The Host Unknown Podcast - Episode 195 - The Smashing Unknown Episode
Episode Date: June 10, 2024

This week in InfoSec (11:16)

With content liberated from the “today in infosec” twitter account and further afield

5th of June 1991, a mere 33 years ago: Philip Zimmermann sent the first release of PGP to 2 friends, Allan Hoeltje and Kelly Goen, to upload to the Internet. From the man himself:

First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world. Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th.

It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn't even have a clear idea what a newsgroup was.

After releasing PGP, I immediately diverted my attention back to consulting work, to try to get caught up on my mortgage payments. I thought I could just release PGP 1.0 for MSDOS, and leave it alone for a while, and let people play with it. I thought I could get back to it later, at my leisure. Little did I realize what a feeding frenzy PGP would set off. Apparently, there was a lot of pent-up demand for a tool like this. Volunteers from around the world were clamoring to help me port it to other platforms, add enhancements, and generally promote it. I did have to go back to work on paying gigs, but PGP continued to demand my time, pulled along by public enthusiasm.

I assembled a team of volunteer engineers from around the world. They ported PGP to almost every platform (except for the Mac, which turned out to be harder). They translated PGP into foreign languages. And I started designing the PGP trust model, which I did not have time to finish in the first release. Fifteen months later, in September 1992, we released PGP 2.0, for MSDOS, several flavors of Unix, Commodore Amiga, Atari, and maybe a few other platforms, and in about ten foreign languages. PGP 2.0 had the now-famous PGP trust model, essentially in its present form.

It was shortly after PGP 2.0's release that US Customs took an interest in the case. Little did they realize that they would help propel PGP's popularity, helping to ignite a controversy that would eventually lead to the demise of the US export restrictions on strong cryptography.

7 June 2009. A mere 15 years ago. Sophos launched its (utterly shit) IT vigilante marketing campaign.

Dress up a British man (who appears to have had a nervous breakdown over a corporate data breach incident) in an orange gimp suit – that will sell security software for sure! At least, that was the plan made by Sophos’s marketing department for its “IT Vigilante” campaign.

https://www.youtube.com/watch?v=-gc6sDqofcI
https://grahamcluley.com/top-five-worst-videos-anti-virus/

Other awful videos:
Happy birthday Eugene Kaspersky: https://www.youtube.com/watch?v=ujnq188E5-w
Eugene’s “silent movie”: https://www.youtube.com/watch?v=Ib8UjCQl5sE&t=6s

Rant of the Week (22:45)

https://www.bbc.co.uk/news/articles/cxee7317kgmo

Russian hackers are behind the cyber attack on a number of major London hospitals, according to the former chief executive of the National Cyber Security Centre.

Ransomware attacks on the healthcare industry as a whole have increased significantly over the past year. Whaley attributes the uptick to “lives on the line.”

“While no sector is invulnerable to these attacks… healthcare providers have proven time and time again that they’re the most willing to pay a ransom following these incidents," Whaley said. “Bad actors know this and smell blood in water,” he added.

Whaley pointed out that the rise in state-sponsored cyberattacks combined “with the further digitization of the NHS paints a pretty grim picture for the defensive capabilities of the British healthcare sector… and possibly a warning sign of much larger attacks to come.”

Graham's Giant Gonads of the Week (30:51)

Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab

https://therecord.media/kaspersky-apple-bug-bounty-declined
https://securelist.com/trng-2023/

Apple has snubbed Russian cybersecurity firm Kaspersky Lab, refusing to shell out a bug bounty for four zero-day vulnerabilities discovered in iPhone software. Targets were infected using zero-click exploits via the iMessage platform, and the malware ran with root privileges, gaining complete control over the device and user data.

The twist? The vulnerabilities were used to spy on Kaspersky employees. Kaspersky politely enquired whether it could be rewarded for finding the vulnerabilities used in the espionage campaign - known as Operation Triangulation. Kaspersky claims it was a "highly sophisticated" attack, so intricate it needed 13 bullet points to explain.

Russia, not one to be outdone in the drama department, accused the U.S. and Apple of colluding to spy on Russian diplomats. Apple, of course, vehemently denied these allegations. It's like Eastenders.

Amidst all this chaos, the U.S. and Russia are engaged in a geopolitical staring contest, with Apple caught in the crossfire. Apple, being an American company, has taken a stand against Russia's actions in Ukraine, suspending sales and removing apps. It's a bit like a tech giant trying to play peacemaker in a playground brawl.

Kaspersky, meanwhile, has its own history with the U.S. government, having been banned from government use due to security concerns. It's a classic case of "guilty by association."

So, will Kaspersky continue to report bugs to Apple despite the lack of reward? Only time will tell.

Speaking to Russian-language media agency RTVI, Kaspersky’s research head Dmitry Galov said that typically cybersecurity companies like Kaspersky nominated a charity to receive the funds from the Apple Bug Bounty program instead of collecting the revenue itself. He added that although Kaspersky was confident the attacker was state-sponsored, he and his research team did not have the technical data needed to identify which state may have been behind the attack.

