The Host Unknown Podcast - Episode 168 - The Purple Pineapple Episode

Episode Date: September 22, 2023

This week in InfoSec (09:32)

With content liberated from the "today in infosec" twitter account and further afield

18th September 2001: The Nimda worm was released. Utilising 5 different infection vectors, it became the most widespread virus/worm after only 22 minutes.

$ echo "admin" | rev
nimda

https://twitter.com/todayininfosec/status/1703760366688211041

16th September 2008: 20-year-old David Kernell compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, then posted her emails to 4chan. 2 years later he was found guilty and sentenced to a year in prison. At age 30 he died of complications related to MS.

https://twitter.com/todayininfosec/status/1703169477548884296

Rant of the Week (14:55)

[We're sympathetic of companies who get hacked and what they have to deal with, but there comes a time when they're repeatedly hacked and you have to ask questions]:

T-Mobile app glitch let users see other people's account info

T-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application.

According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.

As first reported by The Verge, some of the customers affected by this issue could see the sensitive information of multiple other people while logged into their own accounts.

While a massive number of reports started surfacing earlier today on Reddit and Twitter, some T-Mobile customers also claimed that they've been experiencing this throughout the last two weeks.

"Reported this issue when it first popped up here on Reddit over 2 weeks ago and sent pics of the other person's info to their security team. No response, but wow, just wow," one customer said.

Nine data breaches since 2018

In May, T-Mobile disclosed the second data breach since the start of 2023 after hundreds of customers had their personal information exposed between late February and March after attackers hacked into the carrier's systems.

In January, the mobile carrier revealed another data breach after the sensitive info of 37 million customers was stolen using one of its Application Programming Interfaces (APIs).

Since 2018, T-Mobile has been hit by seven other data breaches:

In August 2018, attackers accessed the data of around 3% of all T-Mobile customers.
In 2019, T-Mobile exposed the account info of an undisclosed number of prepaid customers.
In March 2020, T-Mobile employees were affected by a breach exposing their personal and financial information.
In December 2020, threat actors accessed customer proprietary network info (phone numbers, call records).
In February 2021, an internal T-Mobile app was accessed by unknown attackers without authorization.
In August 2021, hackers brute-forced their way through T-Mobile's network following a breach of one of its testing environments.
In April 2022, the notorious Lapsus$ extortion gang breached T-Mobile's network using stolen credentials.

Billy Big Balls of the Week (23:31)

Singapore may split liability for phishing losses between banks and victims

Singapore officials announced on Monday that next month they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses flowing from scams.

It is an answer to a common question these days: in a world of rampant payment and transfer scams, who is responsible?

Countries like Australia have also considered shared loss schemes. Meanwhile, the European Commission has proposed a "refund" to victims of certain types of fraud, including authorised push payment scams.

Starting next year, the UK will enforce mandatory reimbursement by banks to scam victims up to one million pounds, with the sending and receiving banks sharing the bill.

Singapore's minister of state Alvin Tan has a different view.

"There are some views that banks can easily absorb losses arising from individual scam cases. However, full restitution without due consideration of culpability is neither fair nor desirable," he told Parliament on Monday.

Industry News (33:01)

Caesars Entertainment Reveals Major Ransomware Breach
Pirated Software Likely Cause of Airbus Breach
TikTok Fined $368m For Child Data Privacy Offenses
Illegal Betting Ring Used Satellite Tech to Get Scoop on Results
Microsoft AI Researchers Leak 38TB of Private Data
Clorox Struggling to Recover From August Cyber-Attack
Threat Actor Claims Major TransUnion Data Breach
Finnish Authorities Shutter Dark Web Drugs Marketplace
International Criminal Court Reveals Security Breach

Tweet of the Week (41:32)

