to two
years and then they get offered a better job and we can't really do that. But they're like, well... And their whole thing was like, we're confident that we can take anyone and train them up within, like, three to six months to be effective in the job. And said that that's just the cost, that's what they're happy with.
So I think a lot of times it's about, do you have confidence
in your ability to take someone and train them?
Do you have the right process in place?
And I think that's where a lot of people lack
because if you have that confidence,
then you could literally take anyone with that attitude.
And I think part of it as well is people leave jobs
to join your company.
Why can't people leave your company to join other companies?
Yeah.
And it's sort of like, oh, they're just not showing allegiance or loyalty
and they're just, you know, after everything I've given them
and blah, blah, blah.
Well, no, not at all.
If times get tough, you drop them like a bloody stone
because that's unfortunately the way that business works, you know. But, uh, yeah, people, they need to look after their own careers.
And if you can, if you can give people opportunities, to your point, and isn't that about giving back? That's what it should be.
Yeah, absolutely. Totally, totally. So, yeah, they should have interviewed us, basically.
Yeah. Jesus, violent agreement.
I know.
I know, right?
Well, it does happen occasionally.
Maybe we should have this guest back on again, Andy.
Yeah.
He doesn't have as much content knowledge as our regular.
No, this is true.
It does generate discussion. We can't talk about really sort of weird viruses from the 80s.
Right, excellent.
That was...
Industry News.
Attention.
This is a message for our friends over at Smashing Security.
Busted.
We call you listening again.
This is the Host Unknown podcast.
Had to be done.
Right.
Andy, let's have you take us home with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week is from Tara M. Wheeler, and she posts, LinkedIn job posts for head of information security at the senior manager level, who reports to a director of information services, who reports to a senior director of IT, who reports to a CIO, who reports to the chief legal tech officer, who reports to the CEO, are disheartening.
Very true.
And that's the layers part of the...
I get it now.
Now I get it.
Spans and layers.
Now I get it.
Layers and what was the second one?
You said cages.
Yeah.
But I'm used to spans and layers.
Yeah, but layers and cages because that was the backup story.
Oh, so, okay, I see where you're going with that.
So the backup story wasn't actually a tweet of the week.
I had already posted a tweet.
Originally a tweet, yeah,
but obviously Zuckerberg's not going to admit he's on Twitter, is he?
So he actually posted his response via Instagram.
Oh, did he?
So, yeah, so this is the story.
So, yeah, so skipping over the part that, you know, it sucks.
If you're the head of information security
and you've got like 15 reporting layers between you and the CEO,
it's, you know, a feel for you guys.
But, yeah, so the back up, so it was about Zuckerberg,
who was ready to fight Elon Musk in a cage match.
In Vegas, apparently.
Well, it's the tech billionaire bull that we need to happen, right?
Yes.
So this is all because Elon Musk tweeted that he's up for a cage match if Zuckerberg is.
But wasn't it all instigated by some
fella who's got like an AOL account
and 27 followers on Twitter
wasn't it?
Yeah, that was the original.
Goaded the billionaire into it.
Basically goaded them together.
Excellent. But yeah, I'm up for a cage match if he is.
So Zuck's posted from his Instagram stories. It just says, send me location, and it's got, like, a screenshot of the tweet. Send me location. Um, but yeah, it's great, you know, it's what billionaires do, right?
But, um, here's how I picture it. Yeah, cage match, but traditional WWF cage match.
Jeff Bezos, special referee.
Bill Gates is the enforcer.
Outside interference.
Just as we're about to get a winner, Tom Anderson of MySpace slides out from under the ring.
Oh my God, it can be.
Chair shots all around.
All the younger people don't know who he is.
It's just classic.
I built this house.
I built this house.
There's all these fans holding up signs saying Tom was my first online friend.
And you know, it's pandemonium.
Everyone's busted wide open.
And Tim Cook gets all the money because he released the show on Apple TV.
Yeah.
Brilliant.
Excellent, Andy.
Thank you for...
Tweet of the Week.
Well, we have collided at high speed into the bollard known as the end of the show.
Gentlemen, thank you so much for your contributions today.
It's been fun, I have to say.
Jav, thank you very much, sir.
Get lost. You're a dead man.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel. The worst episode ever.
R slash smashing security.
Smashing Security.
So is there any way we can sort of modify those awards
and just stick our name on them?
That's exactly what I've done.
I've scratched Host Unknown
into it. Excellent.
Excellent. With a compass.
And some blue biro ink.
Yes.
The javelin inside when he got...
Oh, piss off.
He got all his prison tattoos in South Africa.
That's why he's a bit sick right now.