The Host Unknown Podcast - Episode 176 - The Jingle Free Episode
Episode Date: December 2, 2023

This week in InfoSec (09:40)
With content liberated from the "today in infosec" twitter account and further afield

24th November 2014: The Washington Post published an article which included a photo of TSA master keys. A short time later functional keys were 3D printed using the key patterns in the photo. https://twitter.com/todayininfosec/status/1728048404452782497

26th November 2001: "In an effort to turn the tide in the war on terrorism", Cult of the Dead Cow offered its expertise to the FBI. How did it plan on helping? By architecting a new version of Back Orifice for use by the US federal government. "THE CULT OF THE DEAD COW OFFERS A HELPING HAND IN AMERICA'S TIME OF NEED" https://twitter.com/todayininfosec/status/1728998509033238952

Rant of the Week (18:55)
Interpol makes first border arrest using Biometric Hub to ID suspect

European police have for the first time made an arrest after remotely checking Interpol's trove of biometric data to identify a suspected smuggler. The fugitive migrant, we're told, gave a fake name and phony identification documents at a police check in Sarajevo, Bosnia and Herzegovina, while traveling toward Western Europe. And he probably would have got away with it, too, if it weren't for you meddling kids Interpol's Biometric Hub – a recently activated tool that uses French identity and biometrics vendor Idemia's technology to match people's biometric data against the multinational policing org's global fingerprint and facial recognition databases.

"When the smuggler's photo was run through the Biometric Hub, it immediately flagged that he was wanted in another European country," Interpol declared. "He was arrested and is currently awaiting extradition."

Interpol introduced the Biometric Hub – aka BioHub – in October, and it is now available to law enforcement in all 196 member countries.

Billy Big Balls of the Week (27:42)
https://www.theregister.com/2023/11/28/cert_in_rti_exemption/

India's government has granted its Computer Emergency Response Team, CERT-In, immunity from Right To Information (RTI) requests – the nation's equivalent of the freedom of information queries in the US, UK, or Australia. Reasons for the exemption have not been explained, but The Register has reported on one case in which an RTI request embarrassed CERT-In.

That case related to India's sudden decision, in April 2022, to require businesses of all sizes to report infosec incidents to CERT-In within six hours of detection. The rapid reporting requirement applied both to serious incidents like ransomware attacks, and less critical messes like the compromise of a social media account. CERT-In justified the rules as necessary to defend the nation's cyberspace and gave just sixty days' notice for implementation.

The plan generated local and international criticism for being onerous and inconsistent with global reporting standards such as Europe's 72-hour deadline for notifying authorities of data breaches. The reporting requirements even applied to cloud operators, who were asked to report incidents on tenants' servers. Big Tech therefore opposed the plan.

Industry News (34:04)
Cybersecurity Incident Hits Fidelity National Financial
Cybercriminals Hesitant About Using Generative AI
Google Fixes Sixth Chrome Zero-Day Bug of the Year
DeleFriend Weakness Puts Google Workspace Security at Risk
Okta Admits All Customer Support Users Impacted By Breach
Thousands of Dollar Tree Staff Hit By Supplier Breach
Booking.com Customers Scammed in Novel Social Engineering Campaign
Manufacturing Top Targeted Industry in Record-Breaking Cyber Extortion Surge
North Korean Hackers Amass $3bn in Cryptocurrency Heists

Tweet of the Week (43:12)
https://twitter.com/JamesGoz/status/1730498780812767350

Come on! Like and bloody well subscribe!
Transcript
So now I'm in control. I'm the one that does, what, presses the record button.
So we're going to go for a jingle-free episode today, are we? Oh, it's going to be like Smashing
Security. Let's just be like... It's gonna be really weird, isn't it? It's gonna be very business-like.
And recurrent, of course. Yes. Well, it's good to see you again, Thomas and Andrew.
Let's get on with our podcast for the day. Okay, Javelicious.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you're joining us.
And welcome, welcome once again to episode one seven...
One hundred and...
Six!
Eighty.
Eighty!
God, do I say that with another flourish?
Yes, okay, let's try it again.
Yeah, welcome to episode one hundred and seventy-six.
One hundred and eighty!
Yay! Triple top.
But, or whatever it's called
No one leaves empty handed
Exactly
Let's see what you could have won today
For those who don't know
That was
Bullseye
I think wasn't it
A reference to Jim Bowen
Jim Bowen and Bullseye
Only the UK
Only England
Could have
A game show predicated upon darts.
Utterly bizarre.
And amateurs playing darts.
And people from the northeast, from like council houses, winning speedboats.
It was always a speedboat.
That's right, that's right.
They could use it in the Manchester Ship Canal, I guess.
Anyway, welcome, gentlemen.
