The Host Unknown Podcast - Episode 163 - The Sombre Episode
Episode Date: August 4, 2023

This week in InfoSec (11:56)

With content liberated from the "Today in Infosec" Twitter account and further afield

4th August 1998: Microsoft published a critical security bulletin MS98-010, titled 'Information on the "Back Orifice" Program'.
Microsoft Security Bulletin MS98-010 - Critical
https://twitter.com/todayininfosec/status/1423037189714219020

27th July 2000: In security bulletin MS00-047, Microsoft thanked PGP's COVERT Labs and Sir Dystic of Cult of the Dead Cow for reporting NetBIOS vulnerabilities.
Patch Available for 'NetBIOS Name Server Protocol Spoofing' Vulnerability
https://twitter.com/todayininfosec/status/1287934373019385861

Rant of the Week (18:31)

Brit healthcare body rapped for WhatsApp chat sharing patient data

Staff at NHS Lanarkshire - which serves over half a million Scottish residents - used WhatsApp to swap photos and personal info about patients, including children's names and addresses.

Following a probe, the UK Information Commissioner's Office (ICO) has now issued a heavily redacted official reprimand to the organization, which oversees three hospitals plus clinics and more across rural and urban Lanarkshire in the Central Lowlands of Scotland. It said a group chat created in March 2020 – just as the UK government issued the first COVID lockdown – was in breach of Article 58 of the UK GDPR.

Information was shared between 26 staff for more than two years – from 1 April 2020 to 25 April 2022 – over hundreds of entries within the WhatsApp group that included adult and child patients' names, plus hundreds of patients' phone numbers, many dates of birth, and at least 28 home addresses, "15 images, three videos, and four screenshots."

Some of this info included clinical information, and therefore "special category" data in breach of Article 9 of the UK GDPR.

Yes, on their actual work phones, using software provided via the NHS portal.

The staffers were using copies of WhatsApp downloaded directly via NHS Lanarkshire's portal on their work phones, it emerged, but someone, whose name was redacted, was added to the group "in error." That "unauthorised individual" was given access to "four students' names and student numbers, one child's name, and two children's names and addresses."

The ICO noted that since WhatsApp stated it was an encrypted platform, staff thought it would be secure. This, the watchdog said, "demonstrates that information governance expectations regarding WhatsApp were not understood by staff involved in the WhatsApp Group."

Billy Big Balls of the Week (31:21)

[The fact the government doesn't even try to hide what they do and gaslight the country by saying it would be the worst intelligence failure of their time is a BBB move to me - but I'll let Jav decide 😀]

White House: Losing Section 702 spy powers would be among 'worst intelligence failures of our time'

The White House has weighed in on the Section 702 debate, urging lawmakers to reauthorize, "without new and operationally damaging restrictions," the controversial snooping powers before they expire at the end of the year.

Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the American government to monitor electronic communications of foreign persons outside of the United States [PDF], and people they confer with, including US persons. While it's supposed to be used as an intelligence tool — to prevent terrorist attacks or track down similar targets — it's also at times abused to conduct warrantless snooping on Americans including protesters, campaign donors, and elected officials.

The controversial law, introduced in 2008, is up for renewal at the end of the year, and the US intelligence community has been frantically lobbying to keep these surveillance powers. FBI Director Chris Wray said last week that Section 702 data was responsible for "97 percent of our raw technical reporting on cyber actors."

Now the White House has thrown its weight behind its intel services, arguing that curbing the legislation or letting it drop would be "one of the worst intelligence failures of our time."

Despite unanimously recommending that Congress renew Section 702, the PIAB's report [PDF] does acknowledge that "complacency, a lack of proper procedures, and the sheer volume of Section 702 activity led to FBI's inappropriate use" of the surveillance powers to query US persons.

Industry News (37:04)

NHS Staff Reprimanded For WhatsApp Data Sharing
Canon Inkjet Printers Expose Wi-Fi Threat
AI-Enhanced Phishing Driving Ransomware Surge
Hundreds of Citrix Endpoints Compromised With Webshells
Cocaine Smugglers that Posed as PC Sellers Jailed
Humans Unable to Reliably Detect Deepfake Speech
Menlo Leverages Advanced Technology to Combat Surging Browser Threats
Microsoft Teams Targeted in Midnight Blizzard Phishing Attacks
Hacktivist Collective "Mysterious Team Bangladesh" Revealed

Noteworthy mention: Security Serious Unsung Heroes Awards 2023 Open for Nominations

