The Host Unknown Podcast - Episode 184 - The Bee in the Bonnet Episode
Episode Date: February 19, 2024

This week in InfoSec (08:40)
With content liberated from the "today in infosec" twitter account and further afield

14th February 2001: In a presentation at Black Hat Windows Security Conference ...2001, Andrey Malyshev of ElcomSoft shared that Microsoft Excel uses a default encryption password of "VelvetSweatshop".
https://twitter.com/todayininfosec/status/1757782275406622835

16th February 2004: The Netsky worm first appeared. It spread via an email attachment which, after being opened, would search the computer for email addresses and then email itself to those addresses. Its dozens of variants accounted for almost a quarter of malware detected in 2004.
https://twitter.com/todayininfosec/status/1758497889972576608

Rant of the Week (5:10)
Air Canada must pay damages after chatbot lies to grieving passenger about discount

Air Canada must pay a passenger hundreds of dollars in damages after its online chatbot gave the guy wrong information before he booked a flight.

Jake Moffatt took the airline to a small-claims tribunal after the biz refused to refund him for flights he booked from Vancouver to Toronto following the death of his grandmother in November last year. Before he bought the tickets, he researched Air Canada's bereavement fares – special low rates for those traveling due to the loss of an immediate family member – by querying its website chatbot.

The virtual assistant told him that if he purchased a normal-price ticket he would have up to 90 days to claim back a bereavement discount. Following that advice, Moffatt booked a one-way CA$794.98 ticket to Toronto, presumably to attend the funeral or attend to family, and later a CA$845.38 flight back to Vancouver.

He also spoke to an Air Canada representative who confirmed he would be able to get a bereavement discount on his flights and that he should expect to pay roughly $380 to get to Toronto and back. Crucially, the rep didn't say anything about being able to claim the discount as money back after purchasing a ticket.

When Moffatt later submitted his claim for a refund, and included a copy of his grandmother's death certificate, all well within that 90-day window, Air Canada turned him down.

Staff at the airline told him bereavement fare rates can't be claimed back after having already purchased flights, a policy at odds with what the support chatbot told Moffatt. It's understood the virtual assistant was automated, and not a person sat at a keyboard miles away.

Billy Big Balls of the Week (22:06)
Australia passes Right To Disconnect law, including (for now) jail time for bosses who email after-hours

Australia last week passed a Right To Disconnect law that forbids employers contacting workers after hours, with penalties including jail time for bosses who do the wrong thing.

The criminal sanction will soon be overturned – it was the result of parliamentary shenanigans rather than the government's intent – and the whole law could go too if opposition parties and business groups have their way.

European companies have already introduced Right To Disconnect laws in response to digital devices blurring the boundaries between working hours and personal time. The laptops or phones employers provide have obvious after-hours uses, but also mean workers can find themselves browsing emailed or texted messages from their boss at all hours – sometimes with an expectation of a response. That expectation, labor rights orgs argue, extends the working day without increasing pay.

Right To Disconnect laws might better be termed "Right to not read or respond to messages from work" laws because that's what they seek to guarantee.

Industry News (31:45)
US, UK and India Among the Countries Most At Risk of Election Cyber Interference
Southern Water Notifies Customers and Employees of Data Breach
Cybersecurity Spending Expected to be Slashed in 41% of SMEs
GoldPickaxe Trojan Blends Biometrics Theft and Deepfakes to Scam Banks
Microsoft, OpenAI Confirm Nation-States are Weaponizing Generative AI in Cyber-Attacks
Prudential Financial Faces Cybersecurity Breach
Google Warns Unfair AI Rules Could Empower Hackers, Harming Defense
Hackers Exploit EU Agenda in Spear Phishing Campaigns
New Ivanti Vulnerability Observed as Widespread Security Concerns Grow

Tweet of the Week (39:24)
https://twitter.com/MalwareJake/status/1758454999380557885

Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
I'll be finished by six and...
Well, you didn't turn up till 20 past.
Oh, well, you were on the phone till 30 past.
Fucking...
The mental gymnastics of this man
whilst he tries to justify being late is incredible.
I am Neo. I can dodge all your accusations.
I could do this all day, like Captain America.
My ideal job, and I told this to my boss one day,
I would be like that.
The person that does the press questions at the presidents,
like Lectern, I would love to do that job
because it's just like pure spin and like...
You can lie through your teeth and just claim it's alternative facts.
Yeah, so it's not a lie.
It's an alternative fact, exactly.
You know, you could do that just working for a different vendor.
Like...
Like Ivanti, someone who's got a really shit product, just go and work for it.
Allegedly.
Allegedly.
You're listening to the Host Unknown podcast. Allegedly, allegedly, allegedly.
Hello, hello, hello. Good morning, good afternoon, good evening, and welcome, welcome from wherever you are joining us, dear listener. This is, and I scroll to the top to check,
188 of the Host Unknown podcast.
We're only 12 weeks away from the 200th episode.
Are we going to do something special?
I know.
Are we?
Not I know.
Do we do 200 or 250?
Oh, God.
Well, we did say 100 originally, and then we never got around to it.
And then 150, never got around to it.
So I think we really know the answer, don't we?
Yeah.
Do we end it at 200?
This is true.
This is true.
You know, it may keep at least one of us out of trouble.
Well, actually, actually, it ended at 100.
We just get together, have this chat,
and Tom never records or uploads it, and that's it.
No, that's right.
Nobody has listened for the last however many weeks,
which is about right, which is about right.
And talking of inconsequential things, Jav, how are you?
Oh, wow.
Out with the casual racism straight off the bat.
This is what he's talking about,
how he can just flip things around when he's just, you know,
he throws something at him, boom.
Yeah.
No.
Yeah.
What, is it because I was brown?
Are you saying I do not have the right to defend myself?
Is that what you're saying?
OK, moving on swiftly. Yeah, let's not touch on those particular points.
Anyway, how's your week been, sir?
It's been good. It's been, well, I say it's been good. Half term, so the kids have been at home. The missus is away, so it's just me and, well, three of the kids. She took the other one with her.
I was gonna say, it's been fine. Did you guarantee that at least two of them would be alive when you got back?
Yeah, but midway through the week my dad was like, I'm not getting enough attention here, he's so busy with the kids. So he's like, oh, my chest. I got cold sweats and everything one morning, so I had to call the ambulance. And it wasn't a heart attack, it was an angina.
OK.
He spent a whole day in a hospital, and he's back home now, but he's, yeah, he's at that age where everything's going a bit downhill. You should know all about that.
And speaking of things going downhill, Andy. Andy.
I was gonna say one of my favourite jokes involves angina, but...
OK, I'm trying to figure out whether it rhymes with something, but...
Yeah, no, no, no, it's about acute angina.
Okay.
Move on.
I'll tell it to you afterwards.
Yeah, okay.
This is... Yeah, no, my week's actually pretty good.
I am just making sure that, you know,
hopefully the tax man's not listening.
But no, I had to cash out some shares.
I've just been burning through cash recently.
Really?
So I cashed out some shares from my last company.
Right.
But I also noticed my crypto is up and up.
I mean, like, well up.
What?
So you've got £25 now?
I now have £25.
From that initial £50 investment.
So when I stopped investing, like a couple of years back, I am up, I think it's about 23 on Bitcoin, and up 26 on Ethereum.
Wow.
And a couple of others, the other little ones, are still down.
What about your cummies?
My cummies, I actually kind of muted that for a minute because, you know, in order to extract them I need to go through a different network. It's not a straightforward transaction.
No.
And it is, I mean, that's a whole separate issue where I need to log back into finance and exchange them for another type of coin.
Your cummies are suffering from a little bit of ED, is what you're saying.
You know, this sounds a lot like, you know, some of my cousins from up in Bradford, and it's like, why do you have two mobile phones, bro? Oh, well, you know, I need to, like, I've got this one for my work and that one for, like, family stuff. And like, yeah, I just got a nice new beamer outside. I'm still in between jobs at the moment. But that's what it sounds like, Andy.
Oh, man.
Talking to suspicious people that do things up north.
Tom, how are you doing?
What?
That was tenuous.
You know.
Still tenuous.
Still tenuous.