We are, well, as we said, we are jingle-free.
Nothing's working in the Host Unknown Towers this morning.
The jingles aren't working, so goodness knows when you're going to get this podcast.
Hopefully not later than last week's podcast.
Not that either of you two noticed.
Oh, I definitely noticed.
And you know why I noticed?
Because some guy on TikTok called, I think, Graham Cluley,
he sent a message saying, where's the podcast?
Oh, I thought I'd go away with it because he normally texts me.
He normally messages me.
Everyone's on TikTok these days, Tom.
Apparently so.
I'd love to be on TikTok,
but I'm sure one of you got me banned.
I'm more convinced about that every day.
More convinced about that every day.
Anyway, talking of things that should be banned.
Jav, how are you?
That's a bit racist, but okay.
Nigel Farage.
Why is it racist?
It's racist because, what, the only brown person on this podcast is now like, should be banned, should be kicked out the country,
should not be allowed on these English-speaking podcasts. I see what you're doing there. I see what
you're doing there. But it's all right. This is not the first case of me being attacked by the man,
by the institution, not on this podcast and not in my life,
because today, tonight, later, I am doing a speed awareness course
because I was caught by those pesky average,
average speed cameras that they have on the mall.
Not even a distinctly better speed camera, but an average one.
It's a very average speed camera, exactly.
And it's really funny because we've got two cars in the house
and I have my motorbike.
And I was in the slowest car in our house
that struggles to get up to 70 anyway on a good day with a run-up.
And it was like, it's a 40 limit and I was doing like 45 or something like that. But so, but the rules don't apply to you, right? So what you're saying is...
What I'm saying is that had I been caught on my motorbike, I would have been like, fag, cop. It would have been worth it, right? Yeah.
Well, no, actually, the first thought would have been like,
how did they see my number plate when it's like literally
like two inches wide and like, you know, hidden under the seat.
But yeah, so I'm doing that.
So I'm giving more money to the government.
To the man.
To the man.
But to be fair, the alternative is taking points, right?
Yeah, and I don't want to take points.
No, you still get points, don't you?
No, they offer the speed awareness course.
Much like the ICO gives people the opportunity to learn from incidents
rather than be fined immediately,
you can do a speed awareness course once every three years.
If you get caught again within that three years,
then you get the points back.
I did one, well, within the last three years,
but I thought I got three points instead of six points,
but I don't know.
I have no idea.
We like points.
What do points mean?
Points mean prizes.
All right, my loves.
Good.
So that's the rest of your day sorted, because it's like a
four-hour course or something. Yeah, yeah, it starts at 6 p.m. tonight, so six till nine.
So I've ordered my dinner, Uber Eats, already to be delivered to my office in the back. Well, no,
well, the thing is, you're not allowed other people within, within range of where you're sitting. They're
really... You can do it, you can do it remotely.
Yeah, yeah, yeah, this is a remote one. They had to do mine in person. I know. So I've done one about
five, six years ago. Clearly effective. And that was... He's a repeat offender
and he's complaining about the man keeping him down. I was
evading the man
at the time.
You know, I did not realise he was chasing
me. I was trying to get out of his way, but he
kept getting closer and closer,
so I had to accelerate.
That's exactly it.
There was no safe place to pull over, so I was trying
to stay out of his way yeah
the officer should not be tailgating me with his blue lights on
But yeah, that was in person. But since COVID, then they introduced the online option, and now I think
they, they feel that it's cheaper to, to run. It's, it's a lot easier. It's a lot easier. Anyway, talking of repeat offenders,
Andy
how are you
all good
it's been a busy week
as you know
the temperature's
absolutely dropped
it's horrendous
and I am glad to say
I'm heading back to Mauritius
next week
so
yes you're missing
B-Sides
screw you guys
I'm out of here
this is the first B-Side
I've missed since the start.
First one in 12 years.
Jeez.
Yeah, I'm absolutely gutted about,
but unfortunately I'm on a bit of a tight schedule.
I cannot...
It's normally an annual reunion as well for the three of us.
It is.
So, yeah, we're going to have to do another one instead.
Yeah.
January.
We'll do one in January.
I'll give you Christmas presents then. Exactly, yeah, yeah. Anything that I get for Christmas I don't
want I will, uh, re-gift. Yeah, perfect for you guys. Yeah, so I, I look forward to my, um, gift box of Old
Spice. Yes, absolutely. And, uh, extra large t-shirts from a couple of years ago.
Yeah.
But talking of years going by, how are you, Tom?
Yeah, very good.
Yes.
Very good.
As you know, the podcast went out late last week. I was away for the weekend.
Everything just got on top of me.
You genuinely forgot.
Not far off.
Not far.
And do you know what?
