The Host Unknown Podcast - Episode 192 - The Unedited Episode
Episode Date: May 8, 2024

This Week in InfoSec
With content liberated from the "today in infosec" twitter account and further afield
27th April 2012: The Information Commissioner's Office (ICO) in the UK issued its first-ever data breach fine to an NHS (National Health Service) organisation, fining Aneurin Bevan Health Board in Wales £70,000. https://www.digitalhealth.net/2012/04/first-nhs-fine-issued-by-ico/

Rant of the Week
Dropbox dropped the ball on security, haemorrhaging customer and third-party info
Dropbox has revealed a major attack on its systems that saw customers' personal information accessed by unknown and unauthorized entities. The attack, detailed in a regulatory filing, impacted Dropbox Sign – a service it bills as an "eSignature solution [that] lets you send, sign, and store important documents in one seamless workflow, without ever leaving Dropbox." So basically a DocuSign clone. The filing states that management became aware of the incident last week – on April 24 – and "immediately activated our cyber security incident response process to investigate, contain, and remediate the incident." That effort led to the discovery that "the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings."

Billy Big Balls of the Week
Chinese government website security is often worryingly bad, say Chinese researchers
Five Chinese researchers examined the configurations of nearly 14,000 government websites across the country and found worrying lapses that could lead to malicious attacks, according to a not-yet-peer-reviewed study released last week. The researchers concluded the investigation has uncovered "pressing security and dependency issues" that may not have a quick fix. "Despite thorough analyses, practical solutions to bolster the security of these systems remain elusive," wrote the researchers. "Their susceptibility to cyber attacks, which could facilitate the spread of malicious content or malware, underscores the urgent need for real-time monitoring and malicious activity detection." The study also highlights the need for "stringent vetting and regular updates" of third-party libraries and advocates "a diversified distribution of network nodes, which could substantially augment system resilience and performance." The study will likely not go down well in Beijing, as China's government has urged improvements to government digital services and apps and often issues edicts about improving cybersecurity.

Industry News
Google Blocks 2.3 Million Apps From Play Store Listing
Disinformation: EU Opens Probe Against Facebook and Instagram Ahead of Election
NCSC's New Mobile Risk Model Aimed at "High-Threat" Firms
Lawsuits and Company Devaluations Await For Breached Firms
UnitedHealth CEO Confirms Breach Tied to Stolen Credentials, No MFA
REvil Ransomware Affiliate Sentenced to Over 13 Years in Prison
Security Breach Exposes Dropbox Sign Users
Indonesia is a Spyware Haven, Amnesty International Finds
North Korean Hackers Spoofing Journalist Emails to Spy on Policy Experts

Tweet of the Week
https://twitter.com/summer__heidi/status/1783829402574639187

Come on! Like and bloody well subscribe!
Transcript
Yeah.
Oh, this is like one...
Oh no, it's the reactions of a one-legged blind snowcat.
What?
Or a slug on Valium?
I don't know.
What are we talking about?
It's got to be some sort of sloth reference or something?
I don't know.
You know, what is it?
The best things come
to those who wait.
Procrastination wins.
So this is a problem, right?
This is a problem
when we record late
on a Friday night.
Everyone is just burnt out.
Yeah.
Shall we just crack on then?
Yeah.
Let's do it.
You're listening to the Host Unknown Podcast.
Hello, hello, hello.
Good morning, good afternoon, good evening from wherever you are joining us and welcome.
Welcome one and all to episode 196.
192 of the Host Unknown podcast.
Welcome, dear listeners.
Thank you for joining us once again and welcome the two of you.
Jav, hello. How are you, sir?
I'm good. I'm good. Unlike you two, I'm not burnt out completely. I'm lying. I'm completely and utterly nuked and destroyed. But yeah, it's been an interesting week. The weather's
been really strange up and down. We've had thunderstorms. We had nice, pleasant days.
We've had freezing cold days.
You know you're really scraping the bottom of the barrel
when you start talking about the weather.
Yeah, can't you tell us about your back alley again or something
or your neighbourhood watch or something?
My back alley has had no action for a while now, so, uh, nothing going on there.
Well, maybe the fact that you're here for a second week in a row, this is like, you know, like the total eclipse, where like maybe twice in a lifetime. That's what it feels like, getting you on this show as a guest two weeks running. It's like maybe twice in a life, maybe a listener will have heard your voice now twice on this podcast.
