The Host Unknown Podcast - Episode 167 - The Sweaty B***s Episode
Episode Date: September 15, 2023

This week in InfoSec (08:18)
With content liberated from the "today in infosec" twitter account and further afield

13th September 2011: Backup tapes containing info on 4.9 million TRICARE military health care customers were stolen from an SAIC employee's parked car which a burglar broke into by breaking a vent window.
TRICARE Breach Affects 4.9 Million
https://twitter.com/todayininfosec/status/1701936923579732231

12th September 2001: MafiaBoy (Michael Calce) was sentenced in Canada to 8 months of open custody, 1 year of probation, and restricted Internet use for crimes related to DoS attacks he performed against numerous high profile websites at age 15 the year prior.
Cyber Attacks
https://twitter.com/todayininfosec/status/1701628591262302571

Rant of the Week (17:27)
[Responsible disclosure? Even close competitors share threat intel]: https://twitter.com/vegasstarfish/status/1702076730075492739 - video in link too

Billy Big Balls of the Week (25:21)
10 years ago, Apple finally convinced us to lock our phones
Every phone you pick up today has a fingerprint scanner, a face scanner, an option for PINs with four, six, or more digits, and often all of them at once. Phones prompt you to set up a scan and a passcode the first time you turn them on, and you'd be hard-pressed to find anyone who doesn't have some form of security set up. But go back just 10 years, and the story was very different. Back when our phones were still used almost entirely as phones and not teeny personal computers, most of the "locking" features on mobile devices were designed more to prevent you from butt-dialing anyone than to protect your sensitive information. It wasn't until the iPhone 5S came along, 10 years ago this month, that everything changed. It just goes to show how much of an innovator and an investor in security Apple always has been.
They removed the headphone jack and called it courage... Just a couple of days ago they pushed the boundaries of innovation even more and introduced USB C to the latest iPhones. Now that's real courage.

Industry News (34:29)
Ransomware Attack Wipes Out Sri Lankan Government Data
Europol: Financial Crime Makes "Billions" and Impacts "Millions"
Cyber-criminals "Jailbreak" AI Chatbots For Malicious Ends
UK ICO and NCSC Set to Share Anonymized Threat Intelligence
MGM Criticized for Repeated Security Failures
New Microsoft Teams Phishing Campaign Targets Corporate Employees
Lazarus Group Blamed For $53m Heist at CoinEx
Elon Musk in Hot Water With FTC Over Twitter Privacy Issues
Manchester Police Officers' Data Breached in Third-Party Attack

Tweet of the Week (41:54)
https://x.com/Marlebean/status/1308858471106871298?s=20

Come on! Like and bloody well subscribe!
Transcript
I can't believe you guys got me into TikTok for then me to be just kicked out a week later.
A week. Permanently banned. No appeal. I have no idea what I've done.
You told me it was going to be a win win.
So you got kicked out a week after you joined.
Yeah. But 20 minutes after Jav found out about your account.
Do you know what? It all falls into place now.
This is how we keep the quality of TikTok high.
You're listening to the Host Unknown Podcast. Hello, hello, hello, good morning, good afternoon, good evening from wherever you're joining us.
And welcome, welcome one and all, welcome dear listener to episode 167 of the Host Unknown Podcast.
Welcome one and all. Jav, how are you? How are you doing? It's been ages. I'm good. I'm
good, Tom-son. It's a good world. You're obviously feeling happy as you managed to get me banned off
TikTok. I had nothing to do. You've got to keep the boomers off it, though, right? It's a no-boomer zone.
It's only for us Gen Z people.
Exactly.
Gen Z.
Isn't it, fam?
What is that, under 50?
We don't want no mandem on there, isn't it, fam?
Yeah.
No cap.
What?
I could buy into
Jav's part of that, but yours, Andy,
was a very
oh gosh, yes man ting in it.
I love the way you say that, but still
put such a, you know, you pronounce
every word as well, every syllable.
I was brought up properly.
Yeah, the Queen's roadman.
The Queen's road gentleman.
oh wow
Oh, how have you been, Jav? Good week?
Yeah, it's been good. I've been working. You know what, kids are back to school this week.
Oh, it's quiet.
I know, it's like, okay, it's a bit of a hassle in the morning.
Yeah, true.
Um, but, you know, it's good. There was two events I attended in person, live events, so, uh, two days in a row, and I got so tired from all the social interaction I was like, no, I want to sit at home in my office now.
Post unknown for the social introverts of your life.
Exactly.
Isn't that for all podcasts?
Isn't that?
