The Host Unknown Podcast - Episode 30 - The Magic Number

Episode Date: October 30, 2020

Our presenters delve into their darkest secrets from the past, the internet is rebooted, the logs cleared, and cats play havoc with your home security (according to your training programme).

This week in Infosec

24th October 2010: Eric Butler announced Firefox extension Firesheep's release at Toorcon, making HTTP session hijacking on open Wi-Fi trivial. Today, by far, high traffic sites redirect HTTP requests by default - so 90% of Internet web traffic is encrypted. That long tail though? Sad face.
https://twitter.com/todayininfosec/status/1320095119857561603?s=20

27th October 1980: ARPANET ground to a halt because a bad status message propagated, causing all IMPs (routers) to exhaust memory. The solution? Reboot all IMPs! Yep, a reboot. This incident was such a big deal that the case study of it was published as RFC 789.
https://twitter.com/todayininfosec/status/1321054719863828481?s=20

Tweet of the Week
https://twitter.com/KathsBurgess/status/1321509257431449600?s=20
Very good awareness video:

Billy Big Balls
https://www.huffingtonpost.co.uk/entry/no-woolworths-is-not-returning-to-the-uks-high-streets_uk_5f97f50ec5b6b74d85f459cc
Here to save 2020! Woolworths is coming back to your high street, as a physical store! A couple of legal things to get sorted, but we're full steam ahead at Woolworths HQ. We want to get this right, so we need your help. What do you want at your UK #YourWoolworths?
https://www.standard.co.uk/news/uk/woolworths-reopening-prank-student-a4573379.html

Industry News
US and UK Issue Sanctions to Iran and Russia
Amazon Warns Users of Insider Disclosing Details to Third Party
Report: Application Flaws Being Fixed Faster Although Bugs Persist
Akamai Boosts Mobile Security Offering with Asavie Acquisition

Rant of the week
https://www.theregister.com/2020/10/26/finland_psychotherapy_clinic_ransom_attack/
A Finnish psychotherapy centre was hit by hackers who stole therapy session notes – before threatening patients of the clinic with ransom demands amid selective dark web leaks of stolen material. "Psychotherapy Center Vastaamo has been the victim of data breaches and blackmail," said the Helsinki-based clinical chain late last week (in Finnish), adding: "In recent days, the blackmailer has published sections of the information he obtained during the hacking. Now the blackmailer has begun to approach the victims of the breach with blackmail letters demanding a ransom."

The Little People
Madelaine Howard of Cygenta and the NCSC

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Could we perhaps take the piss out of Graeme trying to pronounce the Wu-Tang Clan? Yeah, that's right. So something about they got the G because Smashing Security doesn't have the G. Well, surely they must have done that one themselves. No. What? Or is it because Graeme couldn't find the G? You're listening to the Host Unknown Podcast.
Starting point is 00:00:41 I didn't realise we started recording, though. Hello, hello, hello. Good morning, good afternoon, good evening, wherever you are. And Jav, you know, you always say the funniest stuff when we're not recording. But yes, welcome to episode 30. Talk about the magic number of the Host Unknown podcast. Jav, hello. We're recording, by the way. Hello, yes. I kind of gathered that now that I see the red blinking light on my screen. But yes, hello. Nice to be back. Good to speak to both of you, I suppose. Indeed, as usual. And Andy, how are you?
Starting point is 00:01:20 Not too bad. Not too bad, in interior decorating hell. This is self-imposed interior decorating hell. It's self-imposed, yeah. I will just say, so before you joined this morning, Tom, I was chatting with Jav. It's just sort of how this has kind of spiraled out of control. So half term week, I've taken the week off work. The original plan was just to repaint my office, and then when I kind of looked at it, I thought, you know what, I'm not a painter, so I will get a professional in, because I am a big fan of getting professionals to do what professionals do. Yeah. And that kind of spiraled into, yeah, do you know what, I need to take the desk out. But actually, I love the desk, but it's just too big, so I need you to take two inches off
Starting point is 00:02:01 the desk all the way around and then um yeah then, then there's a case of, you know what, the shelves, they're really nice, they're custom fitted, but I don't want them anymore. I'm going to get rid of them. And then, you know, it's like while the desk is out, you might as well put down the carpet. Yeah, and then the finest rule is probably this fan, which I'm getting attached to the ceiling. You know those proper big-on ceiling fans?
Starting point is 00:02:26 And he did actually say to me, the room's too small for it. But I measured it myself, and the fan will fit. The fan will fit, but the wind produced by the fan will probably, well, do more than just shuffle a few papers on your desk. So I am actually not bothered about that. So I love the cold. I've got my fan on at the moment in the background, keeping the room nice and cool.
Starting point is 00:02:55 But summertime, this office is just too hot for me. So the big question is, when is the house going on the market so you can get a larger room? Well, there was a big debate as to whether or not I actually sacrificed this room and just got a garden office built instead. Yeah, I think most people call those sheds. Why don't you just swap your bedroom for this room? Put your bed in it.
Starting point is 00:03:23 I mean, you're only sleeping in it at night. Nothing happens in the bedroom for you anymore, mate. Let's face it, you've been married for 20 years. Yeah, it's just this room's too small for a bedroom. It is. It's perfect office size, but obviously not if you're taking up shaving off your desk from all sides, ripping off the cupboards. The fan barely fits. Oh, it's perfect size. Perfect size, Governor. One of these days, we will get the Host Unknown podcast
Starting point is 00:03:52 recorded from the broom cupboard. I'll bring Gordon the Gopher. Hey, just watch where you're putting that hand. Yeah, exactly. Exactly. For our American viewers, look it up. And listeners as well. Ah,
Starting point is 00:04:08 Good. How's your week been? Yeah, very busy. Been doing a lot of writing. I've got a report I'm trying to finish, and it's like pulling teeth. You know what it's like when technically you could write about a thousand words in an hour really easily, right, if you know what you're writing. This feels like pulling teeth out.