So speaking of my voice, my colleague Perry has been playing around a lot with AI and everything, and he took my voice from a podcast and he created an AI clone of it that made a phone call to social engineer someone.
And honestly, had he just sent it to me
saying, here's a recording of you,
80% of me would be convinced
that that really was me making that phone call.
Do you know what software he used?
I can find out for you, but he's using a lot of different things, stitching them together and what have you.
Yeah, whatever a good one is for that, for audio, and one for video as well, would be really appreciated. Yeah, no particular reason whatsoever, guys. Asking for a friend.
Yeah, yeah. Although potentially it could mean that we could get the Friday afternoons off, right?
Indeed. Well, yeah, there is that as well. Let's just, yeah, I'll just automate it, pipe it into ChatGPT podcast.
Yeah, yeah, you know, or we could just outsource it like Amazon do, to a thousand guys in Bangalore.
Well, that's what I mean. AI, actual Indians.
It's not like we've told that joke before.
But talking of tired old jokes, Andy, how are you?
Not doing too bad, thank you.
It's been a long, long old week as everyone else has been through.
I think, yeah, one thing, I did actually renew my GIAC certification this week, which I've
held since 2012.
And I thought this would be the year I actually just gave it up.
And, you know, I was looking at the content and I was like, wow, you know, maybe I'm getting
a bit long in the tooth to be down with all of this content, and it's, yeah, a bit more of a helicopter view. Um, but no, with one minute to spare before expiry I, um, did it, literally at 11:59.
What?
Yeah, it was.
So did you leave that renewal fee in a high interest bank account until the very last minute so that you could then, like, take it out and pay?
Yes, that renewal fee which I stuck on my credit card, uh, the very last... And you know what, I actually renewed my CISP at the same time. That was due back in February and I was like, you know what, I'm going to let it lapse this year. I'm not doing it again.
and then I was like
do you know what, I've paid for the GIAC
I might as well pay for the CISP as well
and in 15 seconds before
midnight you submitted your tax return
well no
I do leave my tax return until the
30th of January every year
or 31st of January every year.
I just work better under pressure, okay?
Let's just, yeah.
No, I've only ever been fined once.
Once personally and once for my company.
That was...
But hey, we're not going to get into stories
of getting fined for company mistakes, are we?
No, we're not. We're not. Otherwise we'll be here all day.
Absolutely not.
Talking of mistakes, Tom, how are you doing?
Oh, come on.
That was poor.
You could have done so much better than that.
Very good.
Again, I agree.
Maybe we're going to have to change the timings of this because Friday evening is not a good time for high energy and japes and capers on the podcast.
Not at our age.
Not at our age.
Or you guys' age.
Exactly.
Yeah, the slug on Valium is definitely an actor analogy right now.
But yeah, it's been a bit of a week.
But the highlight was the Wednesday when I went up to London,
Notting Hill, went to a club there, you know, down with the kids
and watched my...
On a school night?
No wonder you're so tired today.
A bingo club.
A bingo club.
No, it was underground as well.
I was like, where the hell is this club?
Oh, it's this one doorway.
Did you go underground?
I said, OK.
I did check to see if I had both kidneys as I came back out.
But yeah, so I watched my son's band perform and I was their official photographer as well, so if you follow me on Instagram you'll see the photos on there too. So, uh, yeah, so it was very good.
Well, we got the preview via WhatsApp. We received some photos, uh, via WhatsApp and I commented one of them actually looked like a stock photo that you'd get off Adobe.
I wasn't sure if that was a compliment or what. This looks just like a stock photo, uh, thanks.
No, it's a good one. It's, it's one that you could, uh, probably sell.
Yeah, yeah. So, uh, so yeah, I popped them up on Instagram, but yeah, it was really good to see them perform and see him perform. But my son's the bass player, which I always tell him, you know,
why did you choose to be the knobby bass player in a band?
Nobody wants to be the bass player.
But the lead guitarist was like a young Marc Bolan,
like this skinny, beautiful kid who's just...
Jesus, man. Now you're showing your age, Tom.
I know.
I think Marc Bolan was dead by the time I was born.
Who is that, anyway?
Not far off for me, actually.
Who's Marc Bolan, says half the audience. But, um, yeah, he was such a good guitarist and so photogenic. It was, he was really, really easy to take photos of. So, shall we see what we...
Sorry, I just have to quit.
I'm not even joking.
He was dead before I was born.
76, wasn't it?
He died in 77.
Oh, 77.
Yeah, there you go.