Well, that's true.
That's true.
Yeah.
Yeah, exactly. Why interact with real people when we can talk to our pretend friends?
Yes. So what events did you go to
Uh, one was an AKJ put-on event about securing the public sector.
Oh, AKJ do the, um...
Yeah, that's right, and PCI. For PCI, yeah.
Yeah, I remember one year all three of us went there, and that's when I founded Host Unknown. That's when I came up with the idea for Host Unknown, yeah.
That's when I told you that this is the thing, and, you know, anyway, you got a photo from then as well.
That's the time when I realised it's a terrible, terrible idea to be in the same room as Andy when there's a talk going on.
Cause even if you're not next to him where he can whisper comments to you,
he'll just post stuff on, on, on,
on WhatsApp or message them to you. And he,
he can keep his poker face or he smiles,
but he doesn't completely lose it, whereas I, once I get the giggles, I cannot stop at all, and more than once I've had to actually walk out of a conference, like just pretending I'm on the phone or something, like, oh, it's a really important phone call, I've got to take it, walk out, because, like, I need to get away from Andy.
Oh dear, story of my life, people getting away from me.
Yeah.
Andy avoidance techniques.
Yeah, yeah.
What about you Andy?
You doubled the amount of chloroform you're using.
Yeah.
Damn me.
And the lawyer in my ear says
allegedly.
So I was going to say, so, Andy, have you walked out of any conferences this week?
No, I haven't.
I haven't even been to any conferences this week.
Do you know, I realised 44Con is on this week.
Is it?
Yeah, I saw a message about it.
Yeah, but no, it's one of these things I think, well, I've got to get to every year, because it truly is one of the best conferences I think we have in the UK.
Yeah, well, any conference that has a gin o'clock every day, I mean, it's got to be up there.
Yeah, it's, um, yeah, just a busy week. I don't know, because it's that post-summer holiday. Now everyone's back and everyone's sort of catching up.
It's unfortunate timing.
I was saying to some colleagues yesterday,
it's just as busy as it has been in August and July and June, etc.
Our August just didn't seem to quieten down at all.
Very odd.
Really?
Mine did, but it just kind of
built up instead.
Yeah.
Even busier.
Yeah.
Even busier.
But, yeah,
how was your week anyway?
Yeah, good.
A rare week.
I couldn't find
an insulting segue
into that one.
No, no, that's right.
Talking of noisy children.
Yeah, a rare week in London because I'm now only up in London about once a month now.
OK. And were you around the corner from my office as it turned out?
No, because it's London Fashion Week.
Oh, OK. So you're looking for the latest hairstyles?
Well, you know, I was looking for an affordable hotel room, to be honest with you. Uh, so the place around the corner from you, 600 pound a night.
I know. I ended up in a Hampton, a Hampton Inn by Hilton, for 360 pounds a night.
A Hampton Inn. They're polystyrene plates for breakfast.
That's the, I can't believe it's not Hilton brand.
Yeah, it's exactly it.
It's exactly it.
You know what, next time, 2.50,
I'll let you sleep on the sofa.
It's a bargain.
I'll give you an official-looking receipt and everything.
In fact, I can drop you to the station
and I can give you an Uber receipt for that as well.
Shuttle service.
Yeah.
Do you know, I've been in your office with a black light.
I'm not sleeping anywhere in there.
It's called heart.
You know how some people, you see them,
they run a certain route and then on the GPS, like on the maps, it shows like...
Yeah, exactly. Oh my God.
And talking of disturbing imagery, shall we see what we've got coming up for you, uh, this week? So This Week in InfoSec is the age-old story about a 15-year-old bringing down multi-million dollar companies.
Rant of the week could have been a casino.
Billy Big Balls for Jav, but instead is a rant from me.
Billy Big Balls asks Javad to praise Apple's innovation to change culture.
I am so looking forward to that one.
Industry News brings us the latest and greatest security news stories from around the world, and Tweet of the Week is some insurance advice. So let's move on, shall we, to our favourite part of the show.
This is the part of the show that we often, in fact may always, call This Week in InfoSec.
It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And our first story shall take us back a mere 12 years to the 14th of September 2011,
when backup tapes containing info on 4.9 million Tricare military health care customers
were stolen from an SAIC employee's parked car, which a burglar broke into by breaking a vent window. So this TRICARE breach in 2011 was a significant security incident that occurred, although it's not one that's often referenced, but it has all the key components of the absence of a suite of controls that needed to sort of manage information security. So for those who don't know...
And not just controls, how about some common bloody sense?
