The Host Unknown Podcast - Episode 193 - The "At Last!" Episode

Episode Date: May 27, 2024

This week in InfoSec (11:36)

With content liberated from the “today in infosec” twitter account and further afield

17th May 2015: CNN published their article on a statement Cybersecurity Consultant Chris Roberts had publicly made on Twitter a month earlier. There were lots of accusations made regarding Chris Roberts' actions hacking into computer systems while a passenger on multiple airline flights. Did he actually cause a plane to fly sideways? Maybe? But it's not like he made it fly upside down.

FBI: Hacker claimed to have taken over flight’s engine controls
https://twitter.com/todayininfosec/status/1791214444980080724

26th May 1995: Gates Declares Internet "Most Important Single Development"

Realising his company had missed the boat in estimating the impact and popularity of the Internet, Microsoft Corp. CEO Bill Gates issued a memo titled "The Internet Tidal Wave," which signaled the company's renewed focus on that arena. In the memo, Gates declared that the Internet was the "most important single development" since the IBM personal computer -- a development that he was assigning "the highest level of importance".
https://1995blog.com/2020/05/25/25-years-on-bill-gates-internet-tidal-wave-memo-a-seminal-document-of-the-unfolding-digital-age/

Rant of the Week (18:00)

Giving Windows total recall of everything a user does is a privacy minefield

Microsoft's Windows Recall feature is attracting controversy before even venturing out of preview. Like so many of Microsoft's AI-infused products, Windows Recall will remain in preview while Microsoft refines it based on user feedback – or simply gives up and pretends it never happened.

The principle is simple. Windows takes a snapshot of a user's active screen every few seconds and dumps it to disk. The user can then scroll through the archive of snapshots to find what they were doing some time back, or query an AI system to recall past screenshots by text.
Billy Big Balls of the Week (28:58)

Hacker Breaches Scam Call Center, Warns Victims They've Been Scammed

A hacker claims to have breached a scam call center, stolen the source code for the company’s tools, and emailed the company’s scam victims. The hack is the latest in a long series of vigilante actions in which hackers take matters into their own hands and breach or otherwise disrupt scam centers. A massively popular YouTube community, with creators mocking their targets, also exists around the practice.

Industry News (34:17)

Authorities Arrest $100m Incognito Drugs Market Suspect
AI Seoul Summit: 16 AI Companies Sign Frontier AI Safety Commitments
UK Government in £8.5m Bid to Tackle AI Cyber-Threats
Mastercard Doubles Speed of Fraud Detection with Generative AI
PSNI Faces £750,000 Data Breach Fine After Spreadsheet Leak
GitHub Fixes Maximum Severity Flaw in Enterprise Server
National Records of Scotland Data Breached in NHS Cyber-Attack
NVD Leaves Exploited Vulnerabilities Unchecked
Microsoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day

Tweet of the Week (41:59)

https://twitter.com/gcluley/status/1792881296907043217
Two for one:
https://twitter.com/mer__edith/status/1793888092321202634