Tweet of the Week (47:23)

https://twitter.com/Sheriffie/status/1686864006160711680

Come on! Like and bloody well subscribe!
Transcript
I also cook
yeah
I'm just
I also
see so
oh dear
that would be
a good movie
like you know
you're all
come on it
wouldn't it
be such a
cult niche
industry like
you'd have all
the IT
you'd have every
department
what the fuck
so special
about a CISO
exactly
but he also cooks
meth
breaking CISO
that's the job for AI
let's reimagine movies
with the CISO as the lead
we've ascertained
the next Host Unknown music video.
I was a CISO, but I'm also a chef.
Yeah.
I think the video visuals need to be done in the style of the Beastie Boys' Sabotage video.
Oh, yes.
The seventies cop show with the fake tashes and the sliding over the bonnet.
You say fake, you two could actually generate those tashes quite easy
just by shaving that little part on your chin.
Yeah.
We'll get you one of those stick-on ones, Andy.
Or else I'll just need 18 months to grow one.
That's all.
You're listening to the Host Unknown Podcast
Hello, hello, hello, good morning, good afternoon, good evening
From wherever you are joining us and welcome, welcome one and all
To episode 163
67
167
Of the Host Unknown podcast.
Do you know what I've just noticed, I think for the first time,
in the show notes, it actually has the correct episode number
at the top of it.
I always put the correct episode number in song.
I have done for at least the last six weeks.
So you now admit it is the correct number?
Well, the number that you read, it's not.
It's the correct number, yeah.
Well, because otherwise you'll change it
and then I'll forget, you know,
we're going to jump another four episodes without...
Before we know it, we're going to hit 200.
It's our big 300 episode.
Gala.
We reached 300 weekly episodes
after just a year and a half.
Actually, no.
I mean, if you do the math, it's actually been eight years since I've been running.
If you do the what, sorry?
The maths.
Yeah.
With an S.
You haven't even been to the US in the last, like, four years.
It's been a while since I went.
Yeah, 2020 was the last time I was there.
Well, Jav's the only one who's travelling at the moment.
We need to do a points run, Andy, a points run.
I'm going to.
But I'll do it after November when I've got no status.
And I'll get that status back in a week.
Don't talk to me about BA status.
It's awful.
It's awful.
It reminds you of the, yeah, it's dark days that you... Yeah. If you hadn't seen
such riches you could live with being poor right now. Yeah, exactly, exactly. You know, we had some
family friends come around the other day and we were talking about airlines, and, like, their dad
used to work for BA as an engineer, so growing up they always... And they started going on about how the
quality's declined so much of BA, it's really gone downhill, and then everyone, like my mom, jumped in,
and everyone's like, oh yeah, it's really bad, it's the worst airline. I'm like, la la la la, I will not
hear anything bad about BA. I will not hear anything bad about BA. Even though when you do
in other airlines you realize you're getting ripped off by the...
Tom used to always be like that,
posting selfies in first class with his glass of champagne and stuff.
Yes, saying thank you for the upgrade, in fairness,
because that's how you get more upgrades.
Come on.
Yeah.
And also using your real name on social media.
Yeah.
Exactly.
So their social media team can let the
passenger locator team know that this person is giving us free publicity. Absolutely. You know,
and also, you know, tag it with my BA number and all that sort of stuff. Yeah, yeah. And
they also say like we're safe if anything happens on, if there's a hacker on the plane, we have a CISO on the plane.
He'll know exactly who to call.
And worst case, I can rustle something up in the galley.
Which brings us neatly round to spoiled food.
Jav, how are you, sir?
How have you been this week?
Oh, it's been a week of... It's been a rollercoaster week of...
Yeah.
Emotions and also my wallet, so...
LAUGHTER
What, you finally found it?
Were the two related? Yeah, yeah, he finally opened it in the bar.
Yeah, and it hurt. Oh man, it hurts so much.
But now I think things are all right. Came out of that bad boy.
well when you have everything on your phone now it's all contactless it's like
Although, pro tip, and I found this out a few weeks ago,
if you ever take the M6 toll, they don't accept contactless phone payments.
So like your Apple Pay or Google Pay, it's not accepted.
You need an actual physical card.
How can it tell the difference?
Technology man, Mr. CISO.
No, but it's a presentation of an NFC device, right?
Surely it...
I'm fascinated.
I'm not sure there's something in that communication.
That IDs it as a phone.
A card or a device.
That's ridiculous.
Why would you?
I don't know.
I was on my motorbike.
Why would you go north?
Why would you need to be on the M6?
I was at an event a few weeks ago,
and it was held in Manchester City's football club.
Not that I'm a football fan, but it was really good.
So I went there and I'm on my motorbike.
And most times I just don't even take my wallet now because you've got everything on the drive.
Because, yeah, you never pay for anything.
No, exactly.
Especially if I'm travelling with one of you.
Whoever I'm travelling with, oh, you're more senior than me.
I think you should get this.
All of a sudden I've become the
janitor, 30-year industry veteran. Oh no, you're more senior than me. Yeah, but I got to the
toll booth and I'm on the bike, so I'm already thinking, oh, you know, it's going to be a bit
fiddly having to take my gloves off to grab my phone and tap it, and, you know,
worried about, there's a queue behind me. Got my phone, tapped it once, nothing. Tapped it a second time,
nothing. Then I hear a voice through the intercom: no, you need to use a card, it doesn't take your
phone thing. And I'm like, I don't have a card thing. What, what, what year are you living in?
And then it was a painful process of him trying to get my details so
