The Host Unknown Podcast - Episode 55 - Hitting the Limit
Episode Date: May 14, 2021

This Week in InfoSec
Liberated from the "today in infosec" Twitter account

6th May 1995: Chris Lamprecht (aka "Minor Threat") became the first person banned from the Internet. He received a 70 month... sentence for money laundering... and was banned from the Internet until 2003.
https://www.wired.com/1997/12/twice-removed-locked-up-and-barred-from-net/
https://twitter.com/todayininfosec/status/1257862817371156480

7th May 2004: 18-year-old German computer science student Sven Jaschan was arrested for writing the Sasser worm and the NetSky worm. One of Jaschan's friends had informed Microsoft that Jaschan had created the worm.
https://en.m.wikipedia.org/wiki/Sasser_(computer_worm)
https://twitter.com/todayininfosec/status/1390689536670420998

9th May 1990: Operation Sundevil was revealed in a press release. It was a US Secret Service crackdown on "illegal computer hacking activities." Raids occurred in ~15 cities, resulting in a measly 3 arrests.
https://twitter.com/todayininfosec/status/1259301463102074880
The Hacker Crackdown audiobook: https://boingboing.net/2008/01/13/podcast-of-bruce-ste.html

Rant of the Week
Ransomware victim Colonial Pipeline paid $5m to get oil pumping again, restored from backups anyway
Colonial Pipeline's operators reportedly paid $5m to regain control of their digital systems and get the pipeline pumping oil following last week's ransomware infection.
News of the payoff was broken by Bloomberg, which not only cited anonymous sources but also mocked other news outlets' anonymous sources for saying earlier this week that the American pipeline operator would never pay the ransom.
https://www.theregister.com/2021/05/13/colonial_pipeline_ransom/
https://twitter.com/KimZetter/status/1392923544753872896

Colonial Pipeline hackers apologize, promise to ransom less controversial targets in future
https://www.theverge.com/2021/5/10/22428996/colonial-pipeline-ransomware-attack-apology-investigation

Colonial Pipeline was looking to hire a cybersecurity manager before the ransomware attack shut down operations
https://www.theregister.com/2021/05/13/colonial_pipeline_hiring_cybersecurity_manager/

Billy Big Balls of the Week
Hackers Are Having a Field Day With AirTags
Just two weeks after their release, several hackers and security researchers are tearing Apple's AirTags apart and finding some issues with them.
https://www.vice.com/en/article/pkbpa7/hackers-are-having-a-field-day-with-airtags

Industry News
Misconfigured Database Exposes 200K Fake Amazon Reviewers
Ransomware Takes Down East Coast Fuel Pipeline
University Cancels Exams After Cyber-Attack
Staff Bonus was "Crass" Phishing Simulation
Germany Bans Facebook from Processing WhatsApp Data
AXA to Stop Reimbursing Ransom Payments
More Domestic Abuse Cases Involve Tech
Home Working Parents and Young Adults Are Most Risky IT Users
Biden Executive Order Mandates Zero Trust and Strong Encryption

Tweet of the Week
https://twitter.com/browninfosecguy/status/1392503491042611202
Olaf Hartong @olafhartong: FreemiumBackups
Iain Cyto @IainCyto: Surprise Pen Test Posse.
Biteater @illustrioushefe: WindowsOffender
David Shipley @davidshipley: Trailer Park Crypto Boys
Adrian @Nutritionist_AP: RanSomewhere
Old Navy Dude next @ DEFCON & HIMMS @0ldNavyDude: Ransom McRansomface

Come on! Like and bloody well subscribe!
Transcript
That's bigger than an outhouse. That's like a proper... it's got decking and stairs that go up into it, Andy.
That's quite... it used to have electricity as well.
Really?
Yeah, until I just...
Turn that into your office.
It's full of junk. It's full of spiders.
Yeah, full of spiders, full of junk. It's not entirely, you know, it's not watertight or anything like that. The guy before you used it?
Yeah, he used to use it as a workshop, like for bikes that he worked on. So the right hand side has got, like, lawnmower and stuff in there that I purchased during lockdown that I never used, and left hand side is just boxes from, like, my mum's house
and old stuff that I've never really gone back to
since I loaded it up in July.
Amazon deliveries that you haven't opened
and your wife just stuck in there.
Yeah, not far off.
You've got a proper Lego thing going on at the moment, haven't you?
Yeah, fascinating.
I don't know what it is.
So where are you storing all of this?
Well, this is a bit of a challenge, I have to say.
Next week on Hoarders, Tom has a shipping container full of Lego.
You know how some hoarders, you have to crawl through sort of crawl spaces
made by newspapers and stuff like that?
Mine's just made of Lego.
I don't have many sets as such, but they are quite large.
If you want to know where it is, but you're never going to access it,
I've got an outhouse you could stick it in.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us, and welcome to episode 55 of the Host Unknown Podcast.
Yay.
Yay. Yeah, exactly. Yay. I don't know, 55 seems like, you know, that's quite a big deal really, isn't it?
So yeah. Jeff, how are you?
I'm very happy today. It was Eid yesterday. Ramadan's over, so I'm eating today.