Well, we didn't have common sense back then, right? If no one told us we had to do it, we didn't do it.
It is, it is the, uh, the armed forces, right? So, okay.
Uh, yeah, you're gonna get banned from Facebook next. So thank you for your service.
So if you don't know, TRICARE is a health care program for the United States Department of Defense,
not just serving active duty members, their dependents and any military retirees as well.
But they also process data for people who went through, even if they didn't have, uh, sort of medical care through them, but if they process the data they'll get it from there as well.
Um, so did anyone ask why this employee was sort of carrying backup tapes with them in their car? So this is...
Why was this employee carrying backup? Yeah, absolutely.
There's a question we've got to ask.
Why was this employee carrying backup tapes in the car?
It's a good question.
Do you know what? I worked for a startup, early noughties,
and once we had a requirement to keep off-site backups,
I started taking them home with me.
Right?
I mean, it's fair, right?
Let's be honest.
Was there anything on the tapes?
You'll never know.
But I could prove that there were tapes at my house.
Not after you put them to the fridge with a magnet.
Yeah, left them in my magnet collection.
So the breach exposed the personal and health information of 4.9 million individuals.
It included Social Security numbers, names, addresses, phone numbers, clinical notes, lab test results and prescription information.
Wow.
Um, but obviously, even though it was back then, um, TRICARE actually did a great, um, you know, sort of piece of PR saying that fortunately no financial data was included on the stolen tape. You know, that was the
important thing. But do they take security
seriously? Was this before HIPAA was the
thing?
No, HIPAA was there
in 2011. I'm sure they said it because
it's going to be in there
but yeah so
they did say that
some of the personal information
was encrypted, but it wasn't encrypted in compliance with federal standards.
So that's a very carefully worded statement.
Wow.
So, you know, I'm sure federal standards say, you know, render it so that you can't decrypt it or something like that.
So however they refer to whatever format of encryption they used,
it clearly wasn't good enough.
The federal standards probably say an Excel password is not encryption.
Yeah.
Especially back then with advanced office password recovery tools, right?
AO, PR, whatever.
So obviously lots of questions raised about data security. It turned out that SAIC stands for Science Applications International Corporation. They're actually a contractor, a subcontractor of TRICARE, so it's a supply chain issue that we've got here. Um, but obviously between them they did do an investigation, they assessed the risk, and they said that, you know, they concluded the risk of harm from stolen tapes was low because accessing the data would require specific software and knowledge of the system.
Um, which is dubious, because I'm sure if you had, what was it back then, the Veritas backup software, you could just plug the tlt and...
ARCserve.
Yeah, that's it, ARCserve, that's it.
ARCserve, that's what I was thinking of, yeah.
Um, but yeah, so they did, uh, offer, um, credit protection services, uh, obviously, uh, as all good, uh, responses do. Um, and you have to ask, they actually had data starting from 1992 through to September 7th. So it's nearly 20 years' worth of data were on those tapes.
And it's just, it's just one of these stories that, you know,
when you look at it and you know, this is, let's say, say 12 years ago,
everything in it, it's got the hallmarks, everything like,
what you need to encrypt sensitive information, security of physical media,
vetting the practices of subcontractors, unnecessary retention of data, yada, yada, yada.
But yeah, just a great story. I like that one.
These are great. These are like the origin stories for so many of modern day regulations and requirements.
And it's brilliant. I love it.
Brilliant. I love it.
Yeah.
So our second story just takes us back a mere 22 years to the 12th of September 2001.
2001.
Yeah.
The day after.
The day after, the night before.
But no, it wasn't in North America.
It was actually in Canada, just across the border.
So the 12th of September, 2001,
MafiaBoy, Michael Calce, was sentenced in Canada
to eight months of open custody,
one year of probation,
and restricted internet use for crimes related to DOS attacks.
He performed against numerous high-profile websites
at age 15 the year before.
So if you don't know, Mafia Boy, he obviously gained notoriety in the early 2000s
for his involvement in a series of high-profile cyber attacks.
And by that, I mean he managed to take down CNN, Amazon, Yahoo, eBay,
which were some of the biggest websites at the time.
But by limiting his, or restricting his, internet access, was he basically forced to use AOL?
Well, but so, is that, you say, it's actually, um, so he pleaded, he pled guilty to 56 counts
of illegal access to computer systems.
But because he was a minor at the time of his arrest, that's why his sentence was so lenient.
But this was a DOS attack. It wasn't even a DDoS attack. Is that right?
Yeah. So, yeah, just a DOS attack. So, yeah, I mean, if you think like eBay, can you imagine bringing down eBay these days? Back then, it was like one of the biggest sites.