that he could send me a ticket on the... Unbelievable. On text or email? Send you a PayPal link? Yeah,
basically. You know, it's really funny you say that, because he wanted me to buy an Amazon gift card
and pay via that. So it was really... Was it, was it oddly expensive to get through that toll?
It was about £250, you know.
Oh, man.
Love it.
Love it.
Anyway, Andy, what about you?
How have you been? Good. It's been one of... I've had
some holidays, as you know, so my missus and little one went... Can you not tell by looking out
the window? Of course, yeah, I mean, those flash floods are fantastic as the canoe goes past the
window. Yeah, morning. So yeah, the missus was out, so I thought I would, like, while she's out the house for a couple of
days, I thought, mastermind frequently... Well, that's just standard anyway, but I thought I
would get decorators in to it. So we've had this black feature wall that's been there since we
moved in, in the living room. I've hated it, always hated it, so I thought, get the decorators in.
Obviously I decided last minute last week when I realized she'd be away for three
days. Yeah, it didn't work out. I spoke to a guy, he's like, yeah, yeah, I can get it done in a day.
Fuck me, here we are, he's coming back on Saturday, tomorrow. What, what else has he got to do?
Well, the wall was so dark it needed like five coats of paint because I've turned it cream,
and then he did like the skirting boards and the ceiling and the other walls as well. It's just
like the whole thing. So yeah, Mrs got back yesterday and it's like, the dining room's out of
use because all the stuff's in the dining room, living room's out of use because it's covered in dust sheets. It's like, surprise!
How'd you like your half-painted wall?
Yeah.
This is why it was better in the 80s and 90s, I suppose the 90s,
when you just used to slap a new layer of wallpaper on top.
On top of the lead paint.
Yeah, seven layers of wallpaper, extra insulation,
extra sound dampening, you know, had so many benefits.
Kept the plaster on the wall.
We're talking about things that were better in the 80s.
Tom, how was your week?
Yeah, very good.
Another week at home.
It looks like I'll be going into London a little less now.
But yes, very, very good.
Sorry to hear that, so we can never meet up. Oh no, so we can...
So we can not meet up less frequently. Yeah, yeah. Well, I'll be in next week, so there you go. Okay,
but yeah, I'm trying to think what, what I might have done around the house, actually.
Oh, I built the White House in Lego. Nice. Yeah.
So that was good.
I've been shifting my Lego around and wall mounting a lot of stuff because I found this guy who 3D prints Lego wall mounts.
So, yeah, half the stuff is now hanging off the wall.
So now I've got more shelf space.
Wall ceiling mounts, you know. Yeah, exactly. Under sink
mount, you know, everything is... Yeah, exactly. Have you ever been to Mercedes World? No. Where they've
sort of got suspended cars, exactly like that. Yeah, but they've got cars suspended
from ceilings. Like, I was just imagining that's what your place looks like now. Yeah, that's right. My little painted Spitfires hanging from the ceiling with fishing lines.
I miss those days.
I miss those days.
Oh, dear.
Anyway, talking about things that we really should be missing.
Let's see what we've got coming up for you today.
This week in InfoSec talks about orifices.
Again, again, we talked about that at the end of last show.
It was not a good thing to end on.
Rant of the Week discusses personal data in group chats.
Billy Big Balls asks you to think of the poor US government.
Industry News brings the latest and greatest security news stories
around the world.
And Tweet of the Week is some career advice.
So let's move on to our aptly named favourite part of the show,
the part of the show that we always call...
This Week in InfoSec.
In InfoSec.
It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the today in InfoSec Twitter account and further afield.
And this week we are going back 25 years to the 4th of August 1998, when Microsoft published a critical security bulletin MS98-010, which you guys are obviously familiar with, titled 'Information on the "Back Orifice" Program'.
Now, if you recall, Back Orifice was a remote administration tool, a RAT that gained notoriety in 1998 after it debuted at DEF CON 6.
It was a brainchild of Sir Dystic, who was a member of the US hacker organization Cult of the Dead Cow, the original CDC.
And according to the group, its purpose was to demonstrate the lack of security in Microsoft's Windows series of operating systems.
And obviously, Back Orifice allowed unauthorized individuals to gain access and control over Microsoft Windows computers without the knowledge or consent of the system owners.
So it was used... I think this is where I actually first learned the term script kiddies, back in, like, the late 90s, because it just, it was so powerful, it was so useful, it's so...
It's silent install, you know, it had a really useful GUI on it. Quickly became associated with
malicious activities and you didn't need any skill to use it. But it got considerable attention, you know, sort of from the hacking community, cyber security community, as well as, I think, corporates really started to pay attention to serious threats to infrastructures.
Yeah, I remember around about this time, I think it was, yeah, it must have been around about 98 or 97 maybe. I used Back Orifice and L0phtCrack to get budget for my very first firewall
on the end of my 64K leased line.
Oh, you guys were rich, rich.
You had money.
Yeah, yeah, exactly.
Well, we were all dial-up, individual dial-up before that.
And, yeah, so we got this lease line in, and it was like,
no, we don't need a firewall.
Surely we need something.
So, yeah, using a combination of those tools,
I got the leadership team's passwords for their laptops
and told them, look, I just came in.
I've got this stuff, and I think we might need a firewall.
The best thing is you can't, well, so the best,
you could do that back in the day.