I had a coffee not too long ago, so I'm awake.
Do you know what?
I really like Eid because you tend to send me baklava
through the post during Eid.
Baklava.
Yeah, that too.
I thought it was baklava.
You know, that thing you put on your face when you're doing a bank job.
But anyway, yeah, I always like Eid because you send me nice stuff.
And it's very nice as well.
It's lovely.
But, yes, what's the phrase?
Eid Mubarak.
Is that right?
Yeah, Eid Mubarak.
Thank you very much.
Yeah.
See, I can Google as well.
But yeah, you must be absolutely beside yourself with that coffee. It must be the best thing ever.
It was. It was yesterday. I ate too much.
As you do.
Well, yeah, I mean, yeah, it wasn't that I ate too much. It's like your stomach's really confused as to why you're eating every so often during the day.
It's like, stop, stop.
So it turns out I've been celebrating Eid for like the last 15 years.
That's right.
Every day's a celebration for you, mate.
Don't worry.
I'll get it used to.
I'll beat my stomach into submission within like 48 hours.
Don't worry about that.
Yeah, yeah, you'll wrestle it to the ground
Oh dear. Andy, how are you? What have you been up to?
Not too bad, thank you. I am trying to figure out what I was talking about just before I heard that music, because I didn't realise we were actually recording. So I don't know what... I don't know what you say. Normally... I was reading my WhatsApp group messages
and the picture of that Lego dildo that you sent.
I have no idea.
That's not a Lego dildo.
That's Darth Vader.
It's a Darth Vader helmet.
Come on.
The thing below it that you think looks like a vacuum cleaner,
a stand-up vacuum cleaner, that is a lego dildo
no no idea what you're talking about sorry
oh dear but i i am aware that there is a um a big moment in uh infosec history this week
uh for one of us yeah a big big big uh event that should be celebrated because it is a milestone.
And I understand, Jav, you've been at your job for celebrating an anniversary.
It is.
It's Jav's anniversary.
And some random fellow on Twitter congratulated you, right?
No, it wasn't a – so, yes, it is my two-year anniversary of being at KnowBe4.
Is it only two years?
Yeah, only two years.
It's like part of the furniture.
I remember that company before they floated.
Yeah.
I remember when they were a regular horse, not just a unicorn.
And I – it was just a horse with a party hat.
A horse with a party hat.
And someone emailed me on LinkedIn Carlo thank you for your
email saying congratulations on your
anniversary and say hope Tom
and Andy celebrate your achievement
adequately
on the podcast
which we just have done
Andy just did I'm not but Andy
just did
how do you know Carlo?
I have no idea.
He's a connection on LinkedIn.
Yeah, there you go.
Well, actually, Carlo's a member of the (ISC)² Thames Valley chapter.
That's how I know him.
So, yeah, interesting that he reached out to you.
That's good.
That's good.
This is how we network, right?
This is how we grow our community and network.
That's right.
So, yeah, congratulations.
Two years?
I can't believe it's only been two years.
It is literally like you've been there forever.
And, Tom, you were 75 this week as well, weren't you?
That's right, I was.
I celebrated a major milestone in the number of days I woke up alive.
Every day above ground is a good day.
Yeah, exactly.
Yeah.
Every day I have to go onto the tube in London.
I get worried.
But, yes, I was not 75.
I was 50, the big 5-0.
Lies.
So, yeah.
Thank you for your birthday card, Andy.
I appreciate it.
You're welcome.
Right.
So, what have we got coming up today on the show?
Well, we've got a plethora, a veritable plethora of stuff.
This week in InfoSec obviously takes us back,
but it takes us back to when the first person in the world was banned from using the Internet.
And it wasn't by their parents. It was by a judge for 70 months.
Rant of the week is the age old will they won't they story of whether or not the victims will pay the ransom.
I think we know what they actually did.
Only to discover that, funny enough, it wasn't really worth it.
Billy Big Balls this week is hackers having a field day with air tags,
which I think is an outrageous thing to do with an Apple air tag.
Industry News brings us the latest and greatest InfoSec news from around the globe.
And tweet of the week solicits suggested names for the host unknown new business venture.
And apparently for National Password Day, they say that you need to create a password which includes at least eight characters.
So I chose Snow White and the Seven Dwarfs.
And that is all I have to say on the topic of the little people this week.
Yeah, I know.
I just move my mouth hold to these.
I don't write them.
But yes. So I think we should move swiftly on to... This week in InfoSec.
And it is that part of the show where we take a stroll down InfoSec memory lane,
liberating content from the Today in InfoSec Twitter account.
So our first story is a real piece of history right here, as it always is. So on or around the 6th of May 1995, which was only a mere 21 years ago, Chris Lamprecht, a.k.a. Minor Threat, became the first person banned from the Internet.
So he received a 70 month sentence for money laundering.
And so he was actually banned from the Internet until 2003.
And this is like, it's just one of those things that just seems absolutely crazy these days, especially when you consider prisoners have phones with them in prison. Maybe not officially, but, you know, they do get to get them in there.
So Chris Lamprecht, as we said, known as Minor Threat, or M Threat as those back then... these days is a respected software developer. He was the first employee and lead architect for Indeed.com.