Yeah.
That is 10 years before I was born.
Yeah.
Yeah, but come on.
He's some of the greatest glam rock
And, you know
Early 70s
Music came out of Marc Bolan
He was so good
But he died at 30
Yeah, he crashed his Mini into a truck
Yeah
It's an absolute
Absolute loss
Huge loss.
Anyway, but if you look at the photos, you'll know what I mean.
Talking of car crashes, shall we see what we've got coming up for you today?
This week in InfoSec talks about an NHS first.
Rant of the week is the age old abuse of power.
Billy Big Balls says it was
China. Industry news is the
latest and greatest news stories from around the
globe and tweet of the week
is sound advice on how to
increase your resistance to
malware. Right
let's move on shall we to
our favourite part of the
show. Slightly shorter this
week but it is the part of the show that we like to call...
This Week in InfoSec.
It's because I'm not wearing shoes
I look slightly shorter this week, Tom.
Nothing other than that.
It is that part of the show where we take a trip down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account
and further afield.
And this week we have gone further afield.
I just want to say, I just want to say, you and I both know, Andy,
that you're not the shortest one out of this trio.
This is true. This is true.
Shut up.
Fake news. Fake news.
Our first story takes us back a mere eight years to the 27th of April 2012,
when the Information Commissioner's Office in the UK issued its first ever data breach fine to an NHS organisation,
fining Aneurin Bevan Health Board in Wales £70,000.
And this was due to a series of errors by members of staff in the trust.
Firstly, an unnamed consultant emailed a letter to
a secretary for formatting, included different spelling to the patient's name, but failed to
include any other unique identifier, such as their hospital number or NHS number. So they were sent
out to everyone. And so, yeah, as a result, letter containing confidential and highly sensitive
personal data, including the report from the consultant detailing contacts with the patient
over a period of six months, was sent to the wrong person.
And so the monetary penalty that was issued by the ICO had said that
sex agents are used to letters arriving in this state.
So it wasn't like a one-off.
This was actually a systemic issue, which is why they took the decision to fine them quite highly. But as we know, these days the ICO has changed tack, and rather than sort of fining NHS and hitting them, making them pay fines with public money, they are taking the time to educate them instead, hoping for better outcomes instead of defaulting to fines.
So hopefully changing things for the better.
Quick point of order
how long ago was 2012?
8 years
8? 12 years?
Damn! I lost four years.
This is why you keep saying you're so young.
You think it's 2020.
Oh, damn. What the hell?
Did your brain just fart then?
It did.
I told you, it's Friday night.
It's been a very long week and, uh, I didn't even, uh, insert this story into the show notes this week. I will hold my hands up. So...
And I, do you know what, I thought this is such a small number, I don't even need a calculator for it.
Well, I shall, I shall leave the calculator noise out because you obviously didn't use it.
Oh, man.
I can't believe it was only 8, 12, whatever, many years ago
that the ICO only issued their first fine.
Surely it would have been before that.
How long has the ICO been around?
Oh, for a long time.
It's a first fine to an NHS body, not to anyone at all.
Oh, I'm sorry.
Right, right, right, right, right.
Tom was so fixated on your mathematical error,
he didn't listen to any of the story.
He was just waiting for his opportunity.
He wanted to attack the man, not the content.
Exactly.
Well, yeah, absolutely. The content's sound.
It's the man who's all over the place in this instance.
Anyway, excellent.
Thank you for that, Andy.
That was this week's...
InfoSoup.
This is the EasyJet of security podcasts.
Let's be honest, your cheap ass couldn't tell the difference between us and a premium security podcast anyway.
Very, very true. Right, let's move on to, uh, the ranty part.
It is... Listen up! Rant of the Week. It's time to mother rage.
So the headline is Dropbox dropped the ball, or even the box, on security, haemorrhaging customer and third party info.
Now, you may think that this rant is squarely aimed at Dropbox.
It's not necessarily, although let's just take a look at the high notes here.
So Dropbox revealed that they had a major attack on its systems that saw customers' personal information accessed by unauthorised people, entities. The attack, which was found in a regulatory filing, had impacted Dropbox Sign. It's a service, I guess like DocuSign etc., that it bills as an e-signature solution that lets you send, sign and store important documents in one seamless workflow without ever leaving Dropbox. So yes, the DocuSign clone. Now, they became aware of the incident last week, April 24th, or just a little bit longer than last week, and immediately activated our cyber security incident response process.