Yes, very, very, very good. Although, and I really don't want to bring this down, but I do think we need to acknowledge this. I was very saddened to hear about the death of Dr Alan Solomon. He was a good friend of a friend of the show, Graham Cluley. So Graham, our thoughts are with you, and obviously with Dr Solomon's family, friends and colleagues. But he was one of my early influences back in 1991, when I was at a trade show called Soft Teach, because a friend of mine had a software company. And this is in a Heathrow airport. It was, you know, Microsoft had like a small hotel room to demonstrate their products.
I mean, this was like nascent stages.
Windows 3.1 was out.
It was that kind of time, right?
And it turns out that when I went to see Dr. Solomon's presentation and demonstration, Graham was there as well.
I was in the same room as Graham watching him in 1991.
And now look where we are.
You're in a hotel room with...
With Graham in 1991.
And funnily enough, old habits die hard.
Because as I said to him yesterday morning when we woke up,
I said, you know, just a few decades ago we barely knew each other. But mere decades ago, in '91, you must have been, what, your late 30s?
Yeah, something like that.
But I find that, you know, the way the universe brings these serendipitous coincidences together,
I find that quite fascinating.
I did wonder who that sort of skinny, gawky, you know,
spotty teenager was, stood next to Dr. Solomon,
but now I know.
Now I know.
Oh, do we.
So talking about prepubescent, spotty, gawky things,
let's see what we've got coming up for you this week.
This week in InfoSec is a story of default passwords.
Rant of the Week is a Canadian argument worthy of a Billy Big Balls.
Billy Big Balls is a ballsy move from the British Texans.
Industry News is the latest and greatest news stories from around the world.
And tweet of the week is a plea to make the compliance work easier.
So let's move on to our favourite part of the show,
the part of the show that we like to call...
This week in InfoSec.
It is that part of the show.
We take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And our first story takes us back a mere 23 years to the 14th of February 2001. In a presentation at Black Hat Windows Security Conference 2001, Andrey Malyshev of ElcomSoft shared that Microsoft Excel uses a default encryption password of VelvetSweatshop.
Ooh.
Yeah, and this is great.
Where does that come from?
Isn't that your password for Fiverr?
It is, yes.
I still use this password now.
So, the funny thing about the VelvetSweatshop password being, you know, default.
So malware authors to this day still encrypt malicious documents, sort of to avoid detection as they get emailed in.
And typically, you think it's going to require the victim to type the password to open the document.
However, it turns out that if you encrypt a document with VelvetSweatshop, which used to be hard-coded into all the old versions of Excel, for compatibility reasons the latest versions of Excel still support that password and will automatically decrypt it. So you can encrypt malicious documents with that password, so all your scanners can't read it. But if the end user opens it, you need something else on there to protect them.
So, so hang on. If somebody was to send me a password-protected Excel file and I type in VelvetSweatshop today...
Well, you wouldn't have to. That's the thing. It would actually, it would automatically open.
And that's still in use today?
It was as of two years ago.
I haven't checked the last two years, but I mean, it's a 22 years is a long run, right?
I doubt they would have fixed it in the last couple of years.
But they're saying it was left in for compatibility reasons.
Ah.
I'm going to try that.
True story.
Cool.
Let me send you something, Tom.
I'll keep you right now.
I just need to boot up this laptop.
There's no reason, but I'm going to send it from this other laptop.
So anyway, our second story takes us back just 20 years
to when the NetSky worm first appeared.
And it spread via an email attachment which, after being opened, would search the computer for email addresses and then email itself to those addresses.
And its dozens of variants accounted for almost a quarter of the malware detected in 2004.
And this was actually from a Sophos report, and they also talked about four other Netsky variants which made it into the top ten, and the Sasser worm. But a quote here: 2004 was the year of the Netsky, and that was a quote from Sophos senior technology consultant Graham Cluley.
Graham Cluley?
Yeah.
Yeah, adding that Netsky-P was the world's most widely reported virus
eight months after its discovery.
And he also went on with a drop in the knowledge, as always.
The time period between patch availability and worm exploit
is getting shorter than ever.
So he hasn't changed his quotes for the last 25 years, is that what you're saying?
Well, do you know what, you know, this was what I did like about this as I read up in the story,