The longer it went, like, Saturday, I must do
it Saturday because I had no chance on Friday. So let's do it Saturday. Oh, I don't fancy it. And
Sunday it was like, no, can't do it tonight. And then by Monday lunchtime I was thinking, oh my God, it's
gonna... if I've got to do it now, but I don't want to. It just got bigger than it was. But it was fine
in the end. It was fine in the end. I don't know what Jav's mouthing in there, but...
What were you saying, Jav? I said, that's what she said. Oh, please.
Oh dear. So, um, but yes, outside of that, being, uh, being working from home all week, uh, let's see,
that's about it, really. That's about it. You don't have to drag it out.
You can just say my life's boring, nothing to report. Yeah, my life's boring, nothing to report.
I did get some new Lego though, which I didn't pay for. I got it on Lego vouchers.
Oh, I thought you'd say you shoplifted it. Yeah, you were in old school. Yeah, that's right.
put the lego in the bag and nobody gets hurt.
We kind of look like Father Christmas.
There's an old guy with a big white beard.
It's the best time of year for you to be shoplifting, Tom.
Exactly.
Put a red hat on.
And talking of robbery with assisted violence,
shall we see what we have got coming up for you this week?
They get more and more tenuous every week, aren't they?
They do, yeah.
This week in InfoSec is moving from one orifice to another.
Rant of the week is all over your face.
Billy Big Balls is do as I say, not as I do.
Industry News is the latest and greatest security news stories from around the world.
And tweet of the week is about the good old days.
So let's move on, shall we, to our favourite part of the show.
And it's the part of the show that we like to call...
This Week in InfoSec. It is that part of the show where we take a trip down InfoSec memory lane with content
liberated from the Today in InfoSec Twitter account and further afield. Can I just say,
without the jingles we don't have to pretend they're actually playing and leave the right amount of space, which I think is what we've done up till now.
Absolutely. It just doesn't flow naturally otherwise.
It doesn't, does it?
I'm playing it in my head.
You can see all of us were singing it in our heads.
You need to do it. It's the, the timing. You don't want to throw off the
timing. No, exactly. It's like, yeah. But alas, our first story takes us back a mere nine years to
the 24th of November 2014, when the Washington Post published an article which included a photo of the TSA master keys, and then a
short time later functional keys were 3D printed using the key patterns in the
photo. So we know the US government has a history of advocating key escrow for
security purposes, obviously wanting to maintain a set of keys for potential use.
So the TSA introduced screener-friendly locks that used
one of seven master keys, which were exclusive to them. But in 2014, when the Washington Post
were covering this article, they revealed the images of all seven keys on the desk. And so
subsequently, all the keys became accessible for 3D printing, with security researchers releasing
the final key at the HOPE conference,
which is the Hackers on Planet Earth. And hackers explain their process of legally obtaining the
locks, analysing the inner workings and discovering a common pattern. But despite the security
concern, TSA downplayed the issue, stating that, you know, just the ability to create keys and
from a digital image and opening everyone's luggage does not pose a threat to aviation security.
And to remind us all to remove everything from our pockets, even the lint.
Yes, yes.
Take your belt off, remove your shoes.
Yeah.
That's great.
That's a good – I remember this one, Andrew.
But also there was like a a few years prior to that,
there was the case of on eBay, you could buy New York firefighters keys.
Oh, yes.
That opened every building.
We've covered these, because it's this week in InfoSec, right?
But yes, I remember.
Yeah.
I think those were great as well.
So for 4th of July, me and my daughter were over in New York this year.
So we went over there. She wanted to
see 4th of July fireworks. She'd never seen New York. And we, we were... I, I suggested to her, like, why
don't we try and acquire one of those firefighters' keys and we can get a really good vantage point to
see the fireworks. What's the worst that could happen? What's the worst that could happen? Exactly.
Clearly, she's a sensible one in the family,
and she said, no, that's not a good idea.
But I think it would have been a great idea.
I know, and orange really is your colour.
I was saying, waterboarding in Guantanamo Bay
sounds really good if you don't know what either of those things are.
Yeah.
Yes.
Wow.
Alas.
So we're actually going to talk about the war on terrorism.
So if we jump back a mere 22 years,
when I must have been about two or three years old,
to the 26th of November 2001.
In an effort to turn the tide in the war on terrorism, Cult of the Dead Cow offered its
expertise to the FBI. Now, how did it plan on helping? By architecting a new version of back
orifice for use by the US federal government. So this is obviously in the rifting world of cybersecurity.
The FBI embarked on a quest to develop top-notch electronic surveillance software.
So moving on from what was the, I guess, the bad publicity of Carnivore,
they came out with Magic Lantern, which was a rootkit for snooping on computers.
cDc, or Cult of the Dead Cow, they applauded the FBI's innovation,
but they believed they could sprinkle a dash
of public-private sector synergy.