Starting point is 00:04:27 Every single word is just not wanting to come out onto the document at all. So really painful. So lots of late nights. But I think I've broken the back of it now. Is the topic just InfoSec? No, it's not even InfoSec. That's the best part of it. It's like, it's another topic, which I won't talk about in case somebody... So I noticed a payment which you made me this week, under the description of anal re-bleaching.
Starting point is 00:05:01 well that's that's that's more that's more about finally being able to get my own back on your, what, two, three times that you've transferred money into my account, of which every time I tweet, never, never, ever have Andy owe you money because of what's going to come up in your bank account. So when are the bank going to be looking at your account details for mortgage renewal time? Is that any time soon?
Starting point is 00:05:32 It is actually May time, so I've got six months or seven months. Okay, we're going to have to work out how you owe me some more money in the next few months. Just send them a fiver anyway, Tom. It'll be worth it. Yeah, exactly. Actually, yeah, now I've got his bank account details I could tell a whole story. You know what I've got? So a friend of mine is actually, I'd say he's actually that dummy, actually accidentally transfers me money on a
Starting point is 00:05:58 regular basis, and he just sends me a text saying, sorry, I've done it again, can you send me the money back please? Well, I don't know, just say no. Well, I did start deducting a five pound admin fee. So this is a story, I've seen this film before. At the end he gets done for being a money mule. Yeah, that's right. How can somebody send you money accidentally so often? So he's, uh, his brother's called,
Starting point is 00:06:33 uh, Andrew. And, um, so he's got my bank deal and like him and his brother, they're always exchanging money. It's his brother rents out his house or something. And,
Starting point is 00:06:42 you know, it's, uh, they regularly transfer money between each other. This is what he told the judge, yeah? Yeah, yeah, absolutely. It makes sense when you hear it, you know? It's when you actually look at it and pick it apart that it does it.
Starting point is 00:06:58 But, yeah, no, every couple of months now I'll probably just get a text saying, sorry, I've done it again, can you send it back, please? New number, who gives? Yeah, yeah, yeah. You've got to try that one next time. Oh, anyway, anyway, let's see what we've got on the show for you this week. Our usual suspects of This Week in InfoSec, Tweet of the Week, Billy Big Balls, Rant of the Week, and the ever regular question of, will we have a Little People today? Time will tell. Stay tuned. Stay tuned, indeed.
Starting point is 00:07:40 So why don't we just jump straight into it? Let's see, oh, we've got our new one, This Week in InfoSec. This Week in InfoSec. So This Week in InfoSec is, uh, we, or curated content liberated from the Today in InfoSec Twitter account. I highly recommend you follow it if you are not already. However, it's a nice little stroll down memory lane, and there are many stories I could have gone on about this week. This week has been a very busy week in the InfoSec era. We could have gone back to 1952, 68 years ago, when Harry Truman signed a memorandum revising the National Security Council Intelligence Directive, thus officially creating the NSA,
Starting point is 00:08:40 who I think have been regular topics of conversation in the InfoSec modern era, for reasons unknown. I don't know. But that's where they first started having those generations of agents just watching you through your webcam. And they'll continue to be with us side by side until the end of days. We could have also gone back 18 years to 2002 when a worm-like virus which went by the name friend greet propagated by emailing all Outlook recipients
Starting point is 00:09:15 in your mailbox. But the genius of this worm was that it actually launched an InstallShield wizard, and the EULA literally told you it was going to access your contact list and email all your contacts. Alas, I did miss out on those fun things because during 2002 I was a Lotus Notes administrator, so we didn't get, um, we didn't get... I thought you were going to say, during 2002 I was off my tits on drugs and don't remember much about it. I was absolutely off my tits on drugs. However, I did remember. I'll tell you one time. I did actually miss work for three days where I went on a massive bender.
Starting point is 00:09:56 Oh, my God. Yeah, just completely lost track of time. It was crazy. What time is it? What year is it? The first I knew, I got a phone call from my boss at the time, and I was like, oh, I'm so sorry, I'm just really not well. And it's like, we're just really worried about you because it's Thursday. I'm like, what? So it went out on Tuesday. What the hell happened? But, uh, yeah, you, tiger in the bathroom and Mike Tyson.
Starting point is 00:10:26 Yeah. No, I wish. Oh, man, I'd love to have those things. Anyway, so what we are doing, we're actually only going back 10 years on this story. And this is a story when Eric Butler announced Firefox extension Firesheep, which was released at Toorcon, which then made hacking HTTP sessions on open Wi-Fi just merely a click of a button. And I think as a result, you know, today by far
Starting point is 00:10:56 all high traffic sites uh redirect to https by default um you know so as of now, I believe 90% of internet web traffic is encrypted. But back then, I don't know if you recall this FireSheep plugin for your Mozilla browser, or Firefox browser, but I think this one, like to me this is such a great turning point in
Starting point is 00:11:20 security education or security awareness, because you could just show people how easy it was to access their Facebook, you know, just by hijacking their sessions, you know, on the Starbucks Wi-Fi. It was so funny, there was a spate of blogs cropping up under the guise of research: here I went to my local McDonald's or Starbucks, and look what people need, I need to be... stop being so stupid. And like, yeah, you just wanted to perv on everyone's Facebook, that's all it was. I recall watching a video about somebody who tried
Starting point is 00:11:57 to get a, um, a pwn apple to work. Oh, it's you, Jav. That's right. Yes. I think you... Didn't you smoke the mirrors the entire thing? You mean the pineapple? Yeah. Which one? The Wi-Fi Pineapple. When you were demonstrating how it worked. You know, I can't remember. And then
Starting point is 00:12:23 you got annoyed and basically sent it to me in a box and said, you fix it or something like that. I get annoyed and send it. I do get annoyed with tech very quickly. And I do pick it up very quickly. Um, you did it. You did a video about the wifi pineapple.
