The Host Unknown Podcast - Episode 193 - The "At Last!" Episode
Episode Date: May 27, 2024This week in InfoSec (11:36) With content liberated from the “today in infosec” twitter account and further afield17th May 2015: CNN published their article on a statement Cybersecurity Consult...ant, Chris Roberts had publicly made on Twitter a month earlier. There were lots of accusations made regarding Chris Roberts' actions hacking into computer systems while a passenger on multiple airline flights. Did he actually cause a plane to fly sideways? Maybe? But it's not like he made it fly upside down.FBI: Hacker claimed to have taken over flight’s engine controlshttps://twitter.com/todayininfosec/status/1791214444980080724 26th May 1995: Gates Declares Internet "Most Important Single Development"Realising his company had missed the boat in estimating the impact and popularity of the Internet, Microsoft Corp. CEO Bill Gates issued a memo titled, "The Internet Tidal Wave," which signaled the company's renewed focus on that arena. In the memo, Gates declared that the Internet was the "most important single development" since the IBM personal computer -- a development that he was assigning "the highest level of importance”.https://1995blog.com/2020/05/25/25-years-on-bill-gates-internet-tidal-wave-memo-a-seminal-document-of-the-unfolding-digital-age/ Rant of the Week (18:00)Giving Windows total recall of everything a user does is a privacy minefieldMicrosoft's Windows Recall feature is attracting controversy before even venturing out of preview.Like so many of Microsoft's AI-infused products, Windows Recall will remain in preview while Microsoft refines it based on user feedback – or simply gives up and pretends it never happened.The principle is simple. Windows takes a snapshot of a user's active screen every few seconds and dumps it to disk. The user can then scroll through the archive of snapshots to find what were doing some time back, or query an AI system to recall past screenshots by text. Billy Big Balls of the Week (28:58)Hacker Breaches Scam Call Center, Warns Victims They've Been ScammedA hacker claims to have breached a scam call center, stolen the source code for the company’s tools, and emailed the company’s scam victims.The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice. Industry News (34:17)Authorities Arrest $100m Incognito Drugs Market SuspectAI Seoul Summit: 16 AI Companies Sign Frontier AI Safety CommitmentsUK Government in £8.5m Bid to Tackle AI Cyber-ThreatsMastercard Doubles Speed of Fraud Detection with Generative AIPSNI Faces £750,000 Data Breach Fine After Spreadsheet LeakGitHub Fixes Maximum Severity Flaw in Enterprise ServerNational Records of Scotland Data Breached in NHS Cyber-AttackNVD Leaves Exploited Vulnerabilities UncheckedMicrosoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day Tweet of the Week (41:59)https://twitter.com/gcluley/status/1792881296907043217Two for one:https://twitter.com/mer__edith/status/1793888092321202634 Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
So, we obviously had to take some time off because, you know, the Cybersecurity Awards have been up and it was very important to us that we did not take away from other people, obviously being former winners of the awards.
In consecutive years, it was very important we did not stick around to take that opportunity from some other, maybe newer podcast which may not be as good as this but
you know, deserve a bit
spotlight. Yeah. That's what
we're putting in the press release? Exactly.
Okay.
Nothing to do with
forgetting. No.
No.
You're listening to the
Host Unknown Podcast Hello, hello, hello, good morning, good afternoon, good evening and welcome
Welcome one and all, welcome dear listeners from wherever you are joining us
Welcome to episode 193 of the Host Unknown podcast.
We are recording rather late on a Friday evening once again.
But at least we are recording.
I mean, it's been a while, folks.
Let's face it.
It's been a while.
It has.
But had we recorded the conversation that we would be privy to in the last couple of
hours it would be a different broadcast going out trust me it would destroy lives yeah discretionary
i'm not even saying anything advised and uh yeah you would know jav for the real person he is
dear god the things we heard
anyway jav how are you wouldn't know Jav for the real person he is. Dear God, the things we heard.
Anyway, Jav,
how are you?
I lost my words there.
Bloody
whiff-waff.
Honestly,
I can't believe you two have made me sound like a
Tory politician.
This is incredible.
I am so glad we are in separate physical locations.
It's not like, you know, we have to sit around the same place to have this podcast because there would be hands being thrown right now.
That's all I can say.