So with their expertise,
especially in the realm of Back Orifice,
they opted to re-architect a stealthier,
more top-secret version for law enforcement needs.
So if you picture an artificial witness
thwarting everything from internet fraud to child pornography, the ultimate intelligence gathering
tool. And cDc's foreign minister boasted this is better than any other available tools, promising
it would be the cyber crime strategy cornerstone for federal prosecutors. And they also trusted the FBI
to use it responsibly,
as they say they have full confidence in federal law enforcement
organizations and their knack for following the law to the letter.
That sounds like one of those, um, you know, those plea deal statements. It's like, we will not
prosecute you if you read this out and say we completely trust all these agents.
When people are facing the camera like without blinking.
Yeah.
Yeah.
Yeah.
Or blinking SOS.
So one thing that's not related to the story, but you said like, oh, back like 22 years ago when I was like two or three.
I was at a conference earlier this week up in Leeds.
And after the talk and everything, there was a networking area.
I was chatting to a couple of people, and there was one guy there.
He's been working for a few years in security.
And he was like, oh, you must have seen stuff change and what have you.
And he goes, like, when did you start?
And I said, oh, I started in my first job in IT security was in 1999.
And he just smiled.
He goes, I was born in that year.
Oh, my God.
Wow.
Painful.
But that was the year that an explosion on the moon tilted,
knocked it out of orbit and sent it on a journey through the universe.
I remember watching a TV show about it.
But thank you, Andy. But, um, but also I'm going to add one more here, because I posted it to the group and you, you maliciously, did you know, denied its existence. This year, uh, 29 years ago, in 1994,
the made-for-TV movie Bionic Ever After was released, and this tells a story...
Everybody knows, everybody knows about the Bionic Man, the Bionic Woman, but this tells the story
of Jaime Sommers, played by Lindsay Wagner. Experience it! Who's the Bionic Woman, experiences
problems with her bionic systems. A discovery is made that it's
been infiltrated by a computer virus. How cool is that? I mean, that's entering into the, the, into the,
into the, into the, you know, the international zeitgeist of computer viruses. That is, that is
brilliant. That is brilliant. And in the, in the images, it has to be said that Lee Majors does not look particularly bionic.
He's looking a bit rough around the edges in the mid-90s.
Lee Majors has got that Hulk Hogan look about him.
He's never been young.
He's just been less old, a little bit less old.
He's always been old.
That's kind of like...
Actually, Tom kind of falls into that category as well.
I've never known Tom to be young.
He's just been less older than what he is now.
But speaking of Lee Majors, he was in the show The Fall Guy.
Oh, it's good old days.
He's not the kind to kiss and tell.
Yeah, exactly.
But he's been seen with Farrah.
But anyway...
He's never been with anything less than nine
Yeah so fine
The movie is coming out
With Ryan Gosling
That's right it looks really good actually doesn't it
The trailer looked really good.
I was pulled in, I've got to say.
I was pulled in.
I'm increasingly rating another Ryan in my list of Ryans,
and Ryan Gosling is one of them.
So, yeah, he's good.
He's very good.
Right, excellent, Andy.
Thank you very much for this week's...
This Week in InfoSec
This is the podcast the king listens to
Although he won't admit it
Right, that's my favourite jingle, that one
Definitely, we haven't played that one for ages
I don't know what I'm saying. I'm just making
myself problems for later on. Uh, let's move on to, uh, this, the angry part of the show. It's time for...
Right, I don't know where I stand on this, but Interpol makes the first border arrest using Biometric Hub to ID suspect.
So European police have for the first time made an arrest after remotely checking Interpol's trove of biometric data to identify a suspected smuggler.
So it takes a little bit to break down, but what it comes down to is there is a company, I think IDEMIS, is that what it's called? I think so. Yeah, it'll do.
Let's call it IDEMIS. I can't find it in the story now. Who have been sort of contracted to build
a hub of all biometric data that's been gathered by various
agencies and international agencies around the world, including, you know, as you know, anybody who's
flown into the US, you get, you get your fingerprints and your palm prints taken and
photos taken and all that sort of stuff. And what this search... Yeah, exactly. You get a freedom search, exactly. But what is happening for the first time now is that this company is collating all of this into a hub.
And what's happened for the first time is effectively Europol has got access to this data hub of biometric information that's been provided by other governments,
at the moment predominantly in the US, and has used that to identify a suspected smuggler and make an arrest as a result.
Now, that's all well and good, it would seem. It kind of makes sense. It's where we're going.
In fact, we were chatting just before the show that, you know, in many cases now you can walk through an airport.
You can even board a plane without showing your passport or your ticket or your ID or your ticket or anything.
Because once you've used that to gain access to the airport or through security, it's captured all of that data about you.