A spokesperson for Kaspersky did not respond to whether it had nominated a charity when initially contacting Apple, nor whether the company’s refusal to issue a bounty would affect its decision to disclose vulnerabilities discovered in the future.

Industry News (40:23)

London Hospitals Cancel Operations Following Ransomware Incident
EmailGPT Exposed to Prompt Injection Attacks
#Infosec2024: CISOs Need to Move Beyond Passwords to Keep Up With Security Threats
#Infosec2024: Ransomware Ecosystem Transformed, New Groups “Changing the Rules”
Security Flaws Found in Popular WooCommerce Plugin
#Infosec2024: Collaboration is Key to an Effective Security Culture
#Infosec2024: AI Red Teaming Provider Mindgard Named UK's Most Innovative Cyber SME
FBI Warns of Rise in Work-From-Home Scams
Account Takeovers Outpace Ransomware as Top Security Concern

Tweet of the Week (44:27)

https://x.com/dakacki/status/1798882732203803070

Come on! Like and bloody well subscribe!
Transcript
Well, there's no Jav, there's no Andy. It's brilliant, it's brilliant. So we've had to bring the big guns in.
Who you calling big guns? Big gun.
Well, I mean, they are from where I'm standing. Um, Graham, thank you so much for coming on for this. I tell you, those two boys, they just let you down as soon as look at them.
Always a pleasure. I tune in every week, and I look forward to the podcast on Friday evening.
Then I look forward to it on Saturday morning,
Saturday evening, Sunday morning, Sunday evening.
Eventually, I get it typically about Tuesday lunchtime.
So I just thought I'd speed things up a bit this week.
Well, hopefully.
Hopefully.
And no doubt the quality will be much higher too.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining
us and welcome, welcome one and all to episode 195.
199!
Brilliant.
Oh, just... Of the Host Unknown podcast.
I tell you what, Graham, that is so good.
I mean, the quality alone is just...
Of that response, the timing, it was superb.
Superb.
Do you know what?
I think we should just jack it all in and just do a blog together. I think we'd be perfect.
I think it'd be lovely. I think it's about time, yeah. I think maybe, you know, maybe we could merge our two podcasts. Perhaps we could have the Smashing Unknown podcast.
That sounds pretty good to me. What are we going to do with Carole, though?
Well, she could occasionally come in like Jav and Andy do.
I mean, you know, we wouldn't, well, we certainly wouldn't be any worse off with her.
Anyway, Graham, how are you, sir? You've had quite the week.
Well, I think we all did, didn't we, in the infosecurity world in, uh, the UK. So, um, obviously I popped down to the Infosec show at the ExCeL centre in London. Lovely, lovely, lovely. Met lots of lovely people, including yourself.
Um, yes.
And Javvad. No Andy. Um, so good to see you guys. And we went to the Blogger Awards, which was good fun as well.
So that was terrific.
If a little noisy.
Well, for our ears, yes.
For those of us in our 50s or later in your case, yeah, a little bit noisy.
But no, it's all great fun.
And the show, I haven't been to Infosec for a few years, but it feels different at the ExCeL, isn't it, to the old Olympia days? It's a little less crowded, especially this year.
A little less crowded. There were some vendors I didn't spot, you know, some of the usual faces. They don't seem to be doing the shows anymore.
I know, right? Like Microsoft, Cisco, all those big boys.
Um, I mean, Trellix were there, which is what McAfee is, but they were quite small.
Kind of McAfee, isn't it?
Yeah, yeah, that's right. But yeah, I don't know what it... I think we were saying, don't recognise half the names of the companies out there. And I think we said this last year as well, but loads and loads of small companies who are obviously pitching their tents up next to some of the big boys that actually turn up, and trying to, obviously, trying to sell themselves.
And have you noticed, granddad, that all the policemen are looking younger as well?
Um, it's, uh, yes they are. I have to say, yes, they are all looking a little bit younger. Um, so, yeah, I know.
But we have glossed over the most important part,
which was you were awarded an award, for want of a better term,
at the Security Blogger Awards, weren't you?
Well, not me.
The Smashing Security podcast, which I'm just a small cog in the operations of.
Yes, Smashing Security won an award at the Security Blogger event. Um, expertly judged, of course, I thought. Uh, they've got some fantastic sponsors, like KnowBe4, um, you know, anyone who works for them. And great, great, great fun.
Wonderful.
What? Who's that?
Bad Javvad. What? Hang on.
You guys, I told you I was going to go make a coffee and you started recording without me.
You said you couldn't make it.
And here you are, just rocking up halfway through.
Very mature.
Very mature.
I do.
It's not like you haven't done it to me either.
I've never done that to you.
I wouldn't know where the record button is.
You were in my house when you did it.
Was I?
Yes.
I cannot remember that, but okay.
Way to hold a grudge, Mr...
A lot of people don't remember being in Tom's house,
let's be honest.
No, no, that's true.
Especially after they've drunk us some coffee or something.
Yeah, yeah.
I mean, all I remember was the hoodie going over my head,
put in the back of a van,
and then waking up and a blurry eyed
and someone doing their best Bill Cosby impersonation,
but white and bald.
Oh, see you soon.
Ouch.
All lies, and all allegedly anyway. Let's get back onto the track with, um, you know, talking about, uh, basically Graham being the shaved monkey in a suit on the Smashing Security podcast. Um, because it's all Carole, right?
Carole is, uh, wonderful, but of course she delegates the attendance
of award ceremonies
to me so people never actually get
to meet Carole, I'm the one who's rolled
out for the public occasions
but it was lovely
to receive an award, thank you to the
esteemed judges who
