The Host Unknown Podcast - Episode 47 - What's Happening With ISSA UK?

Episode Date: March 19, 2021

Our regulars know our regular features, so here is our regular update for our regular features for our regular listeners.

This Week in InfoSec
Tweet of the Week
Billy Big Balls
Rant of the Week
Industry News
There is no Little People, there has never been a Little People
Will we have a Sticky Pickle of the Week?

This Week in InfoSec
(Liberated from the "today in infosec" twitter account):

6th March 1995: The SATAN (Security Administrator Tool for Analyzing Networks) security tool was released by Dan Farmer and Wietse Venema. The release stirred huge debate about security auditing tools being given to the public.

Fun fact: @neilhimself drew the tool's documentation artwork.

https://www.latimes.com/archives/la-xpm-1995-03-01-fi-37458-story.html
https://twitter.com/todayininfosec/status/1240452423778308097

Rant of the Week

Catalin Cimpanu: Check Point says it is seeing a doubling in ProxyLogon exploitation attempts every few hours. Please, red teamers, explain it to us like we're 5 how releasing PoCs for highly-dangerous bugs too early doesn't help threat actors. We're listening!

Dave Kennedy: Blaming red teamers is already an inaccurate statement as it's typically security researchers who publish these. It was already actively exploited with hundreds of thousands of already compromised systems with little to no direction from Microsoft. Yet offsec is to blame?

https://twitter.com/HackingDave/status/1370424240801996809?s=20

Billy Big Balls

TIKTOK INTRODUCES NEW 'KINDNESS' FEATURES AS IT URGES PEOPLE TO BE NICER TO EACH OTHER

TikTok has introduced new features in an attempt to make its users be "kinder" to each other. They include a new prompt that will attempt to spot cruel comments and advise people to reconsider their posts before they are sent.

Video creators will also be able to filter comments, removing any comments at all unless the owner of the video approves them. That feature is called "filter all comments" and TikTok said it was an extension of existing tools that look out for "spam and offensive comments" so they can be filtered out, as well as a feature that allows for the hiding of specific keywords.

https://www.independent.co.uk/life-style/gadgets-and-tech/tiktok-update-new-feature-kind-comment-b1815148.html

[That was this week's BILLY BIG BALLS]

Our source on probation over at the Infosec PA newswire has been very busy bringing us the latest and greatest security news from around the globe!

Industry News
Encrypted Comms Firm Denies Police Cracked User Messages
Encrypted Comms CEO Indicted in Drug Trafficking Conspiracy
Exchange Exploit Attempts Surge Sixfold as Ransomware Lands
OVH Data Center Fire Impacts Cyber-criminals
UK Nurseries Get First Official Cyber-Attack Warning
Twitter Updates 2FA to Enable Use of Multiple Security Keys
Dropbox to Make Password Manager Feature Free for All Users
Security Consultant Indicted on Cyberstalking Charges
Mom Charged in Deepfake Cheerleading Plot

Javvad's Weekly Stories
https://mashable.com/article/joe-biden-green-screen-conspiracy-debunked/?europe=true
https://futurism.com/the-byte/deepfake-elon-musk-zoom-meetings

Tweet of the Week
https://www.nytimes.com/2021/03/18/business/hacking-cars-cybersecurity.html
https://twitter.com/WeldPond/status/1372530409536380931