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:01 So, we obviously had to take some time off because, you know, the Cybersecurity Awards have been up and it was very important to us that we did not take away from other people, obviously being former winners of the awards. In consecutive years, it was very important we did not stick around to take that opportunity from some other, maybe newer podcast which may not be as good as this but you know, deserve a bit spotlight. Yeah. That's what we're putting in the press release? Exactly. Okay. Nothing to do with forgetting. No.
Starting point is 00:00:38 No. You're listening to the Host Unknown Podcast. Hello, hello, hello, good morning, good afternoon, good evening and welcome. Welcome one and all, welcome dear listeners from wherever you are joining us. Welcome to episode 193 of the Host Unknown podcast. We are recording rather late on a Friday evening once again. But at least we are recording. I mean, it's been a while, folks.
Starting point is 00:01:18 Let's face it. It's been a while. It has. But had we recorded the conversation that we would be privy to in the last couple of hours, it would be a different broadcast going out, trust me. It would destroy lives. Yeah. Discretionary. I'm not even saying anything. Advised. And, uh, yeah, you wouldn't know Jav for the real person he is. Dear God, the things we heard.
Starting point is 00:01:48 Anyway, Jav, how are you? I lost my words there. Bloody whiff-waff. Honestly, I can't believe you two have made me sound like a Tory politician.
Starting point is 00:02:06 This is incredible. I am so glad we are in separate physical locations. It's not like, you know, we have to sit around the same place to have this podcast because there would be hands being thrown right now. That's all I can say. Yes, exactly. And Tom... and Tom is, uh, uh, yeah, showing some patty cake type moves there. But, um, I hate you two more today than I think I've hated you in such a long time, just because we heard the truth about you. The truth? You can't handle the truth.
Starting point is 00:02:52 I know. I know. Most mere mortals wouldn't. Anyway, how has your week been, Jav? Because I believe last week you were sick as a dog, weren't you, in San Francisco? I was. I was sick as a dog in San Francisco. I was meant to fly back on Wednesday,
Starting point is 00:03:09 and I was so sick I had to move my flight, and the earliest flight I could get was a Saturday because everyone's flying back from San Francisco. I could have got an earlier flight on Friday, but that was an indirect flight, and I did not want to risk an indirect flight. No, nobody wants to be changing planes with the common people. No, no, of course not. It's, it's, it's hard enough not being able to fly business class anymore, you know. It's just like, I feel like so poor not being able to turn left as soon as I board
Starting point is 00:03:37 and how the world changes. Honestly, honestly. I mean, like, I just remember, like, early in my career when I was barely making a hundred grand a year. I mean, it was just, like, felt so demeaning. We used to get out of bed for less than 250. Yeah, exactly. I dream of a hundred grand. We're talking a year? A year, Tom. Yeah. You know, I could only afford, like, a housemate to come three days a week. I mean, what do you think I've done for the other four days? Those dishes did not wash themselves, that's all I can say. It's getting tough. You have to lay off the estate manager. I know, I know. I had to replace my doorman with an Alexa, I mean, like a ring doorbell.
Starting point is 00:04:34 Like, you know, that's how tough times are. And then I had to cancel the subscription because they raised the monthly rate so much. And then some. Anyway, but yeah, no, I was sick. Then I got better. I got back. And then I was in Berlin for a few days. And then I was in Frankfurt for a conference. And now I'm back for now. And in a couple of weeks, we've got InfoSecurity Europe,
Starting point is 00:04:58 which is my next big gig that I'm gearing up for. I'm actually speaking twice. I'm struggling to be able to take the time off to go to, actually. I'm not sure I'll be there for, well, much of it at all. Oh, no. Anyway, Andy, how's your week been? Talking of disappointing, Andy. Hey, I also will not be at InfoSec Europe. I shall be travelling to Mexico week, um, to get a bit of
Starting point is 00:05:25 sun. So, uh, yeah, I, I completely forgot InfoSec was on, but it is extremely commercial these days anyway. I've kind of stopped going a while, as opposed to the early days when it wasn't commercial at all. Well, so the early days were good. It was commercial, but they had better swag. Uh, and I still remember, I mean, the educational program is a lot better now than it ever has been. Yeah, but it's a smaller event back then. It's more intimate. You could literally speak to people and, you know, now it's, I don't know, it's not the same and the swag's not as good. Like, the best thing I ever got from InfoSec was a basketball hoop that you stuck on the wall from Checkpoint.
Starting point is 00:06:09 And the idea was you put it above a bin, but they also had a ball as well. And there was a guy, I used to wind up this guy in the office because I stuck it to the side wall of his office. And so he would constantly hear me bouncing this ball against the wall, trying to get it in the
Starting point is 00:06:27 basket. I didn't know you were so easily pleased, Andy. And, and then you complain... I like good things. And then you complain about my mechanical keyboard. This is karma. This is karma. This is... Yeah. Hey, look, it's fine if I'm making the noise, but when I'm listening to the noise, that's where... Yeah, no. I'm good at it. Oh, wow.