this year didn't give it to their own podcast
which is always appreciated
so thank you very much
for that, whoever you might be.
Indeed, indeed. I've got a grudge with the judges, because that's twice in a year I've been nominated for something and still not... or twice in two years and still didn't win. I mean, I just don't know why I bother.
I can't believe you didn't make the shortlist. If only you could have a word in their ear. If only there was someone you could say...
Oh, I know. Well, I wasn't the shortest, in fairness, for tice.
Oh, were you? Oh, you are. Oh, oh, for tice. Yes, for tice.
Yes, but what about Host Unknown? Oh, for goodness' sake, you've done 199 episodes now. That is incredible.
150, actually.
Well, you have, you might have done 100.
Yeah, we did that last year.
But what was it you said? Host Unknown is a big podcast. I mean, like, we don't need a plastic glass award to validate ourselves. We know who we are, and it's a bit... we're like the celebrities that snub the Oscars, because you don't need that recognition from the manufactured institute to feel appreciated or known.
You just know your worth and our fans know our worth and that's how we roll.
I mean, it's absolutely right, but it'd be nice to win something.
Let's face it.
Anyway, Jav, how's your week been?
It's been...
It's been busy.
Well, you were at Infosec for three days. In fact, even saw you on stage.
I was on stage twice, yeah. I met you lot. Oh, there's some old colleagues who I haven't seen for 10, 12 years who rocked up this year to Infosec, and, uh, it was really great. You know, when you meet people you haven't seen for a long time, but you just pick up exactly where you left off, as if, like, yeah, you don't miss a beat. So it was really, really nice, and we all made promises that we won't leave it as long next time, but I'm sure we will. Yeah, but the good thing is now, like, you know, I've got more WhatsApp groups that I'm part of, each with, like, a trio of people, like three colleagues, three of us colleagues from one place, three from another place, three from another place, you know, segregated by age, gender...
You know, so I no longer feel special anymore, is what you're trying to tell me.
You actually felt special at some point in your life?
For a moment, for a moment, you know, when, when the light...
You mean special as in Special Olympics, Tom?
Yeah, because I could... special. When... that's why he wants an award. Smile poured out on me occasionally, yeah.
There's a saying in Urdu which translates a bit to: if you see a lion's teeth, it doesn't mean he's smiling at you.
But, well, after your trip to the dentist, we're not going to be seeing much of your teeth for much longer, are we?
Oh no, that's terrible.
So, so this is, yeah, this is some of the down news this week, and in my absolute aging-horribly phase, is that, um, I'm diabetic now, apparently, so I've got to take metformin. And I went to the dentist after three months, and they're like, are you a smoker? I said no, I never smoked, really. And he goes, like, are you diabetic? I said, funny you should mention that.
He... yeah, because you've had terrible bone loss
in the last three months.
Oh.
Three months then?
Yeah.
Well, I've had bone loss before,
but in the last three months it seems to have accelerated.
He goes, well, you know, it can have an impact on that.
And yeah, you're probably going to lose a few teeth now,
but there's not enough bone to get like an implant in
there, so you might have to wear a brace, a denture, or have a bridge put in, or something. So I'm really close to just going to Turkey, going for the five-star package: teeth, hair, liposuction, face, laser, you know, whatever. The whole works, a bit of Botox, liposuction, everything.
I'm just going to go there, do it all in once.
See, unless I get stopped by immigration
for not looking like my passport photo anymore,
I wouldn't consider it a successful trip.
Yeah, you're going to come back as a six-foot white man called Daniel.
Yes.
So if anyone wants to sponsor my, my, my social experiment into seeing how people will treat me differently if I looked and felt better, then, uh, please do send an email to sponsor at hostunknown.com.
And talking of other things that need a facelift, shall we see what we've got coming up for you this week?
This week in InfoSec is pretty good.
Rant of the Week just boils your blood.
Billy Big Balls is more like Timmy Big Apples.
Industry News brings you the latest and greatest stories from around the world.
And Tweet of the week is more corporate bullshit.
So without further ado, let's move on to our favourite part of the show.
It's the part of the show that we like to call...
This week in InfoServe.
Copyright.
Quality jingle
You can't copyright free
It's ok
We've got two stories for you this week folks
I'll take the first one
And our guest Mr Clully
Will take the second one
You mean our other guest
So the first story
Yeah
So the first story comes from the 5th of June 1991, a mere 33 years ago, when Philip Zimmermann, known and loved by many in the security community, sent the first release of PGP to two friends, Allan Hoeltje and Kelly Goen, to upload to the internet. And in the words of the man himself, first I sent it to Allan, who posted it to PeaceNet, an ISP that specialises in grassroots political organisations, mainly in the peace movement. It was accessible to political activists all over the world, and then I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet group that specialises in distributing source code. At my request he marked the Usenet posting as US only. Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the internet began on the 5th or 6th of June.
And it may be surprising that Philip back then did not
know a lot about Usenet news groups to realize that a US only tag was merely an advisory. It
wasn't a mandatory. It's a bit like even today, like when you tag an email as confidential,