Sticky Pickle of the Week
There is no Sticky Pickle of the Week

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 I cannot believe it. It's shocking. That has just messed up totally. Yeah, and that's why they have to work through the lawyers now. Unbelievable. Harsh, harsh. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
Starting point is 00:00:27 This is the Host Unknown podcast. Week, or no, sorry, not week, episode 47, I think it is. 51. My goodness. Sorry? 51, but yeah, whatever. 51, 47, 51. Yeah, it doesn't matter. It doesn't matter. Just because you didn't hear them doesn't mean they weren't recorded. That's all I'm saying. Exactly.
Starting point is 00:00:49 Does a podcast that isn't listened to not make a sound when it falls down in the forest? No. Hang on. If there's a podcast that no one's listened to, is it still a podcast? Yeah, exactly. Please tell us the answer to that, Graham. Yeah, you should know.
Starting point is 00:01:09 So, Andy, how are you, sir? Not too bad, thanks. All good, can't complain. The sun is shining today, so it's going to be a good weekend. Did you rage mail anybody this week? I always rage mail people, as you know. I am very short-tempered. I'm a keyboard warrior in the professional arena. I mean, thank goodness you haven't got a keyboard like Jav's
Starting point is 00:01:34 because otherwise, you know, we get news reports of sonic booms. Jav, I don't know if we've ever heard it on the show. Jav, just give us a quick toot on your keyboard. Not the euphemism. It's like Sammy Davis Jr. tap dancing on my desk. It is beautiful. It's a work of art. It's more like a training exercise at military barracks or something.
Starting point is 00:02:05 Yeah, that's right. Well, you know, can never be too prepared. Oh, dear. Jav, how are you? Me? I only offended or made my colleagues uncomfortable two times this week, so I'd say it's been a win. So the recovery programme is working.
Starting point is 00:02:24 It is, it is. You're on, what, step five now, is it? The fact that Eric was awful this week sort of helped because he normally receives the brunt of my, I was going to say abuse, but no, my good-natured humour at work. Yeah, bant, I think they call it in the UK, and locker room pork in the US. Yes.
Starting point is 00:02:48 So who did you upset and why? I can't go into details. And that's why we have to go through the lawyers. That's right. What do we have up for you this week? We've got This Week in InfoSec, Tweets of the Week, Billy Big Balls, Rants of the Week, Industry News. We don't have a little people because there's never been a little people.
Starting point is 00:03:10 That's a fun fact. People think that our host unknown podcast had a little people segment, but according to our lawyers, never been. No. Why would we be so derogatory towards people? Exactly. Exactly. It's just not what we do.
Starting point is 00:03:23 But do we have a sticky pickle of the week? We'll find out. I suspect not. But who knows? Who knows? It depends what Andy can do to the show notes between now and 50 minutes time. Let's go straight on now to This Week in
Starting point is 00:03:42 InfoSec. So this is part of the show where we take a stroll down InfoSec memory lane with content inspired by the Today in InfoSec Twitter accounts and embellished by us. So I'm still deciding if that tagline works for us. You know, I like it. It's unique, but you know, it does lend itself to being Belford. Although I did have a very angry voicemail from somebody earlier this week. Really?
Starting point is 00:04:16 Yeah. Unrelated, I'm assuming. Unrelated. Wait, let me guess. Was it from Royal Mail? No. It was... Was it? Carol Baskin? Carol Baskin.
Starting point is 00:04:32 John Terrier? I can't remember. But anyway, she was upset about our jingles. Weird. I can't say. Anyway, so. Anyway, this week in InfoSec, a mere 26 years ago, on or around the 18th of March 1995, the Satan security tool was released by Dan Farmer and Wietse Venema. And the release of this stirred a huge debate about security auditing tools being given to the public.
Starting point is 00:05:04 You know, can you believe it? So for those who don't know or didn't know Satan at the time, it stood for Security Administrator Tool for Analyzing Networks. And it arrived on the scene to like great fanfare, thanks to some amazing press which came its way, you know, ahead of its release. And I think we'll stick a link to the article in the show notes. But just to give you a little taste of this one, L.A. Times writer Amy Harmon, you know, created this hype prior to the release with, you know, an article that really sort of helps set the scene for the era, if you want to sort of put yourself in that mindset.
Starting point is 00:05:43 So at the beginning of March 1995, she wrote, Mountain View, California. Now that hacker legend Kevin Mitnick is safely in federal custody after an elaborate electronic chase ended last month, the biggest threat to the security of the world's computer network may well be Dan Farmer. And it says, yeah, he would disagree, but if all goes according to the 32-year-old security expert's plan,
Starting point is 00:06:12 his controversial brainchild, a soon-to-be-released program called Satan, may in fact render the internet safer for private information than it ever has before. And this all came off the heels of Dan and Wietse after they wrote and published an article titled Improving the Security of Your Site by Breaking Into It, which at the time just caused heads to explode because that type of thinking was just too far out there.
Starting point is 00:06:41 So Farmer had previously written software called COPS. He's a big fan of the acronyms. And that stood for Computer Oracle and Password System, just to date how old this is. That was, I think, 89 he wrote that. And Wietse was famous for writing the Postfix mail program, which I'm sure we've all experienced in our time. Uh, I used to place heavy reliance on that in a high transaction environment. Um, so anyway, these guys were the pioneers. They developed Satan, one of the earliest automated vulnerability scanners, and they gave it away for free via anonymous FTP, which, as was the way you received software back then. Um, so the article went on to say, you know, Farmer and Venema have planned to
Starting point is 00:07:25 release Satan over the internet where anyone who wants a copy can get it for free. And therein lies the rub. The analogy we use is that Satan is like a gun. And this is like handing a gun to a 12 year old. And this was a quote from Mike Higgins, who's on the steering committee chairman for the Forum of Incident Response and Security Teams, which was a group of 43 cyber cop squads responsible for security on the Internet. And he said, you know, an awful lot of people are going to use this in a bad way. And it's like they're holding the network hostage. And this guy, Higgins, was also the chief of the Defense Department's computer security team. And he had actually asked Farmer to limit the release of the program, you know, just to a small
Starting point is 00:08:13 number of people who he said could be assured to use it responsibly. But obviously, Dan refused on that. And Dan's whole position on this was that, you know, you need to hold internet operators to account, you know, to make sure that computers they put on the, on the network, um, you know, are secure. Uh, and, you know, the reason, I mean, this was, you know, back then no one thought about just going out and automating tools to hack things. And Satan was the, the first tool that was, like, easy to use. It, um, mimicked the Mosaic web browser. So it was proper GUI related, really easy. And law enforcement thought this was going to be this massive tool