Yes, exactly. hands being thrown right now that's all i can say yes exactly and tom and tom is uh uh yeah showing some patty cake type moves there but um i hate you two more today than i think i've hated you in such a long time
just because we heard the truth about you.
The truth?
You can't handle the truth.
I know.
I know.
Most mere mortals wouldn't.
Anyway, how has your week been, Jav?
Because I believe last week you were sick as a dog, weren't you, in San Francisco?
I was.
I was sick as a dog in San Francisco.
I was meant to fly back on Wednesday,
and I was so sick I had to move my flight,
and the earliest flight I could get was a Saturday because everyone's flying back from San Francisco.
I could have got an earlier flight on Friday,
but that was an indirect flight,
and I did not want to risk an indirect flight.
No, nobody wants to be changing planes with the common people
no no of course not it's it's it's hard enough not being able to fly business class anymore
you know it's just like I feel like so poor not being able to turn left as soon as I board
and how the world changes honestly honestly I mean like I just remember like early in my career when I was
barely making a hundred grand a year I mean it was just like felt so demeaning
we used to get out of bed for less than 250 yeah exactly I dream of a hundred grand
we're talking a year a year tom yeah you know i could only afford like a housemate to come three days a week
i mean what do you think i've done for the other four days
those dishes did not wash themselves that's all i can say
it's getting tough you have to lay off the estate manager. I know, I know.
I had to replace my doorman with an Alexa, I mean, like a ring doorbell.
Like, you know, that's how tough times are.
And then I had to cancel the subscription because they raised the monthly rate so much.
And then some.
Anyway, but yeah, no, I was sick. Then I got better. I got back.
And then I was in Berlin for a few days.
And then I was in Frankfurt for a conference.
And now I'm back for now.
And in a couple of weeks, we've got InfoSecurity Europe,
which is my next big gig that I'm gearing up for.
I'm actually speaking twice.
I'm struggling to be able to take the time off to go to, actually. I'm not sure I'll be there for, well, much of it at all.
Oh, no.
Anyway, Andy, how's your week been?
Talking of disappointing, Andy.
Hey, I also will not be at InfoSet Europe.
I shall be travelling to Mexico week um to get a bit of
sun so uh yeah i i completely forgot infoset was on but it is extremely commercial these days
anyway i've kind of stopped going a while as opposed to the early days when it wasn't commercial
at all well so the early days were good it was commercial but they had better swag uh and i still remember
i mean the educational program is a lot better now than it ever has been
yeah but it's a smaller event back then it's more intimate you could literally speak to people and
you know now it's i don't know it's not the same and the swag's not as good like the best thing i
ever got from infoseSec was a basketball hoop
that you stuck on the wall from Checkpoint.
And the idea was you put it above a bin,
but they also had a ball as well.
And there was a guy,
I used to wind up this guy in the office
because I stuck it to the side wall of his office.
And so he would constantly hear me
bouncing this ball against the wall,
trying to get it in the
basket i didn't know you were so easily pleased andy and and then you complain i like good things
and then you complain about my mechanical keyboard
this is karma this is karma this is yeah karma. This is... Yeah.
Hey, look, it's fine if I'm making the noise,
but when I'm listening to the noise,
that's where... Yeah, no.
I'm good at it.
Oh, wow.
So, Mexico, is this business or pleasure, amigo?
Ah, what's the difference?
Eh?
I'm always working.
I'm always working.
I enjoy my work.
It's always business.
It's always business. It's always business.
No question.
Oh dear, we're talking of business. Tom, how are you doing?
I'm alright. I'm alright.
Well, it's been quite a tumultuous couple of three weeks actually since we were last here.
A lot going on.
I've got a new job.
Same one, same parent company.
So June 15th will be my last day in my current role.
June 18th is when I start the new role,
so with the parent company.
You missed the little small print
where you actually start your employment all over again,
so you are no longer protected by your...
No, no, check that.
Your continuous service history.
Got my continuous service.
Yeah, they're going to work hard to get rid of me.
And I've got a fresh slate that I can start putting my debits onto.
But, yeah, so that's rather exciting, actually.
It's all happened quite quickly.
So what is your new role exactly?
What's your title and what will you be doing?
Well, I couldn't...
Well, the title is Director of European Cyber Security.