It's tracking you through there, much like casinos do. And all it needs is your face. It knows who you are and where you've walked
and all that sort of stuff. So it's kind of the way that we're going. And as I just said,
casinos have been doing this for a long time, blah, blah, blah. Not that you don't surrender
any of your personal rights as you enter a casino, but nonetheless. But this does raise some interesting
questions. On the one side, I might be thinking, okay, so now we can get people who are sort of
sneaking through the system, going into countries that, you know, that don't have, you know,
sophisticated methods of tracking people that, you know, have got maybe not very experienced staff on the security desks and passport desks
and all that sort of stuff to now where any government potentially anywhere could just flag
you as an undesirable and have you arrested at any single point in, in the world. And it's all well and
good, and it's the standard privacy, um, argument. It's all well and good while
governments are benign and while your government is benign and looking out for your best interests,
but what if that government changes and you become, you know, a political dissident or
undesirable to that particular government? What it means is that you've potentially got no,
that you've potentially got no place to go without being arrested.
Because, of course, at an airport, it's international, etc.
There's international laws that apply there.
And not necessarily the laws of that particular land that you might be in.
So this is both the inevitable march of technology, but it's also a little worrying, I think, about how actually ubiquitous and just insidious all of this technology is that's
tracking quite literally every single move you make. And then what happens when it moves from
airports and moves into shopping centres
and the high streets and, you know, when you check into a hotel and things like that.
And the whole thing of, well, if you've got nothing to, if you've done nothing wrong,
you've got nothing to worry about. But again, we go back to that old argument. So,
yeah, interested to hear what you guys think. I admit I, I find this difficult to rant about, but I also find it quite difficult, difficult to sort of swallow as well. So it's, it's, um,
it's an, it's a challenging one, this one. So, so it's been running for two months, right?
Yeah. And how many thousands of searches do you think it does per day?
Like 50,000, 100,000, whatever. A million. And it's identified one person.
Do you know what I mean?
I don't think we need to be worried about this technology yet
I think this is so inaccurate
Yeah, but yet
That's the point
We don't have to be worried about it yet
So
Part of me thinks we need to
Rename this section from Rant of the Week to Tom's, uh, Schizophrenic
Moment of, of the Week, because he's never sure which side of the fence he's on anymore. He just,
like, lightly treads, waffles on for, like, you know, a few minutes and then says, what do you guys think?
And then hope that we can add some much needed commentary. I'm beginning to wish I just said, what do you think, Andy?
You know, I think this is of no surprise to anyone.
And I wouldn't be surprised if this was been going on for a long time.
And, you know, this is just more of a press release, press statement and what have you.
You think they're drip feeding it to us because they've been doing it for years anyway?
Yeah, yeah. Wouldn't be surprised.
Well, it's probably using alien and UFO technology, right? I mean, let's face it.
Yeah, I mean, that's what's behind everything, isn't it?
They've got a call centre of cheap labour, literal aliens.
In the pyramids. In the pyramids. In the pyramids. In that pyramid in Vegas, the Luxor. The Luxor. Well, they've upgraded to that Sphere in Vegas. I know, yeah.
Imagine doing a, a security conference in there. That would be awesome. Have you heard that
London was going to get one? And Sadiq Khan said no. What?
They were looking to build one in Stratford
At the old Olympic site
I love how
When you read the stories
It's almost as if Sadiq Khan
Has got so much power
He sits behind his desk
Like, I don't know,
pressing buttons and having trap doors open.
Yeah,
exactly.
Like Kingpin or something.
So no,
we will not do this.
And yes,
we will do that.
Send him to the alligators.
Exactly.
Exactly.
It's whatever,
it's Stratford council or whoever.
Yeah,
I know.
I know.
It falls under,
it's on his watch.
No, no.
You know, I think, I feel so sorry for him. I feel like he's the scapegoat for so many things.
It's like central government cuts police funding.
Oh, Sadiq's gone London,
he doesn't have enough police officers.
Okay, I've got one word for you.
ULEZ.
Do you know who implemented ULEZ?
Boris Johnson.
Was it Bojo?
That was the original one, wasn't it?
It was Bojo.
Okay, extended ULEZ.
Yeah.
I'm in a ULEZ zone.
I actually, do you know what?
It's not actually as bad as people thought it was going to be.
Yeah.
Although they keep cutting cameras down, which is funny.
We keep finding them on the side of the road.
Good hobby, yeah.
Yeah.
But it's good for uniting the people, I think.
It's good.
We need something like that.
It's like what Maggie, sorry, Margaret Thatcher,
did with the poll tax, isn't it?
United the nation.
Oh, dear God, yeah.
Do you know what?
I refused to pay my poll tax when it first came out.