Remember, it knocked out, well, QXL, or as I understand,
it's supposed to be pronounced Quixel,
which was like the UK version of the online auction site.
Oh, Quixel.
Yeah, that makes sense.
I never worked that out.
Oh.
Yes, the penny has dropped finally.
Yeah.
So, yeah, QXL.com. It's supposed to be
pronounced Quixel.
But,
hey,
you know.
It's what I remember
in Back to the Future
when Michael J. Fox
is on stage,
he plays Johnny B. Good
and he's like,
oh,
you know,
you're not ready for it yet
but your kids are going to love it.
Yeah,
yeah,
yeah.
So if you think,
yeah,
Quixel back then,
they sort of got clever
with pronunciation of words
but didn't take off.
What's that, that high street shop, C-E-X?
Everybody calls it sex.
Yes.
I'm going to sell this off for sex, you know.
Okay.
Not sure about that.
Yeah, I totally got the wrong end of the stick with that one.
Jeez, I was nice and embarrassed.
Oh, wow.
Yeah, the arrest was very embarrassing.
Anyway, thank you very much, Andy,
for this week's...
This week in InfoSwerve.
Feeling overloaded with actionable information?
Fed up receiving well-researched,
factual security content.
Ask your doctor if the Host Unknown podcast is right for you.
Always read the label.
Never double dose on episodes.
Side effects may include nausea, eye rolling and involuntary swearing in anger.
All right, let's move on to the angry part of the show.
And this is the part that we call...
Listen up!
Rant of the week.
It's time for mother f***ing rage.
I say angry.
It's still a bit warm in the country.
I don't really have the energy for it.
But nonetheless, this one is talking about responsible disclosure or, you know,
not even close in some cases. So there's been a lot of activity about MGM Resorts International
being under a cyber security attack. So this was brought, well, the story is initially from Gen G, uh, or Vegas Starfish, on Twitter, or X.
Yeah, it's a little concerning, that one.
Uh, so three days of, uh, concerted cyber security attack on MGM Resorts in Las Vegas and around the globe. Guest and employee data, uh, security and experiences have been tremendously impacted, and by that, you know, all of the activities that are going on, even, even down to how they handle security on the, um, casino floors, etc. I'm assuming because all of their video feeds are probably over the network rather than sort of closed circuit, as it were.
Significant leaks of information have led to the disclosure that Caesars Entertainment has also been hacked.
So presumably Caesars informed MGM of this, that they were hacked, etc.
And, you know, to try and ensure that MGM didn't fall prey to the same thing.
So which is which is all well and good, you know, sharing of intel, which is good.
And that they had actually paid off their group of attackers.
The attackers allegedly asked for $30 million and Caesars negotiated down to $15 million.
So this is all well and good, except, check notes,
nobody knows about the Caesars attack.
Nobody knew that Caesars had been breached,
had a major security incident,
and that they had paid out to the attackers.
Did they pay a bug bounty?
Yeah, they paid a bug bounty.
An Uber bounty, as they're often called now, allegedly.
So here's the thing.
So there's a couple of things here.
One, the advice, never pay your attackers.
I think many years ago, most of us in the room would have said,
yeah, don't negotiate with terrorists, blah, blah, blah,
all that sort of stuff.
Actually, business needs to continue.
And in Vegas, and we were talking about this before, and I think, Andy, you said you heard a figure that each slot machine makes, what was it, each, I don't know if it's each slot machine, but I think the slot machines, oh, the slot machines in each, um, casino make one and a half million dollars a day, um, all of which are no doubt centrally controlled, etc. So if you're not making that one and a half million a day and you're out for 10 days, or that 15 million dollars, you know, plus all your other activities, but as a baseline, you know, that 15 million dollars makes a lot of sense just to stop it and get going, etc.
And that's just the slots, right?
Yeah, exactly. There's so many other activities, you know, that are going on in there. So the key thing here is, you know, MGM has obviously announced this. They've been, it would appear to be, fairly open, since everybody's talking about it. But we keep coming back to Caesars. No one knew that they had been attacked.
This particular part of the story doesn't say when
they were attacked, but obviously it must be
fairly recent memory.
I think it was about six weeks ago.
I think they definitely had enough time
to give an advance warning.
Yeah, to give a heads up.
Like, hey, if you've got these slot machines,
just be careful, they're vulnerable.
Yeah, exactly.
Not that anybody did anything about it.
But how can Caesars have this kind of attack go on
and not do anything about it?