it doesn't mean anything. It has little effect on how real, around how Usenet
really propagated the postings. And he actually thought it controlled how it worked, but he had
no clue. And he didn't even really know what a news group was, according to himself. And after
releasing it, he went back to consulting work to pay for the mortgage and, you know, what have you, leave it alone for a while.
But little did he realise that a feeding frenzy PGP would set off.
Apparently, there was a lot of pent up demand for a tool like this.
Volunteers from around the world were clamouring, clamouring, I say, to help port it to other platforms, add enhancements and generally promote it.
He did have to go back to paying gigs, but PGP continued to demand my time.
So he assembled, much like Tony Stark, a team of volunteer engineers from around the world.
No, I mean Nick Fury. They ported PGP to almost every platform, except the Mac, because Mac is so hard and they're so closed. Uh, they translated it into different languages, and, uh, 15 months later, PGP 2 was released for MS-DOS, several flavours of Unix, Commodore Amiga, Atari and maybe a few other platforms, and there were about 10 foreign languages. It had the now-famous PGP trust model, which was used pretty much till today, I suppose. Um, and it was shortly after PGP 2's release that the US Customs took an interest in the case, and this is something many people remember. Uh, little did they realise that they would help propel PGP's popularity, helping to ignite a controversy that would eventually lead to the demise of the US export restrictions on strong cryptography. And yes, I mean, this is the stuff of legends, though, like how, you know, they tried to restrict it, and how those people were saying, like, this is just code, you can't promote it. And then there's all these memes about, uh... I think we covered one, like, a few weeks ago, when someone said, like, uh, who was it? President Reagan sent a T-shirt to, uh, Gorbachev which had his public key printed on it as part of the design. And so it was quite funny. But yeah, it's only been in the last 33 years. I mean, both of you've been around in the industry, like, longer than that, so you've seen a lot of evolution in this time.
It was an extraordinary time, wasn't it? Because you couldn't, you couldn't send people a copy of PGP, I think, from the States, but you could print out the code and send it to them via the post for them to type in at the other end.
Yeah, it was absolutely bonkers. Did you guys use PGP way back?
I printed out the manual for it in an attempt to learn it, and actually I just gave up. It was just too difficult. It's so complicated, wasn't it?
Same here.
It was extremely complicated.
I had no idea.
But it was fascinating because people were talking about it
and how it's like you can protect things now and no one can read it.
And you didn't really think why there was a need even.
I mean, I didn't realise.
But it just seemed so, like, futuristic.
It seemed a cool thing to do, not an essential thing to do.
Yes, yes. Well, whereas now... I dispute... well, yeah, it is different now. But even 30 years ago we were using it in, sorry to be the old guy talking about the antivirus industry,
but we were using it to share computer viruses with other companies.
So we'd use PGP because we wanted to be sure that the only people who could decrypt these huge virus collections were the real virus researchers who we'd exchanged keys with.
So, you know, there would be this steady communication going on for the betterment of the world
so that we could all protect against the latest malware nasties.
So you're saying, did I hear that right,
that you, as working for an antivirus firm,
were sending out viruses protected by PGP?
Is that what I'm hearing?
To our competitors.
To your competitors? Oh, wow.
So it was a cartel all mixed in together.
It's not quite the same as when McAfee bought Dr Solomon's.
And as part of the acquisition,
they actually did give us a few viruses,
but we couldn't,
we couldn't believe,
we couldn't believe what they were like.
It was like,
are you serious?
But surely they were the type that John McAfee gave you personally.
Oh my goodness
oh dear
oh dear
okay Graham what do you have for us
Well, I want to go back a mere... let me work it out, 2009, a mere 15 years ago. And I'm sort of raking my memory now of companies I've worked for, because I used to work for Sophos. And today, as we're recording this, Friday the 7th of June, is the 15th actual anniversary of Sophos' memorable and utterly shit IT Vigilante marketing campaign.
I remember the marketing people coming into the building and saying, we need to make a viral video, we need to make a viral video. They said it's going to go viral. I said, oh, that's very interesting. And they spent a huge amount of money getting a script and getting these actors, and of course it was all made in America. And what they decided to do was they were going to get a British man. They said they wanted it to be like Monty Python. They said, we're going to create a CISO who's had a nervous breakdown after a corporate data breach.
And he's responded to this.
It's a different approach from you, Tom.
He's responded to this by wearing an orange gimp suit.
Yeah, mine's black.
And this character, right.
He comes in with his aqualung on the back
and an orange gimp suit and these great big goggles.
And they made these series of videos.
And because it was scripted by Americans trying to write for a British character, they made a number of mistakes.
And I remember that they sent us scripts and things.
And the character was saying things like, he was going up to these characters in the video.
And he said, oh, you're a funny little wanker, aren't you?
And they thought that was just what British people said to each other.
I mean, it is, it is what we do. Just not in the boardroom.