so there's like an image of the type of attachment names that it attaches to emails that your message sends out.
And you've got things like WinXP underscore crack.exe, Photoshop9 crack.exe, Matrix.scr.
Oh, screensavers, yeah.
Exactly.
Everyone wanted this stuff back in the day, right?
Yeah.
Office underscore crack.exe.
I mean, everyone I used to work with, you know.
Hardcoreporn.jpg.exe.
Love it.
Yeah, exactly.
Maxpain2.crack.
What's the worst that could happen if I were to click on this file?
And obviously doom2.doc.piff.
But yeah, just type of things that...
These were the things people wanted back then as well, like Photoshop 9. Jeez, God.
And it's quite common to email those cracks round as well.
Yeah, it's a lot before they started blocking these things.
Yeah, yeah. So I heard. Yeah, I wasn't part of any of this.
No, but yeah, there was no filters or anything, so internally you'd email them around.
And I remember when someone got the Matrix screensaver, and everyone was begging them to, like, send it. So they sent it around and everyone had the Matrix on their, like, beige, like, big CRT monitors. It was like a Matrix, yeah, 15-inch giant thing that took up half the desk. Yeah, three people to lift. A 15-inch monitor was massive.
That was huge.
Especially if you got one of the Sony Trinitron curved ones.
Oh, I didn't have Sony, no.
I had Gateway.
Oh, Gateway 2000, yeah.
I remember having a 15-inch monitor for a weekend
and just being blown away at how big everything was.
And how much heat it could dissipate.
Yeah, exactly.
And how much it buckled your desk.
And that's the weekend after Tom lost all his hair.
Oh, dear. Excellent. Thank you, Andy. That was this week's InfoSec.
You're listening to the award-winning Host Unknown podcast, officially more entertaining than Smashing Security.
Right, shall we move on to this week's...
Right, we all know about chatbots and robots, right? These are the chatbots and robots that come in when you're typing and you're logging into systems to get hold of tickets and things like that. And they sort of say, hi, my name is Timmy the chatbot, how can I help? And it gives you no help whatsoever, normally, and you just keep typing, give me a human, give me a human, give me a human, until eventually it connects you to a human.
But in some cases, these chatbots and robots are useful.
So in one instance with Air Canada, a chap called Jake Moffatt has actually taken Air Canada to a small claims tribunal after the business refused to honour what the chatbot actually told him. So in this instance, a quick summary. Unfortunately, James Moffatt was travelling because of the death of his grandmother.
It was in November last year. And he researched Air Canada's bereavement fares.
Now, these are fares that I wasn't aware existed,
and maybe it's just an Air Canada thing,
that offer special low rates for those travelling
due to the loss of an immediate family member.
And he looked into this by chatting to the website Chatbot.
The chatbot told him that if he purchased a normal-price ticket he'd have up to 90 days to claim everything back, or to claim his bereavement discount, which is quite a significant amount. So he booked basically an $800 flight there and an $800, $850 flight back.
He also spoke to an Air Canada representative who confirmed he would be able to get a bereavement discount on his flights
and that he should expect to pay only roughly $380 to get to Toronto and back.
So that's basically a quarter.
You know, that's less than a quarter of the price.
So really quite significant.
Crucially, though, the rep didn't say anything about being able to claim the discount as money back after purchasing the ticket.
When Moffat submitted his claim for a refund,
including a copy of the grandmother's death certificate,
all within the 90-day window, Air Canada basically said,
computer says no.
Not great.
The staff told him that bereavement fare rates can't be claimed back after having already been purchased, a policy at odds with what the support chatbot told Moffatt.
And it's understood the virtual assistant was automated
and not a person sat at a keyboard miles away.
Now, the rant here is, if someone like Air Canada changes a policy, so they are well within their rights to not offer said discounts anymore, it's entirely up to them, but they do not update their systems to reflect that, that needs to be entirely on Air Canada. And how they can refuse this when given this kind of evidence, I think is absolutely shocking. It's such a trivial thing to build into and to update in the chatbot.
I think this is absolutely outrageous, frankly, because not only that, when you're changing any kind of policy, but especially when you're changing a policy to do with bereavement or something that's going to impact people who are at a very, very vulnerable period of their lives, or very, you know, very much in some cases maybe even at risk, etc., etc., you have to be so careful you get it right. And Air Canada, frankly, was not. This is shocking, to say the least.