Like you could crack people's passwords,
hand it to them and say, this is why you need to do this.
You can't do that these days.
Like companies get really antsy if you sort of, you know.
Yeah.
If you crack the CEO's password and hand it to him and say hey
But then, you know, also they wouldn't be none the wiser. They wouldn't be none the wiser back then
whether you cracked it using Back Orifice or whether you just went into the
admin group and, like, you know, just, like, you know, scraped it from plain text or something in whatever
system it was being held in. So yeah, that was, that was the magic of back in the day.
I never actually got it to work, you know, back orifice.
It just, like, used to pop up the calculator.
So what that means is basically you're not even a script kiddie level.
Apparently so.
I used to give people free, you know, the whole,
do you want a free coffee holder?
Oh, yeah, a free cup holder.
You'd send people an ICQ message saying,
do you want a free cup holder?
They said, yes.
You just ejected their CD tray and then sit at your desk laughing.
But you could get it to shut down their machine, couldn't you,
and send shutdown requests and stuff like that?
Yeah, but that's, yeah, it's more fun just to play with people,
like, you know.
Oh, I know, but then you'd cancel it,
you know, like, you know,
20 seconds later after they're panicking
and leaping around.
When your token ring cards popped out
and you drop off the network
and, like, you can't cancel it, yeah.
Token ring.
God, the struggles were real back then, man.
But anyway, our second story takes us back a mere 23 years
to the 27th of July, 2000,
when in a security bulletin, MS00-047,
Microsoft thanked PGP's covert labs
and Sir Dystic of Cult of the Dead Cow
for reporting NetBIOS vulnerabilities.
So, you know, in the space of two years,
CDC sort of turned from this group of nefarious people up to no good
to actually trying to make a difference in the community.
And it wasn't just about distributing hacking tools.
Yeah. Yeah.
So NetBios is still around now, isn't it?
It's kind of like... Yeah, that was fun. There's a program.
Go on. There's a program called Bitch Slap back in the day, which sent an out of band
signal to port 139. So what you have to do is you put in someone's IP address,
literally across the internet. And obviously all chat rooms used to have their people's IP address.
It was a Windows machine.
Put in that IP address, bitch slap them.
And it blue screened their machine.
It was like, because people didn't install patches back then.
No.
Well, patches were made available on floppy disks on the cover of magazines.
Yeah.
Yeah.
You had to pay for them.
Yeah. I mean. If I was logging
onto my internet, I was downloading
Kazaa or LimeWire tunes.
I wasn't wasting that time and
bandwidth on patches.
You were downloading tunes. I know what me and Andy
were downloading.
Excellent. Thank you, Andy,
for this week's...
This Week in InfoSec.
You're listening to
the Host Unknown Podcast.
Bubblegum for the brain.
Right. Talking to soft, chewy subjects,
let's see what we've got in this week's...
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
I don't know.
I'm just trying to fill some air here.
If you say links fast enough and not draw attention to it,
people may not notice. Right, so a British healthcare body has been rapped for WhatsApp
chat sharing patient data. So the NHS in Lanarkshire, which serves over half a million Scottish residents,
used WhatsApp to swap photos and personal info about patients,
including children's names and addresses.
Won't somebody think of the children?
Can I just say something here?
Just based on that, you can end
your rant here, because this is probably a far more secure method than anything the NHS actually uses
to transfer data. Well, you say that, you say that. So, obviously the ICO were involved, so we know that there was at least a £4.50 fine issued to the NHS.
It's issued a heavily redacted official reprimand to the organisation,
which oversees three hospitals plus clinics and more across rural and urban Lanarkshire
in the central lowlands of Scotland.
It said a group chat was created in March 2020,
just as the UK government issued the first COVID lockdown
and was in breach of Article 50 of the UK GDPR.
So contextually here, we now are no longer able to sort of walk up to each other or talk about stuff.
It's now over a chat or a Teams call or similar.
But there was definitely an explosion in the use of social media chat systems, be it WhatsApp or Signal or whatever, for obvious reasons.
So 26 staff shared information for more than two years, so roughly COVID, I guess.
And, you know, there were hundreds and hundreds of communications within this WhatsApp group
that included adult and child patients' names
plus hundreds of patients' phone numbers, many dates of birth,
at least 28 home addresses, 15 images, three videos, four screenshots,
some of which included clinical information,
which falls into the special category data in breach of Article 9.
So obviously very, very personal data. This was shared on their
work phones using software provided by the NHS portal. So WhatsApp was made available in the NHS
portal and was basically said, use this to communicate with each other. So they've got, like, secure, like,
device management or application management, and you can only download stuff from an approved portal,
but in that approved portal they just load it with third-party apps anyway. Yeah, yeah, exactly,
exactly. So the people are not to blame for this. This is, like, clearly a case of the
organization just not providing the right
guidance. Absolutely. It doesn't appear like that. You're right, you're right. But the problem here
is that someone whose name was redacted was added to the group in error, and that unauthorized
individual was given access to four students' names and student numbers,
one child's name and two children's names and addresses.
The ICO did note that WhatsApp stated it was an encrypted platform,
and staff therefore thought it was secure.