And all I can hear now is robot noises and flashing red and yellow lights.
So they found that the threat actor had accessed data related to all users of Dropbox Sign,
such as emails, usernames, as well as general account settings.
Probably no doubt documents as well.
They accessed phone numbers, hashed passwords, authentication information,
such as API keys, OAuth tokens, multi-factor authentication.
They got the crown jewels, basically.
And third parties who received or signed a document through Dropbox,
signed but never created an account, also had email addresses and names exposed.
So you didn't even have to be a member of Dropbox to be affected.
You just had to have signed a document sent through them.
So, thankfully, Dropbox found no evidence the attacker accessed the contents of users' accounts, such as agreements or templates, and also that Dropbox saw no evidence that its other products had been impacted primarily, I guess, their file sharing applications.
Now, this is where the rant comes in. I'm sorry, we see a question from the audience. Yes?
Yes, sir. No evidence of files being accessed is not the same as, like, the absence of evidence is not evidence of absence.
No, I agree. Sustained. I second that motion by the right honourable gentleman. Anyway, just move on.
It's not the point I'm making.
So the nugget of positivity, as El Reg puts it,
is that it hasn't seen evidence that other products were affected,
although it's more likely to be a happy accident
because Dropbox Sign is actually from an acquisition from a startup
called HelloSign that they acquired in 2019, a mere one year ago, according to some of
our members on this show.
Now, which is great.
You know, it does mean that they didn't move laterally through the tech stack.
But this is where I think the real rant is.
And it's a couple of things.
One is the only reason this didn't go any further is purely because Dropbox
had not integrated this acquisition into their tech stack.
If they had got it into their tech stack, potentially, I guess,
brought it up to date and made sure that it was consistent
and that they actually had proper monitoring, et cetera,
this may not have happened in the first place.
But the real issue here is because of this, a weak point was exploited.
So companies that are just going out and growing through mergers and acquisitions
and then just leaving these stovepipes of companies there to do their own thing
is a great way of growing, but not necessarily a great way of providing the best security
and the best singular approach for their customers.
So it wouldn't be surprising if there's actually been many more situations like this. I can't think of any off the top of my head, but I know there are some out there,
where literal acquisitions that have not been integrated have been attacked,
but not the core product.
And it's just, you know, this is what frustrates me on this front. It's almost like, well, I don't want to say laziness, but it's like this unwillingness to integrate and harmonise and actually put the hard work in, rather than just buy the damn thing and put it out there and say, hey, it's got a Dropbox logo on it, we're all good. Um, now I see one of my other learned gentlemen stroking his beard in a very, very suspicious manner, and so I'm looking forward to what Jav has to say on this.
Oh no, I, I, I was just thinking M&A Man is... He's the one with M&A hair.
And I'm thinking about like all the things that are going through his head as you are bashing organizations for going through acquisitions without integrating it,
as if like integration is as easy as putting a conservatory on the back of the house.
So, you know, it is difficult.
Integration is difficult. Integration is difficult. Of course it is. But one of the things that, you know, we had to prepare,
I call them targets, right?
We used to call them targets, but we're told to call them prospects
because it's less aggressive.
But one of the things we used to prepare prospects for,
so obviously I worked for a big company, regulated entity at the time.
And so depending on the company we were buying,
we would have to go for
approval from whatever regulator operated in that industry, like Competition and Markets Authority,
Monopolies, Mergers Commission, you know, whoever it was, depending on the country.
But what we could evidence, and what we saw from very early on, is that by monitoring the traffic on, um, you know, acquisition companies we were acquiring before the deal was announced, because obviously, you know, you don't go public until you're ready, so we would literally have sense, and we had like measurable, demonstrable evidence of the type of attacks the company received before they had publicity versus the amount of attacks they got from the second the deal went public.
So as soon as it hit the press newswire, you see those attacks would spike, go through the roof, which is why it's so important that during that DD process you identify the weak points, you put in mitigating controls, you close the gaps, and then you have a rapid plan for integration. Because, you know, people, whether they're smart or not, they just assume that you can get to the mothership through the acquisition, which in this case they did. But, uh, you know, ultimately from day one you are liable for that company, so anything that happens to them, that is your problem, um, you know, from the day it happens.
Do you know that this is going to be a slight segue, but what you say there is so true.
From the moment you acquire it, you are liable for them.
That also includes any even sort of personal lawsuits or court cases against you from ex-employees that are outstanding. So, you know, if your company acquires, you know,
a company that's got an unfair dismissal claim,
you inherit that as well.