So if you know that job listing site, you know, that search engine for job listings,
you know, if you ever want to know what technologies a company is running, it's a great
place to look because you can see what jobs are advertising for, what skills they're looking for.
But anyway, Chris has been living the dream since his conviction in 95.
What's funny about this is obviously, like Al Capone,
he was obviously sent down for something other than you'd expect him to be sent down for.
And this guy, I don't know if you knew this,
he was actually the original author of ToneLoc.
And when I say ToneLoc, I'm talking about, you know,
the shortened name for Tone Locator.
It's not pronounced Tone Low?
You're thinking about the rapper, aren't you?
Or Tone Low?
Oh, yes, of course.
Yeah, Funky Cold Medina.
That's the one, yeah.
Yeah, so it was actually a wordplay on that.
So he wrote that in the 90s.
I know my rappers.
Yeah.
Your 90s rappers.
Your 80s and 90s rappers. Yeah.
Your 80s and 90s rappers.
Yeah.
So ToneLoc was actually a war dialing program.
It was written in C for the DOS system.
And if you're not familiar with war dialing,
because why would you be if you were young into the industry?
In the early days of the internet,
this was like the equivalent of scanning for open Wi-Fi networks to connect to.
So, you know, you'd set your computer to dial a range of numbers.
If there's a computer on the other end of it, it would typically respond, you know, on the first ring.
Anything else would like to be a landline or if you got unlucky, someone would answer.
And if that happened, then, you know, your war dialer would just disconnect and, you know, keep scanning for the numbers onwards.
And it's actually quite common in the 90s for, like, you know, remote workers to have to call a bank of numbers, you know, into the company, and then their modem would hang up and the company would call you back and connect you to the network, to basically save your phone bill, which just seems absolutely ludicrous these days.
So anyway, he was sentenced 70 months in prison for money laundering and given the punishment of no access to the Internet until 2004, and is still regarded today to be the first person banned from accessing the Internet back in 1995.
Did he actually stay off the internet until 2003?
He was actually given early release.
So I think from 2000, so he actually only served five years. And yeah, so he's given early release in 2000. I believe it was four and a half years. So he did get back, you know, onto the Internet, and has since, you know, it doesn't seem to have impacted him. He's had a very successful career since.
Once again, you know, shorten your career arc by doing something illegal.
Yeah, yeah.
And so talking of people getting caught, so 17 years ago, on or around the 7th of May 2004, 18-year-old German computer scientist, sorry, computer science student Sven Jaschan was arrested for writing the Sasser worm and the NetSky worm. And he was ultimately caught after one of his friends had snitched on him, you know, to Microsoft. So if you weren't aware at the time, 2004, Sasser was a worm that, you know, impacted, as always, Windows 2000, Windows XP machines. It was particularly virulent in that it could spread without anyone doing anything, you know, but also easily stopped if you had a firewall running or if you patched your machines with the updates that released nearly three weeks prior to that, I think.
But the great thing about this worm, why it sticks out, is that it was when the worm crashed,
a timer would appear to tell you when it was shutting down your machine.
So, you know, you'd have people working in the office, a timer would pop up and it'd be funny,
especially the developers, you know, because they all knew that you could abort the shutdown by, you know, running command prompt, typing shutdown -a, which still works to this day if you're on a corporate network and, you know, they force you to update your machine. If you can get access to the command prompt, you can run shutdown -a without privileged access and that will abort the shutdown.
But anyway, so this worm was released, I think, 30th of... 29th of April, which was also his birthday. And it was a week later, on the 7th of May, he was actually arrested for writing the worm, because Microsoft, as part of their bounty program, they offered 250,000. And yeah, one of his friends just rolled over straight away and said...
Well, I mean, you would, right?
Yeah, I know who wrote it. I mean, I love you guys, but 250 grand. I mean, that would pay off my credit card. Well, most of my credit card.
Would it? Would it?
I mean, that's 250 grand dollars. Then you probably get taxed on it, so you're losing, like, half of it. Then you convert it to pounds. You know, you're not left with much. Maybe a few Lego sets you can buy with that.
Yeah, yeah. But it just goes to show how little I value our friendship.
Yeah, yeah. I'll do it for a tub of Haribo.
Yeah, especially the German variety.
Where it's, yeah, yeah, the proper ones.
Yeah, the ones with Smurfs in it and stuff like that.
But yeah, so Microsoft offered the bounty. His friend snitched on him, said that, you know, he wrote Sasser. They discovered he also wrote NetSky as well. And he was tried as a minor, because when he wrote the worm he was 18, and so this was a hard...
Hat, when he went into court.
Yes, exactly, with a light on.
Yeah. And so because it had been released on his 18th birthday, you know, he had effectively written it prior to that, so he was still a minor. He was found guilty of sabotage and illegally altering data and got a 21 month suspended sentence, which was the good old days when they didn't throw the book at you.
And yeah, and his mum, his mum was told to turn the Wi-Fi off in the house.
If they even had Wi-Fi back then.
Yeah, that was still... yeah, you did in 2004.