The Watchdog said it demonstrates the information governance expectations regarding
WhatsApp were not understood by staff involved in the WhatsApp group. So I hate to say it, Jav,
but I totally agree with you. This is not the individual's fault. This is about a very poor level of information security governance and clarity on the communications
policy about what is allowed to be used, how it should be used, and even in the first place,
whether it should be used at all. So to Andy's point, you've got, you know, a managed mobile platform, which is just sideloading third party apps. It's fine to use WhatsApp per se, if you're the UK government at the moment, it would seem.
absolute clarity over, you know, how it's used and what it's used for, etc.
But the fact that it is a third party app and is not under the control of the NHS in this instance,
means that they can't control which people are added and what groups are added, etc. And whether people, you know, and how they know joiners, movers and leavers, right?
If somebody joins a department and moves, you know, or moves
into the department or leaves the department, how do they know that people have been added and removed
to this? Hence why the ICO's investigation... So for me, there was absolutely zero clarity from
the information security lead here, you know, at the NHS, because the staff thought it was a sanctioned platform. There were
no guidance on how to use it properly. They were using, as far as they were concerned, the right
platform. So this is just a massive failure on behalf of the NHS. Now, we know, and I've said this
before, that many organizations like healthcare and like education are woefully under-resourced and underfunded, etc.
But they've certainly got enough money for a platform to deliver apps from.
Surely, rather than chucking them on there, they should be ensuring
that people know how and why to use them and when to use them as well. So yeah, very, very poor show, information
security lead. I hesitate to call them a CISO at this point, because the CISO would have, you know,
certainly got someone else to make that decision. But isn't there a job, didn't
we see a job for the NHS CISO?
Yeah, but that was a national job, wasn't it?
Yeah.
Yeah, wasn't it something like 80 grand?
It was silly.
Yeah, it was a very poor salary,
but it was like a 30% pension or something.
Yeah, yeah, that's right.
That's right, yeah.
It's like an excellent side gig for someone.
Yes, a side gig.
Maybe that's the problem.
Maybe it was a side gig.
So, you know, but I don't know if that was the national CISO in charge of this
or whether it was, you know, NHS Lanarkshire.
I'd noticed it's in Scotland,
so I'm sure it falls under some different ruling as well.
You know, so who did this?
Who came up with this policy, or lack of policy, lack of process,
lack of communication, lack of education, lack of awareness? Just dreadful. All right,
your blood pressure's getting a bit too dangerous now. I know, I've got a bit red.
I'm looking in the camera. You are. But, you know, you mentioned GDPR several times,
and just in case our American cousins feel a bit too smug about this,
I actually posted something about this on LinkedIn the other day.
Was it a TikTok of you dancing to something?
No, unfortunately not.
With a 10-year security link?
It was just a written piece, that's why I didn't
get so much interactions. But because I couldn't see your man boobs jiggling. Yeah, yeah, exactly. And
it's on a platform where you've only got, like, you know, a couple of thousand followers instead of a
couple of hundred thousand, right. Yeah, yeah. So it said that, yeah, in last September the SEC charged 16 banks, like, on
Wall Street, a total of over 1 billion dollars for this very... We covered that story. Yeah, I know, I'm
just reminding our listeners, and our new listeners, welcoming our new listeners every week. Just
because we cover everything every week and we remember it, it doesn't mean... No, I think Andy meant me and him covered it when you were on one of your
many sabbaticals. I like how you're pretending that you remember it. But no, it's like, you
know when you just... Seamless, wasn't it? Like, there's no hesitation when he said, yeah, I remember, and
then he jumps in to justify it. I'm just reminding other people.
He's got no idea what we're talking about.
That's why he's such a professional.
No shame.
No shame.
Just like one take Malik.
No hesitation.
Exactly.
Exactly.
All takes.
Just takes it all.
You know when you watch a series, a TV show,
and before the show starts there's a recap.
Even on Netflix they do a recap, even though they know very well you're binge watching the whole thing, you just saw it
like five seconds ago. Previously on Host Unknown... We talk about you, and you're like... But the recap
is useful, because people sometimes have short memories, or there's been a gap between when
they last watched the episode and they just want a filler and whatever. See if it's still showing.
That's what I'm providing here, like a service.
Well, get on with it then.
You two fuckers don't appreciate the value I add here.
Well, I'm not here for you two.
I'm here for our listeners.
Those guys were trading, weren't they?
They were sort of doing side deals.
They were trading.
Discussing trades.
They were discussing trades on WhatsApp, exactly.
That's right, yeah.
It's just not using approved channels.
And, yeah, there is a space for these kinds of apps,
especially with remote working,
where people can keep in touch with each other.
So they can have those water cooler moments.
Yeah, yeah, yeah.
You know, and they can swear at each other,
whatever, without putting on the official slack,
which can be subpoenaed or, you know,
part of a discovery process.
Well, I mean, as the Conservative government found out,
they can also be subpoenaed,
or the equivalent of subpoenaed.
Yeah, yeah, yeah, yeah.
And that's the thing.
As long as you keep it completely out of bounds of work, you can justify that this is just a personal friendship with my colleagues.