Or, you know... no, no. And, uh, we sort of had to explain to them, um, you may have heard that phrase, but it's maybe not entirely appropriate. You may want to reword some of this. Maybe say wazzock or something like that. Anyway, look, I'm telling all the tales now. These should have gone into my memoirs. So they spent a fortune on this video, which we've linked to in the show notes, and there were a series of these videos. Most of them have been destroyed, but I'll link to them, and some other awful antivirus videos from different companies over the years. Um, but one of the things they did was they wanted it to go viral, and so it's really important for the marketing team to be able to go to the bosses and say it's been watched 50,000 times.
Yeah.
And they found this agency who said, we can promise you 50,000 views. And so they gave this agency some money. They really did this. They gave them some money. Sure enough, boom, the views went up, went all the way up to 50,000 and then stopped. It was like there was a month of lots of views and then it completely stopped. And so the marketing team were... the bosses were happy, because they were able to say it's a success.
We later found out how they'd done it.
And the video had been embedded in a one pixel by one pixel
inside a Facebook app used by girls on Facebook
to send digital teddy bears to each other.
And they hadn't known there had been a Sophos marketing video
playing in the corner of the screen. That happened 50,000 times, and they spent a fortune on both the videos and making sure it had, quote, lots of views, although it never was actually viewed at all.
I think after 15 years I'm probably past statute of limitations.
I think you're safe.
And I can reveal that.
I think I'm safe.
From attack, yeah.
But the fact that they come in and say,
we want to make a viral video means it's never going to be viral
and it will be awful.
No.
Yeah.
Wow.
There are some other awful videos out there,
which I can link to as well.
There's one where all the staff of Kaspersky
sing happy birthday to Eugene.
They make like a rock video.
It's like the sort of thing you'd expect
the Church of Scientology to make.
It is so vile.
And there's also a silent movie
done in the style of Charlie Chaplin,
which is the least funny thing
you will ever see in your life,
actually starring
Eugene Kaspersky
but if you want to watch them, because I've had
to watch them, please feel free
they're in the show notes
links in the show notes, wow
thank you gentlemen, that was this week's
this week's
InfoSoul
this is the podcast the king listens to.
Although he won't admit it.
Right, we're going to move on to the rant of the week,
which, let's face it, with our special guest
and the fact that he's already mentioned the words gimp suit,
it's really not going to have that much of an impact on you all.
But here you go. It's time for Listen Up! Rant of the Week. It's time for Motherf***ing Rage.
So this is not a story from InfoSec this week, which is actually quite a feat given all of the
news feeds are filled, at least in the UK, UK news are all filled with infosec news. Um, this is actually from, was just earlier in the week, wasn't it? Tuesday night maybe, or was it Monday? I can't remember, something like that. Uh, basically, Russian hackers were behind the cyber attack on a number of major London hospitals, according to the former chief executive of the National Cyber Security Centre. So as you know, the NHS had to cancel a whole bunch of operations and procedures and all that sort of thing, because one of their main third parties, a company called Synnovis, who does all of their blood work, all of their lab work and all that sort of thing, they were hacked and held to ransom.
As we know, the ransomware attacks on the healthcare industry have increased significantly
over the last few years, and definitely over the last year as well. And the problem with this, of course, is that it potentially puts human lives on the line. Healthcare is the soft underbelly, basically, of where to attack when it comes to cyber attacks, because it's woefully underfunded. It's basically healthcare, education and virtually every other government agency or government department out there. But healthcare providers, uh, on the whole, have proven time and time again that they're the most willing to pay a ransom following these incidents, said one commentator. Bad actors know this and smell, excuse the pun, blood in the water. And this is true because, frankly, if you don't have the expertise to protect yourself from ransomware particularly well, you're certainly not going to have the expertise to recover yourself from ransomware. But in this case, it being a third-party supplier, and also, uh, it transpires that the, uh, the parent company, the third party, has also been ransomwared, I believe, two or three times this year. Uh, so with all of this in place, with all of these, uh, all these in place, it's frankly really quite disturbing how fragile our healthcare system is, because thousands of operations and procedures were cancelled and postponed. Some of them, no doubt, very critical. You can't guarantee the provenance of the blood that you need for these operations, um, and for transfusions, because the systems are down that control all of that. You can't order more blood, etc. So it's absolutely critical. So the rant here is twofold. One is
we really need to put more effort into protecting our health care industry.
And quite how we do that? Well, well, partly, I guess part of it is to do with the general election in just a few weeks' time. Hopefully we can get somebody in who might actually start to fund the NHS rather than defund it. Uh, but also, if you are in, you know, one of the private healthcare providers, you are for profit, uh, and you are supplying the NHS, you absolutely need to up your game. You know, you are not funded by, um, you know, contributions from the government. You are funded by your customers, uh, since you are a private organisation. There really is no excuse to not invest in this. Uh, so yeah, the rant is very much, you know, we need to do better on this front, and companies that are supporting our National Health Service absolutely need to do better.