But I'll be doing... I'll be directing a lot of
cyber security cyber security so once you update LinkedIn how many more
invites are you going to be getting every every day like oh congratulations
on your new job and by the way can we meet you for a chat? Oh, you won a prize.
Here's a tailor-made suit.
Yeah, well, I answer those ones, as you well know.
But, yeah, yeah.
But have you noticed on LinkedIn, actually,
you know how you can use your,
you can actually register multiple email addresses,
so you can still register your company,
the one your company was.
But if you move companies, you can still log in with your personal address
and all that sort of stuff, right?
Yeah.
So now I'm getting loads of cold emails from salespeople
to my personal email address asking me about business,
you know, my business profiles.
And, you know, can we arrange a meeting to talk about XYZ with, you know, current company.
Since when did that happen?
I assume that was just in-mail.
I didn't realise it was anything different to what's been going on.
I thought it had to go to the business one, but I don't know.
It's only happened in the last few months.
Very annoying. No, I'd never used my business email address on linkedin have you not no the
first time i did it was recently where you can uh validate or verify that you work somewhere
yeah yeah which is by putting in that corporate domain yeah that's the first time i've ever done
it i've never never associated any company address with my LinkedIn.
But all this stuff, I mean, all you used to do...
And on LinkedIn, I've just switched off all my options
for in-mail and everything,
so I don't get any notifications or any emails to my...
any email address.
Until I log on to LinkedIn, that's where I see everything.
I didn't know you did that.
OK, boomer.
Dear.
Oh, dear, oh, dear oh dear oh dear oh dear the director of security
for european security for the company does not know there are options other things to worry about
other things to fish to fry yeah exactly you know you can you can turn off certain settings so that
you can uh or turn on certain logging settings
so you can see what your servers are doing.
You can turn on alerts.
You can do all sorts of stuff.
Is there a button marked Javad that I can switch off?
Oh, no.
Grayed out, obviously.
Oh, well.
Anyway, talking of being oblivious about things,
shall we see what we've got coming up for you this week?
This week in InfoSec talks about the visionary that is Mr. Bill Gates.
Rant of the Week is a privacy horror show.
Buddy Big Balls tells the story of the insider threat.
Industry News is the latest and greatest security news stories from around the world.
And Tweet of the Week is a self-promoting tweet
from one of our
presenters.
Okay, let's move on
to our favourite part of the show.
It's the part of the show that we like to call
This Week
in InfoServe.
it is that part of the show where we take a trip down infosec memory lane with content liberated from the today in infosec twitter account and further afield and our first story
takes us back a mere nine years to the 17th of May 2015 when CNN published their article on a statement
that cybersecurity consultant Chris Roberts
had publicly made on Twitter a month earlier.
So there were lots of accusations made regarding Chris Roberts' actions
hacking into computer systems while a passenger on multiple airline flights.
Did he actually cause a plane to fly sideways?
Maybe.
But it's not like he made it fly upside down.
So this event in May 2015
caused a significant cybersecurity incident
and it drew widespread attention
when an FBI investigation revealed
that this hacker claimed to have taken control
of a commercial aircraft mid-flight.
So Chris Roberts allegedly exploited vulnerabilities in the plane's in-flight
entertainment system, which allowed him to access critical flight controls.
And Roberts asserted that he managed to issue a command to one of the airplane engines,
causing the aircraft to slightly alter its course
um so i mean you know the fbi did take this claim seriously they investigated the technical
feasibility the implications of such attack and although this event you know he did cause a lot
of kerfuffle his actions sparked widespread debate about ethical hacking and security disclosures um there's absolutely no public evidence that he did successfully make this happen
um so it's been nine years and nothing has been disclosed since
yeah it reminds me once like muhammad ali he was giving an interview and he said to the guy, I can punch you so fast you won't even be able to see it. So he asked him to hold out his hand and he stands in front of him and then he goes like, did you feel it? Like, you know, did you see it or whatever? It's like, I was so quick, you know, that's what it feels like. I slightly turned it so much that no one really felt it
do either of you know chris
i know of him i've met him a couple i think i've met him very briefly at an event i know you've
done i know you've done stuff with him and you're right big mates with him but obviously your choice
of friends is very very dubious well he's a nice guy i have to say he's a lovely guy but but what i remember
was rsa 2020 i just before the big lockdown like literally weeks before the big lockdown
he rocks up wearing one of those middle ages plague masks you know with the long noses and um i saw him being uh approached
by a number a couple of members of the security team and someone in a suit asking him to remove
it so uh yeah that was quite funny yeah yeah funny distressing for some people who might have lost
loved ones and someone's making a joke out of
the pandemic real classic real classic this is still yeah not in the u.s not in the western
world anyway yeah yeah so don't don't let the truth get in the way of a good rant come on man Alas, our second story takes us back a mere 29 years to the 26th of May 1995,
when all-round babe magnet Bill Gates declares the internet the most important single development.