I'm trying to remember. I'm pretty sure when this hit, I was working, and then several colleagues, they were like, oh, get ZoneAlarm on your home PC and it will stop it, or something like that. And do you remember... sorry, go.
Yeah, no, I just had ZoneAlarm running for the longest time ever, and I thought, yeah, it was, like, so cool. And the other one was Steve Gibson. Was that his name?
Yeah. Yes.
Yes.
Yes.
The Gibson Research Corporation.
Yeah.
Scan my machine.
I'm safe.
Yeah.
That was,
I had a UPnP
um,
disabler on it as well.
Yeah.
Yeah.
One of the,
one of the checks we spoke about that last week
But yeah, no, those were some handy tools actually. I was really... I had all of them.
If you want to hear more about the UPnP that we discussed last week, listen to this week's Smashing Security.
Yes. Next week. Next week's Smashing Security.
Or next week, sorry. Yeah, probably. I don't know. Love you, Carole. Love you.
Great. No, we don't.
There was one other story, from 9th of May 1990, and this is 31 years ago. Operation Sundevil was revealed in a press release, and it was the U.S. Secret Service crackdown on illegal computer hacking activities. And they talked about, you know, raids occurred in, like, 15 cities. It was like this massive event, and it only resulted in three arrests.
But rather than talk about... yeah, I know, it's brilliant. But as I read into this to, you know, get the dates, confirm the dates and all of that, there's a great book about this written by Bruce Sterling. It's called The Hacker Crackdown, and I highly recommend you read it. And if you don't want to read it and you enjoy listening to podcasts, I've put a link in the show notes where you can actually download it as an audio.
Is it a free download?
It's free to download, but it's in multiple parts. That's the only thing. So it was, you know, voiced a while back, but definitely a great, great story. And upon reading that book, I'd always believed that Steve Jackson Games almost went bust as a result of Operation Sundevil, as you will be told in the book as well. However, it turns out that that may have been a media error. As I read about it now, they sort of say, well, it wasn't quite that cut and dry. But definitely links in the show notes. Read The Hacker Crackdown.
Excellent. Thank you very much, Andy.
This week in InfoSec.
Fascinating. I love this stuff.
It really does bring back some distant memories of,
Christ, yeah, I remember sweating bullets when that particular virus hit.
And then you realise you're closer to 2050 than you are to 1990.
Oh, shut up.
You know, someone sent me a picture the other day, said, like, if you want to feel old, this is what they were stealing in the first Fast and Furious movie. And they were, like, old TVs and video players and DVD players or something. And I was like, what is this antiquated technology?
Oh, yeah, I had that with, I watched American Pie the other night.
And it was made in 1999.
So, yeah, 21 years ago.
But then Stifler's mum, remember, like, she was supposed to be this older woman.
And I looked up, she's actually only 37 when she filmed that.
Oh, wow.
I was like, oh, man, this is not good.
This makes you feel old.
But thank you, Andy.
You know what? I was thinking about this.
I was listening to the podcast last night.
I went for a drive and I was listening to it.
And this is perhaps I think if there was ever a segment I think deserves a
spinoff and get its own version,
it would be you just talking about this week in InfoSec.
I think you do a really good job on it.
Yeah.
Sticky weeks in InfoSec.
Yeah.
Of the week.
Yeah.
I think that's a genius name.
I think genius.
Anyway, Jav, I think you're up now for this week's...
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
Like last week, this week I've been off work.
And yesterday I was eating myself into a food coma.
So I haven't really been up to date with a lot of stuff.
Except ransomware. It's one of those things that's always there now. And I'd say it's really difficult to
find a security story these days, or an incident that happens these days, that doesn't involve ransomware in some way, shape or form. But a week ago, Colonial Pipeline, a big gas, as in petrol, gas operator in the U.S., was hit with some ransomware.
Now, apparently it was only on the billing system.
The customer side didn't impact the critical systems,
according to them, but they shut it down as a precaution.
And the story was broken by Bloomberg,
the most reliable of security sources.
Do you remember when they broke the story about the other chip that's the size of a grain of rice, and then they never responded?
Anyway, nobody ever found one.
Possibly because it's just really small and hard to find.
Exactly, exactly. It's just really tiny. It reminds me... what? It just reminds me of Guardians of the Galaxy 2
where Drax sees Kurt Russell's character.
He's like, he's a tiny man.
He's like, why was he tiny?
He goes, maybe he was just far away
and that's why he looked tiny.
That's how all kids appear.
Like, no, he was a tiny man.
So yeah, the chip was really tiny
because we saw it from far away.
Anyway, Bloomberg, the highly reputable source of security knowledge,
in their story, actually, they not only cited anonymous sources,
but also mocked other news outlets' anonymous sources for saying that earlier this week
that the American pipeline
operator would never pay the ransom. So make of it what you want. I don't know what I'm ranting
about, but there is something there. I'm sure if you listen really carefully, play it in reverse,
you'll figure out what I'm ranting about. Kim Zetter, she's probably written the best sort of write-ups on this topic.
You know, there's two of them.
She's got a sub stack.
It's free for now, I'm sure.
Like, you know, once she builds up, she's going to start charging people.