They do. I agree. This is, oh my God, really appalling.
It is. And what's really interesting, like, you use the link to the BBC story here, and as I was going through this, there's a photo of a gentleman in there whose heart procedure was delayed due to the cyber attack, and I recognise him, because he's my neighbour.
What? He is, yes.
No way!
So I'm like, what, Oliver?
So he's been retired.
He's a fascinating guy.
You can actually go to his website, oliverdowson.co.uk.
He's written several books since he's retired.
Stick it in the show notes.
Most of them are fiction books.
We'll make sure it's in the show notes.
I'll stick it in the show notes.
I'll put it in the show notes.
His first book was called There's No Business Like Travel Business, and it talks about...
so he worked, he had a company, I think he was a director or partner there, where he would travel
around the world to manufacturing plants, like factories and what have you, and find ways to reduce their electricity bill.
So he would find out where all their meters were,
bring them back and everything.
So his book's really fascinating.
Anyway, I actually pinged him.
I messaged him.
I said, like, Oliver, I did not know you were awaiting a heart procedure.
Literally, the BBC told me.
And I said, how's it going?
And he goes, yeah, I was tweeting it
out on Tuesday morning as to why no news channels were covering the hack, right? He goes, I had my
op cancelled on Monday and I thought, if I get in the news... And he got on with the BBC, and ITV actually
came to his house and filmed. His ulterior motive was that maybe the NHS wouldn't cancel it again.
And then he literally messaged me about half an hour ago saying, well, they cancelled it
an hour ago. It was supposed to be next Tuesday, but now there's an indefinite delay. Oh, so he's
free to come on the podcast then. You could have invited
him on, I suppose. So he goes, I need a heart valve replacement, so a fairly major but routine surgery.
So what this really got me thinking is that, you know, we often hear about ransomware against
hospitals and everything, and people say, well, no one's really dying, have they? And maybe not directly.
You can't attribute, like, oh, this attack actually killed someone. But how many people are there, like
Oliver, on the waiting list for something quite major who might have further complications because
the procedure's been delayed, or might actually have something go on in between that you can't
really say, oh, it was because of this,
or no one wants to admit because of this.
But there's a real, real life implication on this.
So I think it's so, so, you know,
it actually feels to me a lot more real
when it's someone I know that's been directly impacted by this.
But I think we need to really, you know,
I have no sympathy for these companies.
Like you said, Tom, they're not being funded by the government.
They're private for profit.
They should do better.
Yes, they should.
They should.
Rant of the Week.
You're listening to the award-winning Host Unknown podcast.
Officially more entertaining than Smashing Security. You do know that that was actually on the random button, right? That was...
So I had no control. Yeah, funny that. Funny that. No, of course you didn't. It seriously was on the random one. That's the best part of it.
Right, Graham, let's move on to you, shall we?
It is time for... Lovely.
Now, chums,
let me tell you all about something that's been going on just recently, which is
that Apple has been doing a snubbing. It has been snubbing the Russian cyber security firm
Kaspersky Lab, friends of the show, I'm sure. Is that because they watched the happy birthday video?
Because we've promoted the happy birthday Eugene video. It really is awful.
Anyway, what's happened is Apple is refusing to give Kaspersky staffers a bug bounty.
They won't shell out because, I don't know if you remember, but last year, I think it was last June,
Kaspersky researchers found some zero-day vulnerabilities in iOS. Specifically, there
was an exploit, a zero-click exploit, the worst kind. So you don't even have to click
on something. You don't have to be duped by any social engineering. It just happens.
So it's a zero-click exploit in iMessage. So someone effectively just messages you.
And malware could be installed, gain control over your phone or your iPad,
and access all of your data.
Really, really nasty stuff.
Now, the twist in this tale, I mean, great that the Kaspersky Lab guys found this problem
and reported it to Apple, but the twist in the tale was that these vulnerabilities
were actually being used to spy on Kaspersky employees.
So somebody, hmm, I wonder who, somebody was running an espionage campaign
against an antivirus company based in Moscow.
An antivirus company which has, of course, suffered a lot of,
how can we put it, rumour and speculation about their ties to the FSB and Russian security services.
I mean, it's debatable as to, you know,
I think there's lots of confusion and smoke and mirrors there
as to whether that really is fair.
But as we know, both in the US and in the UK
and in other European countries,
Kaspersky these days finds it very hard to sell their software, because people are saying, well, if Putin wants to, he can
tell Kaspersky to spy on you. And, you know, it's looking at all your files, it's examining their
contents, it may even be uploading them to Kaspersky systems for further analysis.
And that could be St. Ritzky. It's been a huge, obviously, commercial challenge for Kaspersky
over the last, I don't know, 10 years, something like that, that this has been going on. Anyway,
this campaign, this espionage campaign, which Kaspersky uncovered and warned Apple about,