https://x.com/gabsmashh/status/1704875732282077244?s=20

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Any of this chat, or they just... It is so dry. It's like, oh, I know, getting surprised with no loop. That's what I heard about Graham. He's a little bit quick off the mark. Yeah, doesn't even say, are you ready to record? It's just like, there's no precursor, no preamble, there's no foreplay with Graham, is there? No, but you know, as I was just downstairs making a coffee, it did make me chuckle, because he did mention that when he comes on here everyone just disappears and does their own thing for like half an hour before we start recording, and I'm making my coffee downstairs whilst, you know, you're off in the kitchen. Yeah, well, I think, yes, well, I walked in, you out. I waited until you got back. Oh, that's a good idea.
Starting point is 00:00:47 I'll get a coffee. In my mind as well now. Classic English farce. Next minute there'll be a vicar popping out from under the stairs. Actually, I think I should have gotten a coffee now. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome, welcome one and all.
Starting point is 00:01:20 Welcome, dear listener, to episode 172... 68 of the Host Unknown Podcast. We've, over time, we've drifted, where actually now we're swapping. Time sync. Yeah, exactly, exactly. I'll fix it in post. Yes, 168 of the Host Unknown Podcast. I don't know what we'll call this episode, probably the... we've already done the Late Late Show. I've been sat here waiting for an hour for you two to arrive. I was here on time. You were not.
Starting point is 00:01:54 You were here at 8.45. Almost on time. You were here at 7.45. 6.45. On time. And here it is now, a quarter to eight. Anyway, yeah, so it's a bit of a slow start this morning. Anyway, Jav, how are you? How's your week been? Good, good. I saw live karma in action this week. So I took a drive up to Leicester on Wednesday. There was a little event there.
Starting point is 00:02:39 And as I was driving back, the heavens opened up and it was like absolutely chucking it down with rain. And I was coming down the M1 and everyone's doing like 50 to 60 miles per hour. That's about it. And there's this white souped up hot hatch that goes on the outside lane doing about 80 or 90. In the pouring rain. And in the pouring rain, where visibility is literally, you know, 20 meters or something like that. You can't see further than that. You just see, make out like the lights are there. Do you know what? Add blue neon lights underneath that car and that
Starting point is 00:03:17 was me 20 years ago. Yeah, 20, 30. Yeah. And lo and behold, five minutes up the road, traffic's all slowing down, crawling to a halt, and then people changing lanes. And see homeboy spun his car out, front bumper in the central reservation, car facing the wrong way. And him sitting on the, you know, well, there's some cars that had pulled over. I think he was like behind one of those on the side over there, basically pulled over to tell him he's a bit of a twat. Yeah, yeah. So, you know, I chuckled a
Starting point is 00:03:58 bit at thinking that that was Andy 20 years ago, aquaplaning on the motorway. So basically the highlight of your week was a huge dose of schadenfreude. Something like that, yeah. If you can hear some clicking in the background, that's Jav now googling schadenfreude. No, I just, like, I'm trying to work out how you spell it first before I can actually google it. It's going on mute. Elenca, what is sheldon? It's taking the delight in, the pleasure from other people's misfortune. Yeah, well, that's the title of my life autobiography then, isn't it?
Starting point is 00:04:50 We should probably call this podcast that. Oh, dear. Anyway, talking about pleasure and misfortune. Andy, how are you doing? How's your week been? Not too bad. It's been an all right week, actually. Can't complain. I met with some old friends. In fact, not even friends, just old colleagues really. You know what? I barely know them. Yeah, it's, you know, every now and then you've got to keep in contact with people that you've kind of known for 10 years, just in case you need a reference for anything. It's, you know, I just remember when I left my job at PwC and we had a big, big night out, and I stood up and went to the pub,
Starting point is 00:05:27 et cetera, put a whole bunch of money behind the bar. And at one point, you know, people said speech, speech. This is back in sort of like 2002 when that sort of thing happened. And so basically I stood up and said, I will think of all of you as people I once knew. It's true. We move on, right? We move on. No, it is still good to stay in contact every now and then, just sort of see what's going on, and then just kind of sad, miserable lives. Well, I just kind of think, actually, did I make the right move? Did I not? And yeah, on balance I think you did. Absolutely. Yeah, absolutely. That's good. But
Starting point is 00:06:06 talking to people moving on. Yeah, yes, very good. I was actually up in London on Monday night to meet my 74 year old cousin, which is lovely. Your 74th wife? Yeah, 74. So did you two go to school together? No, no, no, no. She used to babysit, used to babysit her when she was younger. Right. Him. But no, he was over from Australia, because that side of the family moved over many, many years ago. It's my father's sister's son. But it was really nice. You know, I think I'd met him when I was very, very young, so I have no recollection of it. But he was... Remember what you did last year? Yeah, exactly, let alone anything else. But he's got a cracking sense of humor. So he's only got one leg, which I think, you know, well, for a start,
