The Host Unknown Podcast - Episode 158 - The Highly Reviewed Episode
Episode Date: June 30, 2023

This week in InfoSec (11:36)
With content liberated from the "today in infosec" twitter account and further afield

26th June 1997: Communications Decency Act Declared Unconstitutional
The US Supreme Court ruled the Communications Decency Act unconstitutional on a 7-2 vote. The act, passed by both houses of Congress, sought to control the content of the Internet in an effort to keep pornography from minors. In an opinion written by Justice John Paul Stevens, the Supreme Court ruled the act a violation of free speech as guaranteed by the US Constitution.

29th June 2007: The phone that changed everything
Nearly 6 months after it was introduced, Apple's highly-anticipated iPhone goes on sale. Generally downplayed by Old World Technology pundits after its introduction, the iPhone was greeted by long lines of buyers around the country on that first day. Quickly becoming an overnight phenomenon, one million iPhones were sold in only 74 days. Since those early days, the ensuing iPhone models have continued to set sales records and have completely changed not only the smartphone and technology industries, but the world as well.

Rant of the Week (19:19)
Miscreants leak texts and info siphoned by Android stalkerware app LetMeSpy
It's bad enough there's some Android stalkerware out there with the not-at-all-creepy moniker LetMeSpy. Now someone's got hold of the information the app collects – such as victims' text messages and call logs – as well as the email addresses of those who sought out the software, and leaked it all.

The stolen data has been circulating online for at least a few days, we're told, and the spyware's users – those who got the app to put on someone else's device – reportedly include government workers and a ton of US college students.

The Polish developer of the app said the information was swiped in a "security incident" that happened on June 21, when someone obtained "unauthorised access" to its website's databases.

Yes, we appreciate the irony of the maker of a phone-monitoring app that boasts about secretly collecting call logs, text messages, and whereabouts while remaining "invisible to the user" admitting that someone else gained unauthorised access to their information.

Billy Big Balls of the Week (28:33)
Network security guy in extradition tug of war between US and Russia
A Russian network security specialist and former editor of Hacker magazine who is wanted by the US and Russia on cybercrime charges has been detained in Kazakhstan as the two governments seek his extradition.

Nikita Kislitsin, an employee of Russian infosec shop FACCT, was detained on June 22 at the request of the US, according to a statement by his employer.

"According to the information we have, the claims against Kislitsin are not related to his work at FACCT, but are related to a case more than ten years ago when Nikita worked as a journalist and independent researcher," the statement reads. "We are convinced that there are no legal grounds for detention on the territory of Kazakhstan."

FACCT is not under investigation and has not been charged with any wrongdoing, the org added. It has hired lawyers to defend Kislitsin, and has also sent an appeal to the Consulate General of the Russian Federation in Kazakhstan "to assist in protecting our employee," according to the statement.

Industry News (34:27)
Are GPT-Based Models the Right Fit for AI-Powered Cybersecurity?
Over Half of UK Banks Are Exposing Customers to Email Fraud
Submarine Cables at Growing Risk of Cyber-Attacks
Third-Party Vendor Hack Exposes Data at American, Southwest Airlines
EncroChat Bust Leads to 6500 Arrests in Three Years
VPN and RDP Exploitation the Most Common Attack Technique
LockBit Dominates Ransomware World, New Report Finds
Charming Kitten's PowerStar Malware Evolves with Advanced Techniques
MIT Publishes Framework to Evaluate Cybersecurity Methods

Tweet of the Week (43:14)
https://twitter.com/UK_Daniel_Card/status/1674094965348073474

Come on! Like and bloody well subscribe!
Transcript
One of many reviews we've seen this week.
Oh yeah, I mean I know we normally get a lot, but...
Yeah, no, this one is actually probably my favourite.
Go on, who's it from?
Jav.
What, Jav did us a review?
I mean, I know he's a guest on the show.
He said, give me to have it ready and to hand.
I thought one of you was going to read it out.
So, it's from Marshall Tipsy, who said, just listen to the podcast.
Is Marshall Tipsy like a rapper name?
It should be, yeah.
This is about, you know, after he's had a few drinks, he's Marshall Drunksy.
Wee!
Anyway, he says, if you want to know how apparently Javad got kicked off his own podcast, have the words Industry News bird into your brain, or be left contemplating Billy Big Balls as a reference, then listen. Solid five out of ten. Yes.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are. Join us and welcome. Welcome one and all. Welcome, dear listener. Welcome the casual listener. Welcome listeners who are going to leave us a review on our podcast. Welcome to episode 158... 162 of the Host Unknown Podcast. Gentlemen, welcome. How are we? Jav, how are you? Obviously feeling top of the morning after having this called your podcast minutes after you told us you're not going to be attending next week either, again.