they called it Operation Triangulation.
And they said it was a highly sophisticated attack.
It was so intricate, they actually needed 13 bullet points to explain it to the media.
And actually, the Russian authorities, they accused the United States,
as if they would ever spy on anybody,
and Apple of colluding to spy on Kaspersky and Russian
diplomats with this particular vulnerability. No, Apple, of course, has denied everything. So this is
like EastEnders. This is drama. This is like Den and Lofty. I'm sorry, I don't know. What was that?
Angie? Yeah. So it wasn't Lofty who got the divorce papers, was it?
No, no, no.
Right, okay.
What are you two talking about?
Well, there was a very famous,
I know our listeners are quite old, like Tom,
but there was about 40 years ago,
there was a famous scene,
one Christmas in EastEnders,
where Dirty Den sort of said, you're having a laugh, aren't you?
And then Phil Mitchell comes in and goes, oh, I don't like that.
And then Angie says, well, I'm not having any of it either.
And so this is what was going on in EastEnders.
Get out, my pub! Get out, my pub!
So that is basically what is happening right now
on a geopolitical scale between the US and Russia.
Russia, as we know, have been really, really naughty.
They've been invading Ukraine and causing problems.
Apple has been caught in the crossfire.
It's telling Russia, no, you can't have your apps in the App Store anymore.
And you've got to stop selling stuff.
It's a huge playground brawl.
Kaspersky now, who some believe have links,
certainly they're headquartered in Moscow,
is saying, well, we found these vulnerabilities in iOS.
Could you please pay us a bug bounty?
And Apple is saying, well, thank you for telling us about it,
but no, we're not going to give you any money.
I don't actually know if they'd be breaching sanctions if they gave Kaspersky money in that fashion.
Well, Kaspersky is UK-based.
It's actually UK-registered.
Well, come on!
Is it?
Legally, yes.
If it is, then it is.
Yeah, it's not...
I don't believe Kaspersky is a sanctioned company.
But that doesn't discount any of what you've said at all.
But I just...
Yes, yes. In the interest of balance,
since we are the BBC and there are other antivirus companies out there,
just not so many with Russian connections,
but it is registered in the UK.
And I think it isn't subject to sanctions as an organisation as a result.
Fair enough.
And I do have friends who work at Kaspersky,
let me stress this,
and they're thoroughly nice chaps.
And I've known Kaspersky researchers
and I've known Eugene for many, many years as well.
So, you know,
there have been all kinds of insinuations
about secret meetings in Moscow saunas
with FSB agents and all this sort of thing.
But I suspect they all just love going to the sauna.
That's what they do to relax.
Are you sure that wasn't McAfee again spreading his viruses?
Got native much, Graham?
So, Tom, why do you keep inviting these sorts of people on your podcast
who have, like, links to the KGB or whatever they're called these days?
You've got Andrew, like, I'm African Mauritian,
African Agnes, who's like, God knows,
like how he like just accumulated some land all of a sudden in the last few years and is developing it.
Do you know what?
The one thing I'm picking up from that question, Jav,
is that you called it your podcast, as in my podcast.
Oh. I'm just being clear.
Anyway, I think...
All I'm doing is distancing myself so when people
come to sue Host Unknown,
the record clearly states that this is
Thom Langford's podcast. I'm merely
a guest.
I think
there's plenty of big balls on show,
either at the sauna or in this argument
between Kaspersky and Apple at the moment,
because this is hardly going to encourage Kaspersky
to report vulnerabilities to Apple in future.
And apparently Kaspersky says,
well, normally when we report bugs,
what we actually do is we ask them
to give the bounty to charity.
So they don't have to give it to us.
It could go to, you know, the NSPCC or, you know, who knows what. Dollars in a brown envelope would come in handy right now, right?
So it's an interesting situation. I'm glad the bugs got patched last year and, you know, everyone
was tough. But you have to wonder how many more of these kind of exploits and vulnerabilities may
exist which maybe security researchers are thinking, well, you know, we'll be
buggered if we're going to report that again. So if I could ask you to step off the fence for a
second, do you think Apple is in the right to not pay, or should they have paid? I think they should
have paid to charity. They could have paid to the EFF or someone like that.
I agree.
I think that would be the thing to do.
I mean, Kaspersky's not, you know,
it's not like they're down to their last ruble.
They've got a few quid in the bank, I would think,
so they don't really need the money.
But, you know, or they could send them a T-shirt.
Say, here you go.
Isn't that what Yahoo did when a vulnerability was found?
They sent someone a $12 t-shirt
after they discovered 3 billion
account details were
exploitable.
I did that years ago.
Does the t-shirt have a
PGP key written on it?
Anyway, those
are my giant gonads.
Brilliant. And they're
marvellous, Graham.
Thank you.
Graham, thank you very much.
Giant gonads. Security content. Ask your doctor if the Host Unknown podcast is right for you. Always read the label. Never double
dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in anger.
So, Jav, I'm looking at the time and I'm seeing we're rather short of time, so I'm just going to
say we probably shouldn't spend much time on the next section.
But nonetheless, Jav, what time is it? Well, it is that time of the show where we head over to our
news sources over at the InfoSec PA Newswire, who've been very busy bringing us the latest
and greatest security news from around the globe. Industry news. Hashtag InfoSec 2024.
CISOs need to move beyond passwords to keep up with security threats.
Industry news.