Starting point is 00:08:54 that people just used to find vulnerable systems across the internet, not dissimilar to Shodan these days. And it's so bad at the time, Dan actually lost his job. His employer terminated his employment. Really? Yeah, it's like a real big thing. You know, no one did this. No one had these tools back then.
Starting point is 00:09:13 And so, you know, obviously not for the first time. They had to write their own, in which case they had to have a certain level of expertise in the first place. Yeah, and that's the thing. I think, you know, the term script kiddies came along a bit later on after these tools went mainstream. Well, script kiddies really became mainstream after HD Moore's stuff, right? Because that was the stuff that really made it easy.
Starting point is 00:09:35 I mean, I think even with something like Satan and given it's 95, you had to know what you were doing in order to use it anyway. Yeah, but also the other good thing about Satan is that, you know, it wasn't just like, you know, it didn't, well, not Metasploit, you know, it didn't have like an autopwn feature. Yeah, yeah, exactly. It wouldn't actually exploit the vulnerabilities. It would just identify them.
Starting point is 00:09:58 So you still had to have that knowledge back then. It wasn't like, you know. Well, it's a bit like the Cult of the Dead Cow tools and all the Back Orifice and all that sort of thing. Well, I mean, that stuff did actually exploit. Come on, that... You ejected people's CD trays or turned their screen upside down. How malicious.
Starting point is 00:10:18 I mean, having said that, back in the day, as Andy probably knows all too well, even if you ran a scan at the wrong time, you'd pop laser light. Take systems out. Yeah, there's a large credit bureau, which may have experienced an outage around about 2000 when I got my hands on ISS for the first time. And who knew there's an unpatched SCO Linux box in the comm room,
Starting point is 00:10:47 connected to the network. Oh, dear. Teach you to give me root access. But fun fact about that Higgins fella, after he got sacked, he then became Magnum PI's sidekick. Yes, that is. So it worked out well for him.
Starting point is 00:11:05 It did. His fondness for dogs. Yeah, although he had to grow sort of like 20 years older overnight in order to take the role. Well, if you see what these guys had to deal with back then, they aged quickly. Yeah. It wasn't a young person's game.
Starting point is 00:11:21 Well, when you see, you know, Magnum driving off in your red sports car, that's going to age you. Yeah, you know, you immediately lost. The reference is lost on like half our four viewers. Well, I don't think anyone that was around when Satan was released will get the references. But unfortunately, when you think it's 26 years ago, and I'm thinking about, you know, mentees that you have had
Starting point is 00:11:48 at recent BSides events when, you know, rookie tracks were running, none of them are anywhere near 26 years old. Even now? Even now, yes. Yeah, so this is a long, you know, a key pillar of Internet history here, security history. And just off the back of Satan's reputation, there was a tool released called Saint,
Starting point is 00:12:18 which stood for the Security Administrator's Integrated Network Tool. And Saint still runs today. That went commercial and that is... I thought Roger Moore was the Saint. Yeah. Again, I mean, we're losing people. We've lost people. Hey, my mother knows it. My mother's getting this. Oh yeah, this episode's for the Duchess. So anyway, Satan's no longer in development, but it did pave the way for other tools such as Nmap, Nessus, and all these youngsters who take Metasploit and Kali Linux for granted.
Starting point is 00:12:53 Which I think is really interesting because you said it paves the way for Nessus, Nmap, et cetera, et cetera, which have done a huge amount of good for the industry, right? Yes, of course they can be used badly, you know, and you can use them, you know, as an attacker, et cetera. But actually those tools have done immense good for the industry. And so I think it's really interesting to see how when Satan first came out and it was demonized almost as a, as a, as a tool. Oh God. Yeah. Pun.
Starting point is 00:13:30 Sorry. That pun was unintended. Anyway, it was demonized for, for, you know, handing a loaded gun to teenagers, forgive the, you know, the analogy there, but borrowing their own. But, uh, and yet ultimately what came out of it was, was a whole bunch of good and some good changes in practices as a result of, um, of testing, basically. Yeah. And, uh, just to say, you know, that whole demonizing thing, so he actually did release an update for it. And I think it was called Remorse or something like that, which changed. Well, no, what it did, it changed the references to Satan to Santa.
Starting point is 00:14:14 Oh, that's right. Yes. Yes. I do remember that. So, yeah, it was. Yeah. Either that or he became dyslexic. Yeah.
Starting point is 00:14:29 Which is, what is it, the dyslexic insomniac and demon worshipper who sold his soul to Santa? Yeah. Wow, that was a laborious setup there. That was painful. That was painful because I forgot
Starting point is 00:14:47 the third part. He forgot the punchline. Yeah, I knew it was a funny joke. I got the punchline. Actually, no, I had the punchline, I had to work backwards. Oh, it's like Jeff, isn't it? I like that one. Cool. Yeah, so that's, uh, yeah, that's what we got this week. There was a fun fact to go with that, is that the tool's documentation artwork, uh, was written by Neil Gaiman. Oh, sorry, drawn by, uh, Neil Gaiman. Was it really? Yeah. So, yeah, the, uh, the guy wrote Beowulf and, uh, various other more recent famous things. Um, and there's a great, uh, if you actually follow the, the link in the show notes, the original tweet, you've got, uh, Dark Tangent himself, Jeff Moss, uh, provides a link to when Dan Farmer talked about, um, uh, Satan at the first DEF CON. And you also got Neil Gaiman as well, um, tweeting that yes, he did, he did draw that artwork.
Starting point is 00:15:48 So it's like a real party bringing people back from the 90s. Yeah. Yeah. And a little bit of showing off who you know. It was, yeah. Oh, man. This is like the original Old Boys Club, you know? Yeah.
Starting point is 00:16:07 Yeah, that's right, except it's a lot cooler. Yeah. Excellent. Thank you, Andy. This Week in InfoSec. Oh, I like that. I like that a lot. That was actually from the This Week in InfoSec Twitter feed, wasn't it?
Starting point is 00:16:27 It was, yes. We're back, baby. We're back. Or rather, what they did was they did this for about, I don't know, a six-month period in the middle of the year. And so in six months' time, you're going to have to start researching your own again. Yeah, well, to be fair, this wasn't actually from this year's. This was from last year's.
Starting point is 00:16:50 Why would you not just repeat the same stuff? I don't know. Well, yeah, exactly. And then seed in a few different ones. I mean, like, who's checking? Exactly. Who's checking? Anyway, let's move on to this week's...
Starting point is 00:17:03 Listen up! Rant of the week. It's time for Mother F***ing Rage. So who doesn't like a good bit of drama on the internet? We all bring the popcorn, right? Yes, exactly. And this is really interesting because this actually ties in a lot to what you just spoke about, Andy, with the Satan or Santa.
Starting point is 00:17:31 So this is inspired by a tweet conversation between Catalin Cimpanu, one of my favourite reporters, journalists, and Dave Kennedy. Dave himself. Dave himself. So Catalin put out a tweet saying, Check Point saying it's seeing a doubling in ProxyLogon exploitation attempts every few hours. Then he goes, please, Red Teamers, explain to us, like we're five,