Starting point is 00:12:41 I must've done a video. Yeah. It's, you know, it sounds like something popular he would have jumped on. Yeah, yeah, exactly. Yeah, it's not about making the videos that you want, it's about making the videos that they want. What were you going to complain about next?
Starting point is 00:13:00 really doesn't fly to him, like, you know, Superman doesn't really have laser eyes. Um, but anyway, so I am going on to our second story of the day, This Day in InfoSec. And we're going to go back 40 years. So, I just quickly, 40 years there was no InfoSec. Well, so ARPANET. Do you recall ARPANET? Indeed, back in the day, the predecessor to the internet, right? Correct, yeah. The first wide area packet switching network. So let me ask you guys a question. How bad have you messed up in your job? You know, what is the... has anything ever come of, you know, like, what warning labels were created because of you guys? I didn't get where I am today without really screwing up. Yeah, I'm getting on a podcast with two people... Go on, Jav, you go first, because I know you've screwed up.
Starting point is 00:14:12 It's like, which time? Yeah, yeah. And which version of the story did I say to not make it... You try and protect the victims in the story. I don't want to get sued, like, you know, five years later or 10 years later, or like a week later. Didn't you take down a cash machine network once? Well, actually it was... But that was just asking for his balance though, wasn't it? So I worked at a bank, and they had a precursor to internet banking. And it was only available to high net value customers. And basically, it allowed them to log on from home and check different account balances they had in different currencies. And they could do some very basic things like transfer funds between currencies to take advice.
Starting point is 00:15:03 But it's just something for rich people. And I was asked to make some permission changes to a couple of folders. And this was all, the back end was all on NT4. And being the NT4 expert back in the day, because I had been on the administering Windows NT4 course and course. I decided why go into file manager and manually change it when I can just write myself a quick cackle script and execute it on the server in production as you do. You wanted to write a script to change some permissions on some folders.
Starting point is 00:15:45 Yes, exactly. Because there was a whole long list of them and I couldn't be bothered doing it. Oh, right. Okay. And, you know, because of the stupid way that these scripts are actually designed through no fault of my own... LAUGHTER Oh, the hubris
Starting point is 00:16:02 is oozing! Oozing! It's not like now, kids, where you can just download one off the internet. You have to write it yourself back then. Yeah, exactly. You had to plug it up yourself. There was no GitHub. They were just gits.
Starting point is 00:16:16 So spread all over the place. And so, you know, if you missed a switch, apparently it would just replicate the top-level permissions all the way down to all of the sub directories. And it so happened all those sub directories, each one was for a different customer. So there's about four or five hundred of them, I think. And all of them got overwritten. And, you know, within like 15 minutes, there was a P1 incident on our queue, and my boss, who's like a couple of seats down... Oh, Jay... his name was Andy, but as well, um,
Starting point is 00:16:54 and he's just like, you white people, you only have like three or four names. It's like Andy, Steve, Dave, and that's about it. But he goes, oh, like, you know, this is Dan. And I was like... I completely bricked it. I was like, oh, leave it with me, I'll go... and to the meeting. First thing I do, go onto the server and flip the logs and delete... You seriously cleared out the logs? I did, yeah. The fact that you're even able to do that is even better. I know. So this taught me that, look, you should have centralized logging, a SIEM or something like that, and you should not give admins the right to go anyway.
Starting point is 00:17:43 It didn't teach you about actually writing shitty scripts. No, I learned I should outsource the writing of scripts to someone else. So I go to the incident recovery meeting and everyone's there. And I'm like, I have no idea what's going on here. It looks like some permissions are wrong. And they're like, yes, we've seen it. And then one of the guys like but there's nothing in the logs
Starting point is 00:18:07 and at which point you thumped the table and said, god damn it, I've been talking about these logs for... we need to see... You're not too far off. You're not too... So I'm like, look, I can see where the problems lie. Let me go... give me half an hour, give me some space and you try and fix it. And they're like... Let me work my magic, as you click your knuckles. Yeah, yeah. So we all reconvened after an hour, during which time I was sweating buckets, frantically going through the original project handover documentation and, manually this time, going through file manager, permission here, click and read, write, whatever permissions were. Went back in and lo and behold, you know,
Starting point is 00:18:58 everyone's like, yeah, it's all working now. It's been restored. Record turnaround time. And, you know, but that wasn't the end of it. I thought I dodged the bullet, but a week later, the guy who was the head of the project that handed it over to... Like, you didn't get like an employee of the month or something, did you?
Starting point is 00:19:28 He said, oh, the head of IT for retail banking has called us into it, has called us, basically. So, you know what, you know, it's just like, yeah, you're going to go there. By the time you're back, your desk is all going to be packed up and you're going to be taking car keys with you, frog-marched off the building. And went there, and he was like, you guys were involved in the incident. Yeah. And he pulls out a certificate for your contributions to the bank. Thank you so much. We need more people like you. People who recognise the fuck-ups I've made and know how to fix them.
Starting point is 00:20:02 Oh, my God. That's proper PR, that. That is turning a negative into a positive. That's true. It's very true. I mean, no doubt, as you no doubt just covered that point there, that, you know, you need SIEMs, and admin rights, privileged access shouldn't be given out like that. So, you know, the second story which I had was about ARPANET grinding to a halt 40 years ago today, purely because a bad status message propagated, which caused all the routers to exhaust their memory. But I think, you know, the thing about this was that the incident was such a big deal that a case study of it was published as RFC 789. So, I mean, I'm not sure whether you have an RFC number yet, Jav, but I definitely think you're worthy of one.