You know, even though you have nothing to do with it.
And if you need any assistance with due diligence
or background checks on board members or members of staff,
then hit me up.
I can offer a discount.
Use code HOSTUNKNOWN10 for a 10% discount off the list price of, uh, due diligence checks that, uh, that we can perform.
Don't accidentally put HOSTUNKNOWN100 because that's the wrong...
Yeah, please don't do that, because otherwise I'll be operating at a loss.
No, break even.
But I think, like, what, what it is is that, like, you know, acquisitions are a very multifaceted thing, and it's not just the tech stack that you're integrating, it's the cultures of two companies.
Yes.
And sometimes that's the hardest part. Like, you sometimes see years and years after an acquisition, people still refer to themselves as X or whatever. Like, yeah, you know, they still refer to them as the company that they originally were hired by and not the, the new entity.
Yeah.
And, uh, and that kind of thing also creates silos within departments and old kids' clubs and what have you. So, um, and I think that's probably, like, you know, again, another overlooked aspect of it, where, you know, we've acquired you and now nothing's going to change, except for everything. And then, like, people end up getting vexed and leaving and what have you.
So, do you know, I will say that with the, um, if you actually look, you know, at a complete M&A plan when you acquire a company, or certainly, you know, in, in my experience, obviously, I was very focused on the cybersecurity aspect and the integration works that need to happen from the security point of view.
But when you actually look at the overall roadmap to like you say, you know, HR working on the cultural aspect, integrating, getting people on payroll, you know, new bonus structures, things have to be changed from what they had previously, you know, to align with the wider group.
You've got branding that needs to go out,
you've got marketing, you've got product, everything.
So much needs to happen.
And particularly if they're a small company,
you are competing with that exact same resource
that the rest of the organisation is competing with
in order to get what they need to implement.
So, yeah, no, I do have sympathy with it,
but for five years, absolutely zero sympathy for Dropbox.
That is more than enough time.
Agreed.
Fantastic.
Well, we've got complete...
What's it called?
We've got consensus.
Consensus, thank you.
No, I just completely agree with Andy.
I don't agree with you, Tom.
Yeah, that's fair.
Rant of the week.
This is the EasyJet of security podcasts.
Let's be honest, your cheap ass couldn't tell the difference
between us and a premium security podcast anyway.
You're listening to the award-winning
How's that randomiser working out for you?
Like a real security podcast, but lighter.
Well, it was working all right. Anyway, uh, shall we move on? Let's see if, um, if I can agree with... but not Jav on this one. It is, and, uh, this is a great Billy Big Balls. I think there's, there's five researchers out there who I think we, we salute their bravery and ginormous balls for what they've done. There are five Chinese researchers and they have called out the Chinese government.
That's a bold move.
They have indeed called out the Chinese government. 14,000 government websites across
the country, to be exact, and found worrying lapses that could lead to a malicious attack.
According to a not yet peer reviewed study, and I don't think it ever will be peer reviewed, to be honest, but you know.
Oh, I'll review that.
They said, yeah, no, they want someone off their peers, off their quantity...
No, like you said, oh yeah, I'll volunteer to, to review something against our slightly, uh, oh, overzealous government when it comes to punitive, uh, sanctions against individuals.
Yeah, yeah. So, you know, they, they said that there's a lot of, like, issues with the DNS servers. They said that the, the, the ISPs China Mobile, China Telecom, China Unicom and Alibaba Cloud occupy 98.29% of the market, which explained that if one of the ISPs experienced a failure or attack, the entire network could be affected, causing widespread service outages.
They found unsigned DNSSEC signatures, and they found that, you know, you know, there's entire subdomains that could be knocked out easily. Anyway, they ran a ZAP, Zed Attack Proxy.
They found over 10,000 sites not configured with the X-Content-Type-Options header, which, as you know, Tom, makes them vulnerable to MIME type spoofing attacks.
Over 10,000 sites did not set the...
Yes, yes.
Which, Tom, as you know, the Content Security Policy, CSP header, which increases the risk of cross-site scripting attacks. You know, the list goes on and on. So, like, you know, there's lack of CSRF controls, there's missing anti-clickjacking headers, making them more vulnerable to, Tom, cross-site scripting, clickjacking attacks. Sites had not enabled cookies for the HttpOnly flag.
Session hijacking.
Yes. Cookies lack the SameSite, which may put the cookies at risk of improper access.