Starting point is 00:18:08 how releasing PoCs for highly dangerous bugs too early doesn't help threat actors. We're listening. So, you know, and this goes back to that age-old argument, you know, if, if there's a vulnerability, um, or, or some sort of known exploit, you know, how quickly do you release it? Is it full disclosure, is it not? You know, why have you... It's, it's very similar to the Satan example in the sense that you're giving tools in the hands of people and, you know, there's no assurance. You don't know how they're going to use it and what happened. So Dave Kennedy, he came back. He's saying blaming red teamers is already an inaccurate statement, as it's typically security researchers who publish these. Get your facts right, girlfriend.
Starting point is 00:19:07 It was already actively exploited with hundreds of thousands of already compromised systems with little to no direction from Microsoft. Yet, OffSec is to blame? So this kind of went back and forth. And some people are saying that, well, yes, it was already being exploited, but exploited by, say, some Chinese state actors. By releasing the PoC too early, you've given it in the hands of every criminal out there or a curious researcher and hacker. Um, and then the, the counter argument is, well, you know, releasing stuff does make us stronger. We know what to look for, we know how to search for it. It's the same old arguments that were made against Satan. It's a... Metasploit has, has faced
Starting point is 00:20:00 these for, for years, and, you know, all these tools, these tools. So if you just go to the Twitter link we'll put into the show notes, grab yourself some of those Butterkist toffee popcorns and start having a read through. Host Unknown, sponsored by Butterkist. Yes, exactly. I don't think we're going to ever... Get a sponsor? Yes, we're not going to...
Starting point is 00:20:30 Well, yeah, I suppose their sales have been dropping ever since cinemas have been closed. So maybe we can help them boost some sales if they sponsor us. Yeah, Butterkist actually started doing home packages during the first lockdown, where they would send you like these giant cinema-sized bags of popcorn. That's basically all the stuff they'd had popped ready and going stale.
Starting point is 00:20:54 Yeah. No, it was, yeah, good bargain. But, yeah, I mean, going back to the whole, you know, old is new and new is old. Same old arguments. And where do you go with this? So there's an exploit out there and there's facts to prove. You can disclose to a company responsibly.
Starting point is 00:21:13 Depending on the maturity of that company, they'll do something, come back to you and say, right, give us two weeks. Other times, there are stories of companies that have known about stuff for three months, done nothing on it until it's been released to the public. And then, you know, that, that pressure gets to them. So I don't know what the answer is on this one. The thing is I, years ago, I was on the end of a, a researcher, an independent researcher. This particular chap was in India and he did a responsible disclosure to us about a site that we were working on for a client.
Starting point is 00:21:50 And it took so long for us to respond to him, not because of what we as information security, the GSO wanted to do, but because everybody else felt that they had to do something different, if you see what I mean. So, you know, do we need to get legal involved? Let's get legal involved. We need to, you know, send a cease and desist. Get that gagging order out there.
Starting point is 00:22:14 Yeah, it took more than one phone call, which I find utterly astounding, but more than one phone call to put across to them that actually, you know, one of my guys knows this person. They've already reached out to him. All he's looking for is an acknowledgement that we're going to fix it and can he have a bit of our swag, you know, like branded stuff. Yeah. And that's all it took. And, you know, I met him at, at, um, uh, BSides Delhi and handed over a bag of stuff. He was the coolest guy. He was like, oh, this is awesome, you know. He was, like, really
Starting point is 00:22:52 pleased. He was just happy that something, that a piece of work that he'd done, was ignored she resulted in something. But, but I, I can actually empathize with companies that don't do anything until it goes public because it's almost like analysis paralysis. Do you know what I mean? They just, you know, they just want to, well, we should do this.
Starting point is 00:23:12 We should do this. No, we should do something else. No, we should, we should, we should, we should sue him.
Starting point is 00:23:17 We should cease and desist him. We should, you know, it was, it was ridiculous when actually just had to cut across and say, it's fine. Yeah, that's why all these things like incident response or whatever, and everyone says it, but you need to just have playbooks well in advance
Starting point is 00:23:34 when you can sit there with a clear mind without the heat of the intensity of battle on you and say, okay, what is our stance on X, Y, and Z, and what's the process, and just really streamline it and just go through that. I mean, granted, nothing's going to be the same on every one, but you at least know what, from a corporate perspective, what your stance is and who are the people that do need to get involved, and they have a rough idea as to what, what their processes are. I have a slightly different view on
Starting point is 00:24:11 that. Go for it. I love it when you disagree. I'm not a huge fan of playbooks because every situation is unique. Um, although, you know, they are, but all derivatives of... Well, yeah. And also, but it's also what do you define as a playbook as well. You know, the playbook could have three things, you know, three sentences in it, or it could be 3,000 words. You just don't know. But my thing is that in any given instance, there is always a single person who is clearly identified as the final decision maker.
Starting point is 00:24:48 And it's that person that has to... The Ouija board, right? Sorry? Ouija board. Ouija board, yeah. Yeah. But that person is actually identified by the group the moment the incident starts.
Starting point is 00:25:03 So who is best qualified to be the sort of the, you know, ultimately accountable for the decisions in this incident? And that could be the most junior analyst on the call, you know, or it could be the CEO. It depends, you know. Yeah, exactly. The company, the, uh, the lower the rank... No, but, but if, if that analyst is the one who has, you know, all of the, actually understands all of the detail, there's no point the CEO saying, well, I'm going to make the decision. You know, actually, whilst the CEO might be saying, yes, you go ahead and I'll support whatever you decide,
Starting point is 00:25:40 but actually it's that person that decides what needs to happen. And I think that is a playbook, isn't it? That is your method because you're going to have a way of deciding who that most competent person is and you're going to have agreement up front from, say, the CEO or the CISO, whoever that, yes, I will let so-and-so take that responsibility. I think, again, my problem was that the term playbook is often misused. And before you know it, you've got a 50-page document trying to outline
Starting point is 00:26:12 every activity and therefore every action that needs to be taken. And that just doesn't work. Yeah, no, fair point. Fair point. I think there's, you're right, the term is used in, I was talking more from a broader response perspective, not necessarily from a SOC perspective where, hey, if this port is left open and this happens, then what, you know, then let's use our automation system to do this, that, and the other. And that's called a playbook as well, but that's completely different. Yeah, yeah.