Hashtag InfoSec 2024.
Ransomware ecosystem transformed.
New groups changing the rules.
Industry news.
Security flaws found in popular WooCommerce plugin. Industry news.
Hashtag InfoSec 2024.
Collaboration is key to an effective security culture.
Industry news.
Hashtag InfoSec 2024.
AI red teaming provider MindGuard named UK's most innovative cyber SME.
Industry news. FBI warns of rise in work from home scams. And that was this week's Industry News.
Huge if true.
Huge.
Huge.
Huge.
I'm just trying to...
There's a lot of hashtags this week.
Yeah, it's funny.
Infosec, right?
And in fact, one of them, I may have accidentally
copied a promoted post
from the news source. But hey, you know, this is what happens when
Andy doesn't do the sponsored content. I know, you think we make some money out of it, right?
Oh, she says, CISOs need to move beyond passwords. Yep, completely agree.
It's all a bit dull really
Apparently London hospitals have had operations cancelled
following ransomware
Has anyone heard about that?
And, oh good
We're seeing ransomware
no longer going to be the top security concern
Account takeovers outpace ransomware. But surely you're missing... What am I missing? You're missing
the FBI's warning that there's a rise in work from home scams. Who would have thunk?
Is this the scam where you outsource your job
to somebody in China and then just, you know, just lay around? Or have three jobs which you outsource
to China? I don't know. I don't know. But this story does feature a quote from my colleague
from across the pond, Erich Kron, a security awareness advocate I've known before, emphasising
the importance of trusting one's instinct and being vigilant against suspicious job offers,
particularly amid increased prevalence of remote work opportunities.
I've taught him well.
Well done there, Erich.
Well, I think we're done there and we've got more than enough
to shell out on here. So that was this week's Industry News.
You're listening to the award-winning Host Unknown podcast, like a real security podcast but lighter.
I noticed a little sort of sigh of dissent there, Graham. I mean, it is like a real security... I mean, you know, I'm not sure you did in the past. Yes, I mean,
we've moved on. It's another year. Another year, yeah. Yeah, true. Very true, very true. Okay, shall we move on to this week's Tweet of the Week?
And we always play that one twice. Tweet of the Week.
Graham, why don't you take us home with this one?
Okay, this week's Tweet of the Week is from Lady G at Gab, with an extra H on the end.
And she asked,
what is the most ridiculous claim
you have seen a security or technology company make?
And some smart aleck replied,
the layoffs were necessary,
even though we beat our projections
and made record profits.
I think we've all felt that one, haven't we?
Yes. Do you know what? It sounds
absolutely ridiculous, but you just know that that's real. Yeah, it is. Yeah, I mean, you
look at all the layoffs recently. I mean, nearly all the tech companies had such record profits
during a couple of years of COVID, and what, that money suddenly disappeared and now we have to let people go.
It just doesn't add up.
Well, it does for the shareholders
and the investors, but not for the employees.
And the senior
leadership, right?
Yeah, exactly.
Very scary.
It's quite depressing, actually.
Yeah, it's quite depressing.
I know. Graham, why couldn't you
give us a fun tweet
to end the show?
This wasn't my suggestion.
You came up with this one.
I loved the way you told me
you read it out, Graham, at the end.
I thought, well, this isn't very fun.
It's not how it works.
You own the story.
You own the story.
That's the corporate mantra we have here.
If you didn't like it,
you could have declined it.
We're just saying.
I saw a great tweet I could have suggested, all about how Smashing Security podcast
won an award at InfoSec. I could have maybe talked about that for a bit. That's certainly
not a tweet of the week. Not unless you spell week differently. Oh yes, exactly. Come back, Andy.
i'll tell you what, Tom.
We can reenact that meme that we saw on Twitter.
So it's like from The Wolf of Wall Street.
Imagine, listeners, that I'm holding a pen and I'm saying,
Tom, sell me this pen.
And I go, it comes with AI.
And that was InfoSec Week.
And that's a far better tweet to end with.
That's how you do it, Graham.
That's how you close a podcast properly, a security podcast.
Just saying.
You might want to take some tips.
I'm in the presence of professionals.
Exactly.
Very good.
Very good.
Professional what's, we don't know.
But professionals, nonetheless.
Anyway, that was Tweet of the Week.
So we come barrelling into the end of the show again.
Well, gentlemen, thank you so much for your time this week.
It's been fun.
Jav, thanks for turning up, albeit late,
but really appreciate your time, effort and wisdom this week.
It's nice to have you back occasionally.
All I'd like to say is, you know, when earlier,
when we were playing our jingle, when Graham was going,
copyright, copyright, copyright.
All I'd like to say, that's what goes through my head
every time I hear one of you fuckers steal my line,
stay secure, my friends.
Now, you mean the line that I came up with? I think I heard Carole do it in 2003, yeah, on the old Sophos podcast, way back in the day. All of you
can just, like, take a jump off a huge cliff. And Graham, thank you for your time this week.
Thank you very much. Pleasure being here.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever channel, r/smashingsecurity.
I think somebody best call an ambulance. I think Jav's face is going red and he's
raging. There's no point in calling an ambulance. They're going to cancel my appointment.
They're going to, like, put me on indefinitely because some third party's been hacked or something. Anyway.
And then look after your blood pressure, Jav. Yeah, just as you get under that,
get onto the operating table, all your teeth will fall out.