Starting point is 00:20:55 So, yeah, I don't think I'm going to top that one. No, no. It had everything, even the log deletion, which is... Frankly, Jeff, you should put that story on this week in InfoSec. Yeah. Rather than... I mean, ARPANET, it was old. It was creaky. It's expected.
Starting point is 00:21:15 Yeah, it's expected. Just bounce the internet or the ARPANET. It'll be fine. You? No, I'll fuck it up. I'll flip the logs. I'll take all the credit and then get a certificate at the end of it. Lovely. Thank you, Andy.
Starting point is 00:21:33 This week in InfoSword. In fact, any listeners out there, you've got to tweet us or send us your royal screw-ups. I think we could put a little section on the website, don't you, of screw-ups we have made. I think that would be a good one. Don't get me wrong. I've screwed up, but not to the point where I've had to delete a lot.
Starting point is 00:21:58 No, no, not to a whole financial system. I'll tell you what, Jeff. When you tell us a story about the mortgage market collapse in 2008, the subprime collapse, that'll be an entertaining one. Absolutely. He didn't just flip the logs. He actually spoofed them. No, it wasn't that technical back then.
Starting point is 00:22:26 What do you mean, back then? As to now you're... Yeah, that's right. When you're in your prime. I at least know the terms exist, and I can find someone and find that they do it for me. That's the difference. You're a subject matter googler, right? Yeah, exactly. You know you're not technical, Jav, when you keep asking me my opinion on certain technical subjects on our WhatsApp chat. That's just to keep the conversation. You know it's wintertime, the nights are long. What else is there to do?
Starting point is 00:22:54 You mean you're being quoted in a story somewhere and you're trying to figure out what they're talking about. Right. Are we going to see a story about a raspberry pie hole in the next few weeks then? Because you seem very interested in, you know, have you built a Raspberry Pi hole? You know, the thing that, you know, the thing that sweeps up all of the ad traffic from your network before it gets to you. You mean like a sinkhole made by a Raspberry Pi? Is that what you're trying to say?
Starting point is 00:23:21 Yeah, yeah, that's right. That's right. But you just called it a pie hole, which is what it is. Speaking of pie holes, shut yours and move on. Yes, I think Jav might be a little bit quieter for the rest of the show. Right, in which case, yes, let's move on to this week's, and I can't find it. Where's the bloody button? I can't find it. Ah, there we go.
Starting point is 00:23:56 Yes, to this week's Tweet of the Week. This is why Tom is single. Oh dear. So this week's Tweet of the Week comes courtesy of Catherine Burgess at Caths Burgess. She has a little blue checkmark, but I'm sorry, Catherine, I don't know who you are.
Starting point is 00:24:17 But not that that means anything. Because you know everyone who has a blue tick. Tom is actually the person who hands out the blue ticks. Yeah, exactly. Exactly. There's a photo of me shaking Graham Cooley's hand while I'm giving him his blue tick mark. Anyway, so it normally means that somebody's reasonably well-known, right?
Starting point is 00:24:40 You know, in our field, you would tend to know. Anyway, so Catherine, it's not you, it's me. So Catherine posted a photo from what we can only assume to be her, um, some information security training from somewhere, her organization or whatever. And she's quoted saying, doing cybersecurity, et cetera, training. Gannett, I have a question. Gannett, I'm assuming, is someone she knows. Now, in the picture, which is in the show notes, folks, it says, so under home life, first bullet point, do not allow children, yes, your spouse, yes, or even your cat to touch your work devices.
Starting point is 00:25:27 Now, I'm not sure what kind of cats Catherine might have, but if it's anything like mine, then, well, actually, that's a fair point. My cat will probably try and stitch me up by browsing to, I don't know, cat porn sites or something like that. But your cat to touch your work devices. I think this is possibly one of those statements that goes into the training to see if actually, you know, people are actually reading it. Yeah, this is the brown M&M story, you know, just to make sure that actually you're reading it.
Starting point is 00:26:08 But that is brilliant. I do like that one immensely. And, in fact, it reminds me of my last place we did, we obviously did information security training, and we did the obligatory questions at the end. And we had one in there that talked about tailgating and propping doors open and that sort of thing. And it was something like, you notice somebody has tailgated behind you.
Starting point is 00:26:34 What do you do? And you say, you know, talk to them, escort them to security, ignore them, drop to the ground and growl at them like a dog. So yeah, that was, again, our way of just trying to make sure people were reading it. Yeah, yeah, very well done. So I'm just thinking there's a really funny video about security awareness training, which you can see on YouTube. It's really catchy. It's to the tune of, um, Ride with Me. Got a ride with me? Yeah. So it's a song called Lost All the Money. I highly recommend you Google on YouTube Lost All the Money by a group called Host Unknown. Never heard of them. Maybe we could get them to sponsor the podcast. I hear they're terrible with money.
Starting point is 00:27:30 I hear they're absolutely terrible with money. They burn through it. Host Unknown. Sponsored by Host Unknown. You say burn through all the money. I've not seen any of it yet. Well, I question that, because you're the one that's been receiving the last couple... Well, then again, I saw your company bank accounts.
Starting point is 00:27:56 i swear my accountant thinks that i'm laundering money um i think your accountant just thinks you're an idiot. Yeah. So last year I, uh, borrowed two and a half grand from my company account with, uh, absolutely no reason whatsoever. Um,
Starting point is 00:28:12 it's just, it's called a what? Dividend payment. Uh, yeah, I'm pretty sure there's a formula behind that, but, um,
Starting point is 00:28:22 yeah, I was like, I'm just taking back cash that I'm owed. Um, and he starts, yeah, he starts going on about receipts and shit like that. It's like, just give me a break, it's my company. Yeah, you need to at least put some false expenses in to get that money out. Yeah, it's been a... Accounting's not for me, believe it or not. Anyway, that was
Starting point is 00:28:51 this week's Tweet of the Week. Very good. I haven't seen many good security awareness training recently. You haven't? No.