Starting point is 00:26:43 Cool, right. Thank you very much, Jav. You're welcome. Rant of the Week. Right, that was this week's Rant of the Week. But, by the way. Sketchy presenters, weak analysis of content, and consistently average delivery. Like and subscribe now. So Andy
Starting point is 00:27:10 let's move on shall we to Billy Big Balls Thank you and just a quick reminder please do not assume a gender
Starting point is 00:27:22 of Billy Big Balls. No. We should change this to Billy, Billy Big Cojones. William Grande Cojones. Yeah, yeah. Or something else. It begins with C's. Katie's Colossus. Yes, we could have Billy Big Balls and Katie's Colossal Cajonas. Boom, we're there. Yeah, we'll leave that one on the scratch pad for now, Tom.
Starting point is 00:27:52 We might revisit that. This is the planning session, right? Yeah. So I love the idea that people think we actually have a planning session. If I read this morning, it was like, hey, Andy, are you joining us? And then it's like, yeah, I'm just brewing my tea. Yeah. Then I get here and, like, you're on the phone and Jav's like, I don't know, he's been gone for a while. It's like, right, let's just go straight into it. Uh, anyway, so this is, uh, slightly different, um, from the norm. It's a bit more, to me, it's a bit more of a positive story. Um, and you probably may not be
Starting point is 00:28:33 aware, and certainly I know regular listeners will not be aware either, but I am a fan of a social media platform called TikTok. Um, and they have recently introduced a new kindness feature in the app which urges people to be nicer to each other. So they introduced this feature in an attempt to make people be nicer to each other, and it basically includes a prompt that attempts to spot cruel comments and advise people to reconsider their posts before they're sent. And also it gives the power to video creators who are able to filter comments, you know, removing any comments that, you know, may trigger these things. Or they can just, you know, just keep comments stored until they approve them. So that feature's, you know, filter all comments. And TikTok basically says an extension
Starting point is 00:29:20 of existing tools that look out for spam and offensive comments. So they can be filtered out as well. And also allows you to hide specific keywords or any posts that contain specific keywords. And I think, you know, the reason I like this is that if you think TikTok is a relatively new platform, you know, when you compare it to the likes of YouTube, to Facebook, to Twitter, and these guys have just tackled it straight on. You know, we know it's a platform that, you know, prior to lockdown was predominantly used by the younger generation, the type of age group that's typically targeted with bullying and harassment and things like that. And so for them to actually, you know, just do something about it and not worry about, you know,
Starting point is 00:30:03 reducing the usage or, you know, be concerned that it's going to drive people away. Or, you know, Facebook saying, oh, you know, they've got too many false positives. You know, they couldn't possibly manage every comment. Yeah. You know, these are people who can, you know, 11 years ago, can identify people you might know based on proximity. Trashes on your camera lens. Yeah, and yeah, they'll say, yeah, but it's too difficult to sort of filter out comments that might be offensive.
Starting point is 00:30:33 Yeah, you know, TikTok have done it, you know, within three years of, you know, going live. And, you know, I mean, the whole platform, you know, there's far less advertising, you know, intrusive advertising like, um, you know, Snapchat. If you ever use that, you know, you can scroll through videos and, like, every two videos you've got to watch a, a 10-second video, you know, before you can continue and stuff like that. Um, you know, the adverts on TikTok don't follow me around like Facebook. You know, if I go to, you know,
Starting point is 00:31:00 walk down the street and say, McDonald's, that smells good, you know, I don't then get home and open my phone and see an advert for McDonald's or, you know, something like that. Um, and it also tells me to go to sleep when I've been using it for a while. You know, you know, it's literally, you'd be scrolling through the, uh, through your timeline and the video pops up and it's, like, interesting, engaging, and then it realised, you know, that the girl turned around, says, you know, don't you think you've been on for a bit too long? Time to go to sleep. And it's actually from TikTok. I think what you'll find, Andy, is that's when you're hallucinating.
Starting point is 00:31:35 Well, the best thing is when you go to the comments and everyone's like, hey, this is the fifth time I've seen this today. It's like, me too, me too. It's like, yeah, where's my 2am crew at? But it is, like to me, it's a platform that, despite all that, you know, the initial press it got, you know, about being Chinese owned, and I wouldn't put it past Zuckerberg to be behind a lot of that campaigning.
Starting point is 00:32:05 I'm just saying, you know, potentially he could be. He has the power to do that. But, yeah, just the fact that these guys are really taking the lead on this and trying to make platforms safer for people. And it's, you know, every year I think there's a committee after, you know, a teen suicide or someone that was bullied, you know, with classmates and things like that. So for me, it's really good, you know, they do something like this.
Starting point is 00:32:29 And even Jav this week, I think, you know, you got hooked on a lot of wholesome content that came through TikTok rather than the usual sort of, you know, funny, witty stuff that we normally send around, as, you know, you're like, man, I just love this wholesome content, you know. It is. Honestly, it was so good. But thanks for bringing this topic up, though. I think it is such a positive spin, and I think it goes back to stuff that we've kind of discussed in the past is
Starting point is 00:32:57 where, you know, the technology is there to do good, but if you put profits before your social responsibility or what have you, you're never going to see these come through. I mean, we were talking about this yesterday, and it's like Google has probably some of the best speech detection and analysis, context analysis out of all the platforms. The voice recognition is so good on the Android phones. In your Gmail or in your search, it can autocorrect stuff for you. It can find out the context, all that kind of good stuff.
Starting point is 00:33:33 Yet, if you go to YouTube, which is owned by Google, and you go into the comments section, it's the most vile pit of horrendous malice and nothing really good comes out of it. And to your point, I mean, they've been around for years, decades, and TikTok comes along and they're like, hey, you know what? We want our platform to be a bit nicer. Let's introduce this feature. And, you know, for these other companies, it shouldn't be a big thing. But I was telling Tom about this a bit earlier.
Starting point is 00:34:04 I think one of the problems is that there are bean counters that are just counting stuff. Beans? Yeah, they're counting stuff, and that gives them the valuation of their product. So it might be number of active users, but also number of active comments and what have you. And this is what gives them leverage to say to advertisers hey
Starting point is 00:34:31 look, we can put you in front of this many viewers, an audience of 10 million, of which 3 million are highly engaged. They don't say that these are highly engaged because they're, like, bullies or trolls or what have you, the majority of them. And this is how they inflate their value and self-worth. And I think for TikTok to do it is brave from a financial position. But also, like, how much money do you actually need, where you put all those profits before the well-being of the actual people that use the platform? Yeah. I mean, even –