Again? Do you think Elon Musk is at SpaceX every single day, or at Tesla every single day? No, he's got multiple ventures. Or at Twitter every... he's at Twitter every single day. But putting that aside, you know, people have... when you reach a certain level, you have multiple ventures, multiple balls.
You need to keep juggling. You choose your deputies wisely.
A lesson that I'm trying to learn. I'm struggling.
But, you know, so can I just say, you know, that's that saying: if you have to bring the Nazis into an argument, you've failed.
If you bring Elon Musk into an argument, surely the same principles apply.
Well, if you're comparing yourself to Elon Musk, it's not a good look, dude.
Did you just call Elon Musk a Nazi? Is that what you're saying?
No, didn't. Did not say those words at all.
So to use your own words against you, if you have to bring the Nazis into an argument, Tom, I think you've already failed.
Uno reverso. So aside from comparing yourself to,
well, I was going to say slightly unhinged celebrities in the world. How are you doing,
Jav?
I'm doing good. And I'm very hinged because, as I was telling Andy, I don't think...
What, you're on the dating site, Hinge?
No, no, no, no, no, no, no.
The alternative version, unhinged.
Unhinged, yes.
The crazier, the better.
Oh, that suits you down to the ground, Jav.
It's like you have to put, like, obscure facts about it, like obscene facts, like unhinged facts. You know, what's your favourite bunny-boiling recipe on there? And that's how you get matched.
But no, I was very mature and grown up this week. I filed my self-assessment this week, so I'm good to go for another year.
What, with your tax as well?
Yeah.
Wow. So you and me, we are Host Unknown, two-thirds up to date on their tax.
Yes.
Yeah, we will hit 100% compliance by 2nd of February 2024, roughly two to three days after the deadline.
Exactly. You can take that to the bank.
Jav, you must have had a really quiet week if you got that done.
No, you know, it's late this year. Normally I get mine done, you know, sooner in the year, as soon as, like, the P60 comes out and everything. I just, like,
get all my paperwork together, send it off to my accountant, who's awesome. And, you know, every year I'm like...
Ventures? Have you got... if you need an accountant to file everything from a P60?
Well, he's learned lessons in the past.
Well, this is true. We ascertained that last week.
Yeah, no, there's P60s, there's other ventures I have on the side, like, you know, like many... like Bill Gates has many ventures out there.
Oh, we're off again.
Philanthropy.
Yeah, yeah.
I see how he's moved on from Musk to Gates, though.
Yeah, soon, soon I'll reach someone... I'll reference someone rich who you two approve of. But clearly you two are, like, anti-capitalists and, like, you hate the establishment and hard work and anyone that tries to make something of themselves.
No, I like Tim Cook.
Well, Tim Cook just inherited it from Daddy Jobs, so, you know, he didn't do anything himself.
Do you know what's interesting? You know, Tim Cook was a nobody, right, before...
He still is.
Well, before he became the boss of a three trillion dollar company. Before that, nobody had really heard of him. But I saw something the other day, and somebody was saying, you know, when Steve Jobs first had Apple and he basically drove it into the ground and then got fired, etc., etc., you know, he was the wrong man for the job, and he came back the second time and he was the right man for the job and all that sort of thing. He said basically the only thing that changed was that, you know, Steve Jobs is full of vision and creativity and just out-there thoughts. The only difference was he had somebody who was not full of vision and creativity and, you know, and all that sort of thing, but who was very solid on delivering product and doing this and getting, you know, getting the tech right and all that sort of thing.
And that man was his COO, Tim Cook.
So it's quite interesting that, you know, actually, Tim Cook has now been elevated to a role where you need that massive amounts of creativity and vision when his strengths were elsewhere.
You know, it's funny you mention that,
because, Tom, isn't that why we brought Andy on here?
Because we thought he's the bland one.
No one really knows him.
I'm the Tim Cook.
I'm the only one that gets shit done around here.
But he fails on the one thing that we did bring you on to do.
Which is?
To get stuff done.
Hang on.
Hang on.
This is the man who barely turns up.
Like I said, I'm trying to set a legacy here.
Trying to build something that will outlive me.
If I have to be here for this to run,
we do not have a valuable offering. Like, you know, Apple...
A fruit fly is going to outlive you.
Did Apple die when Steve Jobs passed? No, it carried on, because he built something that was bigger than himself, and that's what I'm trying to do here. And if you two deputies understood what I'm trying to do for you.
Do you know what?
I've got a better idea.
I know the future of my podcast here.
Remember when Angus Deaton got sacked from Have I Got News For You?
And they just got new people every week.
We'll just rotate every week.
Yeah, exactly.
Just give the podcast out and just get three new people every week.
Yeah.
So which one are you? Are you the editor of Private Eye or a washed-up comedian, Andy?