Starting point is 00:29:10 I know content updated for the modern era, and this kind of sounds like it's been updated, children, spouse, even while we're all working from home these days. Yeah, yeah, yeah. It's a different kind of threat. I mean, we always talked about, you know, I guess because places I've worked at had a fairly significant work-from-home capability, so it was always recognised that it was there. Many companies didn't, obviously, until recently.
Starting point is 00:29:37 So, you know, this may be a new setup. But I think adding the cat in there is a stroke of genius. That's brilliant. Yeah, I like that. Alternate touch. You know what you overlooked, Tom, was, and this is something that I think would have impacted you more than anyone else, is the second bullet point on that, which is slightly cut off at the end, but it says, while working, limit other devices such as various smart appliances or other computers from connecting to your home network. Would you be able to disconnect everything else
Starting point is 00:30:06 from your home network while you're working from? That's the question. Says the man who came to my house and immediately connected to my guest network. Without even wanting to. Yeah, that's the problem, Tom. Well, if you didn't live in such a rural area where I could get some decent 4G signal, I wouldn't have needed to.
Starting point is 00:30:28 4G? We're lucky if we get 2G around here, or whatever that's called. G. G. Oh, dear. I think we found the G that Graham kept on adding to Wu-Tang Clan again. Right. So shall we move on?
Starting point is 00:30:46 Blimey, we're half an hour through already. Yeah, let's move on to this week's... Oops. Oh, my God. To this week's... Billy Big Balls of the Week. You really suck out all the energy from the podcast when you don't hit the button.
Starting point is 00:31:09 Do you know what? I was going to edit that out, but when you crash the end of the jingle with a comment like that, it's got to stay in. So, here's what we've got. So, Billy Big Balls of the Week. Here to save 2020.
Starting point is 00:31:25 Now, this is the opening line of a tweet which went out. So, if I talk to you guys about your first shoplifting experiences, is there a particular store that comes to mind? Yeah. No. Woolies. Exactly. It's good old Woolworths.
Starting point is 00:31:44 And boots. I remember boots in Dover. Oh, Woolies. Exactly. It's good old Woolworths. And Boots. I remember Boots in Dover. Oh, Boots. So home of the pick and mix at Woolworths. Not to be confused with the Woolworths that they have in Australia and that side of the world, which is completely different. South Africa. It's a holding company, isn't it, Woolworths, elsewhere?
Starting point is 00:32:03 Possibly. But whatever you do, those places don't have pig and mix selections. No. Or the Top 40 singles or a selection of screwdrivers and screws. Exactly. A bit of everything. A bit of a variety store. So this tweet went out.
Starting point is 00:32:20 Here to save 2020, Woolworths is coming back to your high street as a physical store. A couple of legal things to get sorted, but we're full steam ahead at Woolworths HQ. You want to get... oh, we want to get this right, so we need your help. What do you want at your UK, your Woolworths? Um, so this caused a lot of people to get excited, as you can imagine, because, as I say, very fond memories of pick and mix. I think we know where your focus is on this story, Andy. Yeah.
Starting point is 00:32:59 So just for the avoidance of doubt, it's the pick and mix. That's right. However, so this went out and people replied and it went viral. It started showing up in news outlets. None of the reputable ones, I'll admit. It's all the red tops. So The Sun, The Mirror, et cetera. It's like Woolies is coming back.
Starting point is 00:33:23 It's coming home. It's coming home, it's coming home. Exactly. So this store, which sold everything from chocolate bars to toasters and televisions, you know, sewing kits. If you need it, just pop down to Woolies.
Starting point is 00:33:40 Yeah, where can I get it? Woolies, that's where I can get it. And they have these sort of free samples of sweets you can eat as you're walking around the store as well. No, that's the pick and mix. Yeah, they're not free, mate. They're not free. Well, I never paid for them, that's all I'm saying. I don't know what your local Woolies was like. However, this whole thing, despite getting people elated and, you know, sort of really, you know, something good to look forward to, a 17-year-old student
Starting point is 00:34:13 has stepped forward to claim responsibility. He's entrepreneurial, isn't he? Well, indeed. I'm sure the accounts would probably look the same as they did when the shop went into administration the first time around, if he did run it. So he basically, you know, said that, you know, the 17-year-old from York, he's a marketing student, and he sort of posted this as part of his digital marketing course in his Business A-level, just to show how people will believe anything, you know, and fake news is so easy to spread if they want to believe it. If they want to believe it, yeah. So it took Twitter maybe, I think, 12 hours to shut down the account. And he deliberately put spelling mistakes in as well. So he didn't include a website, and he spelled it
Starting point is 00:35:06 Walworths instead of Woolworths as well when talking about it. So he sort of, well, he's saying he deliberately put in these little gotchas to give people the red flags. But then there was one actual journalist who just contacted the very PR department who owned the Woolworths brand, and they said, is this a real thing? And they said no. And so there it was. They didn't run with the story.
Starting point is 00:35:33 But all it takes is just someone's little bit of background. I'm surprised Brian Krebs wasn't on it. Well, yeah, unfortunately, I think this popped up and, you know, disappeared before Krebs woke up. That time difference. Krebs doesn't even get out of bed for a storyline. There's an article on it, which is on Russian underground forum. Naturally, Jav was quoted in five of these stories that were published.
Starting point is 00:36:05 Mostly about the opening of Woolworths, not about the fact that it was a fake. If I was quite, if I had been approached, my quote would have been... If it's true.