Starting point is 00:35:06 I'll start going. Well, I was going to say, I think YouTube, the best they do, in the comments section, actually just says, please keep it civil or, you know, follow community guidelines, keep it civil. And that's it. That's all it says at the top. Yeah.
Starting point is 00:35:19 There's nothing proactive about that. Yeah. I must admit, when I read this story, it did warm my cockles a little bit, I have to say, because I felt like everything you've just been saying, both of you, it's so true. Why can we not use all this technology that allows us to connect people to actually try and induce some positive behaviours rather than just allow space for people to run riot with their negative behaviours? I think, I won't say the jury is out on TikTok for me because I think, you know, they keep surprising me with the types of things that they do. And this is probably one of the
Starting point is 00:36:02 biggest ones. And I think it's a massive move. But they are still a very young company and I think there's still time. I mean, Facebook was never as bad as it was today as it was 10 years ago or whatever. It's almost like the death of a thousand cuts. It's just gradually become more and more, you know, poorly. The culture at Facebook seems to have sort of gradually fallen down
Starting point is 00:36:33 and become just very commercial and therefore, in inverted commas, evil. Well, all right, in inverted commas, evil, if you will. But I think it's, you know, it's a really insidious platform. I don't like it in that sense. I'm just laughing because you almost implied that Facebook had a culture. Let's not forget it was founded on the principle of rating the hotness of females at college. Yeah.
Starting point is 00:37:04 Actually, you know what? You're right. Well, yes, you're absolutely right, which should have been a bit of a giveaway in a sense. But it didn't peddle false narratives deliberately. It didn't get involved in- Influencing elections. Yeah, exactly.
Starting point is 00:37:21 But it's almost like it can't help itself now. And I think, you know, I think if TikTok carries on like this and actually has some morals in its core values, etc., I think it's going to grow to be a much better platform as a result. Yeah. But, you know, I can also hear the opposition and what their concerns are going to be, that this is just another form of censorship. It's against freedom of speech. This is how they start. They call it the kindness feature, but then they're going to start stifling any voices
Starting point is 00:38:01 that, you know, the Chinese government finds, you know, distasteful. And there's a history of that. So I'll just say a key part of this is that the control is with the creator, too. So that the people that, I know, Jav, you were, in the old days, you didn't used to put comments, allow comments on a lot of your videos, you were... No, no, I don't think. Yeah. Whereas here, you know, this is by default, you know, the creator is, you know, someone that may get unwanted attention, you know, they can actually control whether they allow these comments or not. So to your point of censorship, it is actually still within the creator's control.
Starting point is 00:38:43 Yeah, that's what they want you to believe. I'm waiting for Quentin Taylor to send me a DM at the end of this saying, Andy was wrong about this, that, and the other. He's been doing it for three weeks in a row. Yeah, exactly. Tell me how Andy is wrong. Q, if you send us another correction this week, we'll get a jingle made up just for you. QA by Q.
Starting point is 00:39:08 Yeah, exactly. QA by Q or quack for short. But picking up on something you said, Jav, about people complaining about freedom of speech, the people who complain the most about freedom of speech don't understand what freedom of speech
Starting point is 00:39:24 actually means. Let's face it. Freedom of speech means that you're not going to get arrested for what you say. It doesn't mean that people have to listen to you or have to, you know, have to air your views on their platform. It just means that your government can't arrest you for what you have to say. So to say that TikTok or Facebook or whatever, this is a restriction of my freedom of speech, no, it's not. Not that I feel strongly about it. Anyway, thank you very much, Andy, for this week's Billy Big Balls of the Week. That was a good one. That's good. I like that. So, Andy, what time is it? It's that time where we
Starting point is 00:40:23 head over to our sources on probation over at the Infosec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. Industry news. Encrypted comms firm denies police cracked user messages. Industry news. Encrypted comm CEO indicted in drug trafficking conspiracy. Industry news. Exchange exploit attempts surge sixfold
Starting point is 00:40:55 as ransomware lands. Industry news. OVH data centre fire impacts cyber criminals. Aww. Industry news. UK nurseries get first official cyber attack warning.
Starting point is 00:41:13 Industry news. Twitter updates 2FA to enable use of multiple security keys. Industry news. Dropbox to make password manager feature free for all users. Security consultant indicted on cyber stalking charges. Mom charged in deepfake cheerleading. Industry News. And that was this week's... Industry News.
Starting point is 00:41:44 Huge if true. Huge if true. Huge if true. So very quickly now over to... Javad's Weekly Stories. So what we should just call this is Jav's kind of like deep insight into some of these things. Or how about Jav's Weekly Excuse? Javad weekly excuse? Jav's weekly stories.
Starting point is 00:42:07 So what I really liked was the last story was the mum charged in the deepfake cheerleading plot. And that is absolutely true. That is not a sensational headline. So she wanted her daughter to be on the cheerleading team or she had some rivals. And she used deepfake videos to besmirch. A smear campaign.
Starting point is 00:42:38 A smear campaign, yes, against some of the other girls. And she just used one of those phone apps and created these deep fakes of them engaging in bad behaviour or unapproved behaviour. What? Yeah. And photos and videos. And sent it to the coach saying, you need to kick these girls off the team. Look at how inappropriate they are. Oh, my God.
Starting point is 00:43:03 That girl, that woman's daughter, must be beside herself with shame. Yeah, yeah. So there's no evidence found by police to suggest that the daughter was aware of what her mum did. I bet she wasn't. I bet she wasn't. But they found the images and the evidence on the mum's phone.
Starting point is 00:43:24 God, she didn't even have the sense, mind you, if she didn't have the sense to not do it in the first place, she wouldn't have the sense to remove the... Yeah, yeah. She's arrested and charged with three misdemeanor counts of cyber harassment of a child and three misdemeanor counts of harassment. That's going to stick.
Starting point is 00:43:42 That's going to hang around for life. It is. Cyber harassment of a child as an adult. She's 50 years old. She's like, you know, she should know better by this point. Well, actually, whilst, you know, she's absolutely right, she should be charged, she needs help. It's as much an indictment, again, of America's healthcare
Starting point is 00:44:04 and mental healthcare services. Yeah, you're not wrong there. I mean, come on. The one I liked, though, was UK nurseries get their first official cyber attack warning. And all I could hear was, in a kid's voice, my first cyber attack. I'm sure Fisher-Price will come out with a little set,
Starting point is 00:44:27 a play set to reflect that. Yeah, yeah. You know, on the topic of deepfakes, there was a video that was circulating about Biden a couple of days ago. Oh, yeah. Was it not real, though? It wasn't.