Starting point is 00:07:05 you know, we were off. Always good material to start with. Always good material. But he's ex-Australian SAS. He, you know, he lost his leg in Rhodesia, blah, blah, blah. And he was talking about his missus. Rhodesia? We still say that.
Starting point is 00:07:20 Oh, sorry. Well, that's what he calls it. Sorry. What is it now? What's the modern, what's the real name for Rhodesia? Isn't it Zimb? Is it Zimbabwe? Zimbabwe, yeah.
Starting point is 00:07:31 Okay, okay. Yeah, it's funny. Do you know what? I just took it on face value. It's funny how you forget, you know, like Bengaluru instead of Bangalore and Chennai instead of... Look at Tom trying to cover up how he just slips into casual racism with his friends. Damn straight I am. Genuine mistake. Just took it on face value. We were talking about how his wife and daughter are in Spain, there's some long walk thing. Which, yeah, Spain is a long walk from Australia, you've got to give them that. Well, yeah, true. But it's like a pilgrimage thing. Anyway, so they're doing that. And I said, well, it's just as... Because he had an Apple Watch on as well.
Starting point is 00:08:11 I said, just as well, you're not going because you'd only get half the steps in. Yeah, it was a nice time anyway. It was really good. And then with my mother, the Duchess, as well, stayed overnight. So it was really nice to see her. Did a bit of network troubleshooting, which most people would have fixed in about 20 minutes and took me about two hours. You managed to stretch it out. Good. Well, I managed to be very, very confused. All it came down to was the
Starting point is 00:08:43 access point needed rebooting. Literally the first thing that people would do. Yeah, but it was coming up with certificate errors. That was the thing. Like, what? Anyway, talking of errors, certificate or otherwise, shall we see what we've got coming up for you this week? This week in InfoSec is a story about vice presidential candidates
Starting point is 00:09:05 using Yahoo Mail. Rant of the Week asks where we should draw the line on victims. Billy Big Balls asks won't somebody think of the poor banks? Industry News brings the latest and greatest security news stories from around the world and Tweet of the Week
Starting point is 00:09:22 queries a recent acquisition. So, let's move on to our favourite part of the show, the part of the show that we love to call... This Week in InfoSec. It is that part of the show where we take a trip down infosec memory lane with content liberated from the today in infosec twitter account and further afield and our first story shall take us back a mere 22 years ago to the 18th of september 2001 when the ninder worm was released utilizing five different
Starting point is 00:10:07 infection vectors it became the most widespread virus after only 22 minutes wow i did not know that yeah it's huge and obviously it was um there's a huge panic at the time it was a week after 9 1111 had occurred. And so, you know, the US didn't know if they were getting attacked on sort of multiple fronts. It was like, you know, that was a physical, now comes a cyber. But yeah, NIMDA was also known as the concept virus, obviously a worm. It could spread, as we mentioned, through multiple methods. So email, web servers, network shares, the email propagation, it could spread via we mentioned through multiple methods. So email web servers, network shares,
Starting point is 00:10:46 the email propagation, it could spread via email attachments and email messages, exploited web server vulnerabilities, network shares, multiple payloads for this virus, absolutely fantastic. So it could overwrite files, it slowed down machines, it could modify web pages. But yeah, like I say, it was known for its widespread disruption,
Starting point is 00:11:15 but most notably the speed that it could spread at. Kind of drifted off there. Did you lose your thread a bit? I did. I heard some typing in the background. More keyboard noises from Jav. I've got my quiet Apple keyboard and I wasn't even touching it. Yeah.
Starting point is 00:11:31 It wasn't... Do you know what? I reckon Andy's just hearing it in his head now. Yeah, yeah, yeah. Even last week he was like oh, I can hear something, I can hear something. He's such a keyboard Nazi. He is. Nazi? Nazi. He is. Nazi?
Starting point is 00:11:47 Nazi. You did not see that coming. He's going to tell us that the keyboard clicks don't track now. I love it. Jav's sitting there saying, it's not me while he's looking at his other screen, his arm going up and down like that. It's not me. It wasn't me at all. It his arm going up and down like that. And he's like, it's not me.
Starting point is 00:12:06 It wasn't me at all. It wasn't me. I don't know how I came off mute, but it wasn't me at all. Accidentally hit the space bar. Anyway, our second story takes us back a mere 15 years to the 16th of september 2008 when 20 year old david cornell compromised the yahoo email account of u.s vice presidential candidate sarah palin and then he posted her emails to 4chan and yeah two years later was found guilty and sentenced to a year and a day in prison which i mean if you think back then,