I'm a washed-up editor.
Well, in which case, with all the words that are left over, that makes me the comedian.
That can't be right.
Well, yeah, it's one of those things. People laugh at you, not with you, but, you know, you get the same end result for the people observing.
Well, exactly. I just bring joy to their lives, right? It's all good. So talking of washed up and joy, so Andy, how are you doing? How's your week been?
Good. I've had to pop some Strepsils. I've got a sore throat going on, so it's not going to go well with my coffee, which I grabbed just before the show. But, yeah, no, it's another busy week as we approach these summer months. Yeah, I think lots of people just getting stuff done before we sort of, I might say, take a break for the summer,
but you know how things slow down naturally as people go on holiday.
People disappear, don't they, in these holidays and stuff.
So projects go on hiatus and stuff, yeah.
Yeah.
Yeah, it's all kind of...
Yeah, no, nothing too interesting for me,
other than obviously I did enjoy that review.
And do you know what?
I've got a nitpick because, you know, like I say,
I do try and keep the show going.
But, you know, it's difficult working with you clowns.
Last week, Tom, you posted episode 167 online.
Do you want to check again? Because I believe that's been corrected.
Oh, OK. So this is what you did when you logged in.
I saw you logged into the show notes, and there's, like, a 10-minute delay before you actually join the studio this morning. So I assume you read the top part about how last week was mislabelled, went to go and change it, and then came and joined the studio. How am I doing so far?
Yeah, not bad, not bad, actually. Although you make a, you know, quite a large assumption that I read the show notes. I did not see that statement until just now. But I always log into our podcast platform just to, you know, see how we did on stats for the week and all that sort of stuff, and then saw the sudden jump and, oh, I'd best change that.
So, okay. So, yeah, I was worried.
Yeah, I can easily add four to every podcast episode. I was going to struggle if we had to subtract six going forward every month. I was thinking, oh God, this is going to be a nightmare. It goes in one way only.
Yeah, I was going to say, you were doing really well apart from the assumption that I read the show notes.
Oh dear. And talking of massive assumptions, Tom, how are you this week?
I've got really massive asses.
Yeah, very good, very good.
I'm on holiday today.
I'm going away for a long weekend down in Sidmouth, of all places,
but there's a cheeky little Airbnb down there,
which I've been to a few times before, which is lovely.
So I won't be back at work until Wednesday,
much to the chagrin of everybody
who's been booking meetings with me recently.
So, yes, I'm just sat here in my pyjamas,
chilling, thinking I've got a pack.
So, yeah, the sooner we get this shit over with,
the better.
All right, let's do it then.
What are we waiting for?
All right, all right.
Shall we see what we've got coming up for you today?
This week in InfoSec, thanks the First Amendment for easily accessible porn
Rant of the week is pot calling the kettle black
Billy Big Balls is a US versus Russia tug of war
Industry News brings the latest and greatest security news stories from around the world
And Tweet of the Week asks the value of a lock screen. So let's move on to our favorite part of the show, the part of the show that we like to call This Week in InfoSec.
It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield, to the 26th of June 1997, when the Communications Decency Act was declared unconstitutional. That's right, the US Supreme Court ruled the Communications Decency Act unconstitutional on a seven to two vote. So the act, passed by both houses of Congress, sought to control the content of the Internet in an effort to keep pornography from minors.
It's always about the children.
And in an opinion written by Justice John Paul Stevens, the Supreme Court ruled the act a violation of free speech as guaranteed by the US Constitution.
So the internet being a truly international thing,
but the US think they can control it all?
Or is this just a... Yes.
Well, you know, back in 97, right?
So this was, I think...
Kind of basic stages.
Yeah, but there was this great site back then
called Satire Wire
that sort of did fake press releases. Yeah. But I mean, there's been... I worked at a place that... there was a fake press release about how Bill Gates had patented zeros and ones so no one else could use them, and we sent it around the office. And, like, our CEO at the time, he literally read it going out the door, and he was off to present somewhere, and he actually opened with, like, you know, the way things are going, he goes, I've just read that Bill Gates patented all the zeros and ones on the internet. And it's like, no, no, that's a joke, right? It's a joke. But no, anyway, back to the point. Yeah, Satire Wire did a story, and it was, like, titled Americans Annoyed With All This International Shit on the Internet. It was just... it was so true back then. Like, you know, the US thought they were the only people.
That's not even satire, though. I mean, that's... I told you, they are still poor.
Yeah, but yeah, no. But I think, had it been... because it was so early on, right? And, you know, we were still paying for dial-up Internet back then.
Right. You know, we're getting it sort of three hours on a monthly basis. We didn't have any of that concept.
So I think had this... had they managed to get controls in early on, it could have shaped... it would have delayed the inevitable.