So get it while it's free.
But the group behind it is DarkSide, and they're one of those groups that have been around since last year, I think. And they have this whole manifesto on their site that they don't attack hospitals and, you know, whatever, so they're ethical and what have you. And I saw a tweet by, I think it was MalwareTech. He said it's surprising hardly anyone knew anything about this gang, because they operated quite stealthily and what have you, and since last week nearly every vendor's been writing a blog about them and their tools and tactics and, you know, how they go about stuff. And, you know, there's a bit of ambulance chasing going on. But, you know, yeah, so they have a press release describing their principles. They claim they won't infect hospitals and other medical facilities, schools or universities, non-profits or government agencies. Instead they target victims they know can pay the ransom.
We do not want to kill your business, they wrote. And I think, you know, it's, it's, it's, wow,
you have ethical hackers now out there who will only target criminals. Yeah, the ethical criminals.
But I suppose part of it, they must be shitting themselves
because the US government now is issuing emergency orders against them
and they're now a hot topic.
So it's probably not the coverage they actually wanted.
It's brilliant that they go after an oil company
and then they're like, Ashley, do you know what?
We know you've got the money, but we didn't want this much media attention.
Yeah, yeah. Or even, you know, we're not gonna ransom, you know, companies like you in the future, but if you could just pay up now, that'd be great.
Yeah, yeah. The best thing was though, and you must have seen some of the memes, is that because they shut down the pipeline,
there's been shortages of petrol in some of the states.
The government has authorized the transport of fuel by road again,
which they don't do in the US and things like that.
Exactly.
But what's really funny is that you must have seen it.
Because of the shortages, there's been this mass panic buying.
Yeah.
And people have been filling up petrol in plastic carrier bags
and putting them in their boots or their car and everything.
It's just like, you know, I'm just waiting for explosions to happen all over the place.
Not that I'm waiting for it.
I'm just assuming that something like that will happen because it's just so ridiculous.
I mean, it's absolutely scary.
Some agency had to issue a warning saying do not put, you know, petrol gas into plastic bags.
I mean, the fact that, well, it's a bit like the warning on a pack of peanuts saying warning may contain nuts.
I mean, don't put this incredibly explosive liquid into a bag
that could, into a container that can split or burn really easily.
Well, yeah, but having said that, we're talking about America,
the country that had to issue warnings to citizens not to shoot into tornadoes
because the bullets might come back.
Yeah, but they were hunting sharks.
Yeah, there is that.
This whole ransomware thing, right? So also the Irish HSE, like, you know, their equivalent of, like, the health services, shut itself down, you know, voluntarily shut down overnight due to a ransomware attack. Like, where is the failing here? Are we saying that anti-malware tools are not doing their jobs, or people have too much privileged access, or, you know, what? Why is this still so prevalent?
I think it's all of the above. It's all of the above. There's a lot of tools out there that aren't effective. There's a lot of organizations' security teams that aren't effective or are non-existent, you know. And I think there's a lot of security controls and a lot of pressure on people, sorry, to actually click things to get their job done, for want of a better term. So yeah, I think it's all of the above.
Yeah. Ransomware is an easy win, and it's also an untraceable easy win if you're taking payment in Bitcoin as well.
This reminds me, there's a story put out by Sophos that they were doing an investigation
into something. And there's a research lab that does biomedicine and they're doing some COVID-19
testing. And anyway, they got hit by ransomware
In the investigation, they found that there was a user who needed a free version of virtualization software, and he couldn't get one from the official site on his personal machine, so he downloaded a cracked version, and it was malware and triggered a security alert from Windows Defender. And the user did what a user does: he disabled Defender to get his job done, and two weeks later they were hit by ransomware. So I think there is an awful lot
of pressure on people trying to get their jobs done. They're not being malicious intentionally,
but again, if they're not given the tools to do their job or they're not given the flexibility
to do their jobs, then they're going to try and take shortcuts or try to do it in whichever way
they can. Yeah. It's like a lack of joined up thinking at a business level. You must do this.
Okay. In order to do that, I need X, Y, Z software. Oh no, no, no.
You're not approved to get that software. Not on that machine.
You know, but, you know, and, and therefore something like this happens.
Yeah. Yeah.
You know, it's, it's, it's, yeah, it's not good. It's not good.
But I, I, I get very frustrated because, you know, the, the criminals, right.
They say, oh, well, we're not going to target hospitals,
we're not going to target, you know, charities, blah, blah, blah.
And then charities and hospitals are hit and it is literally like,
oh, okay, yeah, sorry about that.
Give us some money though.
But, yeah, we'll try not to do it again in the future.
It's ridiculous.
The criminal gangs are so efficient and so well run that you know
they can disable it remotely if they find they've hit a hospital
or whatever, but they don't.
They just let it happen.
So criminals are doing what criminals do,
which is basically hit the softest and fattest targets they can.
Andy, he's talking about you.
I'm prepared.
Bring it on.
Come on.
I'm behind seven proxies.
No, no, those are gummy bears.
Oh, dear.
Anyway, Jav, thank you.
Rant of the Week.
Thank you, Jav.
I think it's time for...
This is the Host Unknown Podcast.