Starting point is 00:12:47 we thought Sarah Palin would be a bad idea as a vice president, right? And then we saw her emails. Yeah. And then, yeah, along comes, you know, the alternative candidates and one actually became president. But yeah, no, it's a huge cyber security incident back in 2008 um she was the then governor of alaska uh and obviously republican vice presidential nominee she she was um she was very qualified because she had lots of um uh foreign country experience because she could
Starting point is 00:13:20 see russia from alaska exactly yeah i mean they practically, yeah, it's the same thing, right? So the guy, David Cornell, he actually operates under the pseudonym Rubico. He managed to gain entry into her account by using publicly available information to reset her password. And then, obviously, once he downloaded her emails, he then shared that with um
Starting point is 00:13:47 the uh you know the the well-known uh group of people with high moral values down at 4chan but yeah no you know the incident did prompt sort of concerns about online privacy security and you know potential vulnerability of public figures to cyber attacks um but yeah it while it did have obviously humorous aspects of the uh the attack it is a reminder of the importance of cyber security and the need for individuals and public figures to take steps to protect their online laughs, you stay for the sage advice. Exactly. This week in InfoServe. You're listening to the Host Unknown podcast. Bubblegum for the brain.
Starting point is 00:14:44 the host unknown podcast bubble gum for the brain right let's move on shall we to uh well my favorite part of the show because i'm doing all the talking it's called listen up rent of the week it's time to mother rage right if jab finds fault in this, I'm sorry. I think I'm just going to pack it all in. I don't attack the story, I attack the man. Very good. As a man of moral turpitude, I can see there, Jav. So obviously, and we've said this on the
Starting point is 00:15:27 show a number of times we're we're always sympathetic to companies who get hacked and what they have to deal with you know we're not into victim blaming or supporting the the criminals or anything like that you know but um but there has to be a line drawn right there has to be a line drawn, right? There has to be a point where you question a company's ability to run business. So we're talking about T-Mobile. So T-Mobile has recently had another glitch, security breach, where it lets users see other people's account information. Customers were talking on Reddit and other social media accounts platforms about how when they log in, they're able to see other people's personal and sensitive information after logging into the company's official mobile app. The exposed information included customers' names, phone numbers, addresses, account balance,
Starting point is 00:16:32 credit card details, like the expiration dates and the last four digits. I mean, I guess at least they covered that, right? So it was first reported on The Verge. Some of the customers affected by the issue could see the sensitive information after they logged into their accounts. And although this surfaced in the last few days, it's actually been going on apparently for up to two weeks. on apparently for up to two weeks. One user said on Reddit, reported this issue when it first popped up here on Reddit over two weeks ago and sent pics of this other person's info to their security team. No response. Wow. Just wow. One customer said. Now let's put this in context. You know, things go wrong with your technology, right? You know, it's coded by humans. It's just, you know, stuff happens.
Starting point is 00:17:31 I've got to say two weeks is a long time, right? It should have been addressed the moment they saw it. But OK, it's given the benefit of doubt. Until you look at the history. you look at the history. So since 2018, how many times do you think T-Mobile has had a data breach? Three, four, nine, nine, nine times. That's nearly once every six months. That's probably something like once every 7.5 months on average. Are we talking about like proper breach or are we just like a little noddy? August 2018, attackers accessed the data of around 3% of T-Mobile users. That's tens of thousands of people. In 2019, T-Mobile exposed the account info of an undisclosed number of prepaid customers. In March 2020, T-Mobile employees were affected by a breach exposing their personal and financial information.
Starting point is 00:18:27 December 2020, threat actors accessed customer proprietary network info, such as phone numbers and call records. February 2021, an internal T-Mobile app was accessed by unknown attackers without authorization. August 21, hackers brute-forced their way through T-Mobile's network following a breach of one of its testing environments. April 22, the notorious Lapsus extortion gang breached T-Mobile's network using stolen credentials. Wow. And now this one. So it's just, you have to question, you have to question what is going on there. To be fair, they're not just exposing customers. They are at least the employees are also in on this.