I don't think it would have stopped it, but it definitely would have, you know, potentially slowed it down, or even, just as you say, it would have shaped how the internet is sort of perceived and managed, etc.
Yeah, but yeah, interesting, interesting. I think it's this whole sort of, as you say, it's about the protection of the children and all that sort of thing. And sometimes you think, oh God, you know, the puritanical Americans are going to be all over this.
It's sometimes quite refreshing to see, you know, courts ordering just basically in favour of more fundamental rights of free speech.
I'm quite amazed that that even happens sometimes.
Yeah, well, I do think there's a story about Justice John Paul Stevens.
He was found hanged, wearing stockings with whipped cream on his nipples.
No, no, that's allegedly.
Orange in his mouth, plastic bag in his head with a buddy inside.
Yes, exactly.
The bag.
Yeah, and a gerbil just running loose around the room.
Which Thomas got filed under goals.
Our second story takes us back a mere 16 years, and I didn't even have to do the calculations on this one because it is my anniversary: the 29th of June 2007, when the phone that changed everything was released. And so this is nearly six months after it was introduced.
Apple's highly anticipated iPhone went on sale.
And it was generally downplayed by old world technology pundits
after its introduction.
But the iPhone, yourself included,
the iPhone is obviously greeted by long lines of buyers around the country.
In the US, we saw in the news on that first day, and it became an overnight phenomenon.
One million iPhones sold in 74 days.
Obviously, since those early days that the following iPhone models continued to set sales records and completely changed not only the
smartphone and technology industries, but the world as well. I'd suggest it's changed everything
from the way products are packaged, you know, the way they're marketed and advertised,
you know, the way products are, the actual layout and things like that of products, even down to instruction manuals. Do you know what I mean? I think it's changed a huge, broad range of things as a result. Because if you note the instruction manual on your iPhone, it's, like, four pages long and that's it, and it's all just pictures.
Yeah. And the other thing is the, obviously, the sort of App Store platform that they've got.
Yeah, where they do that sort of secure test, or, say, secure test... you know, it's a... what's the word? It's a closed operating system.
Yeah, so, yeah, everything's sort of sandboxed. So the apps that you run on it, like, one, you have to know what you're running, but all the apps have to be approved before they go live.
For the security world, it's really helped end users unknowingly.
We're going to see that in the rant of the week, actually.
Indeed.
I was a massive, was it the Microsoft Windows CE platform?
Oh, yeah.
I think my last phone was the O2 XDA2,
which was like a little flip thing with a keyboard and all that sort of stuff.
But I had all of those, you know,
except I had to reboot them roughly every 36 hours
because you couldn't make a phone call every now and then.
And I was thinking, oh, this is just, you know, this is ridiculous, you know. And then I happened to be walking through Regent Street and just dipped into the Apple Store just to see what all the fuss was about. I picked this thing up and sort of swiped and played, and it was like, this is incredible. It was a massive difference. I had no interest in Apple whatsoever, but literally picking up that phone completely changed the way I thought. The light shone down on you. It was like you could hear the choir in the background. It was almost like angels singing. It was incredible. But the responsiveness and the clarity... and I look back at the old iPhone now and it looks clunky and dark and pixelated.
But back then it was stunning.
So I got a friend to buy one when he was in the US for me.
And the rest is history.
Indeed.
All right, excellent.
Andy, thank you very much.
This Week in InfoSec.
The host unknown podcast.
Orally delivering the warm and fuzzy feeling you get when you pee yourself.
Ah.
All right, let's move on to this week's...
Listen up!
Rant of the week.
It sounds a mother f***ing rage.
So, as I just indicated, we're going to be talking about an app for the Android, which doesn't have the same walled garden approach and therefore has a slightly more loosey-goosey approach to what apps can be on there. But there is an app out there called LetMeSpy, with a capital L, M and S, because if one thing that Apple taught us is that you can capitalise letters randomly. So LetMeSpy, and what this package does is it allows you to install this onto someone else's phone. It then hides itself and records everything that happens on that phone, uploads it to a website that you log into and download and get access to all the data. So basically it's stalkerware, right?
Stalkerware, yeah, that's exactly what it is.
Exactly. Was... now, of course, they're, you know, they're saying that it's, you know, for valid, you know, legal use only. And in fact, I do recall there was an app and services for iPhone, this before the whole sort of Find My thing kicked off with iPhone, that allowed you to track phones, and I actually found... we used it where I was working, because basically we had a tea leaf in the office who was stealing phones and iPads and laptops. So I installed this software and found that, you know, basically within two days of it going missing it turned up in Spain, which of course meant we couldn't do anything about it. But so there is a valid use for it. But on the whole, if you're dropping something like this out onto, you know, onto the Google platform and it's really there for, you know, stalking your partner, your, you know, whomever, some famous celebrity, if you can get access to the phone anyway, not great, not great. But it turns out that the information that has been gathered by this stalkerware has actually now been leaked. So not only is it bad enough that they steal someone else's data, now everybody's data who's had it stolen is now available online. It's been circulating for the last few days, and the spyware's users, those who've got the app to put on someone else's device, reportedly include government workers and a ton of US college students. Because, of course, you know, college students are extraordinarily woke and they would never do this sort of thing anyway. But it's a Polish app. The incident happened on June 21st, that's literally just over a week ago, when someone obtained unauthorized access to its databases.