So realising his company had missed the boat in estimating the impact and popularity of the internet,
Microsoft Corp CEO
Bill Gates issued a memo titled the internet tidal wave, which signaled the company's renewed
focus on that arena. And in this memo, Gates declared that the internet was the most important
single development since the IBM personal computer. And it was a development that he was assigning the highest level of importance
and so during this what was great is that Gates actually acknowledged that Microsoft had
underestimated the internet's potential prompting the strategic pivot to focus on it as as a cool
part of the business but the funny part was that you know the memo actually highlighted the competitive threat posed by netscape because their browser dominated the market yeah um and so yeah
he urged the rest of the company to innovate and compete aggressively um and where's netscape today
hey and where's bill gage today man was he was right exactly still counting that money yeah exactly exactly i remember
he was making trips to epstein's island yeah allegedly so he released no the logs were there
okay jav says it's true andy and i say allegedly um so he released a book didn't he called the road ahead and it was all about that
was part of the part of his big push about you know how the future of computing and the internet
was going to change the world so he they obviously put a few a few dollars behind the sort of
marketing and and com side of this as well but uh yeah he was he was pretty good i mean obviously other people got got there
right first but he certainly knew how to take advantage of it
right thank you andy for this week's
this is the award-winning Host Unknown podcast.
Guaranteed to be a solid 5 out of 10 at least once a month.
Or twice your money back.
And you can take that to the bank.
Okay, now it's time for... Well, for me.
Listen up!
Rent of the week.
It's time for Mother F***ing Rage! So I tell you what since gates left microsoft is uh just going downhill and this this story
really just tells you everything you need to know um obviously i joke somewhat because microsoft did
extremely well after gates left and uh with sachi and adela coming on board and made massive changes but this I think
is one of Satya's biggest missteps to be honest with you and this this story comes from the
register although it has been all over the the trade rags this week and the headline from the
register reads giving windows total recall of everything a user does is a privacy minefield.
When you look into this and what it says, it's really quite concerning.
So there was a press conference.
Satya was talking about the power of the latest Windows laptops,
the Windows Surface, which they were also saying is more powerful than Apple's new m3 computer blah blah blah so lots of lots of standard um you know uh sword waving at each other but they also said when combined with
the power of copilot plus which uh not sure what the plus means. Maybe it comes with wings or something like that. But Copilot Plus, when combined with Windows computers,
it is effectively the most powerful tool, they're saying,
that allows people to be able to work more effectively
because it's pooling and it's synthesizing and it's gathering all of the
data and every single thing you touch on your on your laptop you know so so what you might say you
know this is what we do is you know um uh indexing and stuff like that you know but but this is
beyond that this is actually uploading things into an ai model uh Copilot Plus. This also includes taking a screenshot of your desktop every two seconds,
which is really quite concerning because when you start to look at it,
this, well, not only is this data stored somewhere,
This, well, not only is this data stored somewhere, which may be, you know, could actually be used against you by attackers, etc.
But what this data can do, if it is compromised, is that more than anything, more than looking at external identifiers like LinkedIn or anything like that. It can identify real behaviors, how you behave using your laptop. You could even use another AI model to modify, sorry, to analyze that.
And that can be used really quite significantly by attackers because knowing how you behave,
knowing the kinds of emails you get and how
you respond and how you know what you're logging into and all that information can be used to
create a profile that will be extremely accurate and extremely convincing when trying to attack you
um it's uh it they they do want they go on to talk about quite how much this, uh, uh, quite how insidious this is.
So, uh, even in its FAQs, it says that the snapshotting feature will vacuum up sensitive information.