It's probably more a sign of a large organisation just getting lost within its own bureaucracy.
But this is really poor, I think. Really poor.
I like how their argument in court was they shouldn't be held liable for an automated system
because it's not a real person.
No, see, this is...
An automated system that they own. I mean, come on.
Yeah, this is such a slippery slope.
Because the thing is, if you put these systems in place,
you need to vet them, you need to make sure they work accordingly.
It's no different than you publishing information on your, on a static website, that is wrong. You're going to be held to that standard. If you say, like, sale, 50% off, and you buy the ticket, they later say, oh no, that was a mistake, too late, tough. So you can't pass the blame on to, like, oh, the AI got it wrong. Go sue the AI if you want, which we implemented, or what have you.
It's just rubbish.
And there's so many cases of companies honouring these kinds of discounts, right?
So it's not, you know, and where they got it wrong, basically.
I think Hoover was one of the famous ones, wasn't it?
With their flights, with their free flights if you buy a Hoover.
Didn't it nearly put them out of business or something?
As a promotion, yeah.
Yeah, but they honoured it.
They actually honoured it, you know, to the best of their ability.
It's a bit like that.
It's a bit like Pepsi, where's my jet?
He didn't win it, though.
They did not give him the jet, which I think is outrageous.
When they say, oh, wow, obviously we didn't mean actually giving you a jet,
just giving the impression you could get a jet.
But, you know, the law is in our hands sometimes.
But in this instance, absolutely outrageous, right?
Yeah.
Yeah.
Air Canada not living up to its name of being a really, really nice airline.
Well, no, no.
It pains me to say I agree with you once again, Tom.
Oh, man.
This is a generational run.
We've not seen a run this long.
No, we haven't.
This has got to be like the Undertaker streak.
When will it end?
You had me up until that point, I have to say.
Right, that was this week's...
When the Undertaker takes him away.
Enough.
Billy Big Balls of the Week.
People who favour the Smashing Security podcast
are statistically more likely to eject USB devices safely.
For those who live life dangerously,
you're in good company
with the award-winning
Host Unknown podcast.
Let's see if we can keep this streak going
even longer than you did last year
before you got arrested, Jav.
When did I get arrested?
What, for the streaking incident?
The streaking incident?
I don't think I shared that with you,
but it might have been a TikTok that I sent to Andy just on TikTok.
Oh, I thought you were admitting to it then.
No, no, no, no, no.
But there was a streaking incident at the Super Bowl.
Superb Owl.
Yeah.
So there's a guy that streaked there.
And then some other, I don't know whether it was him or someone else, but it was someone else that made a TikTok saying, yeah, that was me. I spent 24 hours in jail, totally worth it, because I placed a bet, like a 20k bet, on whether there'd be a streaker in the match. And then I spent 10k to get, like, front seat tickets. And so I recovered my money and I'm 10 grand up.
Wow.
Surely whoever took that bet has to... I don't know.
That's rigging, isn't it?
No, that's just playing the odds.
Yeah.
I mean, to be fair, it wasn't actually the guy.
He wasn't the real streaker.
But, you know, the theory is sound.
Oh, I see.
Right. OK, let's move on. Let's move on. So today's Billy Big Balls is from a land down under, and, crikey, they passed a bill, that's the Right To Disconnect law, that forbids employers contacting workers after hours, with penalties including jail time for bosses who do the wrong thing.
And I think this is just such, I know the EU has something similar and what have you, but
you know, the criminal sanction will soon be overturned, apparently,
because that was the result of parliamentary shenanigans
rather than the actual intent.
And the whole law could also go
if opposition parties and business groups have their way.
So, basically, this is just a big bluff by Australia.
It is a big bluff, probably.
You say it's a bluff.
It's going in the right direction, though, right?
Yeah, but...
I mean, a lot of Europe already does this type of stuff.
No, no, but just for what Jav was saying there.
So there's a law being passed where bosses can be sent down for doing the wrong thing, except the being-sent-down part was just a mistake and is going to be backed off. And also, probably because of opposition parties and business groups, the whole thing's going to go anyway, potentially. But I think it's one of those things, once the question is asked, it's hard to unask it.
Unask it.
The bell has been tolled.
And so you can never completely, I think, reverse these things.
You can't take it back.
No, no.
So, yeah, I mean, in Europe we've already got these things because of the blurring between work hours and personal time.