That's what I find quite amazing,
is the fact that we just don't know that this has happened.
Where's the responsible disclosure? What about what data was taken, etc.? It does underline the fact that, um, casinos are kind of a law unto themselves, right?
Yeah, that's what I was gonna say. It's like casinos, they have their own lobbying efforts and they are pretty much a law unto themselves. They have their own laws. It's like even simple things like, um, indoor smoking is allowed in casinos because they don't want people to leave the table, so to speak, to have a fag and then think, oh my God, I'm 12 grand down, let's stop now. They want you at the table dipping into your savings as much as possible.
Having a moment of post-cigarette clarity.
Yeah.
Yeah.
It's not good, is it?
I'm trying to find something to get ranty about on this.
And it's difficult, right?
As always, you've given us nothing.
And so much so, so much so that, you know,
I was talking to a friend of the show, Mo Amin, yesterday.
And he was like, oh, my God, that Tom Langford, he's really like,
you know, processes a lot of oxygen for very little.
Oh, right.
Okay.
Okay.
And he sent a clip.
Yeah, we'll do.
He goes, this will work really, really well. I'll get it loaded up in a second.
And then but you finish your thought and then let me see if I can get this played.
OK, so so here's the bottom line. Where is where is the legal action against Caesars for not notifying the relevant authorities in the US
that they had been massively
breached and paid a
huge amount of money and
surely if nothing else the shareholders are going
to be upset since it's all about the money
so you
establishment that
has gambling
prostitution
drugs, all sorts of other ills, alcohol.
You didn't inform us when there was a breach,
and that's what they're coming after you with.
Well, here's the thing.
Here's the thing.
They're supposed to operate inside the law.
We know they don't so much, but they're supposed to operate inside the law.
Nobody's doing anything about it.
That's right.
What you just said is one of the most insanely idiotic things I have ever heard.
At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it.
God have mercy on your soul.
Indeed. God have mercy on your soul, Tom.
All I can say is, Mo, I'm coming for you.
Rant of the Week.
Go!
Recording from the UK.
You're listening to the Host Unknown podcast.
All right, Jav, your turn now.
Tell us about what criminals you're supporting this week.
The criminals of the week.
So, um, today's criminals that I'm supporting is a small company known as Apple. This is a bit of a, uh, Today in InfoSec, but I think, you know, we sometimes, um, overlook the impact that Apple has had on not just technology innovation but on security, and I was reminded that, you know, when you pick up a phone today it has a fingerprint scanner, a face scanner, an option for PINs with four, six or more digits, and sometimes multiple options at the same time.
Phones prompt you to scan and set up a passcode. But, you know, you'd be hard-pressed to find
anyone that doesn't have some form of security set up on their phone. But if you just go back
10 years, not that long ago, and, you know, the story was very different because back then a lot
of the phones were still used almost entirely as phones and not as teeny personal computers.
Most of the locking devices on mobile devices and locking, I'm doing air quotes as I say that,
were designed, yeah, more to prevent you from butt-dialing anyone than to protect sensitive information.
In fact, there used to be a key, like an actual key to lock the keypad,
wasn't there?
There was.
You press and held it for a second and it locked the keypad.
That's right.
Or on Nokia's you could do star three when they removed the key.
Yes, yes, yes.
That's right.
So it wasn't until the iPhone 5S came along, which is 10 years ago this month, that everything changed again.
And it just goes to show how much of an innovator and investor in security Apple always has been.
And it reminds me of some of their, some of their other amazing, groundbreaking innovations, like when they removed their headphone jack a few years ago and, you know, they explained it. Courageous. It was, it was courage.
It was courage, absolutely courageous.
And, and, and I was amazed just a few days ago,
they had their new keynote about the upcoming phones
and they've really, really pushed the boundaries.
And now the latest iPhones are going to have USB-C.
And I think if that isn't real courage,
if that isn't a Billy Big Ball's move to be so leading edge, I don't know what is.
So I'm struggling here. So you pick up on one thing. 5S came along.
I had fingerprint unlock. I think that was the first time it came along. Right.
Yeah. Which is which is what you're talking about. It's a great thing. Right.
You know, it's fingerprint ID for the masses, blah, blah, blah.
And then you go and pick.
I think it was prior to that, though, wasn't it?
It was actually the original passcode was put on the iPhone 4.
Was it iPhone 4?
Their first.
Possibly, yes.
Were they the first putting passcode?
No, you could lock from the original iPhone.
Right.
You could always lock the phone from the original iPhone.