You know, they're saying the quiet parts out loud here.
Recall, as they call it, does not perform content moderation.
It will not hide information such as passwords or financial account numbers.
That data may be in snapshots stored on your device,
especially when sites do not follow standard Internet protocols like cloaking password entry.
But that's OK because, you know, you can opt out to filter out sites.
Only if you're using their browser edge, not if you use any of the other potentially more popular browsers.
So to filter out, you know, a website from a snapshot, I tell it not to create snapshots of it.
of it, you've got to be using their web browsers, which may be okay in some corporate environments, but other corporate environments obviously will default to Chrome, for instance, or possibly
even other browsers and their own secure browsers.
browsers and their own secure browsers. And there's plenty of concerns here coming out, concerns around, you know, it doesn't respect GDPR requests to delete personal data,
you know, when requested to. Even Mozilla, who own Firefox and are known as privacy advocates.
Their chief product officer said Mozilla is concerned about Windows recall.
From a browser perspective, some data should be saved and some shouldn't.
Recall stalls not just browser history, but also data that users type into the browser
with only very coarse control over what gets stored.
with only very coarse control over what gets stored.
It's a new vector of attack for cyber criminals and a new privacy worry for shared computers.
This is, I've got to say, in the days of when we're talking about
being at the forefront of AI and how we need potentially more control,
this is really quite concerning, quite how far Microsoft is going with this.
So yes, not too happy about this from this side of things.
But then again, that's why I use a Mac.
Andy.
I'm not against this at all.
So I think it is.
I think it has its uses
and the reason I say this
is because there's a product
called Rewind
which has been out
for a couple of years now
it originally started on the Mac
it's available on iPhones
it records everything you do
so better than what Recall does
it's a very smart product
it stores it all locally
and they've addressed all the privacy concerns.
Well, they've not addressed it.
They've said, you know, it's up to you to make sure that, you know,
when you're on Zoom calls or Teams calls,
that you're telling all the other participants that you're using Rewind.
So they've slowly shouldered the privacy concerns, right?
Absolutely, yeah.
Well, yeah, it's informed consent, right?
It's up to you to get that stuff.
As a data controller, it's up to you to ensure you get the consent of all the individual data you're processing.
However, the reason it has been good.
So the person who invented that actually had, he's got ADHD and he struggles with information.
And so the whole thing, it's AI based.
So he can recall information from meetings that he had
or when someone walks past your desk and it records from the webcam.
And it's just absolutely insane.
Now, my only concern is Microsoft won't do it as good as Rewind.
And it's just like one of those old spyware programs.
But I do see potential with this if they can execute it correctly.
I think that's absolutely the point.
The reasoning for doing it is very, very good.
But because of its integration with Copilot
and because of concerns over quite what kind of data AI has access to,
what it will do with it and how it will use it elsewhere further down the line
this is and the fact that it's even built in as part of the operating system as well rather than
um being something that you download and install etc i think that's where my concern is i think
very often yes you know the road to hell is paved with good intentions right and that's that's where i fear this is going yes i for once uh well not for once again i kind of i once again
i agree with tom more than andy on this one i actually think yeah it's it's kind of like a
dangerous press it's a bit like what's that other thing they released? The one which allows you to monitor how many hours people spend working and
it gives managers thing.
Yeah.
Yeah.
And like,
you know,
the thing is like all of these things are open for abuse.
And you know what?
I,
I,
I'm just reminded of the quote by Dr.
Ian Malcolm,
Malcolm,
who said that you,
you,
your scientists were so preoccupied with whether or not they could, they did not stop to think if they should.
Yeah.
Of course, a great man, Dr. Malcolm.
So it feels a lot like that.
But from the other end, I say Microsoft just done a misstep.
They just branded it wrong.
If they had just marketed this as a forensics tool or something like that, that you can deploy in high sensitive environments and keep a log of like what happens, PCI environment, whatever.
I think it would have been like welcomed with open arms.
But the fact that they just said that this is a the way
they positioned it it just felt like spyware well it's consumer grade and therefore everywhere right
yeah and that's the problem and you know i was reading some people's thoughts of this and like
you know how it could be misused especially if people are like in abusive relationships or they're
trying to you know get away and like you know and uh you know
you're just making it so much easier for people if they can access your machine and access
all of this kind of data um a lot easier than than they would have otherwise yeah yeah
uh so you know such a seems like a little bit of a misstep unless, of course, you've got Andy working for you,
in which case you've obviously taken some of Andy's advice.