Starting point is 00:06:53 So, Mexico, is this business or pleasure, amigo? Ah, what's the difference? Eh? I'm always working. I'm always working. I enjoy my work. It's always business. It's always business. It's always business.
Starting point is 00:07:08 No question. Oh dear, we're talking of business. Tom, how are you doing? I'm alright. I'm alright. Well, it's been quite a tumultuous couple of three weeks actually since we were last here. A lot going on. I've got a new job. Same one, same parent company. So June 15th will be my last day in my current role.
Starting point is 00:07:31 June 18th is when I start the new role, so with the parent company. You missed the little small print where you actually start your employment all over again, so you are no longer protected by your... No, no, check that. Your continuous service history. Got my continuous service.
Starting point is 00:07:54 Yeah, they're going to work hard to get rid of me. And I've got a fresh slate that I can start putting my debits onto. But, yeah, so that's rather exciting, actually. It's all happened quite quickly. So what is your new role exactly? What's your title and what will you be doing? Well, I couldn't... Well, the title is Director of European Cyber Security.
Starting point is 00:08:24 But I'll be doing... I'll be directing a lot of cyber security. Cyber security. So once you update LinkedIn, how many more invites are you going to be getting every, every day? Like, oh, congratulations on your new job, and by the way, can we meet you for a chat? Oh, you won a prize. Here's a tailor-made suit. Yeah, well, I answer those ones, as you well know. But, yeah, yeah. But have you noticed on LinkedIn, actually,
Starting point is 00:08:57 you know how you can use your, you can actually register multiple email addresses, so you can still register your company, the one your company was. But if you move companies, you can still log in with your personal address and all that sort of stuff, right? Yeah. So now I'm getting loads of cold emails from salespeople
Starting point is 00:09:18 to my personal email address asking me about business, you know, my business profiles. And, you know, can we arrange a meeting to talk about XYZ with, you know, current company. Since when did that happen? I assume that was just in-mail. I didn't realise it was anything different to what's been going on. I thought it had to go to the business one, but I don't know. It's only happened in the last few months.
Starting point is 00:09:44 Very annoying. No, I'd never used my business email address on LinkedIn. Have you not? No. The first time I did it was recently, where you can, uh, validate or verify that you work somewhere. Yeah, yeah. Which is by putting in that corporate domain. Yeah. That's the first time I've ever done it. I've never, never associated any company address with my LinkedIn. But all this stuff, I mean, all you used to do... And on LinkedIn, I've just switched off all my options for in-mail and everything, so I don't get any notifications or any emails to my...
Starting point is 00:10:16 any email address. Until I log on to LinkedIn, that's where I see everything. I didn't know you did that. OK, boomer. Dear. Oh, dear, oh, dear, oh, dear. The director of security... for European security for the company does not know there are options. Other things to worry about. Other things to fish to fry. Yeah, exactly. You know, you can, you can turn off certain settings so that
Starting point is 00:10:43 you can uh or turn on certain logging settings so you can see what your servers are doing. You can turn on alerts. You can do all sorts of stuff. Is there a button marked Javad that I can switch off? Oh, no. Grayed out, obviously. Oh, well.
Starting point is 00:11:02 Anyway, talking of being oblivious about things, shall we see what we've got coming up for you this week? This week in InfoSec talks about the visionary that is Mr. Bill Gates. Rant of the Week is a privacy horror show. Billy Big Balls tells the story of the insider threat. Industry News is the latest and greatest security news stories from around the world. And Tweet of the Week is a self-promoting tweet from one of our
Starting point is 00:11:27 presenters. Okay, let's move on to our favourite part of the show. It's the part of the show that we like to call This Week in InfoSec. It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And our first story takes us back a mere nine years to the 17th of May 2015, when CNN published their article on a statement
Starting point is 00:12:07 that cybersecurity consultant Chris Roberts had publicly made on Twitter a month earlier. So there were lots of accusations made regarding Chris Roberts' actions hacking into computer systems while a passenger on multiple airline flights. Did he actually cause a plane to fly sideways? Maybe. But it's not like he made it fly upside down. So this event in May 2015
Starting point is 00:12:33 caused a significant cybersecurity incident and it drew widespread attention when an FBI investigation revealed that this hacker claimed to have taken control of a commercial aircraft mid-flight. So Chris Roberts allegedly exploited vulnerabilities in the plane's in-flight entertainment system, which allowed him to access critical flight controls. And Roberts asserted that he managed to issue a command to one of the airplane engines,