The couch potato of InfoSec Broadcasting.
And we're going to move straight on to...
Rant of the Week... Okay, so do you know what?
I'm in two minds with this one.
Because one, the story unsurprisingly involves my beloved Apple.
Come on, Tim, we know you're a fan of the show.
Get your sponsorship checkbook out.
But I also agree with what's kind of going on with it.
So basically, bottom line is hackers are having a field day
with a new AirTag.
So these AirTags are the location tracking devices that you attach
to your keys and your pets and your, you know, whatever else,
you know, your slippers, anything that you
regularly misplace. And you can use then Find iPhone and the tracking capabilities of iPhones
around the world to identify where your devices are, even if they're outside your house and,
you know, miles away from your phone. Really good, lovely devices.
I've got some, Andy's got some in his hallway in an Amazon box somewhere. They're lovely,
cute little devices. They've literally only been released, what was it? Was it last? No,
two weeks ago, wasn't it? Two weeks ago. I actually got mine before you, Tom.
Yeah, by about an hour. That's because you're in London and I'm in the outskirts. But literally, so two weeks after they've been released, some hackers and researchers have obviously opened them up, and I think that's fair game, you know. If you... something, it's yours, you can do what you want with it. And they found, well, I think the tagline is they found some issues with them.
That's not entirely true. They found some issues with them if you're really good at soldering and
hacking microcontrollers and all that sort of thing. But bottom line is what they've done is they've opened it up
and they've broken into the debug mode,
which is obviously disabled in the factory,
and that's required a fair amount of hardware hacking as well.
So it's not a pretty hack by any stretch.
But what they have found is that it can actually deliver malicious URLs to
any phone that scans it. And the upshot of this, and this is what I really liked in the report,
is that you can have an AirTag on you that will rickroll any iPhone that decides to connect and scan your AirTag.
So you could be walking through the town centre
and everybody with an iPhone will suddenly have
Never Gonna Give You Up by Rick Astley playing on their phones
as their phones naturally connect to your AirTag through,
I think it's NFC, isn't it?
I love how you have to explain, how you explained what a Rick roll is.
It's never going to give you up by Rick Astley.
Well, yeah, absolutely.
It doesn't explain the technology that does it.
No, no.
I think it's NFC.
Look, we all know I'm explaining for my mum.
That's all.
My mum doesn't care about NFC.
She cares about Rick Astley.
He's a singer from the 90s, mum.
Anyway, so in one sense, I'm kind of like, oh, God, Apple.
Of course, they've decided to pick on Apple products,
all that sort of stuff.
But the flip side is what I hope happens as a result of this
is Apple will release
some firmware, they'll release some updates and they'll update the air tags, et cetera.
And they will produce a better product as a result. Because ultimately that's what
security researchers are looking to do. They're looking to improve things a bit like
all of the medical devices out there,
the insulin pumps and the pacemakers
and all that sort of thing,
which can be, well, barely hacked,
just merely connected to via Bluetooth.
And the net result of that was better products out of it.
And I'm hoping that this benign research,
and in fairness, it is benign.
These are people just doing it, one, to find out how it works,
and two, because shits and giggles and all,
and there isn't a malicious intent, although it could be used for that.
But my hope is that because researchers are out there doing this and really putting some really intelligent and inquisitive, what can I put it, sort of thoughts and power behind this that the products that they break into as a result will improve.
So this is a really interesting one, but it only
took two weeks. But then again, that's an upshot of it being quite a simple, low power device as
well. But yes, I do like that. Go on, Andy.
Well, so it reminds me of, it was a few years back when there was a special character in one of the Indian dialects
that iPhones couldn't process. And so when you sent it to, like, a group chat or something, it would
literally kill your phone, or if you had preview on, you know, as soon as... And I remember Ricey at
the time had an Android and everyone else in the group chat had iPhones.
And he was just like, you know, full-on disaster,
just sent it around, text messages, WhatsApp, everything.
No one's phone would boot up because it was trying to show on the preview screen
and just crashing again.
It was like an absolute nightmare.
You had to keep trying, keep trying, keep trying,
and then just try and clear it before it showed up.
But it kind of reminds me of that. Like, you probably could have done something a bit more malicious than a rickroll, you know, if you were aware of, you know,
other things at the moment that would crash them. But any malicious URL, right? I mean, that's, yeah.
Yeah, yeah. So, I mean, it's really interesting,
but just listening to how much reverse engineering they need to do
to get it to do that,
is that very different from just getting components
and building something that does it yourself?
So, I mean, I'm not convinced it's a major, major, major issue.
No, I think it's going to be a bit like,
it's going to be one of those things that pentesters are going to love. They're going to do them in
assessments, say, hey, we can breach your air gap system, because if we lob one of these into your
offices, or, you know, fly it in via drone, then, you know, your phone can connect to it and by this we can do that. But in reality
I think there's probably lots of better ways to go about doing malicious stuff if
you want to do it. But it's still super interesting.