So there is an irony here of somebody making stalkerware
that boasts about secretly collecting call logs, text messages, etc.,
admitting that someone else has gained unauthorized access
to their information.
I wonder how they got access to it.
I wonder if somebody installed their own app onto it.
That would have been a massive irony, wouldn't it?
So, call logs, messages, geolocations, IP addresses, payment logs.
Texts, hashed passwords, blah, blah, blah.
So, there's a bunch of stuff up there, right?
So, according to the article, there are some government employees, although and I'm trying to find which of these government employees.
Yeah, because I found it when I first looked, because I actually did read the article.
They're not from the US where you would imagine. God damn it. You can never find the data when you need it. Those people at Smashing now look a lot more professional to me.
Anyway, so, yeah, they're from foreign governments elsewhere. I think it was the Philippines, etc., as well as a whole bunch of, as I say, US students.
The actual software is now out of date.
It only runs on Android 4 to Android 7.
I don't know.
Is that recent?
So you're getting wound up about not much, yes.
11 or 12, I think.
What are we on there?
But then this is the, I get confused with Android because they just make up numbers.
It's not like they go make up numbers. They do.
It's not like they go one to ten.
Is this KitKat or Crunchy?
Yeah, this is like chunky KitKat.
Oh, chunky, yeah.
Collaboration.
It also says in the story.
Mint 12.
It also says in the story,
a glance at the dump database looks like none,
it doesn't appear like any of the above users have actually used
the product in any capacity. So, you know, it's one of those things, like, if you look on the official Google store, it's not there.
No, because it's only available for Android 4 to 7.
Yeah. And then, so, you know, you have to get hold of someone's phone, know their PIN or password to log in, go to the app store, download the app.
Which is exactly what happens in abusive relationships, right?
Yeah.
If you've got, yeah.
It's also not that difficult to get someone's PIN, Jav.
No. No, it's... I just think, you know...
How do you think we know about where you really are next week?
Yeah.
Yeah, yeah, yeah, yeah.
So I think it's just like, just again, as always,
Tom Langford sensationalising,
starting off by blaming Android for its flaws and everything
and missing the whole point altogether.
Oh, what's the point?
If you... You know, it's one of the Microsoft 10 immutable laws of security.
If someone has physical access to your device,
it's no longer your device.
Right.
How does that help the abused spouse in a relationship?
Well, if someone's got physical access to your device,
it's no longer your device.
And I think that's the...
Yeah, but how does that help somebody in an abusive relationship who's being stalked and being, you know, emotionally and financially and physically manipulated?
Well, it doesn't. And the thing is that the whole point is that, you know, technology is always... in that scenario there's no technology that can help you. Even simple things like...
So just put up with it? Sorry.
Yeah, yeah, it's just the way it is. You guys are just such, like, ignoramuses.
Well, we're not the ones... you said that we missed the point.
That I missed... people have used, like, the Apple, you know, the trackers or the iPhone, you know, Find My Phone, and/or, like, the synchronise or that kind of stuff to do the same thing anyway.
So what are you going to say? Oh, Apple's got a bad product or the security is not there.
No, the fact is that if someone can access your device, what we need is better education and better help and better support for people in those relationships.
And self-defense classes.
Yeah.
Yes.
And also products that don't get hacked
and release vast amounts of data,
including call logs, messages, geolocations, IP addresses,
payment logs, user IDs, email addresses,
and customer account password hashes.
That is a good starting point, yes.
I think we can all agree that this LetMeSpy, I mean, just purely the name, right, LetMeSpy, this is a complete shit show of a company that's just doing something for the crack without putting in any kind of decent controls about how the software that they release can be used and managed and abused, without acknowledging that it can be used in such a way. And then failing at the very basics when it comes to protecting the data that they are hoovering up from these, I think in this instance, roughly 10,000 phones.
So, you know, to me, I think this is something that's worth getting a little bit angry about, right?
Indeed.
Yeah.
Yeah, Jav.
Rant of the Week.
You get it.
Rant of the week. We are officially the most entertaining content amongst our peers.
We were last year anyway.
Yeah, exactly.
Well, we still are, you know.
Those peers... I don't think we've managed to take out all of the people who voted for us last year.
Yeah.
Yeah, exactly.
Exactly.