Starting point is 00:13:02 causing the aircraft to slightly alter its course. Um, so, I mean, you know, the FBI did take this claim seriously. They investigated the technical feasibility, the implications of such attack, and although this event, you know, he did cause a lot of kerfuffle, his actions sparked widespread debate about ethical hacking and security disclosures. Um, there's absolutely no public evidence that he did successfully make this happen. Um, so it's been nine years and nothing has been disclosed since. Yeah, it reminds me once, like Muhammad Ali, he was giving an interview and he said to the guy, I can punch you so fast you won't even be able to see it. So he asked him to hold out his hand and he stands in front of him and then he goes like, did you feel it? Like, you know, did you see it or whatever? It's like, I was so quick, you know, that's what it feels like. I slightly turned it so much that no one really felt it. Do either of you know Chris? I know of him. I've met him a couple... I think I've met him very briefly at an event. I know you've
Starting point is 00:14:18 done, I know you've done stuff with him, and you're right big mates with him. But obviously your choice of friends is very, very dubious. Well, he's a nice guy, I have to say. He's a lovely guy. But, but what I remember was RSA 2020, I, just before the big lockdown, like literally weeks before the big lockdown, he rocks up wearing one of those Middle Ages plague masks, you know, with the long noses. And, um, I saw him being, uh, approached by a number, a couple of members of the security team and someone in a suit asking him to remove it. So, uh, yeah, that was quite funny. Yeah, yeah, funny. Distressing for some people who might have lost loved ones, and someone's making a joke out of the pandemic. Real classic. Real classic. This is still, yeah, not in the U.S., not in the Western
Starting point is 00:15:13 world anyway. Yeah, yeah. So don't, don't let the truth get in the way of a good rant. Come on, man. Alas, our second story takes us back a mere 29 years to the 26th of May 1995, when all-round babe magnet Bill Gates declares the internet the most important single development. So realising his company had missed the boat in estimating the impact and popularity of the internet, Microsoft Corp CEO Bill Gates issued a memo titled The Internet Tidal Wave, which signaled the company's renewed focus on that arena. And in this memo, Gates declared that the internet was the most important single development since the IBM personal computer. And it was a development that he was assigning the highest level of importance. And so during this, what was great is that Gates actually acknowledged that Microsoft had
Starting point is 00:16:13 underestimated the internet's potential, prompting the strategic pivot to focus on it as, as a cool part of the business. But the funny part was that, you know, the memo actually highlighted the competitive threat posed by Netscape, because their browser dominated the market. Yeah. Um, and so, yeah, he urged the rest of the company to innovate and compete aggressively. Um, and where's Netscape today, hey? And where's Bill Gates today, man? Was he... he was right. Exactly. Still counting that money. Yeah, exactly, exactly. I remember he was making trips to Epstein's island. Yeah, allegedly. So he released... No, the logs were there. Okay, Jav says it's true. Andy and I say allegedly. Um, so he released a book, didn't he, called The Road Ahead, and it was all about... that was part of the, part of his big push about, you know, how the future of computing and the internet was going to change the world. So he, they obviously put a few, a few dollars behind the sort of
Starting point is 00:17:16 marketing and, and com side of this as well. But, uh, yeah, he was, he was pretty good. I mean, obviously other people got, got there right first, but he certainly knew how to take advantage of it, right? Thank you, Andy, for this week's... This is the award-winning Host Unknown podcast. Guaranteed to be a solid 5 out of 10 at least once a month. Or twice your money back. And you can take that to the bank. Okay, now it's time for... Well, for me.
Starting point is 00:18:00 Listen up! Rant of the Week. It's time for Mother F***ing Rage! So I tell you what, since Gates left, Microsoft is, uh, just going downhill, and this, this story really just tells you everything you need to know. Um, obviously I joke somewhat, because Microsoft did extremely well after Gates left and, uh, with Satya Nadella coming on board and made massive changes. But this, I think, is one of Satya's biggest missteps, to be honest with you. And this, this story comes from The Register, although it has been all over the, the trade rags this week. And the headline from The Register reads: Giving Windows total recall of everything a user does is a privacy minefield.
Starting point is 00:18:50 When you look into this and what it says, it's really quite concerning. So there was a press conference. Satya was talking about the power of the latest Windows laptops, the Windows Surface, which they were also saying is more powerful than Apple's new M3 computer, blah blah blah. So lots of, lots of standard, um, you know, uh, sword waving at each other. But they also said when combined with the power of Copilot Plus, which, uh, not sure what the plus means. Maybe it comes with wings or something like that. But Copilot Plus, when combined with Windows computers, it is effectively the most powerful tool, they're saying, that allows people to be able to work more effectively because it's pooling and it's synthesizing and it's gathering all of the
Starting point is 00:19:46 data and every single thing you touch on your, on your laptop. You know, so, so what, you might say, you know, this is what we do, is, you know, um, uh, indexing and stuff like that, you know. But, but this is beyond that. This is actually uploading things into an AI model, uh, Copilot Plus. This also includes taking a screenshot of your desktop every two seconds, which is really quite concerning, because when you start to look at it, this, well, not only is this data stored somewhere, which may be, you know, could actually be used against you by attackers, etc. But what this data can do, if it is compromised, is that more than anything, more than looking at external identifiers like LinkedIn or anything like that, it can identify real behaviors, how you behave using your laptop. You could even use another AI model to modify, sorry, to analyze that. And that can be used really quite significantly by attackers because knowing how you behave,