Starting point is 00:36:17 If true, you're just true. If everyone had a pie hole, this wouldn't have happened. Oh, man. I tell you, I was getting excited about Woolies coming back because Wilco's, which is kind of like the replacement. They tried. They tried.
Starting point is 00:36:39 But it's not quite the same. It's good. I like Wilko's. The pick and mix is pretty good. I presume you've tried it, Andy. I have. I don't know whether it's that nostalgic thing or whether it's just more chemicals back then,
Starting point is 00:36:51 but I still think the Woolies pick and mix was better. Yeah, I think it's probably a combination of the both. The fact that the chemicals probably came out of an industrial waste somewhere back in the 70s, and a bit of nostalgia. So, yeah. So a 17-year-old teaching people you shouldn't be believing everything you see online. And he even threw in some red flags to highlight the errors. But unfortunately, our trigger-happy press was all too keen to get this story out there and didn't do any checking.
Starting point is 00:37:27 So a 17-year-old teaching people what they should be doing. What a Billy Big Balls. Billy Big Balls of the Week. Although the T on the picking mix is like a Blue Balls. A Blue Balls. Is that like a gobstopper? Oh, dear. Oh, so I think we move on.
Starting point is 00:37:56 And I think it's that time of the week, Andy, isn't it? It is that time of the week. We're now reliable. Are you trying to read this off the show notes by any chance? No, normally I usually just reel this out. I just had a look at our show notes and I can see that it's been edited quite heavily and it made me lose my train of thought as to what I should be saying. You are like Anchorman. You'll read anything that's put onto the autocue. So I normally say our reliable sources over at the InfoSec PA Newswire
Starting point is 00:38:34 have been very busy bringing us the latest and greatest security news from around the globe. Very good. Time for... Yeah, that's not what's written in the show notes let me put it that way that's industry news us and uk issue sanctions to iran and russia industry news amazon warns users of insider disclosing details to third party. Industry News. Report. Application flaws
Starting point is 00:39:07 being fixed faster, although bugs persist. Industry News. Akamai boosts mobile security offerings with... Industry News. They'll put it together. And that was this week's...
Starting point is 00:39:27 Industry News. Slow week. and that was this week's industry news slow week huge if true I mean after last week's you know absolute feast mother load yeah this feels like a little bit of a famine yeah exactly but also isn't there
Starting point is 00:39:41 spelling mistakes as well isn't there second time I've noticed a stick has has misspelled acquisition, you know, in a title. That's, I mean, yeah, run a spell check. Yeah, come on, Mr. or Mrs. Stig. You know, you're letting down the side. I don't know. You know, there's certain words that you know how to type them or spell them, but every time you type them, the muscle memory in the typing always gets it wrong for some reason.
Starting point is 00:40:07 Yes. And, you know, funnily enough, acquisition is one of those words I frequently misspell, which is a bit of a problem. That's a bit of a problem. Yeah, exactly. But, you know, I use a spell check, so I always sit and I'm like, how do I – it's just one of those words. You need to do – like whenever you type M& i just it's just one of those words that i need to do like whenever you
Starting point is 00:40:25 type m and a it should just put acquisition or do you know do a little code word because you can do those replace things in in work yes i don't do that after i've got a couple of things where uh where i do that maybe you should if you can't spell yeah i guess that's what it's for yeah one thing i've started doing and tom this might help you with the problem you discussed right at the beginning where you're saying you're really struggling with writing is i found that the the voice dictation on the phone is is so much superior than any other voice dictation there is out there so i i tend to nowadays open up google docs on my phone and just hit the dictate one and i just just start talking for like five, 10 minutes.
Starting point is 00:41:07 And it doesn't make any spelling mistakes at all. Well, I say it doesn't, but unless it mishears you, but you get this nice stream of conscious that you then just have to sit down and edit. And I actually find you can get like a 500 word blog post written really quickly that way. Yeah. It might not be a very good one but but didn't um i mean it just probably goes on about some really hard stretched
Starting point is 00:41:30 analogies to a an old 80s film but you know aside from that um so i thought didn't you earlier this year accuse um a mutual friend of ours of being you know an old man for dictating into his phone whilst you know to do texts and stuff you know it's it's funny you say that and i wrote a blog about a week or so ago on my on my site it's called the future often looks silly and in that true story i was this was in the early 2000s before the iphone came out and only a few people had blackberrieserrys. You had to get approved. So just so you could see emails and what have you. And I was in one of these project meetings,
Starting point is 00:42:09 like security meetings and like, you know, where I'm the designated security consultant there. And there's like someone from every department and you sit around for like five hours of the day, and everyone only gets like half hour to speak or 10 minutes. And this was one where we had a whiteboarding session to to draw it out and normally you at the end of it someone would just jot it down but the project manager he was this young guy who was new new in the company he whips out his blackberry and takes
Starting point is 00:42:38 a photo of the whiteboard and today that seems perfectly normal back in that day we were all looking at each other around the table and one guy was like wanker he was like you'd have made the hand gesture he was like what is this guy doing what why would you be so stupid who the hell takes out their phone which is crappy resolution blackberry just to take a photo just to save you writing it down and everyone in that room was like like, shocked and mortified. And it was almost like he sort of, like, walked on someone's grave. But today it's perfectly normal. And not only that, the cameras are set up to even adjust
Starting point is 00:43:18 for taking the photo at an angle, to straighten it up, to convert it into, you know, just a colour-based, you know, image, you know, like a flat file, not a full colour file, if you see what I mean. Yeah, absolutely. It's completely changed. And I think that's the thing. When you first see something, it's like, where are you from, future boy?