He likes to keep a tight rein on his staff, does Andy.
So maybe it's good for that kind of use.
Rant of the Week.
Feeling overloaded with actionable information?
Yep.
Fed up receiving well-researched, factual security content?
Yes.
Ask your doctor if the Host Unknown podcast is right for you.
Always read the label.
Never double dose on episodes.
Side effects may include nausea, eye rolling and involuntary swearing in anger.
Right, Jav, let's see yours.
Let's see if I can concur.
The Labels of the Week.
So, yes, I have to confess, when I was reading the show notes,
I actually read the rant that you just did as the Billy Big Balls story of the week.
And so I hadn't actually read the Billy Big Balls until you just played the jingle.
So I'll go over it quite briefly.
so i'll go i'll go over it quite briefly but um there is a hacker who has claimed to have breached a scam call center uh stolen the source code for the company's tools and emailed the company's
scam victims uh this is kind of stuff that um people like jim brown is it on on youtube
they they do quite a lot they they reverse hack into these these scammers they're all based in
india somewhere you know when they're not providing the ai for amazon's back end i assume um but you
know it's it's it's kind of like a trend where there's a series of vigilantes, cyber vigilantes, cyber batmen, you know, for lack of a better term, where they take matters into their own hand and breach or otherwise disrupt scam centers.
And there's a big YouTube and even TikTok community now with you know creators mocking
the targets and like you see these videos and they're hilarious because like people they play
dumb they're saying like sir enter this thing there and they're like oh where's this key where's
the any key what control I don't know what that and and it's hilarious because you just love seeing these
absolute scumbags uh lose their lose their rag on on these calls and so you know i think like
forget bug bounties just point every wannabe hacker or you know you know a pen test or whatever
say look here's some targets they're all like trying to scam money out of people and do it so so you know whilst i do not condone illegal activity or
accessing networks without permission you know i cannot um condone this very very fine work that
some people are doing um there's a screenshot embedded in the story where, you know, the email's been sent to the customers.
And they're talking about, you know, you've been targeted by this fake antivirus company known as Wear.
There's a link to a video giving them information about it.
Feel free to, you know, cancel it from your credit card provider or bank.
Apparently scammers are charging people $300 to $400 per month
as a subscription on this.
That's almost Microsoft money.
Yeah, it is.
And they've given an email of the developers of Wear.
And they said, like, feel,
feel free to, you know,
do it.
So,
you know,
it's,
it's a,
it's a good public service,
I think.
But also it's like,
if,
if people,
if your average individual sitting behind a computer can do this,
the question is why can't the NCSC or,
you know, the US.s people resource to do
people with resources to do this and my big assumption is just political will or not wanting
to rock the boat i mean rishi sunak wouldn't want his cousins back in india to be locked up
it's not a good look for him so time to uh time to hit that rewind button do you know what what i like about this moving
swiftly on is is actually the hacker does offer to the uh to the where.team that they if they want
to reach out to him because he actually says to the where.team if you want to contact us please
stick your head up your arse and scream,
death to scammers, which I thought, you know, that's extending an olive branch to them, really, isn't it?
So I'm very impressed.
I'm very impressed.
It's very nice. I think this particular personal team is deserving of said large balls belonging to Billy.
We're in agreement.
Wow, that does not happen very often at all, does it?
Billy Big Balls of the Week.
You're listening to the award-winning host unknown podcast
officially more entertaining than smashing security
all right andy um well i'm i'm hesitant to say what time it is because it's really rather late at the moment. But, Andy, what time have you got there?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News
Authorities arrest $100 million incognito drugs market suspect. Industry News. AI Soul
Summit. 16 AI companies sign frontier AI safety commitments. Industry News. UK government in £8.5 million bid to tackle AI cyber threats
Industry News
Mastercard double speed of fraud detection with generative AI
Industry News
The police service of Northern Ireland faces £750,000 data breach fine after spreadsheet leak
Industry News £50,000 data breach fine after spreadsheet leak. Industry news.
GitHub fixes maximum severity flaw in enterprise server.
Industry news.