Starting point is 00:21:03 knowing the kinds of emails you get and how you respond and how, you know, what you're logging into, and all that information can be used to create a profile that will be extremely accurate and extremely convincing when trying to attack you. Um, it's, uh, it, they, they do want, they go on to talk about quite how much this, uh, uh, quite how insidious this is. So, uh, even in its FAQs, it says that the snapshotting feature will vacuum up sensitive information. You know, they're saying the quiet parts out loud here. Recall, as they call it, does not perform content moderation. It will not hide information such as passwords or financial account numbers.
Starting point is 00:21:50 That data may be in snapshots stored on your device, especially when sites do not follow standard Internet protocols like cloaking password entry. But that's OK because, you know, you can opt out to filter out sites. Only if you're using their browser, Edge, not if you use any of the other potentially more popular browsers. So to filter out, you know, a website from a snapshot, I tell it not to create snapshots of it, you've got to be using their web browsers, which may be okay in some corporate environments, but other corporate environments obviously will default to Chrome, for instance, or possibly even other browsers and their own secure browsers. And there's plenty of concerns here coming out, concerns around, you know, it doesn't respect GDPR requests to delete personal data,
Starting point is 00:22:56 you know, when requested to. Even Mozilla, who own Firefox and are known as privacy advocates. Their chief product officer said Mozilla is concerned about Windows Recall. From a browser perspective, some data should be saved and some shouldn't. Recall stores not just browser history, but also data that users type into the browser with only very coarse control over what gets stored. It's a new vector of attack for cyber criminals and a new privacy worry for shared computers. This is, I've got to say, in the days of when we're talking about
Starting point is 00:23:38 being at the forefront of AI and how we need potentially more control, this is really quite concerning, quite how far Microsoft is going with this. So yes, not too happy about this from this side of things. But then again, that's why I use a Mac. Andy. I'm not against this at all. So I think it is. I think it has its uses
Starting point is 00:24:05 and the reason I say this is because there's a product called Rewind which has been out for a couple of years now it originally started on the Mac it's available on iPhones it records everything you do
Starting point is 00:24:17 so better than what Recall does it's a very smart product it stores it all locally and they've addressed all the privacy concerns. Well, they've not addressed it. They've said, you know, it's up to you to make sure that, you know, when you're on Zoom calls or Teams calls, that you're telling all the other participants that you're using Rewind.
Starting point is 00:24:33 So they've slowly shouldered the privacy concerns, right? Absolutely, yeah. Well, yeah, it's informed consent, right? It's up to you to get that stuff. As a data controller, it's up to you to ensure you get the consent of all the individual data you're processing. However, the reason it has been good. So the person who invented that actually had, he's got ADHD and he struggles with information. And so the whole thing, it's AI based.
Starting point is 00:25:01 So he can recall information from meetings that he had or when someone walks past your desk and it records from the webcam. And it's just absolutely insane. Now, my only concern is Microsoft won't do it as good as Rewind. And it's just like one of those old spyware programs. But I do see potential with this if they can execute it correctly. I think that's absolutely the point. The reasoning for doing it is very, very good.
Starting point is 00:25:31 But because of its integration with Copilot and because of concerns over quite what kind of data AI has access to, what it will do with it and how it will use it elsewhere further down the line, this is... and the fact that it's even built in as part of the operating system as well, rather than, um, being something that you download and install, etc. I think that's where my concern is. I think very often, yes, you know, the road to hell is paved with good intentions, right? And that's, that's where I fear this is going. Yes. I, for once, uh, well, not for once, again, I kind of, I once again, I agree with Tom more than Andy on this one. I actually think, yeah, it's, it's kind of like a dangerous press. It's a bit like, what's that other thing they released? The one which allows you to monitor how many hours people spend working and
Starting point is 00:26:27 it gives managers thing. Yeah. Yeah. And like, you know, the thing is like all of these things are open for abuse. And you know what? I,
Starting point is 00:26:37 I, I'm just reminded of the quote by Dr. Ian Malcolm, Malcolm, who said that you, you, your scientists were so preoccupied with whether or not they could, they did not stop to think if they should. Yeah.