Starting point is 00:44:43 No, that's the thing. It's been discredited by all these fact-checking sites and everything. Okay. Was this when he forgot somebody's name? I don't know. He was doing this interview outside, and there's some microphones just in the thing. It was just on the lawn of the White House or something.
Starting point is 00:44:59 Yeah. And it's been disproved as being a thing. But the thing is that it's been circulated widely amongst the QAnon and what have you because if you believe in something, then you can be shown all the evidence in the world that this is fake or look at the shadows don't match or this is inaccurate. The thing is that you've already made up your mind and this just serves, you know, only serves to reinforce that fact.
Starting point is 00:45:29 It's like the moon landing, you know, the fake moon landing stories. Yes. You know, the people who think that we, you know. NASA faked it. Yeah, the whole thing that NASA faked it. And the fact is that statistically, or rather I should say mathematically almost, you could say it's impossible because the sheer volume of people that would have to be involved to know that it wasn't
Starting point is 00:45:57 and who knew that it was faked, you could never keep that quiet. Yeah. And it's also not just NASA that have done it. You know, you've got the Chinese agencies, the Russian space. Yeah. Various people have been to the moon. Well, we all know anyway that, and let's face it, the moon landings were faked and they actually hired Stanley Kubrick
Starting point is 00:46:22 to do the filming based on his 2001 footage and all that sort of thing. But he was such a perfectionist that he insisted on filming on the moon. Yeah. Oh, dear. Well, I thought that was funny. It was, yeah. It was funny the first, like, 50 times I heard it, I think. Mum, he's bullying me!
Starting point is 00:46:53 Don't get mums involved now, don't you dare. Otherwise, I'll get my mum to start making deep fakes of you and sending them around. Yeah, well, that's it. Mum, get the deep fake machine out now. I was going to say, let's put Andy in some compromising positions, but actually there's no need for deep fakes. Well, that's, I've got a video. Yeah, I've got that video the other day of, you know, some guy is death snorting coke, and it was me, and I was like, hang on a second, I don't remember that. But no, it was a deep fake, fortunately.
Starting point is 00:47:27 It was. But they are looking more convincing. It was the part where I stood up with a gun that gave it away. Yeah. Do you remember years ago, it's the early days of deep fakes. Someone sent Gemma Patterson at Rant Events a deep fake of your bare bottom, Tom, at the urinal. No, there was no bare bottom involved.
Starting point is 00:47:50 I remember that. You could tell the moles were out of place anyway. What was I going to say? Oh, God, I can't even remember. Oh, yes, that's right. So I did a talk yesterday and I was asked afterwards about, you know, what do I think is going to happen this year, blah, blah, blah. And as Jav knows, Andy, you won't be familiar with this, but as Jav knows, as respected
Starting point is 00:48:12 industry commentators, we always get asked every year what are our predictions for next year. And in December, I said that this year, we're going to see our first deep fake phishing campaign, video deep fake phishing campaign, whereby somebody is phished for money by who they think is their boss on a Zoom call or whatever. I reckon that's going to happen. Oh, I thought you were actually going to say, yeah, that's happened and here's the proof.
Starting point is 00:48:43 No, no, no. But it's going to happen. I've got nine months. I'm only just starting to sweat. So I've got nine months. You know, I did see a story about that not too long ago. There was an audio deepfake. No, no.
Starting point is 00:48:59 I'll find the link. I'll put it on it. But someone's got this open source software you can use and they actually had Elon Musk on the call. Oh, dialing to a call. Well, yeah, it was basically the other person, but, you know, puppeting what looked like Elon Musk's face. But it didn't look very good, though, did it?
Starting point is 00:49:21 No, but, you know, it's, you know... And that was 18 months ago, something like that. Yeah. From concept to improvement and execution, it's not going to take too long. No, absolutely. Yeah, absolutely. It's a bit like, there's stuff that they, is it on ancestry.com? You can load up your pictures of your ancestors and then they animate them. Yeah. And that's, and actually some of the, you know, just seeing these old pictures come to life is amazing enough. But then there was some sort of, well, reaction videos, which normally I think are just the cheesiest thing in ever. But there were reaction videos of kids showing their parents pictures
Starting point is 00:50:05 of their parents that they had done. And their parents were just really overcome with emotion because they looked so good, you know, and actually seeing them move. And it was, I think that's where stuff, that's where the technology can actually be used for good in the sense of, you know, bringing the past to life and all that sort of stuff. Incredible stuff. Yeah.
Starting point is 00:50:27 I mean, I went to Hogwarts, so, you know, that stuff wasn't. That wasn't deep faked. No, absolutely not. Yeah. Well, it's nothing as great as when they hologrammed, was it, Tupac at Coachella. Yes. Well, I remember the hologram of Liam Neeson
Starting point is 00:50:46 in War of the Worlds, the stage show. That was good. Except he kept on shouting into his phone about having a special set of skills and honed over a very long period of time or something like that. It was very off script. Anyway, anyway, let's move very quickly.
Starting point is 00:51:06 I'm going to run this next story very quickly because we're running over time. But let's look at this week's Tweet of the Week. We always play that one twice. Tweet of the Week. So this tweet is from Chris Wysopal, or @WeldPond. And it's a picture of the inside of a car. And it says, it's even possible that future window stickers on new cars may point out that a vehicle meets cybersecurity standards. We should rate vehicles for cybersecurity the same way we rate them for crash protection.
Starting point is 00:51:44 I'm presuming he means the physical kind of crash, not the computer kind of crash there. But this, I think, is really very interesting. If we see the amount of autonomous vehicles hitting the market and electric vehicles generally, the increasing amount of computer control systems, drive-by-wire, brake-by-wire, all that sort of stuff involved in cars, all of which is ultimately, I think, a good thing because it can improve massively the efficiency and the safety of a vehicle, but only if it's done on a secure platform in the first place. But this reminded me of, in the same way that we rate cars
Starting point is 00:52:29 for crash protection, I think it's the NAACP or something like that. The people who use the crash test dummies and rate cars for how many stars they get for crash protection and all that sort of thing. And I think I absolutely agree with Chris on this, that there should be an equivalent agency for any car that has any kind or meets a certain threshold of computer integration. Obviously, you know, cars from 10 years ago may have some very basic engine management systems that you can only get into if you're physically attacking, etc.