Right, Jav, your turn.
It's time for this week's...
Billy Big Balls of the Week.
Yes, yes, yes.
And we have a great Billy Big Ball of the week this week.
And Tom, if you want to... Just the one?
Yeah.
This is a huge ball.
It's not two.
It's just one big one.
It's one giant one.
And I'll let you get in your digs already and say,
oh, Jav's bigging up the criminals.
But this is the ultimate master criminal.
So I think they deserve...
Oh, so you are bigging up the criminal.
Yes, of course I am.
Okay.
Okay.
Just checking.
So actually it's a former editor of a hacker magazine,
a Russian network security specialist and former editor of Hacker Magazine. And what's amazing is he is wanted by both the US and Russia
on cybercrime charges.
How awesome must your moral compass be
that you don't care whose feet you step on?
You literally say, like, there's no safe place for me to go.
I don't know where to go.
I mean, is there any place on the planet where there's non-extradition
with both the US and Russia at the same time?
North Korea, maybe?
I feel like North Korea would hand over to Russia.
Via China.
Yeah.
Oh, man.
You must have really pissed people off.
When you check into a hotel, make sure you stay on floors one or two.
Yeah.
So Nikita Kislitsin, an employee of Russian infosec shop FACT, that's with two Cs, F-A-C-C-T, was detained on June 22nd at the request of the US in Kazakhstan. And now both governments are fighting over where they want him extradited to. According to information we have, the claims against him are not related to his work at FACCT but are related to a case more than 10 years ago when Nikita worked as a journalist and independent researcher.
We are going to create a meme about Putin? Is that what it is? It's just recirculated on Telegram or something.
And so that would explain why the Russians want him.
Why would the US want him for that?
True.
Well, it wasn't fact the thing that did all of the licensing
back in the sort of 2000s.
No, that's the Federation Against Copyright Theft.
That's a UK thing, yeah.
Oh, it was just one C.
Yeah, that was a cartel.
It was, wasn't it?
Anyway, because otherwise,
well, I'd be after him as well,
because, jeez.
Anyway.
But, yeah, so, you know,
FACT is not under investigation
and has not been charged with any wrongdoing.
So they're quick to, like, you know, distance themselves. Have washed their hands of him.
Yeah, yeah, that's right, that's right.
So it's interesting to see where... I don't know what the odds are as to where they will get extradited to. I think if Kazakhstan knows what's best for them, they're closer to Russia. I think they would send him there. But maybe out of spite they will...
This guy is gonna, like, just die in custody, and I think that's what's gonna solve it for everyone.
Yeah, yeah, at about 4:30 p.m. Yeah, unexpected, just after tea time.
Yeah, yeah. So the US request for extradition relates to earlier charges. He's accused of ransacking social network service Formspring in 2012, a mere 13 years ago.
No, it's not.
11 years ago.
Stealing username, email addresses and passwords
and then trying to sell the stolen database for €5,000 a pop,
according to a 2014 indictment against him.
See, it doesn't seem like a big thing for, like, you know, for the US to
request extradition. It doesn't seem like he's done such a major thing. But I don't know, I don't
know, there seems to be a lot more than meets the eye. There always is with the US. Yeah, there is,
there is. So maybe he took a selfie with Snowden somewhere. I don't know.
Maybe he stayed in his house for a bit or something.
So that's the thing. And I think
that truly is a...
If there's a Billy Big Ball out there, I think
it must be
either this guy or Kim.com.
Yeah, I'm not coming back
at you for this. It's good.
It's good. It's fair.
Even if he is a criminal.
Billy Big Balls of the Week. Sketchy presenters, weak analysis of content and consistently average delivery,
but they still won an award. Like and subscribe now. Last year.
We're going to have to get something made up.
Yeah.
Just modify them.
Yeah, that's right.
Yeah.
Right.
Andy, what time is it?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Are GPT-based models the right fit for AI-powered cybersecurity?
Industry News.
Over half of UK banks are exposing customers to email fraud.
Industry news.
Submarine cables at growing risk of cyber attacks.
Industry news.
Third-party vendor hack exposes data at American Southwest Airlines.
Industry news.
EncroChat bust leads to 6,500 arrests in three years.
Industry news.
End of stream news.
And that was this week's...
Huge if true.
Huge if true. Huge if true.
Huge, huge.
Some of those are getting quite hard to read.
I think you're just missing the comma.
Yeah.
Yeah, yeah.
Yeah, true.
True.
Let's see.
What should we click on?
What looks interesting?
Over half of UK banks.
Oh, I just went to that one.
Yeah.
That's quite significant. So it's through patchy implementation of DMARC. Oh, for goodness' sake.
Message Authentication, Reporting and Conformance. It's a fundamental control. Yeah, just put it in
place, people. Come on.