But I was thinking about this just before we started recording, because clearly I spend a lot of time researching my stories, and in the five minutes that you two went to get a coffee before we started, I was reading it. And I think, like, when you think about it, like, who does this really impact? And I was thinking it doesn't really impact, say, like, retail workers, or people working on zero-hour contracts or, you know, fixed, you know, those kinds of people. So you clock off your shift at Tesco's at six o'clock. What's your boss going to message you and say, oh, where did you park the forklift or something? I don't know. It's like, you know, I don't think there's much there. So this really applies to office workers, knowledge workers. And especially since the pandemic, which feels like a lifetime ago, a lot of people have gone to either remote or hybrid working anyway. And that's benefited people greatly, because you sort of, like, have that flexibility. It's like before, if you had, say, like, a dentist appointment at 10 o'clock in the morning, you'd have to take half a day off because you couldn't get to the office till 12. But now you can kind of, like, say, I work from nine till quarter to 10, I'll go off to my appointment, come back, carry on my day. Maybe I won't have lunch or, you know, it's sort of like give or take when you were in this sort of environment. So I don't think it's wholly unreasonable for, like... Oh my God, I don't know if you just saw, Tom. I apologise, I got completely distracted. Andy got up and he's looking over his shoulder and he's ducking and diving as if there's some sort of, like, bug in his room, and he's just, like, ran out of his room and slammed the door behind him.
So I don't know what's gone on with him.
But...
What is he doing?
He's looking around at something.
It might be a cockroach or whatever.
I have no idea.
He heard this buzzing or something.
Or he might just be tripping.
He might have had some magic mushrooms before.
Look at him.
He's looking around.
What is going on?
Hello?
Andy?
What's happening?
So a giant angry wasp has come in from somewhere.
No, he's tripping on the shrooms.
No, and it kind of flew down and around.
Now I can't find it.
It was looking dazed.
So I don't know whether it's been sleeping or...
He's fine.
Just leave him alone.
Wasp or hornet?
Yeah.
Well, it looked like one of those giant murder hornets.
I'm surprised you didn't...
If it's the size of your thumb, it's a murder hornet.
If it's not, it's a wasp.
Well, he's got stubby thumbs.
Possibly even a bee.
No, it's definitely not a bee.
How is it in here, though?
I've got, like, my...
Yeah, OK.
Not happy about this.
It's disappeared now.
OK, so if we hear Andy scream later, we know what's going on.
Yeah. Yes. It's all right.
Right, so you were saying, Jav,
because I'm going to have to leave that in the edit as well now.
That's the worst part.
Yeah. So I think it only applies...
And there's lots of give and take here anyway. So personally,
I don't really mind like getting emails after hours. I mean, I get it when there's a,
as long as it's without an expectation to immediately respond. I mean, other than the
odd occasion, but then I feel like it's a bit of give and take. It's like, you know,
I get a bit of flexibility. The company gets a bit of flexibility. I'm not sure I'm completely on board. I get the intention. I know people would abuse this kind of thing. And there are lots of terrible, terrible bosses out there that do this a lot to their team.
I don't know if legal pressure or this is more of a cultural issue and something that organisations need to look at internally and implement some sort of measures and training and guidance and frankly, get better managers, I think.
But that's just my view.
I agree with you on that front. I think, you know, the fact is most people just want to do a good day's work and get done and switch off and all that sort of thing. And I think really this is aimed at the bad managers, you know. But you're right, there's a give and take, there's an ebb and flow. You know, when we're busy we do a little bit more, and when we're quiet, you know, we take that extra time in hand because we can. And I think that's important. But setting it into a law, which sometimes is the only way to make it work and to make it happen, is, well, that's going to be difficult, because then there's the thing about, you know, we can only do this if you come into the office, and then we've got that change as well to take into account. So, yeah, very challenging one. Very challenging one.
Yep, it is a challenging one, but...
Oh, I had something for that.
I'm gonna rename this to the most professional episode ever.
On which note, there's a bee in Andy's bonnet. Is it the Bee in the Bonnet episode? There we go.
Right, thank you, Jav, for this week's Billy Big Balls of the Week.
it doesn't matter if the judges were drinking.