I completely agree. You know, I think that the
actual threat of it as a, you know, should it go on our risk registers? Probably not. I think what it will do
is, as I said, hopefully create a better product, but I can't imagine, it's not like you'll be able
to mass produce this. That said, this is the very first iteration of it. And it's a bit like
anything. If you saw the very first iPhone, it took up about half a square
meter because of the way it was laid out and wired up and all that sort of thing. It was a concept
as much as anything else, just like this. And sooner or later, somebody will be able to
reprogram a chip on there that means you don't have to solder wires and bypass connections
and stuff like that.
But in the meantime, hopefully Apple will firm up some of the security protocols
on the chip, et cetera, or even do something as drastic
as set the entire thing in resin or something like that,
which just makes it much, much harder to access
the electronics without actually breaking the electronics in the first place. So there's all
sorts of ways around it, but you're right. I think it's very much a low risk issue, but as you say,
absolutely fascinating nonetheless.
Billy Big Balls of the Week.
All right, Andy, what, it's that time, isn't it?
It is. It's that time of the week where we head over to
our multiple news sources over at the InfoSec PA Newswire, who have been very busy this week
bringing us the latest and greatest security news
from around the globe.
Industry News.
Misconfigured database exposes 200,000 fake Amazon reviewers.
Industry News.
Ransomware takes down East Coast fuel pipeline.
Industry News.
University cancels exam after cyber attack.
Staff bonus was crass phishing simulation.
Germany bans Facebook from processing WhatsApp data
AXA to stop reimbursing ransom payments.
Industry news.
More domestic abuse cases involve tech.
Industry news.
Homeworking parents and young adults
are most risky IT users.
Industry news.
Biden executive order mandates zero trust
and strong...
Industry news.
And that was this week's...
Industry News.
So that staff bonus story, which is huge if true,
but staff bonus story...
Did you hear about it?
It was a crass phishing simulation.
That's been done over and over again.
That's happened so many times, hasn't it?
Yeah.
Yeah. Yeah.
I wonder if it's the same.
Is it the same sort of phishing company behind it?
Do they have like a template of congratulations,
you've got a massive bonus?
Ha-ha, you clicked.
You know, this is, again, it's a problem with disconnect
between the security departments
and the rest of the organization.
Phishing emails are great if used properly, but you need to have the right relationship
with people.
And the objective shouldn't be to just catch people out.
It should be to educate and inform.
It's kind of like training in a, you know, if you want to learn a martial
art, you go into a dojo or a gym or what have you, and, you know, you put on the pads, you put
on the headgear, and then you drill when you train and you learn, you know, sometimes you
might get hit a bit hard, but that's part of the learning. It's not that you're walking down the
road and your instructor comes up behind you and puts you in a chokehold and said, there you go, punk. I was testing you and you failed miserably,
which is what this feels like. It just feels like people haven't built the right context.
They haven't got the right relationship with their employees. And they're just
sending out these things and sniggering like Beavis and Butthead saying, hey, we got you.
There's nothing big in sending out a phishing email that, you know,
especially if you know, you know, what are the hot buttons of your employees.
So, you know, it's a low blow.
But that said, this is exactly what the criminals would do, right?
They would, if they had any kind of intel on the company
and knew when sort of bonus cycles were,
because it doesn't take much from social media
if you're really looking to find out, you know,
woohoo, bonus time, you know, or whatever,
then this is exactly the sort of thing they would send, though.
Yeah, and I think you can get to that stage
if you've
built up the trust and the relationship with your employees first. You don't start with that.
You start off with something slow. You get people used to the fact. You get people familiar with
the fact that these things happen. And you know what? It's not about getting people
to become security experts. It's just to get them to get their spidey sense tingling when they get an email
so that they can question it or report it or do something like that.
But if you're just going to make people feel bad about themselves,
then, you know, shame on you.
Yeah, so don't use all of the possible entries into phishing, just the tip.
Yeah.
So do you know what's – I actually received a phishing email this week,
and we've got like report phish button in the mail client.
And I clicked that, and it popped up, and it was like, congratulations.
It was like, please don't tell your colleagues, you know, running a simulated... And I thought it was
like a really friendly message. I was like, oh, nice.
You felt all warm and fuzzy after that?
I did. I thought that was very well done, that one.
I remember when we were doing it back in my old CISO days,
it would take them to a URL and we'd have,
because we were using restricted intelligence at the time,
and you'd have one of the characters pop up from restricted intelligence
with the text underneath saying, you know,
oh, you clicked on the link, blah, blah, blah.
But it was very clear that it was part of the same program,
if you see what I mean.
And we tried to use
the same language and the same sort of slightly fun attitude to it as well. But, yeah, it
is difficult, because, like I say, I'm still on the fence around, well, a staff bonus email is exactly
the sort of thing the criminals would do, and you don't get eased into that by them.
No, and I don't think it's about easing into that. I think it's more about the
relationship people have. It's like when people click on something and they, a simulated
phishing, do they feel like, ah, good one, thanks for showing me that? Or do they feel like you just wanted to
catch me out? And I think that's the relationship that you need to work on.
So it's also
partly in the messaging of what happened afterwards, I guess, as much as the actual message itself and
how it's treated.
Yeah. You get a phishing email that promises you your bonus,
and then it says, oh, because you clicked on this phishing email,
we're going to take away 5% of your bonus.