But as soon as you include work stuff in there, then that becomes, it becomes part of scope, and
then the problem is that everything on that chat becomes... And like we saw, like, this happened to
police officers a few months ago here in the UK. That's
right, yeah. Some of their groups were set up and they're, you know... And, you know, you don't have
context. It could be just friends exchanging memes and what have you. I mean, some of the stuff they're
exchanging was pretty heinous though. Well, I don't know, I haven't seen it, but I'm just saying there's
probably, like, levels of what's being shared. Like, some things are really, really bad, like there's
always an Andy in the group somewhere, and then there's, like, you know, some stuff that's just
like banter really. Yeah. Oh yeah, absolutely. I think in the case of the police officers they
were sharing, well, ostensibly confidential information about crimes and murders and indeed
photos of murder victims as they were
found and stuff like that. Yeah, I mean, it was, that was abusing their position as police
officers, you know. I think that's, that's the thing. But as we all know, we don't abuse
WhatsApp, you know, we keep it completely off the
professional subjects because it's just not worthwhile
right? Absolutely
100%
Anyway, rant over, that was
this week's rant of
the week
Go!
Recording from the UK
You're listening to the Host Unknown podcast.
Excellent.
Now let's move on.
At the risk of possibly having to agree with Jav again,
let's move on, shall we, to this week's...
So, this week we turn our
admiring ball-gazing
to the US
government.
I like that one.
For those that didn't tune in
previously, the assumption called
Section 702
of the Foreign Intelligence Surveillance Act, FISA,
which allows the American government
to monitor comms from foreign persons,
so they're not protected by the Constitution,
but also of people they confer with within the US,
so basically everyone.
Tenuous link.
Yeah.
You work in the same company as those international foreign people.
So therefore there's a justified link.
Yeah, exactly.
Exactly.
You breathe the same oxygen as this person.
Like, you know, so yeah.
Now, while it's supposed to be used as an intelligence tool, and I'm making air quotes to say intelligence, it's meant to prevent terrorist attacks or track down similar targets. In 2021, the FBI misused their surveillance powers more than 278,000 times.
Thousands?
Yeah.
I thought 278, that would have been awful.
No.
278,000?
The warrantless searches included George Floyd protesters, January 6th rioters who stormed the Capitol, donors to government campaigns, monitored activists, journalists and others, without obtaining a warrant.
And then these communications can and have been used to prosecute people for crimes.
So it's not like it's just intel and then it can't be used in a court of law. But, you know, it's like, yeah, it doesn't matter how we obtained this, but the fact is we've got it now and we can now use it to send more people to jail. And, you know,
it's a controversial law from the beginning, but it's up for renewal now.
And so all these government departments have gone into overdrive,
trying to justify and urging lawmakers to reauthorize.
Now, you're probably wondering what the Billy Big Balls part of this is.
Is that the government doesn't even try to hide what they do.
They're literally gaslighting the entire country
by saying it would be the worst intelligence failure of their time. And it's like implying that to protect America, we must spy on all Americans, whenever we want, without having to ask a judge for permission, because that's good for America. And what's good for America is good for the world. And if that's not a Billy Big Balls move in real life... This is not something from Team America: World Police. I think that deserves a special mention.
Wow. And you know what, this ties back to that story we ran a few weeks back about the French
government. Yeah, we already ran that.
We already spoke about that, Tom.
Why are you bringing it up again?
I'm relating it to this.
Hey, don't bring it up to Andy.
Anyway, yeah, but about the French government trying to get access to people's phones and microphones and cameras and all that sort of thing.
It's kind of like, well, it's going to be in a controlled environment,
blah, blah, blah.
Well, here is the perfect example of that slippery slope
being used, well, 278,000 times beyond the original intent.
Yeah.
But you know what?
To get numbers like that, you must literally have,
like they're doing favours for friends.
Yeah, it would seem to be.
They don't even process that many crimes in a year.
They don't investigate that many crimes.
Well, it's not crimes.
It's the terrorist events, do you know what I mean?
It's beyond.
But it has to go into just day-to-day crime, right?
Yeah, but that whole sort of, what do you say about who's lobbying who, or who's funding what, you know, political reasons. Like, yeah, give me a list of everyone that's donated to that campaign.
Yeah, yeah, yeah. Shocking.
This is like, you know, for the auditor you always say, like, yeah, we've got a normal account, then we've got our admin account, our privileged account that we use, right? But everyone just logs on using their privileged account every day and just uses it. This is what I imagine the entire FBI office is like: everyone just logs on to the system first thing, it's just easier.
Yeah, but you know what, it's the break glass account, so there's no accountability, everyone's using the same account.
Exactly. Yeah, madness, madness.
Billy Big Balls of the Week.
People who prefer the Smashing Security podcast over the Host Unknown podcast
are statistically more likely to enjoy the Harry and Meghan documentaries. Read into that what you will.
I think we played that one just before the industry news last time, didn't we?
I'm talking the time, Andy. What time is it?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry news.
NHS staff reprimanded for WhatsApp data sharing.
Industry news.
Canon inkjet printers expose Wi-Fi threat.
Industry news.