Yeah, so there's three levels, monitor, quarantine and reject. Only reject will ensure suspicious messages don't end up being read by the user.
And apparently, so Proofpoint analyzed the DMARC implementation strategies of 150 UK banks
and found 30% have no protection at all.
What?
And a fifth have the weakest DMARC policy of Monitor,
which provides virtually no protection to customers.
And less than half of the bank, 47%, assessed had DMARC reject policy.
I've said this before on this show and I'll say it again. I know that some of these large enterprises have got, you know, quite complicated environments and all that sort of
thing, but that's what you've got your engineers for. DMARC itself is straightforward. Even I've
managed to install DMARC, or implement DMARC, on, you know, on a domain I own.
You mean you literally went to the M365 portal
and just ticked the box that said DMARC on?
Yeah, exactly.
No, there's changes you have to make to your DNS and stuff.
Well, I don't know.
I had to make some changes to the DNS.
I had to very carefully read a short document.
Are you confusing DMARC with DKIM?
Probably.
Quite possibly.
Who knows?
But these are basic controls. Yeah, they are very simple
controls. Yeah, yeah, exactly. Especially with, like, if you're in a Microsoft shop or something like that,
it's just so easy. Yeah, yeah. I mean, who's still using Lotus Notes in this day and age?
Let's be honest, there's very few other solutions. It's either going to be Exchange or Notes.
There's very few other solutions in the enterprise world.
Yeah, you're absolutely right.
I can't even think of another one in the enterprise world.
I mean, do Oracle do email?
They probably acquired Lotus Notes or something.
A clunky solution that they would buy and then license.
Hey, this looks like it won't fit at all
into our environment and will stand out like a sore thumb. Brilliant. Once it's implemented it'll
take four years to get out, so we'll just rake the money in. Oh dear. I'd love to, I'd love to, you know,
do they name and shame in the report?
I wouldn't have thought so.
It's publicly available data, right?
Effectively.
It is, yeah.
You just go after your own research, though.
Yeah.
Oh, God, you sound like an anti-vaxxer.
Oh, no.
You have to go to... What's it?
MX Box.
What is that tool where you just check
everyone's DNS settings and DNS records?
Oh, really?
Yeah.
I can't remember.
MX Toolbox, maybe?
Yeah, yeah, yeah.
And then just punch in the domain you want to look up.
That's it.
Pretty soon you'll be like,
oh, there's that guy on LinkedIn.
I can't remember his name.
And even though I could, I'm not going to name him.
But he owns one of these DNS companies,
and he does these really shallow scans,
and he goes, oh, this is the problem with your company is DNS
or API security or something like that.
And he's like, oh, this is why they got hacked.
And everything's down to DNS.
Oh, yes, I know.
I remember that.
But yeah, no, I'm interested in this story about submarine cables
at growing risk of
cyber attacks. And yeah,
the cyber attacks is basically someone chopping them. So
I thought it was like, don't they, don't they,
isn't there a thing where they kind of cut into the cable,
this is all underwater and then bypass the fiber and then
pop it, drop a, you know... so that the signal's only interrupted very briefly, and then drop, like,
an intercept device on it? Or is that... that's, like, old school, isn't it? That's what they do, like,
on the side of buildings and stuff. Yeah, that's right, that's right. But don't you know, but now they are doing it on,
you know, submarine cables, aren't they? I don't know. No, this report is by Recorded Future and
they're, like, based on the Russia-Ukraine conflict, China's attitude towards Taiwan and
US-China tensions, they think it's very, very likely in the near-term risk environment that
cables will be targets for sabotage and even espionage and what have you. So like I said,
like in February 23, two submarine cables connecting Taiwan with the outlying island
of Matsu were cut by Chinese civilian ships, likely intentionally, within six days of
each other. Which is why I think, you know, if you have Starlink, an Elon Musk product,
then you won't need to rely on underground cables, you just do the satellites. Try cutting those,
Chinese civilian ships. Oh, they might just accidentally crash satellites into each other.
Yeah, China's got enough up in the air to...
And, dear listener, if you stay to the end,
you'll hear an interview with Starlink founder Elon Musk
carried out by our very own Javad Malik.
So, GPT-based models for AI-powered cybersecurity.
You could not throw in more buzzwords into that headline if you tried.
Yeah.
It's nice that we've moved on from blockchain headlines.
I do feel that blockchain's a bit 2021 now.
Yeah, now it's chat GPT and AI, right?
Yeah.
Are we still worried about ML, like machine learning?
Is that still a thing or is that too old? Oh, that's too old. No, I think it is. A third... There
are use cases for it, isn't it, when you just want repetitive tasks done without any kind of
creativity. There's use cases for it, there's just no headlines for it, Tom. Right. Go on. One more. Anything grab your eye? MIT publishes framework to evaluate
cybersecurity methods. That's all we needed. We just needed one more framework to solve all of
our problems, I think. There you go. There you go. I think we've hit the
nail on the head there. Thank you. That was this week's industry news.