Starting point is 00:26:52 Of course, a great man, Dr. Malcolm. So it feels a lot like that. But from the other end, I say Microsoft just done a misstep. They just branded it wrong. If they had just marketed this as a forensics tool or something like that, that you can deploy in high sensitive environments and keep a log of like what happens, PCI environment, whatever. I think it would have been like welcomed with open arms. But the fact that they just said that this is a... the way they positioned it, it just felt like spyware. Well, it's consumer grade and therefore everywhere, right?
Starting point is 00:27:31 Yeah, and that's the problem. And, you know, I was reading some people's thoughts of this, and like, you know, how it could be misused, especially if people are, like, in abusive relationships, or they're trying to, you know, get away, and like, you know, and, uh, you know, you're just making it so much easier for people if they can access your machine and access all of this kind of data, um, a lot easier than, than they would have otherwise. Yeah, yeah. Uh, so, you know, such a... seems like a little bit of a misstep, unless, of course, you've got Andy working for you, in which case you've obviously taken some of Andy's advice. He likes to keep a tight rein on his staff, does Andy.
Starting point is 00:28:18 So maybe it's good for that kind of use. Rant of the Week. Feeling overloaded with actionable information? Yep. Fed up receiving well-researched, factual security content? Yes. Ask your doctor if the Host Unknown podcast is right for you. Always read the label.
Starting point is 00:28:44 Never double dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in anger. Right, Jav, let's see yours. Let's see if I can concur. The Labels of the Week. So, yes, I have to confess, when I was reading the show notes, I actually read the rant that you just did as the Billy Big Balls story of the week. And so I hadn't actually read the Billy Big Balls until you just played the jingle.
Starting point is 00:29:20 So I'll go over it quite briefly. But, um, there is a hacker who has claimed to have breached a scam call center, uh, stolen the source code for the company's tools and emailed the company's scam victims. Uh, this is kind of stuff that, um, people like Jim Browning, is it, on, on YouTube, they, they do quite a lot. They, they reverse hack into these, these scammers. They're all based in India somewhere, you know, when they're not providing the AI for Amazon's back end, I assume. Um, but, you know, it's, it's, it's kind of like a trend where there's a series of vigilantes, cyber vigilantes, cyber Batmen, you know, for lack of a better term, where they take matters into their own hand and breach or otherwise disrupt scam centers. And there's a big YouTube and even TikTok community now with, you know, creators mocking the targets, and like, you see these videos and they're hilarious, because like, people, they play
Starting point is 00:30:32 dumb. They're saying, like, sir, enter this thing there, and they're like, oh, where's this key? Where's the any key? What control? I don't know what that... And, and it's hilarious because you just love seeing these absolute scumbags, uh, lose their, lose their rag on, on these calls. And so, you know, I think, like, forget bug bounties, just point every wannabe hacker or, you know, you know, a pen test or whatever, say, look, here's some targets, they're all, like, trying to scam money out of people, and do it. So, so, you know, whilst I do not condone illegal activity or accessing networks without permission, you know, I cannot, um, condone this very, very fine work that some people are doing. Um, there's a screenshot embedded in the story where, you know, the email's been sent to the customers. And they're talking about, you know, you've been targeted by this fake antivirus company known as Wear.
Starting point is 00:31:36 There's a link to a video giving them information about it. Feel free to, you know, cancel it from your credit card provider or bank. Apparently scammers are charging people $300 to $400 per month as a subscription on this. That's almost Microsoft money. Yeah, it is. And they've given an email of the developers of Wear. And they said, like, feel,
Starting point is 00:32:06 feel free to, you know, do it. So, you know, it's, it's a, it's a good public service, I think.
Starting point is 00:32:13 But also it's like, if, if people, if your average individual sitting behind a computer can do this, the question is why can't the NCSC or, you know, the U.S. people, resource to do... people with resources to do this? And my big assumption is just political will or not wanting to rock the boat. I mean, Rishi Sunak wouldn't want his cousins back in India to be locked up.
Starting point is 00:32:38 It's not a good look for him. So time to, uh, time to hit that rewind button. Do you know what, what I like about this, moving swiftly on, is, is actually the hacker does offer to the, uh, to the where.team that they, if they want to reach out to him, because he actually says to the where.team, if you want to contact us, please stick your head up your arse and scream, death to scammers, which I thought, you know, that's extending an olive branch to them, really, isn't it? So I'm very impressed. I'm very impressed. It's very nice. I think this particular person or team is deserving of said large balls belonging to Billy.