National records of Scotland data breached in NHS cyber attack.
Industry news.
National vulnerability database leaves exploited vulnerabilities unchecked.
Industry news.
Microsoft gift card fraud rising,
costing businesses up to $100,000 a day.
Industry news.
And that was this week's...
Industry news. Industry News And that was this week's Industry News Huge if true
Wow
Huge
Huge
Do you know what I think is really interesting
When we look at the values here
In the first one
Authorities arrest 100 million dollar
Incognito drugs market suspect
So obviously
But then we get to the third one.
A UK government is investing eight and a half million in a bid to tackle.
I know.
The imbalance.
Drugs pay.
Yeah, crime pays.
That's the bizarre thing.
You know, UK government, you know,
what much is what we say about the UK, still has a large GDP and is, you know, one of the,
certainly one of the richest countries in the world.
And it still can only afford to put eight and a half million in
when the, you know, the criminals are making so much money that it's just...
Making bank. Yes... Making bank.
Yes.
Making bank.
Well, isn't that because, like,
Rishi's getting asked questions about his wife's shareholdings
and why they're getting, like, favourable bonuses
and grants from the government?
I mean, I'm just throwing it out there.
Maybe it's like...
You're cutting out there.
I didn't hear all of that.
Everything you said after Rishi's...
No, but i definitely heard
the word allegedly yes allegedly allegedly
i thought generative ai was the thing that made pictures
what you did not. Generative AI.
It's like the all-encompassing...
I thought large language models are the things that look at text and look at things.
Generative creates.
That's the point.
That's the name, right?
Yeah, but creation is more than just images.
It's words.
It's documents.
It's everything.
So how is that detecting...
Do you know what? I'm going to click on the link and find out.
That's how interesting I am.
You're trying to guess a story just from the headline.
Well, I know it's rare. I know we don't do it very often.
Predictive technology.
I don't know.
I'll have to look into that.
What else you got?
So I was just looking at the Microsoft gift card fraud rising,
costing businesses up to 100 grand a day.
And this is quite an interesting one.
There's a group called Storm-0539, which operates out of Morocco.
Mashallah.
So what they do is they actually social engineer their way into large retailers and restaurants,
normally by a smishing text message to get the employee to click on it and give them access.
Then they move laterally to work out
the gift card business process that that organisation has.
And then they gather information on remote environments
such as virtual machines, VPN connections,
SharePoint, OneDrive resources.
And then they use this information to create new gift cards
via compromised employee accounts.
What?
And this then allows them to redeem the value associated with these cards,
sell the gift cards to other threat actors on black market,
or use money mules to cash out the gift cards.
So this is like something completely different.
I hadn't read.
Normally, when you hear a gift card scam, it's like they trick someone into going buying a gift card this
is the other approach and i think this is um really clever sounds complicated though doesn't
it it's it's a billy big balls move isn't it no but why see see gift cards are as good as cash and we know it's very difficult to
counterfeit cash in a convincing way yeah but if you can counter if you can counterfeit the gift
card which isn't even owned by central repository it's by individual individual organizations yeah
yeah then you know it's like if smashing security has gift cards it'll be a lot
easier to forge it hey i've got um excuse me what do you mean if they do have gift cards and if you
buy them through us you get them at a discounted rate exactly so a hundred pound smashing security
gift card you can pick up from us for just 50 pounds exactly this is true and so if you want to sponsor
if you want to sponsor smashing security you can do it at a big big discount if you do it
through us yeah yeah you get the price list from them and then pay through us yes and the money
just rests in our account for a certain period of time and then we pay it on yeah yeah yeah yeah there's that
cooling off period in case the customer wants to you know in case graham actually wants a refund
right anything else on here
nah no no i guess the uk government could use that 750,000 quid they're going to get
from the PSNI towards their
bid to tackle AI cyber threats
maybe that's how it was
originally only
what was it 7.75
million before
no 7.5 million
whatever added 10%
right okay well that
was this week's Industry News
in 2021
you voted us the most entertaining
cyber security content amongst
our peers
in 2022 you crowned us
the best cyber security
podcast in Europe you areed us the best cyber security podcast in Europe.
You are listening to the double award winning Host Unknown podcast.
How do you like them apples?
All right, Andy, take us home.
It's getting late.
The nights are drawing in.