Starting point is 00:19:16 They've got skin in the game, right? Exactly. If they say we're in this together, they actually mean it. They literally are in this together. T-Mobile, we don't discriminate between your data or our data. We lose all of our data. Yeah, we treat your data exactly the same as ours. But you have to ask.
Starting point is 00:19:39 I mean, maybe, and it would be good to see, you know, get some insider information here. Maybe, and it would be good to see, you know, get some insider information here. Maybe there are some real fundamental flaws in the platform. But I thought T-Mobile was one of the more modern operators, right? I thought they were fairly recent. They're not an AT&T or Verizon that were there from day one and therefore had, you know, probably still got mainframes running stuff and, you know and very poor integration and all that sort of stuff.
Starting point is 00:20:10 I thought they were one of the more recent operators for a start. So their tech stack should be fairly up to date. But who knows? You don't know also what their financials are like, apart from what is disclosed. And I assume they're still doing okay, but that might be because they're not investing money in tech. But you have to question, really, what is so fundamentally flawed in their environment
Starting point is 00:20:35 that it gets breached every seven or so months? Really, what is going on? What is going on? I wonder what the lifespan of their cso is do you know what that would be that that would be some good linkedin research wouldn't it that would be brilliant they've probably stopped calling them cso's now they're probably you know um master of the dark arts i don't know yeah i i love how on this story you started off by saying we do not like to victim blame and then proceeded to victim blame for the next five minutes straight in this
Starting point is 00:21:11 case damn straight bringing out bringing out digging up ancient history uh in yeah i think you'd find in 2018 you suffered a breach there in 2019 history you know to be fair it's constant there is something every year like they've not even yeah yeah they're consistent it's actually consistent yeah we only know about it from 2018 like maybe they didn't even have monitoring before 2018 wow i know but it's a bit like you you get house burgled, right? Because you, I don't know, you leave a latch open on one of your windows or something and your house is burgled. That's still wrong, right? But then you don't fix the latch and then you open the window and you get burgled again. It's like, oh, that's really bad.
Starting point is 00:21:58 If that happens to you nine times, you know, because you haven't fixed your window latch. Yes, you are being targeted, but you're being targeted because you're an idiot. Wow. So we've gone from we don't victim blame to T-Mobile, you're an idiot. Yes, they are. Quote by Tom Langford. Well, no, I'm talking about said homeowner who's leaving their window open. But yeah. Pulling no punches, wow.
Starting point is 00:22:30 So how would you take this story? Poor T-Mobile, bullied by playground hackers. By every hacker in there. T-Mobile sets up bug bounty program to teach kids the value of skills in important hacking skills or playground. To teach 16-year-olds living in mother's basement. Yeah, sets up non-financial incentivated bug bounty program. Yes, exactly. Exactly.
Starting point is 00:23:02 Do you know what? I like that. We should have, maybe we should change rant of the week to positive spin of the week you know oh dear anyway that was rant of the week recording from the uk you're listening to the Host Unknown podcast. Right, Jav, let's see how we can clash on this one. So this ties in quite nicely with stories that both of you have brought up
Starting point is 00:23:41 and the key messaging is like you know there's responsibility on every side when it comes to a breach or fraud specifically so you know when Andy was talking about Sarah Palin's email and it brought about that whole question about you know people should be a bit more savvy people should should, you know, they should take some responsibility, not use their real, you know. Anyway, so the question is, we are getting so much more payment transfer scams and fraud. Who is responsible?
Starting point is 00:24:21 And Singapore has shown they've got a pair of kahunas on them by announcing that they would deliver a consultation paper detailing a split liability scheme that will mean both customers and banks are on the hook for financial losses flowing from scams. for financial losses flowing from scams. Countries like Australia have also considered share loss schemes. Meanwhile, the European Commission has proposed a refund to victims of certain types of fraud, including authorized push payment scams.
Starting point is 00:24:59 The UK, not wanting to get left behind, next year will enforce a mandatory reimbursement by banks to victims, by banks to scam victims up to £1 million, with the sending and receiving banks sharing the bill. See, that's just going to make transactions harder. It is. Are you sure you want to make this transaction are you positive your customers or that know your customer stuff is going to go through the roof right it's yeah come to the uh come to the