I'm just laughing at Tom's face. He's like...
Anyway, the list goes on.
Someone's panicking here.
It was quite a comprehensive study.
But the story ends with, the study will not go down well in Beijing.
Really?
As China's government has urged improvements to government digital services and apps. And I think that they are going to take the, the Lloyd's Banking Group approach, and like, if we get rid of these researchers, we won't have any vulnerabilities.
I was going to say, what are these four security researchers going to do?
Yeah, who are them three?
Yeah, exactly.
I mean, either of them, both of them are in trouble, right?
Yeah, yeah.
I mean, that's a brave researcher right there, standing alone against the government. I'm just, I'm looking at, you know, unrelated news.
This thing about five Chinese researchers were arrested yesterday for anti-communist activities.
No word has been given on the date of the trial.
I mean, that's clearly not related, right?
No, no, clearly unrelated.
I mean, it could only get worse for them if they work for Boeing.
Yeah, I tell you, those statistics are racking up, man. Those are getting unexplained.
Yes, yes. I, I reckon there's a movie in the works already. It's, uh, it's like the, the movies before, like that were done about the big tobacco, when they were like the informative, you know, the whistleblower type movies where someone tried to say, no, they're lying to you.
I was going to say, Liam Neeson
is the whistleblower.
Yeah.
Yeah.
Yeah.
But yeah,
I think we joke about it
and everything, but honestly, I
wouldn't have the guts to, to blow a whistle on, on a big organisation like big tobacco or pharma or the Chinese government or Putin or the... Not unless you're safely in another, like, basically on your deathbed and you know you're already dying. And even then, I want to die on my own terms. I don't want, like, some, some foreign regime to have the honour, the pleasure of depriving me.
You called it Tom, the deceleration
trauma combined with acute
concrete poisoning
That's the one
That's the one
That's the Putin style.
Yeah.
Oh, dear.
Putin style.
Ding, ding, ding, ding, ding.
Well, if only there were any researchers around
that could talk to this in China about these sites.
But, yeah, it's...
If you're talking about the big balls on these researchers
that don't exist, Jav, I completely agree with you. Billy Big Balls of the Week.
This is the award-winning Host Unknown Podcast, guaranteed to be a solid five out of ten at least
once a month or twice your money back.
And you can take that to the bank.
Unfortunately, this episode is not one of those five out of ten episodes.
Right. Andy, it's well, it's that time of the show, isn't it?
What time is it?
It's that time of the show where we take a trip to our news sources over the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Google blocks 2.3 million apps from Play Store listing.
Industry News.
Disinformation. EU opens probe against Facebook and Instagram ahead of election.
Industry News. NCSC's new mobile risk model aimed at high-threat firms.
Industry news.
Lawsuits and company devaluations await for breached firms.
Industry news.
UnitedHealth CEO confirms breach tied to stolen credentials.
No MFA.
Industry news.
REvil ransomware affiliate sentenced to over 13 years in prison.
Industry News.
Security breach exposes Dropbox Sign users.
Industry News.
Indonesia is a spyware haven, Amnesty International finds.
Industry News
North Korean hackers spoofing journalist emails
to spy on policy experts.
Industry News
And that was this week's...
Industry News
Huge if true. Huge if true.
Uh, I'm immediately drawn to the two words at the end of the middle one there, No MFA. Uh, so UnitedHealth CEO confirms breach tied to stolen credentials, credentials without any MFA. That's quite concerning for a health tech titan, as they are described.
Yeah, so this came... Oh, the revelation surfaced in UnitedHealth CEO Andrew Witty's written testimony submitted before a House subcommittee hearing today.
Damn.
Yeah, concerning the breach,
the February 21 breach that wreaked havoc across the American healthcare network.
So criminals used compromised credentials
to remotely access a Change Healthcare Citrix portal
using an application used to enable remote access to desktops,
and the portal did not have multi-factor authentication. So once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and then exfiltrated data. Ransomware was deployed nine days later.
Damn.
Wow.
So your data's been going out for over a week before they decided to ransomware what was left.
That's kind of like, let's take the valuable stuff.
Let's lift out the valuable stuff
before we lock up what's left.
Jeez.
And Google blocking 2.3 million apps from the Play Store listing. Jeez, that's, that's a lot of dodgy apps, isn't it? That's a lot of crap on the Play Store.
Well, we know this. Yeah.