Didn't pay it and didn't pay it, didn't pay it
until the final, final court summons came through
and then I just folded like a jav and just paid it.
Oh, Thomas, I'm so disappointed in you.
Excellent. Well, thank you.
That was this week's...
Rant of the Week.
We're not lazy when it comes to researching stories.
Nope.
We're just energy efficient.
Like and subscribe to the Host Unknown podcast for more ESG adjacent tips.
OK, time for some more disappointment.
Let's move on to Jav's part of the show.
It's time for...
Yes, and it is that time of the show where we speak about, uh, a big,
ballsy move that someone might have done in the world of cyber security. Could be good, could be bad. I, I do not differentiate, despite what haters may say.
So this week firmly in, uh, in my scopes is the Indian government. Again.
It's never the Pakistani government, is it? Never the Pakistani government. Well, they clearly don't mess up as much.
That's all it is. In the world's name of that is we're talking.
So the Indian government has granted its computer emergency response team
the CERT-IN, which is probably for India.
Oh, I thought that was its LinkedIn name.
Yeah.
So it's given its cert immunity from right to information requests.
So this is the equivalent of your freedom of information
that you have here in the US or the UK or whatever.
So basically, if you go to the government... There is some reporter, I
can't remember which one she was, but she flew to the US. She asked the US under the Freedom of
Information to give all of my photos every time I entered the US. Like, they, they take a photo of you,
and it's really cool. It came up like, you know, you see yourself over 10 years of passport photos or whatever, like, you know, after coming off an 11-hour flight or something. And, and it's cool, but
you can't do the same with the CERT in India. You can't ask them, because they'll say no. And, uh, this,
uh, this was, uh... Photos? No, but they, they have information on whatever it was. It was an example of a type of information.
That's... So, Tom, Thomas, let's break it down. When we speak about data, that could be any sort of data
or information. It could be written records, it could be photos, it could be images, it could be
audio, it could be video. You know, with what I've learned today, I'm gonna knock
things out of the park at work today. Could be white papers, could be like PDF documents, could
be Excel spreadsheets, could be Power... Carry on, I'm writing these down, carry on. Yeah,
could be like, uh, Keynote, could be Pages. Well, it could be Keynote and PowerPoint. It could be Keynote and...
Wow. So anyway, India's right... So this came out in 2005, right? So this has been ingrained in there,
as a lot of governments did, to allow for transparency. And so, yes, you know, we're not
doing anything dodgy. Gotcha. Apart from anywhere like, anywhere like China. But I think there's been a shift in the sort of government somewhat
over the last few years.
It's definitely gone more, dare I say, right wing.
Oh, no, it's not.
They started off right wing.
Now they've gone pretty far right wing, extreme right wing.
Even like, you know, even your mate Nigel will look at them and say,
oh, Modi, I think you're going a bit too
far there i think we better bring it back a bit i'm a celebrity get me out of here uh anyway
uh apparently there was a case where someone requested some information and the request
embarrassed cert india so rather than do the right thing by saying hey we we may have messed up let's
fix let's fix it right let's say well from now on you're not asking us any questions
yes go to your room and think about what you've done
Um, so it's gonna have a good hard think. Yeah, yeah. So while, like, you know, it's...
You have to report everything to the...
Like, you know, within 72 hours kind of thing.
Like, you know, if you have, you know, a breach or something.
That's all the information they're collecting.
Six hours.
In the case of India, it's six hours.
Six hours?
Six hours.
It takes that long to even get half the execs in a room,
virtual or otherwise.
You just don't know what's happening within six hours.
Six hours, you probably don't even know you've had an incident
or there's just a, is this an incident or is this just like, you know?
An event.
Is this an incident or an event?
Exactly, exactly.
But, you know, so they gather a lot of information.
And this is everything from ransomware to just a social media account being breached or taken over or something like that.
So they gather all this information.
And, OK, you have your reasons for that, but, you know, radical transparency,
or the right to information, or doing the right thing, goes both ways. Yeah. And I think
it really undermines confidence in the government when you say, like, OK, you want us to give
you everything, OK, but then you're imposing a second set of laws and rules for yourself. And I think that's a pretty ballsy move.
It's very dictatorial.
And, you know, it's I'm calling it a Billy Big Balls move because that's what my section is called.
But it leaves a really, really light, you know, bad feeling.
Nicely caveated at the end there.
Very good. Excellent. Thank you, Jav. Billy Big Balls
of the Week. Security podcasts. Let's be honest, your cheap ass couldn't tell the difference between us and a premium security podcast anyway. I'm going traditional now, Andy. What time is it? It's
that time of the show that we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry news.
Cybersecurity incident hits Fidelity National Financial.
Industry news. Cyber criminals hesitant about using generative AI.
Industry news.