We're not lazy when it comes to researching stories. No, we're just energy efficient. Like and subscribe to the Host Unknown podcast for more ESG adjacent tips.
All right, Andy, time for you to take this car crash home.
It is time for...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week comes from Mr Reboot,
UK Daniel Card, And he says,
lock screen enabling after five minutes.
Do you think this is good security
or do you think this creates a hostile working environment
where people are therefore more likely to act in a way
which overall has a negative security posture impact?
Discuss.
So personally I think five minutes is far too short a time. Yeah. Five minutes is... seriously, five minutes? Have you not stared blankly at your screen for more than
five minutes, or is that just me? No, that's what I'm saying, it's far too short a time to lock.
oh i'm sorry i thought you were saying it should be shorter.
Yes.
Yes.
30 seconds.
Type monkey type.
Yes.
So in the replies,
someone said I've been on several physical pen tests and that's all I need
to know about this person.
When someone starts talking about physical pen tests,
there is a certain personality type that gets unlocked.
Anyway, where the lock screen timers were too long
and I've been able to backdoor many systems,
I usually advocate for lock screen timers around one minute.
What?
And Mr. Reboot, Dan Card, replied and said, one minute, laughing emoji. What did you do
today, Dan? Well, I unlocked my system 8,000 times and sent one email. A productive day. Yeah, exactly.
So all we ever used to do is literally get on someone's machine and go to hotmail.com, but mail with M-A-L-E. Yeah, exactly, you know, adult content.
Or, you know, you send the classic email to the office: hey, drinks are on me tonight.
You know, that's... set it for 15 minutes but create a culture that means that when people leave their
desks they lock their laptops. Isn't that the solution, rather than kicking them in the balls
every time they stop typing for 60 seconds? Yeah, I don't know. Like, I awfully agree
with you on that particular character type jab. It's that kind of somewhat, how can I put it, hyperactive individual who has no idea how sort of
humanity works. Yeah, yeah. I mean, it's great, like, you go on these tests and you find stuff
and, you know, you can exploit it, that's great. But, you know, everything's a risk discussion, isn't it?
Yeah. What is really the likelihood?
And, you know, what other controls do you have in place?
Like, you know, how often is it that someone can wander into your office,
bypass your physical security controls, avoid CCTV detection,
get onto a machine?
You know, you start talking about layers and everything.
A complete stranger is just sitting at the
desk next to you and just sort of, like, morning, plugging USB sticks into a machine,
sort of fiddling with the cables at the back. Yeah, yeah, exactly. And that's assuming that it's
even a machine like that. I mean, the vast majority of enterprises are using laptops now, right?
Well, that's it. You've got a Mac, which is sitting there with no USB key.
Yeah, that's right.
Don't.
Sitting there with you.
What those tools used to be called?
Remember that, like,
the hack stuff?
The rubber duckies.
Switchblade.
Not the rubber duckies.
Something switchblade.
You plug it in and it relies
on the machine auto running.
Yeah, yeah, yeah.
As soon as you plug it in,
it sees it's a CD drive,
runs it, and it's like, you know, extracts all your email and dumps it to a Gmail account. Yeah.
No, it's like the good old days are gone. It's, you know, we're still doing the same tests for it and
it's still got the same control. And also, you're doing a physical red team, right,
and you're wandering around and you see an unattended laptop
which hasn't been locked because your lockout is 15 minutes
and you jump on it and you do your business and blah, blah, blah.
And your recommendation is reduce the screen lockout time
from 15 minutes to one minute.
You've got to question that kind of advice, right?
Surely we should be talking
about culture,
locking laptops, blah, blah, blah,
all that sort of stuff.
Yeah.
Very good.
I think that was a top one. Thank you,
Andy, for...
Well, blimey, we have barrelled into the room
at the end of the house of the show.
Don't ask me to say that one again.
I think I got lost halfway through.
But thank you very much, gentlemen, for your contributions today.
Jav, thank you.
Oh, you're welcome.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to
the Host Unknown Podcast.
If you enjoyed what you heard,
comment and subscribe.
If you hated it,
please leave your best insults
on our Reddit channel,
worst episode ever,
r slash
Smashing Security.
Try not to mess it up next week, guys.
I was going to say, who should we get on next week?
Well, I did actually notice that you were on Smashing Security this week.
Oh, they could return the favour then, couldn't they?
Indeed.
Let's get Carola.
Yeah.
Well, I mean, she's declined like the last three times and sent her intern.
This is like Raw and Smackdown. It's like every now and then you have talent coming from one show to the other.
But it's all owned by the same parent company.
This is like the ultimate crossover event.