Yeah, this is a bit like, so it's interesting, I was talking to someone yesterday and they
were talking they worked for one of these online digital agencies
that managed a lot of the advertising networks.
And they're like, because Google also encourages people
to have multiple versions.
It's like kind of A-B testing of your ad.
Yeah, yeah, yeah.
Now, if you as a publisher post like
700 different ads for different regions, different languages, different A/B testing and what have you,
if one of them gets reported for, like, having malware, they only take that one ad, because
it's not beneficial for them to take you down as a... so the other 699 still run there and what have you.
What? So financially it just doesn't make sense to take down everyone, when you think about
what happened to "do no evil".
Oh, well, yeah, it's not always Google though, is it? They outsource to third parties.
They sell space.
Yeah.
And then that space is, you know, those people then can sell that space.
And, you know, the chains of people involved in these can actually go like 15 layers deep.
Yeah, I know.
I know.
It's just subletting, subletting, subletting.
They're pretty high on that,
on Tom's Facebook shit list.
Last one I'll just add: Indonesia is a spyware haven, as discovered by Amnesty International.
I had no idea Amnesty International looked into spyware and these types of malwares.
So they're saying that Indonesia has become a hub for spyware and surveillance tools that threaten citizens' rights and privacy.
So I guess that's their angle.
But it's actually quite a detailed technical report.
They're saying that the tools primarily came from Israel, Greece, Singapore and Malaysia,
you know, including things linked to NSO Group, FinFisher and others.
And it's also like quite an elaborate money layering scheme,
or like the purchases made through like lots of different entities with lots
of different countries, I think Singapore's in them and what have you, like where they...
to just hide the source and the destination and what have you. Yeah, the equivalent of digital
laundering, but instead of for money, for software sales. And yeah, this is what Amnesty
has been getting involved in more and more over the last few years, because it relates a lot to activism and people's... so journalists, okay, places, and you know,
sort of like health or like charity workers or aid workers who are being targeted by sometimes
like regimes who don't want them, and so it's all that kind of stuff. Crikey, it's all very interconnected,
isn't it?
I mean, you've got
organisations like Bellingcat
which just started from somebody's
front room because he happened to be interested
in stuff and now it's
expanded into
they're now invited to
security briefings by various
governments and stuff like that
just because
of how good they got at it. Same's going for Amnesty though, you know, their breadth of work is spreading
because they're just really good at what they do, and I think also it's about understanding
and communicating in the right way. A friend of mine, he consulted once for a large,
I don't want to say the name, so a large media organization. And they sent their journalists
and reporters out to many dodgy places around the world where there's conflict going on and
what have you, where they don't want to know that they're a reporter or something. And sometimes
they say like, is it okay for me to open my laptop here, or can I send an email
from there, or what have you? And it goes like, as a security professional your tendency is to go into
the technical details: well, have you downloaded this, have you done this, have you done that?
Because literally the question they're actually asking is, if I power on my laptop, am I gonna get
bombed? Like, that's what it really boils down to. Is a missile gonna find me, or am I gonna expose the location of someone?
He goes, once you understand that, he goes, then you can actually give them practical
advice. But, you know, oftentimes we don't do it. I think that's the
difference between a lot of, like, when you see like security purists giving
advice versus something like Amnesty
or one of these other organisations,
they actually really understand what the ask is
and give them advice that meets that need.
Yeah.
Well, on that sobering thought,
that was this week's...
Industry News.
This is the award winning Host Unknown podcast
Guaranteed to be a solid 5 out of 10
At least once a month
Or twice
Your money back
And you can take that to the bank
I'm also going to take my money back
Or get my money back
And take that to the bank
For this bloody randomiser
This is the award-winning Host Unknown podcast, guaranteed to be a solid five out of ten at least once a month, or
twice your money back, and you can take that to the bank. Elgato, if you're listening, can we have
a word about the Stream Deck, please? It's just not... I'm not impressed. I'm not impressed, honestly. Find any roulette
machines that use that randomiser. Yeah, exactly, the Elgato slot machine.
Anyway, Andy, why don't you take us home with this week's Tweet of the Week? And we always play
that one twice. Tweet of the Week.
And this week's Tweet of the Week comes from Heidi
at summer underscore underscore Heidi
on Twitter.
And she says,
download smaller viruses
to your computer
to help it build an immunity.
That is so good.
The old ones are the good ones.
But, you know, it's like I was thinking,
sometimes, like on the old Windows machines,
you'd actually go into the registry and change values on that.
Yeah.