Host Unknown was still awarded Europe's most entertaining content status.
So I think the problem that Andy's having with that bee, wasp, murder hornet, whatever, is that obviously they shouldn't be out at this time of the year.
So the guy's, you know, the little bee's clock is completely out.
So, Andy, perhaps if you tell it what time it is,
it will know to just go away back to where it needs to be.
So, Andy, what time is it?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire who have been very busy
bringing us the latest and greatest security news from around the globe.
That should do it.
Industry news.
US, UK and India are among the countries most at risk of election cyber interference.
Industry news.
Southern Water notifies customers and employees of data breach.
Industry news.
Cybersecurity spending expected to be slashed in 41% of SMEs.
Industry news.
GoldPickaxe Trojan blends biometrics theft and deepfakes to scam banks.
Industry news.
Microsoft, OpenAI confirm nation states are weaponising generative AI in cyber attacks.
Industry news.
Prudential Financial faces cybersecurity breach.
Industry news.
Google warns unfair AI rules could empower hackers, harming defence.
Industry news.
Hackers exploit EU agenda in spear phishing campaigns.
Industry news.
New Ivanti vulnerability observed as widespread security concerns grow.
Industry news. And that was this week's Industry News.
Huge if true. Huge if true.
Huge if true. Lots of AI news, isn't there? There is.
Microsoft stating
the bleeding obvious that
nation states are weaponising Gen AI.
Google doing what they do
best, crying.
That stuff is unfair.
Hackers are using spear phishing.
Who would ever think of that?
The UK, US and India, of all places, are among countries most at risk of election cyber interference.
Well, India, definitely, because they've had their entire country's database
hacked and slashed and beaten to death.
And I think everyone's probably got a copy of that on their phone downloaded by now.
I'd be surprised if they haven't.
I put it on text-to-speech and it helps me go to sleep.
I prefer the Sri Lankan version
because they've got, like, much more soothing and rhythmic names.
But I wonder, you know, India, US,
they're the two largest democracies in the world, right?
India's, you know, US is the second largest, you know, allegedly.
Yeah, democracies in inverted commas in both instances, I think, quite interestingly.
Yeah, but I don't know. What? Putin wins, you know. He's so popular, he keeps winning elections.
Yeah, 95% approval. And he's, um, the people who run against him turn up dead in prison, right?
So Navalny just, yeah, just been declared, no, died of natural causes today at the ripe old age of, like, 45 or whatever.
Yeah, yeah. No, they have an issue, actually. I think that there's a lack of engineers there, or quality control, so the windows are often not built to standard, so they often fall out of windows.
Deceleration trauma.
Yeah, yeah, yeah, yeah. Or sometimes it's, like, the doors on helicopters aren't, like, secured properly, yeah, and they fall out. So it is natural causes.
Yes, yes, indeed, yeah.
And actually, I have heard they often, because it must be, like, the same jars or something, they often mistake polonium with the stevia that they use.
Oh, stevia, yeah.
Yeah, yeah, yeah.
Because I've seen it.
You get them in supermarkets, they're right next to each other
in the similar packaging, so it's an easy mistake to make.
Little known fact, polonium in Russian is pronounced stevia.
That's where the confusion comes.
Easy, easy.
Well, what else have we got that's not the bleeding obvious?
Let's actually look at this.
This cybersecurity spending expected to be slashed in 41% of the Vietnamese, right?
But again, and I'm intrigued here,
they compare three countries,
UK, US and India,
in terms of what they're spending on.
But they're actually saying that the UK SMEs
offer a lot less formal cybersecurity training,
62% of UK SMEs versus 72.5% in the US and 74% in India. And 78% of UK SMEs have
an IT security position on staff versus 87% in the US and 94% in India. And again, like the UK is
actually just right down the list on these charts
I wonder if it's because the definition of an SME is something like two people up to 500, something like that. I wonder if there's a skew in the sort of, you know, the number of companies that have sort of less than 20, because, you know, if you've got less than 20 people in your organization, it's quite difficult to prioritize an IT security person, right? At least certainly full time. Um, but it'd be interesting to see the, you know, the raw data, in the sense of what are the sizes of companies that are saying they don't have security people.
I also think in India especially, you have this: they grew from a very, like, service-orientated model, where a lot of stuff was outsourced to them, yeah, and they delivered. So they were used to putting in place formal roles to meet the compliance needs in many cases as well.