Google fixes sixth Chrome zero-day bug of the year.
Industry news.
DeleFriend weakness puts Google Workspace security at risk.
Industry news.
Okta admits all customer support users impacted by breach.
Industry news.
Thousands of Dollar Tree staff hit by supplier breach.
Industry news.
Booking.com customers scammed in novel social engineering campaign.
Industry news.
Manufacturing top targeted industry in record-breaking cyber extortion surge.
Industry news.
North Korean hackers amassed three billion in cryptocurrency heists.
Industry news.
And that was this week's.
Industry news. Now, I know our listeners are not going to hear this
but it's so much harder without the jingles
I know
I know
It's like our crutch
It's like you trying to present without
PowerPoint on the screen
which you can turn your back to the audience
and read them off the slides. Full detailed script on the slide. Yeah, written on my back. How very dare you.
Oh, no, sorry, you had the, uh, cue cards. That's the one. Yeah.
Two of my talks had cue cards. Two. Or I could have just stood there and sweated a lot.
Yeah.
Well, you do that anyway, but okay.
Well, I'm just reminded the first time I saw you speak publicly.
Yeah.
Let's not go there.
I didn't have cue cards, at least.
I know.
We could tell.
Oh, sorry.
So, cyber criminals hesitant about using generative AI.
So this is pretty much the hackers have the same issue that most companies have,
is that you can't necessarily rely on the accuracy of the stuff that's generated to launch attacks.
Well, I think I heard someone say the other day
that actually a lot of AI now,
it's learning from content that's been generated by AI
that has learned from content that has been generated by AI and so on.
So you're getting this...
It's almost like when you recorded music from cassette to cassette,
the copy of the copy of the copy.
Yeah, and it degrades over time.
And it's degrading over time.
Unless you use Memorex.
Memorex, yes, indeed.
Or my favourite tape of the time was the Maxell.
Maxell was the class one.
See, I always went, hello, Tosh, got a Toshiba.
Oh, yeah.
With a skeleton, yeah?
Yeah.
Good to see we all have different brands.
I'd always get the cheap pack from Woolworths anyway.
Me and my old mate, it was a standard birthday present.
It was a pack of three Maxell C90s.
Way before my time, I wouldn't know.
I've just heard about this.
Yeah.
What else have we got here?
Ooh.
Okta.
So what is it?
First they said only 1% of my customers have been impacted
and it's nothing.
And now it's like, actually, all of our customers were impacted,
and they got access to, like, a lot of your... Who's this? Uh, Okta. Oh, Okta, sorry, I missed that.
Yeah, so, um, so I'm being a bit flippant about it. You know, you don't always know what
the scope of the thing is when you give your initial thing. So that's why it looks like, um, you know, the breach was much worse than previously thought. And I think,
you know, this is just like, this is where the trends go, isn't it? First it's like, let's use a
password manager, or let's use some security in the cloud, and then criminals start attacking it, and
then all of a sudden, maybe cloud isn't as great as we thought it was going to be. Yeah. Everything we use is going to
be vulnerable at some point by some people. Wow, I see North Korean hackers are amassing 2.5 billion
in cryptocurrency heists. Uh, 2.5 billion pounds? Yeah, three billion dollars. Uh, two
billion pounds. Wow. Yeah, it's the old one, it's the old one. Yeah, almost 1,500 dollars. Yeah. Um,
do you know what, like, what are they doing with this money? Because they're not spending it on
country or infrastructure or any of that stuff, right?
No, exactly.
It's bizarre.
And also, crypto is an interesting one.
It's not like it's going back up.
No, but it is going back up at the moment. Oh, is it?
Yeah.
So my losses are coming back closer to sort of like 15%.
Your losses are only now considerable rather than excessive.
Yes, exactly.
I was tempted to cash out earlier in the year.
But I thought, no, hold on till next year.
Because, you know, next year is going to be the big one.
It's always next year.
I've given up on all kinds of investment when my, you know,
when I cashed out when Bitcoin was 7,000 and then like four weeks later it was 20 and then six weeks later it was 30.
And it's like, for goodness sake.
So, yeah, I've just cashed in all my investments.
I've got no clue.
That's not right.
It's like on Reddit someone asked, like, people who work at casinos, what's the saddest thing you've
seen, or something. And the guy's like, I saw someone win 25k on a slot machine,
and he was, like, really happy. And he goes, I ended my shift and went home, and then he had a day off.
He goes, I came back, like, literally two days later, and he's there having lost nearly all of his 25k back in the slot machine. Oh my God. Yeah, but that's not so bad in
terms of, like, you just lose what you've made. Yeah, yeah. When you go the other way, chasing those
losses thinking it's gonna come good, it's like, the house always wins. It does, it does. But, um, I,
Geoff White, friend of the show. Yeah. He, I saw him speak, uh, recently at an event, and he was
speaking about, uh, North Korean hackers. And, you know, he is to North Korea what, um, Richard
is to China. But, um, he was saying how a lot of the North Korean hackers aren't based in North Korea because they have a really tiny internet pipe and everyone's watching it.