Starting point is 00:25:34 local branch which is now 52 miles away yeah unless you live in wales unless you live in wales or scotland or Scotland or the Scottish Highlands where your mobile bank will drive up to you on the 3rd October or 3rd weekend of every month. If you're in Wales or Scotland, you just have to drive to another country to get to your local bank. Yes, pretty much. But yes, Singapore's Minister of State, Al Van Tan, has their view.
Starting point is 00:26:02 There are some views that banks can easily absorb losses arising from individual scam cases however full restitution without due consideration of culpability is neither fair nor desirable so it is really interesting because like you know banks have always experienced fraud like from from you fraud from the beginning. And a lot of them will set aside a certain amount of money to just absorb this because it's easier to refund people. Maybe there's like a £50 million budget a year. And that's easier to do than to actually then get into the whole litigation and who's to blame and who's not to
Starting point is 00:26:45 blame and having very expensive lawyers and what have you and uh and and the way of thinking of this is it it's all risk management isn't it it's all like you know can is this risk tolerable or do we transfer some of the risk and uh yeah it it reminds me of like my favorite explanation of this was from the movie Fight Club, where the main character, the narrator played by Edward Norton. He's like he works for a car company and he assesses accidents. He works for an insurance company. Insurance company. That's one. So I'm a recall
Starting point is 00:27:25 coordinator. My job is to apply the formula. A new car built by my company leaves somewhere traveling at 60 miles per hour. The rear differential locks up. The car crashes and burns with everyone trapped inside. Now, do we initiate a recall? Take the number of vehicles in the fuel, A. Multiply it by the probability of failure, B. Then multiply the number of vehicles in their fuel, A, multiply it by the probability of failure, B, then multiply the result of the average out-of-court settlement, C. A times B times C equals X. If X is less than the cost of a recall, we don't do one. And I think that's the very same formula that Mr Tan of Singapore is applying here.
Starting point is 00:28:06 Just with slightly less death attached to it, I guess. I don't know. The thing on this is it's taking such a binary view, isn't it? It's just taking a, you know, well, we're not going to. Yeah, you have to. I actually think this is a good move. Because the UK is making sure that the banks refund everyone, right? But if you think, you see the amount of people that actually transfer money,
Starting point is 00:28:35 you know, that then say they got victimized. You know, someone said that this. And you have to go through so many steps. Are you sure you want to transfer this money? Do you know who this person is? Are they asking you to make payment quickly yeah and it's like there's only so many times you can guide and you know people click through all of this stuff constantly and then you know face i see we all click through stuff i mean i don't know i actually think yeah because this way how many end user license agreements have you read?
Starting point is 00:29:09 Only about 692 as of last week. But I haven't installed anything for it. 694th is probably the one that's going to get you, right? Yeah, exactly. But people click through stuff because they become blind to it. And now they're going to learn. Yeah. It's going to learn today, boy.
Starting point is 00:29:28 It's too far the other way we need three strikes and you're out or uh or uh you know like the financial services compensation scheme they did well no because then otherwise people just keep getting defrauded they don't pay any attention they're not changing their behaviors yeah but you know they just know they've got a safety net of the what a million pounds is the limit well yeah, that seems rather extreme, I must admit. You know, I would have said something like 10 grand, five grand, you know. But I don't know. I just I just think skin in the game. Skin in the game is all well and good. But we also talk about how convincing a lot of these attacks are nowadays,
Starting point is 00:30:04 how, you know, how efficient attack is really convincing. also talk about how convincing a lot of these attacks are nowadays how a phishing attack is really convincing and how we all sometimes nearly get drawn in and they're designed to trick you and they're designed to do this so you are being robbed so we're not talking about financial
Starting point is 00:30:20 institutions where companies should have additional processes to to not get fished and tricked by this type of we're talking about average house users so someone that you know gets an email yes hey you know you've inherited all this money from an unknown relative you didn't know you had in yeah you know so they're getting even more they're getting more of these attacks. We've got 62 billion Zimbabwean dollars that we need to transfer,
Starting point is 00:30:50 but there's an administration fee to get it through customs. Unfortunately, anyway, it's Rhodesian dollars, I think you'll find, which only comes out at about £4.50 anyway, but nonetheless. No, I think Andy's right. I think this would be a two-step process.