Tweet of the week.
And we always play that one twice.
Tweet of the week.
And this week's tweet of the Week comes from our regular presenter, Mr. Graham Clewley.
And he says,
I've given over 300 talks at events across Europe, America, Middle East, Africa, Asia and Australia,
but somehow have never got around to making a showreel.
Here you go then.
Let me know if you'd like me as a keynote speaker at your event.
And there's a great link to a showreel
where you can see our very own Graham Clully
and what he's brought to the industry
over the many decades he has been involved in it.
Wow.
It's actually quite entertaining.
It's a fun one.
He starts off in a very monotone sort of like hello
i'm graham i've spoken this at the other then he goes blah blah blah how dull is this and then he
switches into normal mode which is exactly the same as how he sounded before he switched
he's definitely a friend of the show that was definitely friend of the show. That was definitely a friend of the show. But that wasn't the real tweet.
We just thought that was a great.
But, you know, because he needs those extra three people
that haven't heard of him to see it, right?
Yeah, exactly.
He needs the other two people in the world
who've never seen a keynote from him to see it.
So we have another tweet from Meredith Whittaker.
So we have another tweet from Meredith Whittaker,
and she's quote-tweeting Melanie Mitchell,
who pumped it.
You've probably heard that Google are paying Reddit 60 million a year for all of their content,
and they sort of fed it into this whole thing.
So there's someone that actually posted the question to Google,
how many Muslim presidents has the US had?
And the AI has responded.
The United States has had one Muslim president, Barack Hussein Obama.
And so Meredith has quoted to this.
She says shoving a confidently wrong chat bot trained on Reddit into a service marketed for decades as a portal to the world's
knowledge is reckless and legitimately dangerous jesus christ i mean there are some great like
that there's one where um i think 404 media did a great one about uh someone asked for the recipe to how to make pizza.
And so Google responded that you can mix glue in with cheese.
Yep.
And this comes from a Reddit post from 11 years ago
that a lot of people upvoted.
And so AI can't tell the difference
between someone being sarcastic in response
and people upvoting it as a popular response
than an actual genuine thing. So yeah, and that came from a user called uh fucksmith uh which was
the greatest thing so it was uh yeah to quote the source of that yeah uh to add yeah yeah non-toxic
glue to the source to give it more stickiness that's it that's it i saw that one the other day and this is like
who in their right mind would think that reddit four places is is where you would want to i mean
it's great as a human tool because as a human like when you go into google and you do a search and
like look specifically for the answer on reddit you sometimes get lots of good ideas or inspirations if nothing else you get a good laugh
but yeah to use it in this way where you will as you said andy rightly so ai has no ability to
differentiate between sarcasm wit humor um or genuine hate speech this is quickly going down
do you remember tay the the Microsoft's Twitter bot?
Oh, the Nazi.
Oh, it didn't,
they had to abandon it after 24 hours.
Yeah, because it was self-learning.
It was going to learn from the internet.
It started like right-wing.
It became super racist.
Yeah, exactly.
Exactly.
I did hear that Google are paying
50 million to 4chan to do the same thing You know what, Google
if you're listening
Go fuck yourselves
No, no, no, no, no
For the discount price of 80 million
we'll give you access to our WhatsApp chat
No, no, no, no
For 80 million i'd take it
i don't care what anybody thinks of me for my my half of 80 million
what half half what are you going to do with 10 of 80 million and tom
fuck i'll do it for 8 million I don't care Oh dear
Excellent that was this week's
And we come barrelling
Into the end of the show
Another one that flew past actually
So yeah
Gentlemen thank you very much yeah gentlemen thank you very much
Jav thank you so much
for your time, wisdom
and something else beginning with W
spin on these
okay lovely
and Andy thank you
stay secure my friends
stay secure Stay secure, my friends. Stay secure. You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
This is so late.
You know, on Sunday, one of our friend's daughter is getting engaged
and uh my wife she was so she's bless her heart she in she said to them well we've got a big
garden why don't you come and host it we can host you so rather than renting a hall just do it at
our place so it's so late i'm looking out the
window and the the the father of the girl and his son they're struggling to put up a um a marquee
so i i'm trying to kill time so that i don't have to leave my office and help them
so if you guys can just hang on or even if we stop recording that would be great