Starting point is 00:53:09 But certainly some of the later stuff is really quite intrusive, I would say, possibly the wrong word, but is integrated as better across the entire car. We certainly need something that can test that. And we should do this without security vendors per se. It should not be an industry-funded effort. I believe it should be a government and international effort. Well, I mean, there's so many threat vectors that need to be thought of for this. I mean, I know that article sort of covers a couple, but things like, you know, your car reading the signs wrong
Starting point is 00:53:50 because someone's manipulated the road signs. You know, over-the-air updates. You know, you can make an entire fleet of cargo disappear just by editing, you know, the location of a vehicle and deleting those logs. You know, malicious code being uploaded, all this kind of stuff. You know, tricking sensors and cameras. There's just so many angles to hack cars, you know, when you lay out all these things. So I actually agree with
Starting point is 00:54:16 you on this one. It definitely can't be a, you know, a particular vendor. You know, for example, you know, we recently used a third party to carry out diligence for us and they gave a maturity assessment on, you know, the company we were looking at acquiring. And, you know, it's a nice 21-page report and it says maturity high, maturity high, maturity moderate, you know, maturity. Everything apart from where it comes to endpoint detection
Starting point is 00:54:42 and response and it says maturity low. And it just so happens that the company we use is specialists in endpoint detection and response. And it's like, okay, it kind of discredits a lot of everything else that's written here. It's so transparent as well. Yeah, you know, it just so happens the one thing that you specialize in just happens to be the one thing that they need a lot of help with.
Starting point is 00:55:08 Yeah. And that's what I think with these cars. It would save each manufacturer coming up with their own security teams that specialize in a different standard. Yeah. Absolutely. Because the NACP, whatever. Sorry, NCAP.
Starting point is 00:55:26 NCAP, yeah. Thank you. Yeah. Thank you for looking that up. In fact, it could even potentially be a branch of NCAP, right? In fact, why reinvent the wheel? Just have that expertise grown within. But isn't that like having InfoSec reporting to HR? Yeah.
Starting point is 00:55:45 What? What? When you say why not have it as a branch of, you know, isn't it a different discipline? Yeah. It's the testing safety of vehicles, right? They know vehicles. Yeah, but I mean health and safety know, you know, health and safety. But, you know, I wouldn't trust them to, you know, sign
Starting point is 00:56:05 off on, in the nicest possible way, without knowing their credentials. I'd be looking for someone with a bit more subject matter expertise. Yeah. Well, you can still build that internally, you know, but I take your point. Yeah. Then again, then you start to go down the vendor route. Oh, well, in which case, let's get somebody with credentials. Oh, this company, they've got all the credentials. Oh, you know. I think there's two sides to this, isn't it? And this is like, so I Am The Cavalry has been trying to, I mean, vehicles has been one of their focus areas for a while. So it's vehicles and medical and healthcare. Yeah, yeah, whatever. Yeah. So they have, like, a kind of, like, they laid out a five-point safety program for vehicles. And it was kind of like high level, like, you know, safety by design and evidence capture and security updates and isolation of systems, those kinds of things, which is fine.
Starting point is 00:56:59 I think that's one half of the equation. It's like everyone agrees on what the standards should be. The second part, and to the point you two are just discussing about NCAP, is who's going to assure that the systems have been built to that specification. And NCAP, they can easily do, they know how to do, let's ram a car into a wall at this speed and see if the dummy survives. And that's kind of like easy to do. It's not so easy. That's easy to do. Are you kidding? Have you seen what's involved?
Starting point is 00:57:31 I said it's easy to do. It's easier to do by comparison because you have the physical evidence and there's less ambiguity when you, when you, I, you know, it's like building a wall and stuff. These disciplines have been around for much longer than the cyber discipline. The threat vectors are far more limited, to Andy's point as well. Like, you know, you're going to hit something or something's going to hit you. And you want to make sure that you can preserve the integrity of the cabin to protect the occupants.
Starting point is 00:58:13 That's primarily what it is. But with the electronic component, the cyber component, there's so many things. It's not just about protecting the individuals in the car. It's protecting other cars around it. It's protecting pedestrians. It's protecting the actual vehicle itself. And, you know, gaining assurance on that is difficult. We can't even gain proper assurance of websites today. I mean, this seems to me to be the cybersecurity equivalent of negging. Negging? Negging. You're putting down NCAP. Well, you're okay, I suppose.
Starting point is 00:58:51 No, no, no. But I bet you couldn't do this. I bet you couldn't do anything to do with cybersecurity. You know, I bet you. I don't think it's just me. You just throw things into walls.
Starting point is 00:59:04 No, no, no, no, no, no. You know, it's like you can't even build a reliable, within cyber, you're not going to get like five security experts to agree on what good assurance looks like or how you can do a pen test that absolutely guarantees that website is not going to be broken. You know, you've just got to reduce the risk. That's exactly what NCAP do. They try and create as best they can the conditions in which a normal, in inverted commas, crash would occur. But the fact is there are so many variables in a
Starting point is 00:59:41 crash, even down to the surface of the road. And if there's a tiny little pothole somewhere or the height of the curb or, you know, how the tires are inflated on that particular car and if they're in balance or not and all that sort of thing, you know, so they do what they can and say, here's our rating based upon our testing. And by the way, here's the testing criteria we use, and, you know, check out our YouTube channel for some funny, you know, action videos, sort of thing. That's exactly what you do within a pen test. And no one's negging. No one's negging NCAP. And I take offence to the point that you're trying to put words into my mouth or Andy's mouth by saying that we are...
Starting point is 01:00:25 I'm just repeating your words back to you. No, you're not. No, you're not. And you know very well what you're doing, you weasel mouth. What they do is easy. Order! Order! Order! I will not have this. Right, I'm going all I****** this one. Right, you can speak to my lawyers. Allegedly. Allegedly. Anyway, anyway, that was this week's
Starting point is 01:00:55 I think we need to end very quickly. That's what she said. Oh, dear. So we don't have a Sticky Pickle of the Week. Dude, we've got no time. We're, like, no, no time. I've got a job to go to. I'm out of here. Yeah, it's same here. I've got a podcast. All right, see you liz's. Anyway, thank you very much, Jav. Thank you so much for coming out to play today. Really enjoyed it. I was here first, and you're welcome. What? And Andy, thank you very much, sir. Stay secure, my friend.
Starting point is 01:01:32 Stay secure. You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel.
Starting point is 01:01:44 Worst episode ever. R slash Smashing Security. We almost got away with it as well. It's all right. Just bleep it out. Bleep out the name. Well, that means I've got to download the bleep sound effect again. Why isn't that the number one button on your soundboard?
Starting point is 01:02:09 You're right. You're right. Because he doesn't actually edit anything.