So you mean ticking a box on an RFP for a big...
Yeah, yeah.
It's the same person who's the head of security,
the janitor, the local sheriff and the cowherder.
So what you're saying, Jav, is that India lies?
No, they're adaptable.
They're agile.
They said, do you...
The question was asked of them is,
do you have someone who's responsible for IT security?
And they said, yes.
OK.
It just so happens that person's responsible
for a lot of other stuff as well.
Yeah.
Not just security.
Exactly.
Let's actually close this with a slightly more
based-in-fact comment,
shall we, about something else?
Based-in-fact?
I find that very...
Yeah, I find that very...
I only did, in fact.
Oh, Ivanti vulnerability.
There you go.
I think that sums up your earlier point there, Andy.
Yeah, they're on a bad run at the moment.
They're suffering, aren't they?
Yeah.
If I was their head of product, I'd be like,
do you know what? I'm not up for this job.
Man down, man down.
Alright, on that bombshell, that was this week's...
Alright, Andy, time to take us home now with... and we always play that one twice... Tweet of the Week.
And this week's Tweet of the Week is a two-for-one. It's actually, the first part comes from Accidental CISO, who says: pro tip, if your organization does SOC 2, HITRUST, ISO 27001, etc., do yourself a solid and talk to your security or compliance folks before changing tools or cancelling subscriptions.
And Malware Jake tops this one and he says,
this is also known as we were compliant.
Which is very true.
Very true, very true.
Well, with many of those, you're compliant until they tell you you're not compliant.
Well, yeah, but do you know how people set up processes? They build these tools and, like, you know, you document them for, like, the nine months of your certification period, and then the auditor comes in next year, and before you know it, like, you're dealing with teams that have actually just completely changed the way they're doing things, and they're not recording it in the same way, they don't get the same evidence. They're saying, oh, you don't have to record stuff anymore, there's no output anymore, it's all automated, you don't need to know how this works. And it's like, well...
You sound like you've been stung by, like, this before.
And I have seen this in the wild, yes, I'll say that. This is, uh, yeah, you know, here's the network diagram. It now resembles a work of fiction. It doesn't resemble reality at all.
Uh, the best one I had was, um, I was at a financial institute, and one of their big public-facing services got hit by a DDoS attack. And, uh, so they're looking for, like, okay, let's do an investigation. And, uh, they brought in some consultants to look at it, and they're like, we can't find the logs. We can't find the logs. Nothing's logging anything. They must have taken it offline. But no, um, although the network diagram showed that you had IDS and all these other controls in place, none of them were actually turned on. In some cases, some of them weren't even deployed.
So, oh my God, it's, uh, yeah, that sounds painful. Wowzer.
Wow. On that gut-wrenching point, that was this week's... Tweet of the Week.
Well, gentlemen, we have... Well, we made it. We made it.
What were we going to call this episode again?
Not the professional episode. I can't remember now.
The bee in Andy's bonnet.
Oh, the bee in the bonnet episode, yes.
Andy's still frantically waving around. Do you know what it is?
I, on TikTok, for some reason, I've seen a lot of these, uh, videos where people, mostly in the US, destroy wasp nests with, um, like, jars of gasoline, yeah, where you fill it and then you just stick it over, and, like, the whole... it's amazing. But I've seen a lot of those recently,
and this murder hornet knows
and that's why it's come into my office.
Is that why you've got that green can of petrol
on your desk now?
It is, yeah.
I'm ready to...
I'm just curious where he came from.
If anyone could see,
Andy is truly like someone that's tripping on drugs.
He's like just swatting his hands around.
He's like looking around, dazed, you know.
You know, tapping his head, get out, get out, shut up, shut up.
It is a little like that.
I will send you evidence of the dead body later.
Yeah, OK.
OK, that sounds more ominous than it should do.
On which note, Jav, thank you very much for your efforts today.
You're welcome, and I hope to get a replacement fridge
once you receive the one I'm sending back to you, Tom.
Oh, great. Yeah, thanks. And Andy, thank you, sir.
Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever. r/SmashingSecurity.
Tom, in the edit you should add in, like, a bee sound in the background, you know, like that episode of, uh, Breaking Bad, where Heisenberg, where, you know, Walter White thinks there's a bee and he, like, takes apart everything.
That's right, yeah.
You joke. I saw it. It landed on my desk in front of me.
Typed out a note, you're dead, and then flew off again.