So they're abroad.
Sent out.
Get off the phone, Kim Jong-un.
I'm in the middle of hacking someone.
Exactly.
Exactly.
And so they have to be self-sufficient.
So they have to fund themselves, and they have to send money back.
But he was like, the laundering process is so complex,
and law enforcement just doesn't know.
So he was like that.
They caught some people driving out of the UK on the Eurotunnel to Europe,
but they had a new Merc, they had two Rolexes each,
and, you know, so that's how you get, like, a quarter of a million out of the country
really easily, as opposed to in cash or something like that. But he goes, like, no one knows what the
connection is, like how these people in the UK were connected to North Korea, and how they were
getting the money and how they were
laundering it, and what have you. So it's an intricate web. So, um, yeah, I think, like,
how they get the money is one thing, then what they spend it on is another thing. But I think
it's probably like we're going to see more, um, cryptocurrency sort of, like, regulation,
or try and like put better tracking in place.
I think that's the way the governments
really want to go.
It's not like they haven't had a
decade to work it out, is it?
No, they first want to get
you addicted to the drug and then they
bring you down.
Excellent.
Okay, let's call it there.
That was this week's...
And that was my third favourite jingle, I have to say, of all time.
So, Andy, why don't you take us home with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week comes from James Gosnold.
Friend of the show.
And 3,198 others.
That's James Gosnold.
So he says,
when I was a one-person IT team
supporting 200 more users
across 16 sites,
I rebooted servers at lunchtime.
I'm talking 25 years ago
and I was paid approximately
£28,000 per year.
They didn't get 99.999 service
levels for that. And I think we can all relate to that. I used to work with a guy, um, well, myself
and, right, I worked with a sysadmin. He had issues, right, as a lot of sysadmins did in the early
noughties. Normally anger issues. Yeah, serious. So we had to support this company who
was a friend of the CEO, um, and so they had the servers in our racks, and he would literally just be
sitting there and he'd just say, oh, scheduled downtime, and just get up, walk over and unplug
their Ethernet cable that powered their switches for their service. And this is, like, you know, the
dot-com era, when, like, you know, things were going... And that was it. We just used to call it scheduled downtime.
And he'd just get up, unplug it.
And if they called, he'd say he'd look into it and then sort of fix it.
If they didn't call, he'd plug it back in after about an hour or two,
depending on what he felt like.
But things were wild back then, man.
They were.
They were.
I mean, there used to be like Wednesday and someone would say,
you know, so-and-so production database has been down since Friday.
And everyone's looking at each other.
Really?
No one knew.
It couldn't have been that important, could it?
I've had that before where, you know, ready to go home in the evening
and received an email, you know, webmaster app account,
and it's just a screenshot
or an image, and it's, like, a message saying, I think your SQL logs are full. And it's, like,
a screenshot of, like, an error message on the website saying your SQL logs are full. Oh, wow.
And, uh, yeah, I mean, I was like, calling, right, no idea, because, like, now the disk is absolutely full.
what can you do?
It's not like elastic demand now.
You can't log in.
Yeah, exactly.
It's not like it's on a separate disk.
It's all the same disk.
Yeah, so we let it grow too much.
We didn't realise that the transaction log...
What's a partition?
You need to prune it.
You need to have the log set up so they overwrite every 48 hours or something.
No logs, no evidence.
Good times.
Good times.
I remember our server room not having any racks.
It was all tables.
Stacked.
Stacked and
kitchen work surface
that had been put in.
We used to keep beer in the comms room because it was the coldest place.
Yeah, yeah, yeah.
Exactly. It was madness.
Absolutely madness.
Very good. Excellent. Thank you, Andy,
for this week's
Tweet of the Week.
When listeners leave the
Host Unknown podcast in favour of another
security podcast, they raise
the average IQ of the show.
Gentlemen, thank you so much for your time, contributions,
and general good humour this week.
So, Jav, thank you very much.
You're welcome, as always.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to
the Host Unknown Podcast.
If you enjoyed what you heard,
comment and subscribe.
If you hated it, please leave your best insults
on our Reddit channel.
The worst episode ever.
r/SmashingSecurity. You guys are such plagiarists.
I don't know if you've watched any of the Tice Talks that I do,
but that's how I sign off on my Tice Talks now.
And if you steal from one person, it's plagiarism,
but when you steal from many, it's research.
Don't tell me you've stolen my sharks and coconut example as well.
And toothbrushes.
Oh, my God.