Starting point is 00:33:28 We're in agreement. Wow, that does not happen very often at all, does it? Billy Big Balls of the Week. You're listening to the award-winning Host Unknown podcast, officially more entertaining than Smashing Security. All right, Andy. Um, well, I'm, I'm hesitant to say what time it is because it's really rather late at the moment. But, Andy, what time have you got there? It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Starting point is 00:34:19 Industry News Authorities arrest $100 million incognito drugs market suspect. Industry News. AI Soul Summit. 16 AI companies sign frontier AI safety commitments. Industry News. UK government in £8.5 million bid to tackle AI cyber threats Industry News Mastercard double speed of fraud detection with generative AI Industry News The police service of Northern Ireland faces £750,000 data breach fine after spreadsheet leak Industry News £50,000 data breach fine after spreadsheet leak. Industry news.
Starting point is 00:35:07 GitHub fixes maximum severity flaw in enterprise server. Industry news. National records of Scotland data breached in NHS cyber attack. Industry news. National vulnerability database leaves exploited vulnerabilities unchecked. Industry news. Microsoft gift card fraud rising, costing businesses up to $100,000 a day.
Starting point is 00:35:40 Industry news. And that was this week's... Industry news. Industry News And that was this week's Industry News Huge if true Wow Huge Huge Do you know what I think is really interesting When we look at the values here
Starting point is 00:35:57 In the first one Authorities arrest 100 million dollar Incognito drugs market suspect So obviously But then we get to the third one. A UK government is investing eight and a half million in a bid to tackle. I know. The imbalance.
Starting point is 00:36:15 Drugs pay. Yeah, crime pays. That's the bizarre thing. You know, UK government, you know, what much is what we say about the UK, still has a large GDP and is, you know, one of the, certainly one of the richest countries in the world. And it still can only afford to put eight and a half million in when the, you know, the criminals are making so much money that it's just...
Starting point is 00:36:44 Making bank. Yes... Making bank. Yes. Making bank. Well, isn't that because, like, Rishi's getting asked questions about his wife's shareholdings and why they're getting, like, favourable bonuses and grants from the government? I mean, I'm just throwing it out there.
Starting point is 00:36:58 Maybe it's like... You're cutting out there. I didn't hear all of that. Everything you said after Rishi's... No, but i definitely heard the word allegedly yes allegedly allegedly i thought generative ai was the thing that made pictures what you did not. Generative AI.
Starting point is 00:37:25 It's like the all-encompassing... I thought large language models are the things that look at text and look at things. Generative creates. That's the point. That's the name, right? Yeah, but creation is more than just images. It's words. It's documents.
Starting point is 00:37:44 It's everything. So how is that detecting... Do you know what? I'm going to click on the link and find out. That's how interesting I am. You're trying to guess a story just from the headline. Well, I know it's rare. I know we don't do it very often. Predictive technology. I don't know.
Starting point is 00:38:10 I'll have to look into that. What else you got? So I was just looking at the Microsoft gift card fraud rising, costing businesses up to 100 grand a day. And this is quite an interesting one. There's a group called Storm-0539, which operates out of Morocco. Mashallah. So what they do is they actually social engineer their way into large retailers and restaurants,
Starting point is 00:38:45 normally by a smishing text message to get the employee to click on it and give them access. Then they move laterally to work out the gift card business process that that organisation has. And then they gather information on remote environments such as virtual machines, VPN connections, SharePoint, OneDrive resources. And then they use this information to create new gift cards via compromised employee accounts.
Starting point is 00:39:10 What? And this then allows them to redeem the value associated with these cards, sell the gift cards to other threat actors on black market, or use money mules to cash out the gift cards. So this is like something completely different. I hadn't read. Normally, when you hear a gift card scam, it's like they trick someone into going buying a gift card this is the other approach and i think this is um really clever sounds complicated though doesn't
Starting point is 00:39:37 it it's it's a billy big balls move isn't it no but why see see gift cards are as good as cash and we know it's very difficult to counterfeit cash in a convincing way yeah but if you can counter if you can counterfeit the gift card which isn't even owned by central repository it's by individual individual organizations yeah yeah then you know it's like if smashing security has gift cards it'll be a lot easier to forge it hey i've got um excuse me what do you mean if they do have gift cards and if you buy them through us you get them at a discounted rate exactly so a hundred pound smashing security gift card you can pick up from us for just 50 pounds exactly this is true and so if you want to sponsor if you want to sponsor smashing security you can do it at a big big discount if you do it
Starting point is 00:40:33 through us yeah yeah you get the price list from them and then pay through us yes and the money just rests in our account for a certain period of time and then we pay it on yeah yeah yeah yeah there's that cooling off period in case the customer wants to you know in case graham actually wants a refund right anything else on here nah no no i guess the uk government could use that 750,000 quid they're going to get from the PSNI towards their bid to tackle AI cyber threats maybe that's how it was
Starting point is 00:41:11 originally only what was it 7.75 million before no 7.5 million whatever added 10% right okay well that was this week's Industry News in 2021