Okay. But the 5S came along with the, with the, with the actual sort of biometric. But then you go and cherry-pick two, and I have to say two of the crap, I mean, for instance removing the headphone jack and calling it courageous. What a pile of shite from Apple there. Courageous, my ass. I mean, don't get me wrong, I haven't missed the headphone jack in the slightest. Not a big deal at all.
But then again, you say that, I've got tinnitus, so I don't care.
It was inconvenient at the time, and now, and now nobody does it.
Yeah, they, they're all Bluetooth.
Everyone's Bluetooth. Exactly. They're all doing it. But calling it courageous, ridiculous.
And then this thing about going to USB-C.
You know, they're trying to tout it.
They were forced to.
Their hand was forced.
And rightly so.
Why are we still using Lightning when USB-C?
I mean, Lightning, I think, is a better physical connector than USB-C,
personally, but we go to standards and actually
now you can connect your iPhone...
It destroys the socket when it snaps off inside, so that's why it's better, right? It's smaller.
Uh, anyway, but, but I think, um, you know, now your iPhone 14 Pro can drive a 5K monitor. I mean, there's benefits to it.
But yeah, 5S, definitely fingerprint recognition, great.
Those other two examples, I think you're just kicking Apple when they're down.
No, they're down.
Yes, poor Apple, they are down.
I was just trying to...
They did lose a lot of money because China you know, China's banned the iPhone.
Has it?
No, they've not banned the iPhone.
They're banning government workers.
Government workers.
Well, yeah, OK.
And even then, Apple have struck up some kind of deal going on there.
But didn't their share price drop?
When China made that announcement, they managed to wipe like a good few billion off of Apple.
Yeah, I think it dropped to the same price it was at the week before.
Right, okay.
And Huawei's, do you see there's literally queues outside Huawei?
Yes, yes.
Stuff like that.
Well, yeah, because if you're a government worker, let's face it,
you know, there's a lot of government workers in China.
Yeah, that's right.
If you're a government worker then
you're gonna, you, you're gonna have to get a new phone, you know. But yeah, I don't know, I don't know what's, what's, what's... So, so is this a sarcastic Billy Big Balls or just a Billy Big Balls?
No, it's a Billy Big Balls. I'm just bringing balance to it, that Apple has always been a Billy Big Balls player in the market. It's pushed innovation, sometimes in the right way, sometimes in the wrong way, but innovation is innovation and you can't knock that.
The smirk on your face is telling me something different.
If you're not making mistakes, you're not trying.
You're trying really hard right now.
Or as Tito Ortiz once said, if you ain't cheating, you ain't trying to win.
Tito Ortiz, what? Gesundheit, who?
Tito Ortiz, he was a UFC fighter.
Oh, God, we're back on that again.
No, it's UFC. It's different from wrestling completely.
What? No, no. Who owns it?
Well, now they're owned by the same parent company.
I, I got one thing to say to that. Billy Big Balls of the Week.
this is the podcast the King listens to.
Although he won't admit it.
No, not at all.
Right, Andy, I know you wanted to keep this show tighter than normal.
I don't know why.
Let's move on.
What time have we got, Andy?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry news.
Ransomware attack wipes out Sri Lankan government data.
Industry news.
Europol.
Financial crime makes billions and impacts millions.
Industry news.
Cyber criminals jailbreak AI chatbots for malicious ends.
Industry news.
UK ICO and NCSC set to share anonymised threat intelligence.
Industry news.
MGM criticised for repeated security failures. Industry News.
New Microsoft Teams phishing campaign targets corporate employees. Industry News. Lazarus
Group blamed for $53 million heist at CoinEx. Industry News. Elon Musk
in hot water
with FTC
over Twitter
privacy issues.
Industry News.
Manchester
police officers
data breached
in third party
attack.
Industry News.
And that was
this week's
Industry News.
Huge if true. Huge if true. Huge if true.
I tell you what, Europol have got their finger on the pulse
haven't they?
Blimey, I'd never considered that financial crime
can make billions of dollars and impact millions
Never thought of that
That's basically monetary
So if you can extract a million
If you can extract a billion pounds per million people you get,
that's a good return on investment.
Yeah, that's £1,000 per head, isn't it?
I like the numbers.
Yeah.
It's worth it.
From the news source of the bleeding obvious.
What else have we got? Elon Musk in hot water with FTC. Elon Musk needs to be... Oh, don't even get me started. I mean, you're still giving him money every month, though, for...
No, fuck no, absolutely no. He paid a yearly subscription all in one go for the 10 percent.
I think, I think I had my checkmark for two months.
But anyway, but anyway.