Starting point is 00:43:44 What kind of is this but only after a while when you catch up with the lag you think you know what this is actually genius that person's ahead of their time if only i bought bitcoins back then like they did instead of making fun of them so like i tell you the future is asking your bedroom window blinds to open twice before they do. That is the future, I'm telling you. No, see, see, I came to your house. You just look silly doing that, Tom. Yeah, fair enough, but, you know,
Starting point is 00:44:18 the wanker sign was a little bit hurtful, I have to say. In your face, yeah. Yeah, exactly. And a bit too close to home anyway. Yeah, well, close to home, you're in my damn home. Right, Jav, let's move on. You've got this week's Rant of the Week. If you're following the show notes, there was actually a sponsor jingle before then. Oh, whatever. Look, we don't all follow the show notes.
Starting point is 00:44:52 I mean, Andy didn't just before on the industry news. Amateur. Because they've been edited literally as I'm talking. Actually, there's only one edit done today. One word was changed today. The rest has been slowly changing over a number of weeks. Well, there's certainly more profanities in those, in that extra long sentence than I originally. Yeah.
Starting point is 00:45:16 And you know, just to keep you happy, Jav. You're listening to the Host Unknown Podcast. More fun than a security vendor's briefing. Okay, so this week's rant is... I took one story, but I think it's going to tie into a couple of stories that have happened over the week or a couple of weeks. And in Finland, a psychotherapy clinic was hacked, data was exfiltrated, and there's about 300 patients' personal records, or maybe more, were stolen. So they were exfiltrated, and then the criminals, instead of doing the traditional, let's just encrypt all the files of the clinic and try to extort money from them, they started getting in touch with all the patients and saying, we have all of your notes, pay us 200 euros or we're going to release them. Game changer. Game changer.
Starting point is 00:46:22 Salami slicing. Bear in mind, this is a psychotherapy clinic. I assume some of those people are already suffering from paranoia or delusion of some sort. Yeah, and to get this kind of thing is probably not helpful. The only time I've heard something similar happening was last year in Florida. A cosmetic surgery clinic was hacked, ransomware. And so they were also asked to pay ransom. But then their customers were also targeted, saying, hey, we have details of all of your procedures, before and after photos, notes, pay us money or we're going to release those as well. So it's one of those cases where you think, how low can these criminals go? Because,
Starting point is 00:47:09 I mean, everything is ransomware. From a criminal perspective, everything revolves around ransom. We call it ransomware, but it's not just ransomware. They go in, they work out what's the best files to encrypt, what files should we exfiltrate, how much money should we actually demand from this organization, how much can they afford. So there's many steps now involved in that, and it's just become quite bad. Yes, so I guess the... sorry to interrupt. So you're right in terms of what they're doing is bad, but also probably more likely to pay out than your typical ransomware attack,
Starting point is 00:47:50 because where you've got companies not willing to pay at all, here you've got a high number of obviously vulnerable people and an achievable euro ransom fee per person. Yeah. So, you know, potentially this is going to pay higher rewards than going for the big one. It is. Or rather, they're getting, you know, a slice of the pie
Starting point is 00:48:17 rather than no pie at all. Yeah. Exactly. Exactly. And, you know, Krebs actually posted yesterday or the day before that the Department of Homeland Security, and whatever, they've warned of an imminent, credible ransomware threat against US hospitals. That's right. So not something that we're worried about, but it's one of those things where, well, you know, you kind of like should always be aware that, you know, you might get attacked by some of these guys because, you know, it is such an easy way to make money.
Starting point is 00:48:54 And the REvil or the R-Eval ransomware gang, I don't know how to pronounce it, but R-Eval, they claimed a couple of days ago that in the last year they made over a hundred million dollars in profit. Now, this might be a bit of exaggeration. So when you say profit, are you saying they're actually deducting costs and balancing their books properly? You know what, yeah, they're not criminals, for God's sake. No, you know what? A lot of these are, you know, they are run as legit companies. And the thing is, the amount of profits they're making, the problem is that they can now afford to hire really talented people. They can pay off, like, officials in certain countries where they might have their data centers or operations
Starting point is 00:49:44 or, you know, local police force, all that kind of stuff. So this is really, really serious thing. And I think I suppose where the rant part comes in is not that this is unexpected or not that, you know, the criminals shouldn't be doing this because that's their game. They're there to make money and do whatever it is. But this is a real failing on behalf of the security industry. We often see things coming and we will, like, use it as an ambulance chasing moment to say, oh, this is great, let's now, like, point fingers at how, you know,
Starting point is 00:50:18 so-and-so's technical solutions are inferior and my ones are superior or my approach is better than someone else's or we now need to be adopting this model or that model and you know with this I think the industry's really taken their eye off the ball and like it's it's now getting to a point where it's getting highly toxic where every organization potentially could be a victim of something like this and there's no real easy way or a consistent advice as to how to defend or or respond or negotiate or or do any of those things it's it's pretty much every every person for themselves so um just just to wrap it up um i think even the the the criminals are
Starting point is 00:51:01 feeling a bit bad for all their success they're like like, oh, my God, this is a bit too easy. This is like a one-legged man in an arse-kicking competition, as JR used to say. That's quite difficult. Yeah, exactly. So a ransomware gang, the Darkside ransomware gang, a few weeks ago, they donated 10K to charities the children international and the water project yeah so it's tax deductible so so you think like what when you know when it's so easy that even they
Starting point is 00:51:35 feel bad about making so much money that they're giving money to charity i think you know the industry needs to step up its game yeah yeah very true although i'm pretty sure you've got your analogies mixed up with your one-legged man in an ass kicking contest but i do you know i often think that what would you do in in this situation if you were the target of this so you know there was that one recently that used old um email accounts and passwords that have been on Pastebin, et cetera, and then emailed people saying, I've watched you do filthy things in front of your webcam and here's your password to prove it.