AI enhanced phishing driving ransomware surge.
Industry news.
Hundreds of Citrix endpoints compromised with web shells.
Industry news.
Cocaine smugglers that posed as PC sellers jailed.
Industry news.
Humans unable to reliably detect deepfake speech.
Industry news.
Menlo leverages advanced technology
to combat surging browser threats.
Industry news.
Microsoft Teams targeted in Midnight Blizzard phishing attacks.
Industry news.
Hacktivist collective Mysterious Team Bangladesh revealed.
Industry news.
And that was this week's
Industry News.
Huge
if true. Huge.
Huge if true. That story,
Menlo leverages advanced technology to combat
surge in browser threats, that sounds like
sponsored content to me.
Do you know what,
Menlo, are you interested in sponsoring us?
No, it's not a headline.
We'll pay you to say that we do this.
Well, do you know, since the InfoSec dig moved on, though,
the quality of content has been patchy.
So I'm looking at this,
humans unable to reliably detect deep fake speech.
And do you,
I know Jav,
Jav's obviously aware
because I speak to him all the time on TikTok,
but there's accounts on all the socials,
not just TikTok.
I think it's called There I Ruined It or something
where they sort of AI voices,
singers' voices.
And you've got like Frank Sinatra
singing Gangster's Paradise.
Yeah.
Oh, yeah.
It's just fantastic.
It's like you shut your eyes
and it actually sounds like,
you know,
you can imagine like the Rat Pack
doing that.
It is just brilliant.
And Elvis singing
I Like Big Butts or whatever.
Yeah.
So, I mean, with this,
yeah, voice,
you know, they just need a couple of minutes, or not even minutes. Like, you know, obviously the more speech they've got to work with, the better it is,
but yeah, they can very quickly generate fakes. What it underscores is that actually
educating people on what to spot is not just about where the email comes from, what the voice message sounds like, etc.
It's about: is it breaking protocol, is it urgent, you know, a sense of urgency, a sense of
distress, you know, is it asking you to do things that you wouldn't ordinarily do, to break the sort of financial procedures or whatever? That's what's
important, because that's the one thing that you can always fall back on.
Yeah, yeah. Because I remember, like, a few years ago, Tom, you sent an email to me and Andy from a rooftop in France, well, after you'd been on a rooftop in France. And a few days later Andy still hadn't replied or said anything, and I said, "Andy?", and he goes, like, "Yeah, it was a phishing email, don't you know?" I mean, like, well, it sounded desperate, he was like reaching out for help. And I was like, damn, I fell for it.
I was just surprised he didn't ask for money.
Yeah, I know.
Oh dear. But there is, so obviously there's a story this week, I know we've not covered it here, but there's a picture of the UK Prime Minister pouring a pint, and in the background there was a girl who was, like, giving a side eye, looking like, you know, what the hell is going on, that a Labour MP, opposition MP, posted on social media. And it turns out that her eyes were sort of superimposed, that they weren't her real eyes. Like, she gave the side eye, but in the real picture she was just looking neutral, but in the picture the MP posted she was like, you know, what is this clown doing? Like, very different.
You say that... oh sorry, go on, carry on please.
Well, I was going
to say it reminded me of you where you showed me behind the magician's curtain last week on some of your TikTok videos,
where the content's obviously getting a lot more detailed and like, you know, it's flowing a lot more.
And it turns out that you're actually reading a script, but not obviously reading the script like a teleprompter or anything.
And you said that you're using AI to keep your eyes trained on the camera all the time, so you're reading a script to the side and your eyes are moving in real terms.
Can we use that on the last, you know, "lost all the money" video?
Even AI can't help you.
I don't know, but yes, going forward, that is the type of thing that it could be used for.
It is, it is, because I remember seeing this, like, several months back. NVIDIA, in one of their chips, they had this technology so if you're on a Zoom call or a video call it would keep your eyes locked onto the camera regardless of where you were looking on the screen.
That's right. But then I found this,
this is like,
I use Descript to record my TikTok videos most of the time.
And it just makes it so much easier.
So I just,
I can just write up the script and look off camera,
read it.
And then in post,
it just fixes my eyes onto the camera.
But it blinks as well.
It actually looked quite natural. I didn't... Yeah. That thing, it's not... Yeah, wow. I'm gonna have to actually watch some of these now.
Look me up on TikTok, j4vv4d is my... I'm doing my hand...
Not going on TikTok.
I'll send you the links, Tom. But I'm, yeah, no, I'm not talking to you, I'm talking to our listeners. So if you go there and then look at my last 30 videos, and you tell me which ones you think... comment on them and like them and comment on them, and the one that tells me accurately which ones I generated, by double tapping the screen to lock your choice in, yes, you will win. You will win a prize. The prize of knowledge.
Yeah.
What else have we got here?
Canon inkjet printers expose Wi-Fi threat.
Quentin!
Quentin!
Why does it always have to be the printers?
Why is it about printers that make them such bastards
compared to every other element of computing today?
In an office, why do you need Wi-Fi on your printer
if it's not going anywhere?
Yeah, but also, printers are still notoriously a pain in the arse
to set up and get wrong.
I know of at least one major security incident from the last year
in a major organisation caused by a printer.
Well, that's the thing.
They're so good that they go undetected.
Yeah, but what's the thing that your mother always calls up about or some vague relative always calls?
I can't get my printer working, right?