And there was this thing that broke recently
that he ordered the Starlink to be shut down
whilst Ukraine was trying to conduct an operation.
Oh, yeah.
You know, to stop seaborne attacks, you know,
or ship-based attacks.
Absolutely outrageous. Absolutely outrageous.
Absolutely outrageous.
He's a proper villain, isn't he?
Yeah, and he's been paid by the US government
to provide Starlink.
Yeah.
And he decides to shut it off.
Just outrageous.
Outrageous.
I hope he's haunted, haunted by his decision,
which of course he won't be.
Keeping recording here just to see if I can get Tom blocked off Twitter permanently within the next seven days.
Do you know what? I would see that as an accomplishment.
Elon Musk can go and lick the sweater for dead man's s*** as far as I'm concerned.
He's just, just...
What has the dead man done to deserve that?
Nasty, exactly.
Nasty piece of work, Elon Musk.
Horrible person.
Wow.
How the fortunes change.
I know, I know.
I should have realised when he called that cave rescuer guy a pedo.
Yeah.
But do you know what?
That was back then, before people really knew Elon Musk.
They thought he was just a funny guy.
It's like when Boris Johnson was mayor of London
and everyone was like, oh, he's a funny guy.
Yeah, yeah, yeah.
I bet he runs through the streets of London at night
screaming, I'm king of this city.
But yeah, he put me in a position of power
and it kind of
made London quirky
and blah blah blah, blah.
But Prime Minister, dear God.
This dead man's going to have no sweat left after I've sent all these people after him.
Jeez.
Anyway, but yeah, Elon Musk really needs to sort himself out.
I was just looking at MGM being criticised for repeated security failures,
and I didn't realise that, so this isn't actually the first breach that they've had.
So they've lost people's data before. In 2019 they had to disclose that the details of 10 million
guests were taken, but it wasn't until later in the year that they
actually slipped out a little release saying that actually it's 142 million.
Oh, that's right, yes.
You know, it's actually, you know, 142 million were taken at the time. We just miscounted.
We're not very good with decimal points.
No, not good with numbers.
Yeah, yeah, not good at the odds.
But so the group that actually hacked them is saying, or they've actually stated,
that it's the BlackCat, the ALPHV BlackCat group, confirmed responsibility for the attack.
they said that the ransom all the ransomware group did to compromise MGM Resorts was hop on a LinkedIn,
find an employee, and then
call the help desk.
And they said that the company
valued at $34 billion
was defeated by a 10-minute conversation
with a service desk employee.
Jesus Christ. And they're saying
that's how they broke the company.
That is not good, is it?
Not good at all.
No, no.
No, also what's not good is Manchester police officers' data. It was a third party that was breached and it's got their
warrant... It doesn't have financial data, I don't think, but thank goodness. It's got their warrant...
No credit card details.
Yeah, but it's got their personal information.
It's got their warrant card number, their photo and everything,
and I think their home address.
So no chances of any impersonation of a police officer
or people turning up to police officers' houses.
Bottom line is they should stop having these parties
if their data is constantly being breached in them.
I mean, once is unfortunate, twice is coincidental,
three is just irresponsible.
But a third party?
Yeah, exactly.
Yeah, they pushed it too far.
Yeah.
Ever since they stopped making it the secret policeman's ball.
Yeah.
But there's that.
And you know what?
There's this story about cyber criminals jailbreaking AI chatbots.
And, you know, there is stuff like WormGPT out there.
Interesting, though, I was talking to someone recently,
and they said, here's our CTO, I think,
and he was saying how he went to book an appointment at his dentist.
It's an online thing in America.
And they had a chat function built into it as to like the query,
as to like, you know, I'm a new patient.
I remember it.
Yeah.
But he took a look at it and it was running.
It was basically ChatGPT in the background.
But it was built for the appointment system
and what have you.
And what he said happened is that really you could type in anything
into the bar as a query.
You didn't have to use the buttons.
So basically, effectively, you ended up with your own ChatGPT instance
that the dentist was paying for.
So he sat there running queries until he hit the limit.
Brilliant.
So I think jailbreaking AI and stuff is the least of our worries. I think we're going to see so
many instances of this, like people have implemented it in some haphazard way, and it's
going to be used for all sorts of purposes that, you know, just make you facepalm.
And there's going to be an AI that monitors all of these instances
so that it can sort of crowdsource all of its integrations with it.
So whenever you hit a limit, you move on to the next one.
Yes.
It's going to be fascinating.
It's a great time.
It's a great time to be an AI.
Right, on that note, thank you very much for this week's.