Starting point is 00:52:16 Send me money. When you first get that, obviously you're filled with a little bit of dread. And then the second part of you, if you haven't realised that actually this is a scam, thinks, ah, screw it, publish and be damned. I'm wondering how effective this tactic really would be in this instance. Now, I know it's a psychotherapy centre of vulnerable people, that sort of thing. I wonder what kind of return
Starting point is 00:52:45 they would get, based on, really, are people going to be that interested in my psychotherapy reports? Well, I guess that's a thing. It depends, isn't it, on what they're talking about. Yeah, I mean, you know, if I was talking to a mental health professional, you know, and unloading all my deepest, darkest secrets, I'll probably give them a bit extra as well. So I'll tell you what, actually just destroy the files. So no one's got a record. You know, that password thing, I mean, I get that.
Starting point is 00:53:16 You know, my password's actually the subject of, you know, I receive the emails. But, you know, with that, it's like, well, that's just, you know, it's just very generic. I think with this one it's so specific that, you know, this place has actually been hacked, and it's a lot more... it's not that scattergun approach, it's a lot more personal in terms of they can actually prove that they know, you know, enough about you. It'd be interesting to see if in the coming months we find out exactly how much they made from this or how many people paid.
Starting point is 00:53:49 Wait until they publish their accounts at the end of the financial year, right? Yeah, that's right. That's very true. Unless they do a statement, you know, an earning statement. A quarterly statement. Quarterly statement, yeah. Anyway, sorry, Jav, you were going to say something? No, just to tie in, i think there's a book by
Starting point is 00:54:06 Ron Johnson called So You've Been Publicly Shamed. Oh, that's right. It's a few years old, but it's a really interesting book about how people's careers and lives have either been destroyed or taken a very bad turn because of something they might have said or done online, or have been exposed online, and then they just haven't been able to recover their reputation or their standing in society since. And I think it's a really good look at many case studies, but it's a very real fear that people have. I mean, but it's not a black and white situation, though, is it? It's not like if you are exposed, your career will fail. It depends. Well, no, it depends, but it's the fear that it puts into people's heads. Oh, yeah, yeah, yeah, yeah. And that's what criminals
Starting point is 00:54:57 are playing with. It's not the absolute certainty, it's the fear. If you can scare someone into getting, like, oh, you know what, like Andy said, I'd rather pay that extra, just delete the files. That's what they're relying on. And I think, you know, we all have so much of our digital lives online, or we give so much up online. Like Andy uses TikTok without a VPN or anything. And, you know, it's like the joke about being in court. And I have your Google browser history for the last week. I'd rather confess to the murder,
Starting point is 00:55:31 your honor. I think that's the fear that people have. And that's where the criminals have so much leverage. Yeah. Yeah, absolutely true. Absolutely true. Oh,
Starting point is 00:55:41 thank you, Jeff, for this week's rant of the week. Now I know this is the moment everybody has been waiting for. Do we have a little people? We do indeed. What? What?
Starting point is 00:56:00 Incredible. Yes. Who've we got? We have got an absolutely absolutely wonderful individual individual today madeline howard she's the socio-technical engagement manager at friends of the show sygenta who's run by jess barker and fc and um not only does she work there but she's also heavily involved in ncse and getting kids involved in cyber first and what have you so I thought well you know Madeline why is it important to get kids
Starting point is 00:56:33 involved in cyber and what role can the NCSE play in it? The little people. Hi Javid that is a really good question and i think the ncsc have done an amazing job at showcasing what can be done when you engage with young people through their cyber first program and their cyber schools hub program but ultimately i do think that the responsibility comes down to us as an industry we talk about how awesome the industry is and as a community we absolutely love it but why aren't we going out and speaking to young people, engaging with schools and inspiring them and telling them about all the awesome opportunities? That's something we really need to do. And I think that's important for three reasons.
Starting point is 00:57:16 The first reason is that within school, computer science can typically be quite boring. And so we need to get into the school, role models, inspirational speakers, run workshops, and we need to show them how it applies to the real world. We need to give them those opportunities to apply their learning and see the impact and the positive impact that it can make to help secure individuals, organisations and businesses. The second is that as the industry continues to grow and more threats emerge and cyber criminals get more savvy, we need to make sure that we have the best people at our disposal. And kids are so excited to be part of that.
Starting point is 00:57:55 But we have to show them. And the third reason why it's so important, and this is a bit of a, you know, a bit of a secret, I'd say, is... Wait, Javid, are you recording the little people good points well made yeah i like the third point myself that was actually uh very professional um i'm kind of uh i feel like i should sit up straight and um sort of behave a bit more now finally someone bring a bit of professionalism to this show yeah yeah very true we've had a few people on here and uh yeah professionalism is not the word that springs to mind right yeah so mads if you want to come on and replace andy if you'd like to come on and replace Jav.
Starting point is 00:58:46 Mads, if you'd like to come on and replace Tom and Jav. And Andy. Yeah, this CV stain of a show will ensure you. Oh, dear. No, very good. Very good. Yes, I've heard of Madeline. I've not heard her speak. I've never met her but um excellent stuff very very um very compelling yeah and madeline like these two
Starting point is 00:59:14 would get involved more but they're not allowed near school so on that lovely note thank you jav um much appreciated um i hope you have a lovely weekend thank you and andy thank you very much sir stay secure my friends stay secure host unknown the podcast was written performed and produced by andrew agnes javad malik and tom langford copyright 2015 or something like that insert legal agreements here as applicable and binding in your country of residence. We thank you. Cutting a bit fine there. You're going to have to edit out about a minute's worth of work. I don't think that's going to be a problem in the slightest. It's a bit random. Just drag the slider across and just chunk out a minute of anywhere. It's not going to be a problem in the slightest. It's like a random sort of just drag the slider across
Starting point is 01:00:25 and just chunk out a minute of anywhere. It's not going to make a difference. You know that whole story that I told you about flipping the logs? Just delete that whole section. No, that's staying. That's staying.