Anyway, sorry, that was this week's Rant of the Week.
I did see a tweet or a tweet or something,
and I thought I'd go back to it to see whether it was actually true or not.
But someone said something like, the HP printer stopped working.
They changed the ink cartridge.
It didn't work.
This, that, the other.
Then they phoned up the help desk or something.
They said, oh, your card on file expired, so we disabled your printer.
Yeah.
Yeah.
I saw that one, which wouldn't surprise me. Yeah, it was definitely an HP. Yeah, definitely.
But hopefully, if you want to sponsor us, whichever part of the business side wants to, the consumer side, the enterprise side, whatever you're called. Yeah. HPE, they'll do.
Yeah.
Right, anything else to look at here?
No.
We did the NHS cocaine smugglers that posed as PC sellers.
That'd be good, wouldn't it?
Ordering up a PC and just getting a big block of cocaine.
Well, do you know there's a video of
where they did an expose about a takeaway
somewhere up north that
you go and you order your food, but they also
sell drugs as well. And they were
interviewing people and there's this guy
and they said, yeah, so, you know, this is a place
that notoriously if you come here, you can
when you order food, they put drugs in it as
well when you say the special things.
And it was on camera and he's like, what? No, no, I can't believe it, I didn't know they did that here.
His face was just like, no mate, you're not convincing anyone.
No, no, unbelievable. I try... get me off camera, get me off camera.
It's like when you order an extra pillow for your hotel room, Andy, isn't it?
Yeah, my niece is going to arrive later for dinner.
And then you go back to the room
and there is an extra pillow.
Fuck!
Right, thank you.
That was this week's...
Industry News.
We don't research the story,
but let us tell you what we think based on the headline.
You're listening to Insights
from the award-winning Host Unknown podcast.
Well, I was really looking forward
to this week's Tweet of the Week,
but I see you've changed it, Andy.
So we'll go with your second choice, shall we?
So it's time for this week's...
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week
is from Sherry Ramen, and she says soft skills are crucial in every field, especially in cyber security. Number three to me is the most important. Imagine presenting at a meeting saying we suffered a phishing attack; folks be thinking, was there a flood and fish invaded the office? And she's posted a screenshot of, I'm guessing, an Instagram reel, but she's got the 10 important soft skills that she believes accrue in every field but especially cybersecurity,
starting with number one, problem solving, two, time management, communication, creativity, negotiation, collaboration, adaptability, emotional intelligence, decision making and organization.
And I saw this, I thought this is actually a very strong list of skills, which I think, you know, you learn over time, but it really does make it...
When you deal with people who are good at these skills, it makes such a difference. Yeah, you know, and it just sort of shines through. There's just certain people in every organization you see who just immediately do this sort of skills, and it's like, okay, that's it, you know, this person's got emotional intelligence, or, yeah, you know, this person's fantastic at communication.
Well, just the ability to collaborate, actually work with other people, right?
Yeah, you know, because you're not the smartest guy in the room; nobody ever is the smartest person in the room in that sense, right? You've got to be able to collaborate, adapt to what's happening around you. You can't be fixed, you know, fixed in stone on what's happening, because everything's changing. So, yeah, this is a good list.
I mean, there's nothing groundbreaking here, in fairness,
but it's a good list.
And there's nothing that actually makes it especially true
for cybersecurity.
It's just general.
Actually, while you were talking about that,
I typed into ChatGPT what are the top 10 soft skills needed
in cybersecurity, and it came up with a list saying
communication skills,
analytical thinking, problem solving, attention to detail,
adaptability, collaboration, ethical mindset,
curiosity and continuous learning, emotional intelligence,
leadership and influence.
So I'm going to put this onto a reel or a TikTok and paste that.
And then we'll have it in next week's Tweets of the Week.
We will. We will.
But also, I think there's an important underlying factor here
that most people forget is that it's easy to get fired for being creative,
but not for being unimaginative.
No one got fired for being unimaginative.
And that's the problem.
Like, when you're sitting on the outside and say, yes, yes, I'm going to go in and I want to do this and the other, it backfires on some people quite spectacularly in many cases. And that's why I think a lot of people just end up playing it safe over the long period of time. But that's where I think a good leader really, really plays a good
and important role, where they allow and they encourage
and they embrace that mindset amongst their team.
I think if you don't have that support from the top,
then it becomes really difficult.
Yeah.
Very true.
Very true.
Somba?
It's not Somba, is it?
Sage advice.
The other S word.
Yeah.
Sage advice, Jav.
And that was this week's...
Tweet of the Week.
Right.
Thank you, folks.
It's been a blast, and we've even finished just in time
for Andy to get into the office bright and early at 8.30.
So, yes, thank you.
Jav, thank you very much for your contributions today.
Well, you know, don't thank me.
I don't do it for you two.
I do it for our listeners.
That's who I'm thanking you for.
And, Andy, thank you.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash smashing security.
Yes.
Sweet.
Well, we've got to change.
Having an 8.30 start on a
Friday morning is no good for me anymore.
I need to
move my Friday morning meetings
so we can start later.
Yeah, exactly.
There's a reason why I'm feeling a bit dozy right now.
It ain't good.