Industry News.
In 2021, you voted us the most entertaining cybersecurity content amongst our peers. In 2022, you crowned us the best cybersecurity podcast in Europe.
You are listening to the double award-winning
Host Unknown podcast.
How do you like them apples?
How do you like them apples, boys?
Yeah, don't mention 2023, whatever you do.
Right, it is time to close the show.
Andy, it's up to you to take us home with
Tweet of the Week.
We always play that one twice.
Tweet of the Week.
Tweet of the Week.
There you go.
It is a tweet this week, for an... I don't know, I'm going to call it a tweet, I... for an X.
I don't know.
I'm just going to call it a tweet.
I'm not going to talk about this every time.
It's the one time when dead naming is fine.
Yeah.
This week's tweet of the week is from Marl, @Marlebean on Twitter.
X. And she says, attention, people who run in dark clothes at night.
I don't have that much car insurance.
It's very good, but you could tell we couldn't find a tweet of the week this morning.
No, that's good.
You know, I think there's an analogy here.
Ah, very good.
Okay, go.
Last week or the week before or in the recent few weeks,
there's something about Twitter wanting to collect more and more personal data,
like your biometrics and things like that.
And I think this is it.
It's like, do you have that much insurance
or do you have that much capability to collect so much data
and live with the consequences when the breach does occur?
And I think this is what a lot of companies do.
When they collect so much data that is unnecessary and unneeded.
So are we the car or are we the runner?
We are the runners.
The companies are the runners in dark clothes at night.
Because they take on far more risk than they should.
And but they're not the ones with the insurance.
You know how analogy works, Tom?
Yeah.
You stretch the analogy until it snaps.
That's the law.
Yeah.
So not only is this analogy snapped, but obviously, you know,
just for our listeners, Jav actually got this week's tweet of the week
whilst myself and Tom went off to get coffee this morning.
Yeah.
And so the tweet is from 8:59 on September the 23rd, 2020.
It's a timeless tweet.
As I look at this.
So, Tom, when you tag Marlebean and sort of say, hey, look, you know.
Yeah.
I'll ask them, how's the pandemic and the lockdown treating you?
Yeah, exactly.
So, Jav, how did you stumble across this tweet?
Someone must have reposted it.
Unbelievable. Recently.
Oh, man.
I mean, you know, analogies are there.
Analogies are there, absolutely.
But also...
Timeless analogy.
As an old man, I also wish
people would stop cycling in dark clothes with no lights at night.
Yeah, oh my God.
And then, and then flick you the V's when you beat them, when they swing in front of you. Like, what?
So if you go to Marlebean's Twitter account, they are
reposting stuff from many, many
years ago. So
it's either like this stuff got engagement,
let's repost it, or maybe
they passed away and this is their bot
that was designed to keep up
engagement that is reposting
stuff.
Marlebean, RIP.
Yeah.
Oh, dear.
Well, Marlebean, thank you.
I thank you for today's tweet, or three years ago's tweet.
Don't mind either way.
Right.
Excellent.
Thank you for this week's Tweet of the Week.
Well, we've run out of time.
We're good to go now, aren't we?
Yeah, that's it.
We've called it.
I think, I think we're done.
Yeah.
So I did message Mo.
Oh, yes. And I told him that Tom wants to come for you.
And he said.
I'm coming for him.
No, that's not any better either.
Yeah, OK.
He goes, do it.
I ain't scared.
I'll steal his Lego.
That's his Achilles heel.
He's got a point, Tom.
If you leave your house, he knows your Lego's unguarded.
Yeah, this is true.
And also, Mo, you have no idea what a double entendre is, do you?
Because,
well,
I guess he'll just have to,
you know,
after I've come for him.
Actually,
I don't know.
I think we need to wrap this up.
I think we do.
Jav,
thank you very much,
sir.
You're welcome.
And Andy,
thank you.
Still in my line.
Stay secure,
my friend. Stay secure.
You've been listening to the Host Unknown podcast. If you enjoyed what you heard,
comment and subscribe. If you hated it, please leave your best insults on our Reddit channel,
worst episode ever, r/smashingsecurity.
That was not clunky at all.
That was as smooth as butter episode.
I liked it.
Yeah, yeah.
Jav vaping in the background at the beginning.
Yeah, all I can hear is like...
Actually, I think it might have been my friend on her keyboard.
Yes, that's what it was.
And then you had your friend on the phone as well just a minute ago as well.
Yeah, I'll try and blank that out.
She's in a different room.
It's just it's a very small flat.
Has it got all these doors and floors like you rich people have got?