And was that like the DNA alteration equivalent?
Like you'd alter the DNA of the computer?
In the old days, before it was Teams, whatever it was called,
like Microsoft Messenger, but the corporate version.
I can't remember what it was called.
In between Messenger and...
Before Skype for Business or after Skype for Business,
whatever it was.
It was just MSN, wasn't it?
Anyway, there was a thing.
Before you could voluntarily set your status to invisible or offline,
you could actually do it via the registry,
which is what I used to do back in the day.
I used to call the help desk for some reason,
whenever I needed something installed,
and then I'd just convince them to open up regedit whilst they were logged into my machine and let me just add
something to my Office... change a value to hidden equals one, and then I had, you know, after
a reboot, I'd have that new feature to allow my machine to boot up, automatically load MSN,
but not show me as online.
But yeah, good time.
All because you didn't want to click that one button.
So it wasn't available back then in the old versions.
That's the thing.
It was, you could make it available,
but it wasn't enabled.
Hidden product feature.
Fascinating.
For everybody out there who might need to set their 90s era messenger.
Their 2012 version of corporate MSN messenger to invisible.
Well, let's face it.
Hook me up.
That was only three years ago.
So.
Yeah, exactly.
Andy's your man.
Andy's your man for your reg edits.
We didn't do that, but...
We didn't have a messaging thing,
but we ended up using NetSend a lot.
So, you know,
from the command prompt,
and it would pop up like one of those...
You could eject CDs.
Yeah, good.
But no, it'd be like just bang, straight in the middle of the screen.
And if the computer wasn't named after the person,
you had to know what the host name was and stuff like that.
So we had a guy that did this, like this is back in,
and this really was a long time ago.
This was like late 90s.
The MD of our department left and he was going to Australia
to go to a competing
company, and he was strategically taking people from the organization. And someone meant to send a
message to someone else in the team discreetly, without talking across the desk, and say, like, you know, has David contacted you? But he
actually sent it to everyone in the entire company all at once. And so it came up from, like, you know,
like the machine, like, you know, basically, guys, I'm not going to say his name, but you could tell it
was him, and it says, like, has David contacted you yet? And it was like boom, the entire organisation knew exactly what that
was about. Fantastic. It was just silence for like five seconds. Yeah, there was. And you know what,
he went beetroot red at his desk, like, because everyone was like standing up and like
meerkats, like prairie dogs, like, you know, looking over the desk. Yeah.
Brilliant.
So the best prank I'd done was once, like, best, I suppose.
It's like one of the early pranks.
It was just like I created a net send command.
And, like, it was like to send someone to something like, you know, whatever, you up for lunch.
But I repeated it, like, 500 times,
saved it as a batch file, and then I emailed that batch file to another friend in the team
and said, do you mind running this, it's not working for me. So he double-clicked the batch file,
so he basically DDoSed the other guys, or DoSed the other guy's machine, and it looked like he had done it. So he turned around,
said to him like, what, you do this to... so he's got to sit there and hit Enter like 500 times just to
get rid of the messages. One of my finest, proudest moments. Yeah, we used to get spam by
net send, like when I was at this startup. We had external IP addresses on desktops because we
just... we had to use up a whole
load of, a shitload of IP, our IPv6, because they were running out, right? And so the ISP would take them
back if they weren't in use, so we assigned them to individual users to have them on their machines,
and people just getting spam constantly, before, like, we'd actually figured out how to block that
stuff on the firewall, to give you an idea of how long ago this was.
And if you've just joined us, welcome to the Host Unknown podcast
where old men talk about the jolly japes they had
back in their sysadmin days in the 90s.
Excellent. That was this week's...
Tweet of the Week. So we have come
to the end of the show
we said we were going to do a short one
we've done exactly the same
as we normally would but
I guess once you've wound us up
and we get our second wind
well I guess we'll all be going to bed
a little bit earlier tonight as a result of this
but nonetheless
anyway Jav thank you so much
not only for agreeing with Andy
who agreed with me but for your
wit, wisdom and contributions
this week
thank you for inviting me once
again to your podcast good sir
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel. Worst episode ever.
R slash Smashing Security.
Jav, do you need a wee?
I do.
I don't know.
He's been standing and jumping around like that for like the last 15 minutes.
I was actually going to ask myself.
Yeah.
No, I do.
I'm off ski.
All right.
I'm sure it's dribbling out of his ears.
Let's see how long we can keep him here for.
Bye.
If you want to ruin the recording.