Starting point is 00:31:10 I think one is it pushes more accountability to people to think a bit more carefully, but also it should slow down some of these transfers anyway. So banks should put in better controls. I know that the whole thing is on Faster Payments and everything, but if it's a new account you're making a payment to, and it's based in another country, or there's no agreement to recall funds and all that kind of stuff, then, yeah, you should slow it down. I think, you know, slowing down payments is a good, good measure for that as
Starting point is 00:31:41 well, especially if banks are 50 percent liable, or even 100 percent, whatever it is. That's not what you said when you needed that 100 quid off me the other day. What? Do it now, do it now, come on. I did it, I did it. Now, yeah, exactly, and they just proved that you fell for the scam, and now, you... I'm only giving you 50 pounds back to prove the point. Very good. Very good. It's an interesting one. It's an interesting one.
Starting point is 00:32:11 I guess we will see, right? I guess we will see. But yes, thank you, Jav, for that almost coherent Billy Big Balls. Billy Big Balls of the Week. We don't research the story, but let us tell you what we think based on the headline. You're listening to Insights from the award-winning Host Unknown podcast. And talking about crap from headlines, let's see what time it is. Andy, is it that time of the week?
Starting point is 00:32:54 It is that time of the week where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. Industry News. Caesar's Entertainment reveals major ransomware breach. Industry News. Pirated software likely cause of Airbus breach. Industry News. TikTok fined $368 million for child data privacy offences. Industry News.
Starting point is 00:33:26 A legal betting ring used satellite tech to get scoop on results. Industry News. Microsoft AI researchers leak 38 terabytes of private data. Industry News. Clorox struggling to recover from August cyber attack. Industry News. National Criminal Court reveals security breach. Industry News. And that was this week's... Industry News. Huge, if true. Huge.
Starting point is 00:34:14 Huge, one might say. So I'm looking at this pirated software. Oh, my God. Really? So we were actually talking just before the, uh, show, we were talking about how, you know, industries that have health and safety, yes, of mine, generally have a good culture of compliance because they understand the seriousness of it, and culture as well, they have a strong culture. They, yes, yeah, absolutely. Yeah, so that's the whole point. Yeah, so in this
Starting point is 00:34:43 situation it looks like, obviously, they've got the standard, Airbus takes cybersecurity seriously. Threat actor known as USTOD, claiming to work as part of the ransomware group, posted the data breach. Okay, so they stole data, lots of personal information, names, addresses, phone numbers, email addresses. So an employee of Turkish Airlines, um, installed some pirate software, a pirated version of the Microsoft .NET
Starting point is 00:35:14 Framework. Oh, man. See, that must be... I mean, that, that's free, right? That's not even... You don't pay for .NET Framework these days, do you? No, I don't think so. So presumably they just got it from a download site. Well, like I say, we don't research the stories. We just make judgments. But it should have done better.
Starting point is 00:35:41 Hey, from the headline alone, it's outrageous. Yes, exactly. TikTok fined 368 million for child data privacy offences. Witch hunt. I'm glad I'm not on that platform. Glad they kicked you out. Weren't you too old to join?
Starting point is 00:35:58 Didn't they say that your account was banned because you didn't speak Gen Z? You're not fluent in the... I'm down with the kids, innit? Yeah, your basic millennial left a lot to be desired. They couldn't validate you as a... So this was purely about default set. And this is, you know,
Starting point is 00:36:18 you don't see the other social media networks getting fined like this. So any account for children was set to public by default uh whereas the default behavior should be to ensure that any account um owned by children is private by default is is that enshrined in law that that uh account details for children should be set to i i assume that there is some sort of data protection um because it guidance which is very strongly saying that persons under the age of yeah because the interesting thing here is if they're fined 368 million you'd think it was because they were told oh by the way you know your settings here are wrong for children you need to change it and tiktok went nah fuck you we're not gonna we're
Starting point is 00:37:03 not gonna do that we don't care about kids' security. In which case, fine, hit them with a big cash fine and teach them a lesson. If it's kind of like, oh, we found a little loophole that you're not doing, then that's a different matter. That's what it feels like. It very much feels like that. It's a proper witch hunt.
Starting point is 00:37:21 Yeah. And to be fair, the Irish Data Protection Commission is not shy at dishing out big fines. No. Well, they need the money for their economy, for a start. Yeah. Yeah. So is this from Ireland, is it?