Starting point is 00:41:33 you voted us the most entertaining cyber security content amongst our peers in 2022 you crowned us the best cyber security podcast in Europe you areed us the best cyber security podcast in Europe. You are listening to the double award winning Host Unknown podcast. How do you like them apples?
Starting point is 00:41:54 All right, Andy, take us home. It's getting late. The nights are drawing in. Tweet of the week. And we always play that one twice. Tweet of the week. And this week's tweet of the Week comes from our regular presenter, Mr. Graham Clewley. And he says,
Starting point is 00:42:12 I've given over 300 talks at events across Europe, America, Middle East, Africa, Asia and Australia, but somehow have never got around to making a showreel. Here you go then. Let me know if you'd like me as a keynote speaker at your event. And there's a great link to a showreel where you can see our very own Graham Clully and what he's brought to the industry over the many decades he has been involved in it.
Starting point is 00:42:38 Wow. It's actually quite entertaining. It's a fun one. He starts off in a very monotone sort of like hello i'm graham i've spoken this at the other then he goes blah blah blah how dull is this and then he switches into normal mode which is exactly the same as how he sounded before he switched he's definitely a friend of the show that was definitely friend of the show. That was definitely a friend of the show. But that wasn't the real tweet. We just thought that was a great.
Starting point is 00:43:09 But, you know, because he needs those extra three people that haven't heard of him to see it, right? Yeah, exactly. He needs the other two people in the world who've never seen a keynote from him to see it. So we have another tweet from Meredith Whittaker. So we have another tweet from Meredith Whittaker, and she's quote-tweeting Melanie Mitchell,
Starting point is 00:43:31 who pumped it. You've probably heard that Google are paying Reddit 60 million a year for all of their content, and they sort of fed it into this whole thing. So there's someone that actually posted the question to Google, how many Muslim presidents has the US had? And the AI has responded. The United States has had one Muslim president, Barack Hussein Obama. And so Meredith has quoted to this.
Starting point is 00:43:58 She says shoving a confidently wrong chat bot trained on Reddit into a service marketed for decades as a portal to the world's knowledge is reckless and legitimately dangerous jesus christ i mean there are some great like that there's one where um i think 404 media did a great one about uh someone asked for the recipe to how to make pizza. And so Google responded that you can mix glue in with cheese. Yep. And this comes from a Reddit post from 11 years ago that a lot of people upvoted. And so AI can't tell the difference
Starting point is 00:44:39 between someone being sarcastic in response and people upvoting it as a popular response than an actual genuine thing. So yeah, and that came from a user called uh fucksmith uh which was the greatest thing so it was uh yeah to quote the source of that yeah uh to add yeah yeah non-toxic glue to the source to give it more stickiness that's it that's it i saw that one the other day and this is like who in their right mind would think that reddit four places is is where you would want to i mean it's great as a human tool because as a human like when you go into google and you do a search and like look specifically for the answer on reddit you sometimes get lots of good ideas or inspirations if nothing else you get a good laugh
Starting point is 00:45:25 but yeah to use it in this way where you will as you said andy rightly so ai has no ability to differentiate between sarcasm wit humor um or genuine hate speech this is quickly going down do you remember tay the the Microsoft's Twitter bot? Oh, the Nazi. Oh, it didn't, they had to abandon it after 24 hours. Yeah, because it was self-learning. It was going to learn from the internet.
Starting point is 00:45:55 It started like right-wing. It became super racist. Yeah, exactly. Exactly. I did hear that Google are paying 50 million to 4chan to do the same thing You know what, Google if you're listening Go fuck yourselves
Starting point is 00:46:14 No, no, no, no, no For the discount price of 80 million we'll give you access to our WhatsApp chat No, no, no, no For 80 million i'd take it i don't care what anybody thinks of me for my my half of 80 million what half half what are you going to do with 10 of 80 million and tom fuck i'll do it for 8 million I don't care Oh dear
Starting point is 00:46:51 Excellent that was this week's And we come barrelling Into the end of the show Another one that flew past actually So yeah Gentlemen thank you very much yeah gentlemen thank you very much Jav thank you so much for your time, wisdom
Starting point is 00:47:10 and something else beginning with W spin on these okay lovely and Andy thank you stay secure my friends stay secure Stay secure, my friends. Stay secure. You've been listening to the Host Unknown podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel.
Starting point is 00:47:37 This is so late. You know, on Sunday, one of our friend's daughter is getting engaged and uh my wife she was so she's bless her heart she in she said to them well we've got a big garden why don't you come and host it we can host you so rather than renting a hall just do it at our place so it's so late i'm looking out the window and the the the father of the girl and his son they're struggling to put up a um a marquee so i i'm trying to kill time so that i don't have to leave my office and help them so if you guys can just hang on or even if we stop recording that would be great