The Host Unknown Podcast - Episode 162 - The Do Not Google It Episode
Episode Date: July 28, 2023

This week in InfoSec (05:54)
With content liberated from the “today in infosec” twitter account and further afield

18th July 2011: Microsoft Hotmail announced that it would be banning very common passwords such as "123456" and "ilovecats".
https://twitter.com/todayininfosec/status/1416957326205100035

27th July 1990: The case of United States v. Riggs was decided. Robert J. Riggs (Prophet) had stolen the E911 file from BellSouth, then co-defendant Craig Neidorf (Knight Lightning) had published it in Phrack. The file was neither valuable nor confidential.
https://twitter.com/todayininfosec/status/1287768573310533633

Rant of the Week (16:59)
VirusTotal: We're sorry someone fat-fingered and exposed 5,600 users

VirusTotal today issued a mea culpa, saying a blunder earlier this week by one of its staff exposed information belonging to 5,600 customers, including the email addresses of US Cyber Command, FBI, and NSA employees.

The unintentional leak was due to the layer-eight problem: human error. On June 29, an employee accidentally uploaded a .csv file of customer info to VirusTotal itself, said Emiliano Martinez, tech lead of the Google-owned malware analysis site.

"This CSV file contained limited information of our Premium account customers, specifically the names of companies, the associated VirusTotal group names, and the email addresses of group administrators," Martinez wrote in a Friday disclosure.

"We removed the file, which was only accessible to partners and corporate clients, from our platform within one hour of its posting."

The employee had this list in the first place because the customer data was "critical to their role," we're told.

For those who don't know: VirusTotal allows netizens to, among other things, upload files, or submit a URL to one, and the site runs the material through various malware-scanning engines to see if anything malicious is detected or identified.
Premium subscribers can also download uploaded samples, and that is how the uploaded .csv file of customer info was accidentally leaked.

https://www.bbc.co.uk/news/uk-politics-66333488

Billy Big Balls of the Week (24:01)
Crooks pwned your servers? You've got four days to tell us, SEC tells public companies

Public companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission.

The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to adopt the requirements [PDF]. The rules, which take effect 30 days after being published in the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business. Companies must make this determination "without unreasonable delay," according to the new rules. If they decide a security breach is material, then they have four business days to submit an Item 1.05 Form 8-K report detailing the material aspects of the incident's "nature, scope, and timing," plus any impact or likely impact on the business. Those 8-K forms are made public by the SEC.

It is that time of the show where we head to our news sources over at the Infosec PA newswire who have been very busy bringing us the latest and greatest security news from around the globe!
Industry News (30:05)
Booz Allen Pays $377m to Settle Government Fraud Case
Cyber-Attack Strikes Norwegian Government Ministries
Industry Coalition Calls For Enhanced Network Resilience
Dark Web Markets Offer New FraudGPT AI Tool
Group-IB Founder Sentenced in Russia to 14 Years for Treason
SEC Wants Cyber-Incident Disclosure Within Four Days
Supply Chain Attack Hits NHS Ambulance Trusts
NCSC Publishes New Guidance on Shadow IT
OpenAI, Microsoft, Google and Anthropic Form Body to Regulate AI

https://www.outkick.com/robot-pizza-start-up-shuts-down-because-they-couldnt-keep-cheese-from-sliding-off/

Tweet of the Week (42:02)
https://twitter.com/hilare_belloc/status/1683797122628321280

Come on! Like and bloody well subscribe!
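The first This Week in InfoSec item above, Hotmail's 2011 ban on very common passwords, is the one technical control in these notes. The block below is an added example written for this page of how such a check is usually built today; it is not Microsoft's code and not something the episode describes. Everything in it is an assumption: the blocklist is a constructed ten-entry sample (a real one holds millions of breached passwords), the leet-speak and trailing-digit normalisation is a common generalisation of "ban 123456" rather than anything Hotmail announced, and the SHA-1 prefix/suffix split only shows how a k-anonymity range lookup (such as Have I Been Pwned's Pwned Passwords API) is formed, with no network call made.

```python
# Added example: a banned-password check of the kind Hotmail announced in
# July 2011, written for this page (not Microsoft's implementation).
# Assumptions: COMMON_PASSWORDS is a tiny constructed list; a real deployment
# loads millions of entries and also enforces a minimum length, omitted here.
import hashlib
import re
import unicodedata
from typing import Iterator, Optional, Tuple

# Constructed sample list. The first two entries are the ones named in the
# show notes; the rest is illustrative filler.
COMMON_PASSWORDS = frozenset({
    "123456", "ilovecats", "password", "qwerty", "letmein",
    "abc123", "iloveyou", "welcome", "monkey", "dragon",
})

# Substitutions already present in attackers' wordlist rules, so "P@ssw0rd"
# must be treated as "password" rather than as a fresh secret.
_LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "|": "l",
})
# "ilovecats2023" is still "ilovecats" for blocklist purposes.
_TRAILING_DIGITS = re.compile(r"\d{1,4}$")


def candidate_forms(password: str) -> Iterator[str]:
    """Yield progressively more aggressive normalisations of a password.

    Order matters: the exact (casefolded) form comes first, then the form
    with trailing digits dropped, then leet-speak undone. Digit substitution
    runs last so an all-digit password like "123456" is matched by the exact
    form instead of being mangled into letters.
    """
    base = unicodedata.normalize("NFKC", password).casefold()
    yield base
    stripped = _TRAILING_DIGITS.sub("", base)
    if stripped and stripped != base:
        yield stripped
    for form in (base, stripped):
        leet = form.translate(_LEET)
        if leet and leet != form:
            yield leet


def banned_match(password: str) -> Optional[str]:
    """Return the blocklist entry the password collapses to, or None if clean."""
    for form in candidate_forms(password):
        if form in COMMON_PASSWORDS:
            return form
    return None


def is_banned(password: str) -> bool:
    return banned_match(password) is not None


def pwned_range_query(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) for a k-anonymity range lookup.

    Only the 5-hex-character prefix is sent to the range endpoint; the client
    scans the returned suffix list locally, so the full hash never leaves the
    machine. The HTTP call itself is deliberately left out of this example.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    for pw in ("123456", "ILoveCats2023", "P@ssw0rd1", "correct horse battery staple"):
        print(f"{pw!r:32} banned={is_banned(pw)} as={banned_match(pw)}")
    print(pwned_range_query("password"))
```

The normalisation order is the part worth copying: checking the raw casefolded form before stripping digits or undoing substitutions keeps purely numeric entries matchable, and a reject decision should report which blocklist entry the password collapsed to so the user can see why "P@ssw0rd1" is not an improvement on "password".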
Transcript
So you're actually going to publish this? Each one? I generally thought we were gonna... I was gonna
have to add five to every podcast episode number instead of four, just to, uh... I had one of
those neck mohican moments in the shower on Saturday night. It's like, crap, I haven't pressed
publish. I haven't done it. Why don't you publish straight away? Like, what's the thing with you
waiting until... Well, when I say I hadn't pressed publish,
it means I also hadn't done all the other steps before it,
including editing it and downloading it and downloading it and editing it.
It was kind of a sequence.
We are professionals here.
There's nothing to edit.
You literally, after we hit end, you say download and then upload and hit publish.
That's all you have to do.
This is from One Take Malik.
One Take Malik has spoken.
Yeah, One Take Malik.
And also, if you want professionalism,
you know which other podcasts you need to listen to, right?
No, I don't.
You're listening to the Host Unknown Podcast.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all to episode 162. 162.
Good enough. Of the Host Unknown Podcast.
Welcome, dear listener.
Well, thank you.
Thank you for tuning in.
We know it was a little bit late last week.
I blame Javad, frankly, just because he's there.
And you need a scapegoat, right?
Yeah, I don't know.
A scapegoat.
Yeah, exactly.
Especially given the trouble we've had with the jingles just now as well.
And also, we didn't expect Jav to be here this week.
So that kind of threw us off.
It's kind of awkward.
Graham turned up and Carole turned up and then all of a sudden Jeff turned
off and it was like,
Oh,
awkward.
Do, do... Why not? I mean, oh yeah, so I was actually away. I wasn't gonna be back today. Were you not? No, no, no. But, um,
no, I was gonna show up, just maybe not from home. Oh, okay, okay.
You couldn't have done that any other times?
I don't know.
No.
So you've been away this week.
Good times?
Work, right, presumably?
Yeah.
Presenting, doing all that sort of stuff?
Yeah.
Okay.
Moving swiftly on. Yay!
Andy, how are you? Good, thank you very much. It's been a great week for me. Fantastic. Why so good? Uh, because why not? Hey, I'm just trying to lift the mood.
Like, if you could see me, I'd be here dancing, like,
you know, trying to just try and lift the mood. Tom, how was your week?
Oh, it was very good, it was very good. Um, yeah, uh, well, I was in London a week. That was nice.
Uh, dinner with friends, dinner with work colleagues, uh, did a little bit of work in between times,
came back this morning,
got a little bit of Lego fun come through the post as well.
We see your Lego.
It's actually pretty...
It's more than an obsession now, Tom.
It is actually probably something you need help with.
Yeah.
Do you know what?
The thing that tells me I don't is I go on Instagram
and I see people who say, come here,
and they go down a set of steps and they open up this basement
that is filled with shelf upon shelves upon shelves,
filled, absolutely filled with Lego, and I think, goals.
You know, I am merely just a
beginner at this
unbelievable
I don't feel too bad about it actually
you know how like
some people they take the cyber obsession
a bit too far and they have NFC chips
implanted in their fingers and magnets
and everything
why would you have magnets?
so you can stick to the fridge door
or something, whatever. Yeah, but, um, they're like, hey, my five-year-old kid's painting from
school, so like they stick themselves on the fridge. But, uh, if you take off your shirt, do you have
those Lego circle things in your back implanted so you can, like, connect yourself? Lego nipples. He's part of a club where he swings with other Legoers.
Yeah, yeah.
So they check if they're compatible or not by the way.
Or do you have to work your way up?
Do you start at Duplo level and then you go all the way up
to like Lego Technic or something?
Yeah, exactly.
Well, you know, what is it?
An adult fan of Lego, an AFOL, I think is the phrase.
Oh, it sounds like that, but I don't think that's how it's spelled.
Yeah.
Talking of things that sound rude but really aren't,
shall we see what we've got coming up this week?
This week in InfoSec, reminisces about simpler passwords.
Rant of the Week looks at a layer 8 problem.
Billy Big Balls is the SEC no longer messing around.
And Industry News brings the latest, greatest news stories from around the globe.
And Tweet of the Week could be a trip down InfoSec memory lane.
So let's move on, shall we, to our favourite and memorable part of the show,
the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And our first story shall take us back
a mere 12 years, to, I want to say, in or around the 18th of July 2011, when Microsoft Hotmail announced that
it would be banning very common passwords such as "one two three four five six" and "I love cats".
And so it appeared this story... they actually announced it on various dates, because I did a
bit of research this week to actually fact-check stuff. Um, the story did first appear around this week
in sort of 2011, um, but it also came up again in 2021 and sort of 2018, and, you know, they seem to
announce it a lot. Um, but the general consensus at the time, and this tells you what was going on at
the time, is that this was a wise move. Uh, and so one of the commentary was, "As data from the Gawker password hack,
the HBGary Federal hack, and the Booz Allen Hamilton hack,
and many others have shown, obvious passwords are abundant."
So if you can remember those hacks, they were like big news stories.
HBGary, bloody hell, that guy's a hack.
I know, fantastic stuff.
But yeah, so they said, you know, people consistently choose poorly.
Blocking the use of these obvious passwords might be a little annoying
for those who want to use them, but it's a move that's in everyone's best interest.
Was this one of the first occasions that a company passed this kind of rule,
as it were?
I think it was certainly a company of that size.
Yeah.
If I consider the amount of accounts I've lost
because I used rubbish passwords
and they were just, you know, someone else hacked them.
But, you know, they were accounts I didn't care about.
It's not like, you know, they were used for various...
Shenanigans.
Testing activities.
Sorry, yeah, that's what I meant. Test accounts. Um, but also at the time,
which I like, in 2011, was, um, they said, "And if an account does get compromised, there's a new feature
to handle that situation too. So if a friend on Hotmail sends you spam or fraudulent mail, you can
now report that their account is hacked."
The feature called My Friend's Been Hacked
will block their account
so the spammer can no longer use it.
Next time your friend tries to log in,
they'll have to go through an account recovery process.
Now, I do not ever remember this going mainstream.
No.
And I'm wondering whether it's because it would be abused.
Because if you guys... I would literally click,
my friend's been hacked every time you guys sent me an email.
That's right.
Just for the sheer hell of it.
Well, in fact, the only email you'd get from us is an email saying,
we think your account's been hacked.
You need to reset your password.
So let's face it.
I mean, it would a like a perpetual energy machine
wouldn't it? Absolutely, yes. But, uh, yeah, I don't... Obviously the password feature list from Hotmail,
that's made it mainstream, and, you know, I think you can get plugins for your corporate Azure Active
Directory and stuff these days. So, um, you know, very useful feature. The other one, I don't think that's
happened, but it's something that, you know, Instagram and the likes of those could probably benefit from. Yeah, um, certainly a lot of social media accounts. But yeah, no, good times. Um, but our
second story takes us back a mere 33 years, to the year of my birth, believe it or not, again. Um,
why do you laugh? What's so funny about that? So this is the 27th of July 1990. The case of United States v. Riggs was decided.
So Robert J. Riggs, a.k.a. Prophet, had stolen the Enhanced 911 file from BellSouth.
And then co-defendant Craig Neidorf, a.k.a. Knight Lightning, had published it in
Phrack magazine. Uh, now I love this story, and this is like one of those true, like, trip down
infosec memory lane so I used to read a lot of books on my train journey into London when I
first started working in London in the late 90s and this story was covered in uh do you remember
Bruce Sterling's book called The Hacker Crackdown? Yeah, yeah, fantastic. But covering Operation Sundevil and all that, you know, the...
It was about the hacker community thriving in the late 1980s. Um, so Phrack magazine was one of the
most popular platforms for sharing information back then: knowledge, exploits related to computer
systems, telecommunications, all of that.
One of the contributors to Phrack was Craig Neidorf, a.k.a. Knight Lightning. And in 1989,
he published an article called "Phrack E911, the theft of services". And it detailed the inner
workings of the 911 emergency call system in the US.
And it specifically discussed vulnerabilities in the enhanced 911 system of Bell South, which is a telecoms company.
Now, that article, you know, the information raised concerns across the authorities. We know what it was like back then. Like, you know, people saying, oh, you're going to bring down satellites or whatever by whistling down a phone. Um, so BellSouth accused Neidorf and, um, Prophet of stealing
this information, uh, from their telephone, uh, company. Said it's like sensitive information,
proprietary, all about the company's emergency services. So as a result of this publication,
um, they both got arrested. They faced legal troubles, charged with various offences, from
like computer fraud, unauthorised access to computer systems, theft of intellectual property. Um, Neidorf
alone was facing 31 years in prison after he was arrested, uh, and he was charged with, you
know, receiving this stolen document from BellSouth and distributing it online. Um, and BellSouth, you know, in their defence, they said this document,
it's the inner workings of the enhanced 911 system.
It's worth 80,000 US dollars.
You know, and they came to this figure.
They showed their workings, included the value of the VAX workstation
that the document had been typed out on.
Right.
So this is how, you know, things were done.
So this actually got, you actually got so much attention.
It was a massive landmark trial in the history of hacking
and sort of internet culture.
But obviously from the sort of hacker culture side,
lots of people saw it as an attack on the freedom of information
and the crackdown on the hacker community just in general.
But the charges were dropped when it was revealed that the document was not,
as initially described, you know, this source code and inner workings of the system,
but rather it was a memo.
And a more detailed document could actually be ordered direct from BellSouth for $13.
And so, you know, this whole thing was just...
But the whole episode sort of, you know,
highlighted the ethical and legal challenges
surrounding the sharing of information
back in the hacking community.
The, you know, probably one of the first cases
of responsible disclosure, you know,
the need for responsible disclosure
or sort of respectful engagement when dealing with sort of confidential information. Yeah, but the proceedings,
formally known as United States v. Riggs, as we said, but this was also the catalyst for the founding of
the Electronic Frontier Foundation. So this story alone is just filled full of history. This is like the origins. It's like the prequel to the
origin story. This is Rogue One. Yeah, yeah, this is great. Listen, it's funny, like, you read the
story and it's almost like walking out of a restaurant with the menu and then getting
charged for stealing, like, secret recipes. It is. Charged for the food that is on the menu. Yeah, yeah. It's, uh, it's just ridiculous. You see how far,
you know, how far removed from reality the prosecution was back in the days. And
well yeah last week we spoke about about Kevin Mitnick as well
and some of the charges that he put against him.
And you know what?
It reminds me of, and I can't find any mention of this online,
but years ago, before the Computer Misuse Act and everything,
a couple of guys broke into the Royal Family's...
They had something that was a prequel to Ceefax
or something. It was just like, right, um, a TV programming thing or something like that.
minitel or something like that maybe something like that and then they found them but they
couldn't find a law to prosecute them under and so what they did is they charged them with theft of electricity
because when they logged in remotely, it caused the disc to spin up,
which used more electricity for Buckingham Palace than otherwise it would have.
Which we pay for anyway.
Yeah, yeah.
See, the authorities don't change.
They will find something to pin on you.
Yeah.
I just can't believe how
incompetent the prosecution were in this Riggs case, given that you can order the document,
you know, a more detailed document, for $13. How could they hand on heart say $80,000? Oh, by the way,
there's this other document for $13. I find that very odd.
Very odd.
It's just bruised egos and wanting to do something.
It's like they were hurt.
Someone hurt their feelings.
Exactly.
So now they wanted to do something about it.
Don't focus on the vulnerabilities in this system
and all the damage it can be done.
Focus on how much my butt hurts.
Yeah.
Excellent. Thank you Andy for
This Week in InfoSec.
Recording from the UK
You're listening to the Host Unknown Podcast
Now, our more astute listeners may have worked out that the jingles that are going to be used in this episode
are the same as the jingles that we used in the last episode
that Jav and Andy edited and recorded without me
because they're all laid out at the moment in, uh, usage order, which is very handy
for me given that my system has just stopped working. You're welcome. Yes, my pleasure, my pleasure.
No, thank you is what I meant to say. Let's move on to... Listen up! Rant of the Week. It's time for Motherf***ing Rage.
Right, this is a rant in many parts, as it normally is.
So let's start on the traditional route, shall we?
VirusTotal today, well, maybe not today, maybe the other day, issued a mea culpa
Saying a blunder earlier in the week
By one of its staff
Exposed information belonging to
5,600 customers
Including the email addresses
Of US Cyber Command, FBI
And NSA employees
Which probably isn't too difficult
You just, you know, john.smith
at nsa.gov, and work from there.
But the unintentional leak was due to the Layer 8 problem,
or, you know, otherwise known as human error.
June 29th, an employee accidentally uploaded a CSV file of customer info
to VirusTotal itself, said Emiliano Martinez,
tech leader of the Google-owned malware analysis site.
This CSV file contains some limited information of premium account customers,
specifically the names of the companies, the associated VirusTotal group names,
and email addresses of group administrators. So not too much.
Now, why is someone uploading a CSV? Well, if you don't know, VirusTotal actually allows its
customers and its users, its netizens, as it were, to, among other things, upload files, submit URLs,
and the site runs the material through various malware scanning engines see if anything
malicious is detected so if you've got concerns about a site or a file or whatever you upload it
the premium subscribers can then subsequently download those samples and that's how
an uploaded csv file was accidentally leaked,
so it was posted and made available.
VirusTotal say, "We removed the file,
which is only accessible to a small group of people," blah, blah, blah.
And the employee had this list in the first place
because the customer data was critical to their role.
So a couple of
things here. One, stupid mistake. This sort of thing shouldn't happen without a shadow of a doubt.
VirusTotal seems to have done the right thing. I'm sure there are plenty of commentators out
there who are jumping all over this and saying, this is outrageous, you know, companies like this should know better, we
should plan better, etc. But can we also rant about the fact that very often these sorts of
things are taken out of context, are blown out of proportion, and we don't really need to make
headline news every time somebody makes a genuine mistake, especially one of this nature, which...
Excuse me, which...
But no one died, right?
No one died.
No one's going to die.
Well, hopefully.
Well, of course, somebody will eventually,
but, you know, not about this.
And, you know, much of this data
is probably available on LinkedIn
or easily worked out, like I said, john.smith at NSA.gov or whatever.
Yeah.
But, of course, in this, well, I almost want to say cancel culture
when it comes to, you know, when there are breaches or whatever,
people jump up and down and shout and scream from the sidelines
about, you know, how
irresponsible, how terrible it is, blah blah. Actually, we need to get a sense of perspective
on some of these things, and hopefully the regulatory bodies will as well. You know, so
hopefully VirusTotal will be looked upon... well, it's a US company, so actually they won't be
looked upon at all, probably. But, uh, will be looked upon somewhat favourably as regards that this is,
you know, unfortunate, shouldn't have happened,
but is in the great scheme of things, not a big deal.
So, yeah, kind of a double-edged rant of the week.
Shouldn't have happened without a shadow of a doubt.
And that layer 8 problem, that human being, needs to be addressed. No, no, completely wrong. I mean, like, we shouldn't shout from the sidelines, says man who does Rant of the Week
every week on this podcast. Jump up and down unneedlessly. I've been accused of many things;
consistency is not one of them. Yeah, actually, what one of the problems of this is, when you condone this sort of behaviour,
you know, while this might be a small thing, it's a bit like a little kid who steals just
a penny sweet from the shop, which is probably worth about 20p now, not a penny anymore. Yeah,
you know, regardless. No, a half a penny, you know. And, um, you know, they grow up and they get
involved in, like, bank robberies or something.
And so you need to stop the rot.
It's a gateway.
It's a gateway drug.
That fruit salad is a gateway drug.
It is.
Because, and I'll just post the link in here now because I just found it while you were talking.
Small child.
No, no, no. The Ministry of Defense has launched an investigation after emails containing classified information
were sent to a close ally of Russia.
And what it is, is that the emails were intended
for the US military, which uses the domain name .mil.
And they missed out the letter I,
so the messages went to the West African nation of Mali.
Yeah. Whose domain name is .ml. Now, you see that? Now that you can talk about... Well, people can die from
a typo. I didn't say he couldn't die from a typo, but the data was not confidential in that sense.
This data is. Yeah, I mean, I'm saying it's the same error. The ministry should have some kind
of DLP or something. You want to nip it in the bud. We need to nip it in the bud. Yeah, yeah. Okay, right.
It's a reach. I don't know, Jav, it's a reach. I don't know. Andy would never make that... Well, he would make
the mistake, because his ones would autocorrect to .milf, isn't it? Fortunately, I own that. That's known for his reach-arounds on these,
just because you don't want to admit that i'm right
as always no but you are very good at them i have to say
Right, excellent. Thank you. Well, thank me. That was this week's... Rant of the Week.
This is the podcast the King listens to.
Although he won't admit it.
Right, Jav, it's time for you to talk about your favourite criminal of the week.
It's time for...
The Rant of the Week. Time for... So, yes.
So, after that limp performance by Tom,
I'll raise the standards once again.
So, the SEC, the US Securities and Exchange Commission,
they put the SEC in sexy,
have now come up with new guidance
for public companies
that suffer a computer crime
likely to cause material,
and I'm using air quotes
when I say material,
hit to an investor
will soon face a four-day time limit
to disclose the incident
according to rules approved.
This is for American companies or American registered companies?
American public companies. So Europe has 72 hours, the US give four days?
Yeah.
Okay.
So the details are like, you know,
they require publicly traded firms to openly disclose
in a new section item 1.05 of Form 8-K
any cybersecurity incident that has material impact on their business.
And the companies must make this determination
without reasonable delay according to the new rules
if they have four days to make it and what have you.
So it's all really, really interesting stuff.
And the commentary on this has been really good across the industry,
because I obviously don't have any thoughts on this because I'm not a publicly traded U.S. company myself.
And I have no idea what Form 8-K is. But the biggest thing is, like,
there's no definition really of material. What's a material hit, given? And so every lawyer or every internal law will just say, oh, you just lost 50,000 customer records. That's not material.
If it had been 55, we would have considered it being material. And
I think that's where a lot of this will go around. I saw someone on LinkedIn describe this as
the Sarbanes-Oxley for cybersecurity, and most of the comments were like, yeah, but SOX has teeth. Let's see how far this gets. So it's, you know, I get the intention
and what have you. But I'm reminded of the quote that if you take a problem to a lawyer,
you're going to get a legal answer. If you take the same problem to an engineer, you're going to
get an engineering answer. If you take the same problem to a mathematician, it'll give you a
mathematical answer. If you take a problem to a regulator, that's the kind of response you're going to get:
let's out-regulate this, you know, or let's introduce some more compliance rules and forms
and what have you. When all you've got is a hammer... Yeah, exactly. I should have gone with that. But having said that, it's still a Billy Big Balls move by the SEC.
Yeah, why?
Why?
Well, they need something, right? It's a start.
But hang on.
Long overdue, but it's a start.
It's a Billy Big Balls move for something that's 30% slower
than what the EU has had in place for the last God
knows how long. Well, you know, we're talking about our slightly slower cousins across the pond.
And also, I can see you scrabbling, because it was a story you were given, right?
As every week, and like a true professional,
I take the stories I'm given.
You're leaning into it.
You know, this is why I think I would be the perfect Fox News anchor.
Just give me any stories.
I can spin it whichever way you want.
Do you know what?
If you applied to be a Fox News anchor, they'd have you in a snap.
I mean, you know.
I'm just asking the questions, man.
I'm just stating the facts.
If you don't like it.
I'm just reading the script, man.
Yeah, yeah.
So this is what it's turned into.
Like, you know, they must disclose it if it's a material hit.
I'm saying Billy Big Balls.
And now we're arguing over the definition of whether this is a material story,
whether it actually hits a Billy Big Balls thing. Are these balls material enough?
So if your data was leaked by a US company, would you be willing for them to be indefinitely
allowed to not disclose it? Or is four days a big step forward? I think it's a big step forward,
Tom Langford. And if you don't like that, you hate freedom. You hate personal privacy protection rules and shame on you and the
communist boat that you rode in on. And you obviously hate America. Sorry, America.
Brilliant. All right, I'll give you that one, Jav. That was definitely a very good...
Billy Big Balls of the Week.
You know it's good because all you can hear
is the asthmatic laughing of Andy in the background.
People who prefer the Smashing Security podcast
over the Host Unknown podcast
are statistically more likely to enjoy the Harry and Meghan documentaries. Read into that what you will.
I think that jingle's going to age like milk very, very quickly.
I think it has aged like milk.
People are like, who's Harry and Meghan?
Exactly right.
That was the last time we edited the...
That's right.
That's right.
It was a while ago, right?
It was funny at the time.
Topical.
And talking of time, Andy, what time is it?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry News
Booz Allen pays $377 million to settle government fraud case.
Industry News
Cyber attack strikes Norwegian government ministries.
Industry News
Industry coalition calls for enhanced network resilience.
Dark web markets offer new fraud GPT AI tool.
Industry News.
Group IB founder sentenced in Russia to 14 years for treason.
Industry News.
SEC wants cyber incident disclosure within four days
What are the chances of that?
Industry news
Supply chain attack hits NHS ambulance trusts
Industry news
NCSC publishes new guidance on shadow IT
Industry news
OpenAI, Microsoft, Google and Anthropic form body to regulate AI.
Industry News.
And that was this week's
Industry News.
Huge
if true. That last
headline you mentioned there about
Open AI, Microsoft, Google and Anthropic
forming a body to regulate AI. That's like
NatWest, Barclays, HSBC forming a body to regulate banks.
I was going to say, I'm interested in the story that he mentioned
about the SEC once cyber incident.
It's fascinating to me.
I wonder why four days.
Yeah, I mean, it's 30% slower than the, you know...
Did you see that Group-IB founder who's sentenced in Russia, uh, to 14 years for...
Obviously Russia, we know, um, you know, very rigid justice process. So this is justice.
Apparently this guy was arrested, um, like for criticising the government's response to ransomware attacks.
And obviously, he's been out of the news since because, you know, for reasons.
But his whole trial was held behind closed doors because they said it involved state secrets.
And so no one else could... So they're like, yeah, it's a very swift process,
but it's all like totally above board.
Yeah. 14 years for treason.
Yeah. You know, be lucky he's not dead.
Well, I'd be lucky if he makes it through to the 14 months or weeks or days.
Yeah. It's amazing he even made it to trial.
I mean, he could have fallen out of a window or something.
It's just...
I was going to say, they're going to give him a prison cell
at the very top of the multi-storey prison that he's in, right?
Yeah.
Dear me.
It's such a shame.
I want to know more about this SEC one.
Cyber incident disclosures within four days.
Yeah, it's a non-story.
Or it's a very bold move from the SEC, actually.
It is, it is.
Well, it depends.
I mean, I wasn't asking you, Andy.
I was asking Jack, you know.
So I'm looking at the fraud GPT circulating
on the dark web and telegram channels.
So there's, like, all these variations, spin-offs of ChatGPT, like WormGPT and
what have you. And I've seen some... someone showed me a demo of this from a phishing
perspective. Oh yeah. And because, like, where I work, they were doing a proof of concept
to see how it could do. And they can't concept, right? That's what the ethics committee said to
call it, right? They canned it. Because you don't... can you... you just...
there's no worth knowing how far it would take it. And that's the problem. So you would say, send a phishing email to, say, Andy,
and then you'd say, okay, I've looked on LinkedIn.
This is who Andy reports to.
These are some of his colleagues.
These are some people who are reporting to him.
And then they, so it will craft a very convincing phishing email.
And then if Andy replies to that email saying,
hey, this is very unexpected,
it will reply again and it'll say like,
you know, oh, I've spoken to so-and-so
and so-and-so and this and that.
And it can keep the conversation going
until it gets you to believe
or bail out on the conversation altogether.
So it's, you know,
it really does streamline that the whole process
And even on ChatGPT you can ask it to say, write an email on behalf of HR asking
colleagues of X company to fill out a Google Form, and it'll write a very, very good email for
you. And then if you say to it, oh, someone's replied saying, I don't believe you,
this doesn't look secure. It'll reply to that saying, we understand. And it'll be very reassuring.
You'll say, we understand. Thanks for pointing it out. Security is our number one priority.
Rest assured, this is all right thing. If you have any further queries, you can reach out to,
you can read the security policy and it covers all of this. It kind of bamboozles you with stuff as well.
So I think it's just going to be the more way to go.
But it's...
It doesn't actually change the attack.
No.
It just increases the level of scale that they can attack.
The speed, the scale, and, you know, if English isn't your first language,
then it just sorts that issue out for you as well. But when you look at the defences,
they're exactly the same. Is it unexpected? Is it trying to trigger an emotional response? Is it
a sense of urgency? Yeah, yeah, yeah, that's right. Does it want me to buy some gift cards from Target? And why are they asking me to get them from Target? I live in the UK. Yeah.
Yeah, right. Anything else on there? I see you're hovering over the NCSC there, Andy.
I did. Well, I did actually just click into it and I just thought, actually, this is quite detailed.
It's NCSC guidance, right?
It's not going to be a quick paragraph.
And on shadow IT as well, that's an interesting one.
It's kind of like quite an oldish problem.
Yeah, so they're sort of... Ultimately, it's important to acknowledge shadow IT
is rarely the result of malicious intent.
It's normally due to staff struggling to use sanctioned tools or processes to complete a specific task. Yeah. Basically, don't tell people to not do stuff if you can't tell them
how to do stuff. Exactly. Yeah, so it's really pretty much, if they're resorting
to insecure workarounds in order to get the job done, this suggests that existing policies need refining
so staff aren't compelled to make use of shadow IT solutions.
Policies and services, more to the point.
Exactly.
If they're using file sharing because all you've got is a crappy old SFTP site,
you need to start investing in...
What's wrong with SFTP?
Yeah.
At the command line? Yeah? So, well, well, you need a GUI
these days. Oh, what are you, Gen Z? Jeez, man, you're spoiled. Just ask ChatGPT to write you the command
line and it will do it for you. Upload this file. Yes. Yes, you type out the binary numbers for that file. Yeah, in the command line.
I'll put this file to sftp.somewhere.ml. Yeah. So, speaking of just, like, AI and ChatGPT and what
have you, and this is the last... this isn't on the list of stories, but I thought this was relevant. So there's a pizza maker company called Zume, Z-U-M-E, and they had, like, a basically automated process of making
pizzas, and they raised half a billion in funding in Silicon Valley. But they've actually
recently shut down because robots
could not figure out how to
stop the cheese from sliding off the pizza.
So...
Unbelievable.
I'm sure it's set up for a gag.
I'm trying to work that out.
No, no, it's an actual story.
I'll put it into the show notes. There you go.
This is like... Do you remember the dot-com boom,
where all you had to have was a dot-com?
Yes.
And then also investors, like VCs, were chucking money at it.
This sounds like that.
Anything that ends like dot AI, and our investors are like,
I've got to get in on the ground floor of this one.
Yeah.
Because crypto's gone sort of like all quiet, hasn't it?
Yeah.
It's gone quiet in a sunny bolo tree detector.
But I saw this.
Actually, I was looking at some stuff yesterday about.
Were you just trying to order pizza?
Is that how this came about?
No, no, no, no.
So I just, if you do a search for millionaire crypto dead,
there's at least four stories that come up. There's one,
millionaire crypto Fernando Pérez Algaba, who was found in Argentina cut into pieces and in a
suitcase. There's a Dr John Forsyth, a prominent figure in the crypto space, an ER doctor, was found dead on 30th May with a gunshot wound.
Bob Lee, Cash App founder, died from multiple stab wounds.
And Bitcoin billionaire Mircea Popescu drowned in Costa Rica.
So I think there's a trend happening here.
That's why you don't see many people, influencers, pushing a lot of crypto these days.
Because they're, you know, getting knocked off faster than some Russian informants.
That Jason Bourne fellow actor, he needs to look over his shoulder a little bit more because he was pushing a crypto as well, wasn't he?
Musk was as well, wasn't he? Musk was pushing Dogecoin. Yeah, I invested in Dogecoin on the back of
that. Wow. I'll tell you what, Tom, I've got these magic beans here you might be interested in. Well,
why don't you tell me about those Cummies that you invested in? Hey, my Cummies are still going strong.
Are they really?
What's your gain so far?
Well, it's probably about, what, minus 63%. I don't know.
But compared to...
Well, I was going to say, compared to Solana
and some of the other coins I've got,
that's not doing too bad.
They're sort of like minus eight.
They start with a minus 80.
Well, I mean, you know about my experience with any Bitcoin, selling at 7,000 about four
weeks before it hit 42,000. They're like, what the hell? Ridiculous. Anyway, that was just... buy shares.
Oh, sorry, no, go on, go on.
I was saying just buy shares in Lego and it'll be a self-sustaining cycle.
Yeah.
Lego and Apple.
Yeah.
Lego and Apple.
Anyway, that was this week's.
Industry News.
We don't research the story,
but let us tell you what we think
based on the headline.
You're listening to Insights from the award-winning
Host Unknown podcast.
So coming up, we've got something we're going to have to rename,
actually, aren't we?
Yeah.
Because it's now time for...
Tweet of the Week.
And we always play that wrongly named one twice. Tweet of the Week.
Tweet of the Week. X of the Week.
Mr Musk, you
will be receiving a
invoice for us to have to
change this jingle. 12 quid.
For 12 pounds.
1,000 Dogecoin.
Tweet of the Week is from
Rufo, and they have very handily... and so this is a story from
Tom, so we're actually, like, posting each other's stories this week. We're actually feeding each
other things to post. So Tom's giving me a great visual to try and explain to people.
But it's a guy who has... a stupid guy. So when you get these gift card scammers,
you know,
people trying to scam you and then ask for photos of the card so they can read
the serial numbers and then like,
you know,
purchase them while they're still in your possession.
And what he's done is that he sends photo,
he says,
sending Goatse to gift card scammers.
He says,
I've got my first gift card scam tech,
so I decided to play along.
I sent them Goatse when they asked for photos of the cards.
I know it's an old reference, but damn, it was satisfying.
And yeah, so I guess, I mean, Tom, I didn't really understand.
Well, this is what I was going to ask.
I mean, what's the big deal about goats?
Obviously, you know, they're quite fun if you like goats.
I'll explain it because I
know both you get embarrassed about this sort of thing. So Goatse is, and trust me when I say
this, if you don't know what Goatse is, do not search for it. Or if you are strong-stomached, do not search for it on a work device
or a shared family device.
Goatse is, I don't even know why it's called Goatse,
but it's basically a picture of a man bending over, naked,
as you can imagine, so last chicken in the shop already,
hanging from the window.
With his hands, how can I put it?
Making a large hole with his rectum.
So it's quite an unpleasant thing to look at.
I mean, even if you're into that sort of thing anyway,
it's not the thing you want to look at.
And it's become a
bit of an internet meme. So, you know, there's accidental Goatse on Reddit, so there's lots of
things that, you know, look like that sort of thing, etc. And so it's become a bit of a thing. And in
fact it was, I'm trying to remember... it's the original shock site, isn't it? Yeah, shock
site. I think friends of Alison, and I'm trying to remember her surname.
She used to be a fan of these and sending these around to everybody as well.
So, yeah, so it's a shock image.
This is the old school Rick Roll.
Yeah, the old school trollable Rick Roll. And also, sorry, Mum.
Yeah.
So, anyway, do go on.
So, that's it.
Like, you just literally, you get the scammers and you send them photos of Goat Seed instead of the actual card.
I thought there was more to the story.
There was more to the story, Andy.
Oh, is there?
How much further did I go?
So, carrying on.
Gift card scammers hit me again.
So, they got goat seed.
Think I found a new horribly stupid way to ruin a scammer's day.
Is this goat sec?
And then a short while later, they posted again.
So, it turns out that they were part of the security awareness training.
I passed, but I have to talk to HR.
So, do you know what?
I did not read this far through the messages.
What?
I thought these were just all different times where he got scammed.
No.
Oh, man.
And then the final one, sorry.
The final one is to clarify all messages were sent to and from my personal cell number.
No corporate assets were involved.
I was asked kindly to not do that again,
and I asked them not to use my personal number.
Fair play, I'd say.
Absolutely.
I completely missed the fact that this was part of an awareness
campaign. I feel this is just someone getting back at scammers. I wondered why you didn't
immediately jump on it and use it as a Tweet of the Week, and I had to, like, you know, crowbar it.
That's genius. I just thought it's, like, a good old reference to, you know, the old...
you know from what I've learned today
is something called Goat Sea.
Yes. Poor
naive, innocent Andy.
Exactly. Is that how you
pronounce it? Goat Sea?
Is that correct?
For your birthday, Andy, we will get you a
boo cake
I don't know what that is, it's a kind of cake
that you might enjoy
A boo cake?
A boo cacky cake
is it?
No!
Oh dear
that was, I'm so
lost now, that was this week's...
I have no idea where to go from here.
Home, let's call it.
Let's call it.
Let's call it.
Jav, thank you very much.
I do hope...
Well, thank you for your contributions, charm, good looks and everything else, blah, blah, blah.
And I do hope your weekend goes swimmingly.
Thank you. That's very kind of you.
I wonder what when the ask for money or something comes up.
But thank you. Wishing you both the best, and our listener too.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to
the Host Unknown podcast.
If you enjoyed
what you heard,
comment and subscribe.
If you hated it,
please leave your best insults
on our Reddit channel.
Worst episode ever.
r slash
smashing security.
I'm going to have a lot of explaining to do to my mother.
Good thing she's the only one that listens to the podcast or we'd be cancelled so hard.
I know it's too late by now, Mum, but don't listen to this one.