Starting point is 00:37:37 Yeah, it's the Irish DPC. Interesting. What else have we got? Oh, we covered last week actually caesar's entertainment reveals major ransomware breaches it's good to know that uh now they've come out and admitted it well that our news sources are now using us as a source of news right of course yeah caesar's realized they got breached. Yeah. So this TransUnion one, so ThreatActor claims major TransUnion data breach. So TransUnion's one of the big credit providers. And so three gigs of data were published,
Starting point is 00:38:17 sort of about 60,000 individuals of this data. The problem is this data has now been breached so many times, you can't even tell where it comes from. It's been rigged. And so this happens with a lot, you know, between the credit agencies, you know, particularly post the Equifax breach. Every time, like, you know, they sort of package up data, say it's from a particular company and sort of then state that, you know, we've got more but here's enough of the data to validate all the data is real you just can't prove where it comes from
Starting point is 00:38:49 yeah and so it's uh yeah and when you say three gigs of data it sounds like an awful lot until you get to microsoft levels of data. 38 terabytes. How many thousands of times larger is that? 10,000 times larger? I can't work it out. But yeah, that's a lot of data. I mean, you've got to wonder, has anybody even got systems large enough to deal with that data so this included um data including microsoft employees personal computer backups the backups contain sensitive personal data including passwords to microsoft services secret keys and over 30 000 internal microsoft teams messages from 359 microsoft employees you see you see something like this what they should should do is make sure that all the data is in one big zip file
Starting point is 00:39:51 because then you have to download the entire thing before you can open it up and read it you know which which of course nobody can do that's that's your security through obscurity if it's kind of like oh we can stream data and we'll get live data down, then, yeah, anybody can do it. But, you know, you can't sit at home and go, ooh, I'll have that data because you'll fill up your hard disk. It won't open because it's not a proper zip file. But done.
Starting point is 00:40:20 I mean, it's easy, right? Fantastic. That's Tom's security advice. Tom, you know, if anyone's looking for a competency so who thinks outside the box. Well, T-Mobile. Do you know what? T-Mobile could do it.
Starting point is 00:40:36 Yeah, I need a job for six months. Yeah, yeah, yeah. Maybe you could join the Krebs Stamos group. I mean, like, you know, you'd be in good company there. Friends of the show. Please come on the show, Krebs and Stamos. We'd love to take the piss out of you in person. Oh, dear.
Starting point is 00:40:56 I think that just about sums it up, really, doesn't it? Industry News. industry news people who prefer the smashing security podcast over the host unknown podcast are statistically more likely to enjoy the harry and megan documentaries read into that what you will that one's slowly going out of date as as har, as Harry and Megan are slowly falling in out of relevance. Absolutely. Right, Andy,
Starting point is 00:41:30 take us home for this week's tweet of the week. And we always play that one twice. And this week's tweet of the week comes from Lady G who is at Gab smash on X. And this is following the news of cisco's acquisition of splunk at a cost of 28 billion dollars and so lady g asks is this 28 billion dollars that cisco is giving splunk to buy them or just renew their license for the year it's so brilliant brilliant that is so true it is um you'd like to think they get a free license for that yeah spunk used to be great when they first launched they were like you know everyone
Starting point is 00:42:23 wanted to get to spunk then their prices just kept going up, kept going up, kept going up. Yeah. If you want to store anything beyond yesterday. Well, that's it. That's it then. All right. That was a short and sweet one. That was.
Starting point is 00:42:40 Tweet of the week. You can tell we've been on this since about half past five in the morning because I think we just run out of energy. Run out of coffee. Yeah, run out of coffee. Exactly. Exactly. Well, gentlemen, thank you so much for your input,
Starting point is 00:42:59 your radiant smiles that I can see on the cameras at the moment, and staying in all morning just to get this done. Much appreciated. Jav, thank you very much. You're welcome. And Andy, thank you. Stay secure, my friends. Stay secure.
Starting point is 00:43:21 You've been listening to the Host Unknown podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/smashingsecurity. What was that word again? Shade and fraud? Shard and freadenfreud. S-C-H-A-D-E-N-F-R-A-U-D-E. Yeah.
Starting point is 00:43:53 Autocomplete. You're obviously typing it an awful lot. When you get hit by a bus, I will be very, very happy. Is that a good word? Boom! There you go. Slapstick is the perfect example
Starting point is 00:44:07 of schadenfreude. As in slapstick comedy, not slapping someone with a stick. Oh. That's assault. Okay. Unless there's like the... Purple pineapple.
Starting point is 00:44:19 Purple pineapple. Purple pineapple? Wasn't that our safe word? That is safe