Yeah.
Oh, no.
That's the worst thing ever.
That would be harsh.
That would be harsh.
The other thing that caught my eye was the Biden executive order
to mandate zero trust and strong encryption.
And the thing that really, you know,
and I'm just reading the headline and giving my opinion here, I'm not even clicking on it,
but the thing here is you've got zero trust, which is this, you know, quite highfalutin
concept. Every expert in adverted commerce I've spoken to about zero trust says,
oh, it's not about a destination. It's about a journey.
You never fully achieve zero trust, but it's a really important thing,
which makes me think it is just a marketing term as much as anything else. But then paired with a really simple fundamental of InfoSec,
strong encryption.
So you've got this kind of, like, esoteric, you know, ethereal concept and a really
basic, simple control being put together here, as you've got to do both of these. And that's
quite interesting messaging, I would say.
Is it end-to-end encryption, though?
Because our parliament doesn't want that now?
No, our parliament doesn't want it.
But, I mean, as long as you've got a backdoor, you can have it.
But, I mean, some of the other things they're enforcing is that end-to-end encryption, like encryption at rest by default, multi-factor authentication to access any services.
Yeah, EDR.
Table stakes.
Table stakes.
Table stakes.
But they also have set up a new department that does, like,
air crash investigation style after major incidents.
So they can give sort of lessons learned and sort of come up with new mandates after that.
So I know there's a lot of things here that you think,
well, why aren't people doing this already? But, you know, to me, I think it's actually, yeah, I'm actually a fan of this. You know,
funding is going to be an entirely different question.
Yeah. Oh, I'm a fan of this,
because having it pushed at that kind of level, it's a bit like getting your board engaged
on your security program. Yeah. You know, and boards are going to suddenly take a bit more interest in this.
Absolutely.
But it's just, you know, why did it have to come to this,
which is an unfortunate thing, which is on us, you know,
as infosec professionals, without a shadow of a doubt.
But it's just a real shame that it takes quite such a thing
to get such basics in place.
Yeah, I think this kind of ties in nicely with the story about AXA Insurance to stop
reimbursing ransom payments.
Yeah, and I was reading about this the other day, and there
were some other insurers, cyber insurers, who are thinking of pulling back or reducing the coverage that they provide because, in their words,
it's just too easy for organizations to take out their insurance
and then not do anything themselves and then say,
oh, we've been hit, give us the money.
Yeah.
So I think having something like this would help set the bar.
So it's like, okay, you can get insurance if you've met these sort of basic requirements or what have you.
It's like driving your car.
You're insured as long as you're not drunk.
You maintain your car regularly.
You've got your MOT and all that.
Yeah.
Well, I remember doing the annual insurance renewals at my last place
at CISO, and I had to present alongside the chief privacy officer
about what we're actually doing from an InfoSec perspective
for them to even accept us.
For corporates, they're huge.
It's almost like a sales pitch.
Yeah, it is.
That's exactly what it felt like, yeah.
Yeah.
Yeah.
Anyway, thank you very much.
I think, well, time's marching on.
In fact, I think we should get cracking onto this week's...
Tweet of the Week.
And because that's so cute, we always play it twice.
Tweet of the Week.
So this is a tweet from a guy called Sonny,
at BrownInfosec guy on Twitter,
and he raised a question which I liked: if you were to start your own ransomware group,
what would you name it? And it, you know, raised some queries on that. And I have selected
a couple of my favourites. I thought we could probably take one each on this one.
All right.
So if you were to start your own ransomware group,
what would you call it?
And Olaf Hartong says,
freemium backups.
I got Ian Saito,
at Ian Saito,
says surprise pen test posse.
Big Tinker, at illustrious FAC, says Windows Offender.
And then I've got David Shipley saying trailer park crypto boys.
I have from Adrian, who's at nutritionist underscore AP:
Ran Somewhere. As in ran somewhere.
And Old Navy Dude, at Old Navy Dude:
ransom, muck ransom face.
But no, there's a few more suggestions on that list. Links in the show notes.
Yeah, but yeah, it's a great thing. I mean, anyone can start a ransomware group these days, right?
It's like ordering stuff from Alibaba and dropshipping.
You know, you create that method, whereas, you know,
you can actually buy ransomware kits and, you know,
dropship it elsewhere and you just need to focus on your brand.
It's all about marketing.
It's all about marketing.
It's all about the marketing.
You can get those dice, the attribution dice that you roll, and it gives you the name of the gang that did the attack.
Yeah, yeah.
See, I might call it Got Your Hat, and then when it hits you,
we're ransomware, a picture of Logan Paul comes up.
Oh, dear.
I watched that video.
What a zoo.
He's a Muppet, isn't he?
Well, not just him, but the whole thing.
And the press just following him around like a baying pack of wolves.
It was, I don't know, awful.
Anyway, thank you, Andy, for this week's...
Tweet of the Week.
Well, we draw to a close.
That went very quickly, I have to say.
Very quickly.
We're doing well to stay on track this week.
Well, you know, we work hard to produce quality content
at less than an hour for you, dear listener, is all I can say.
Jav, thank you very much indeed.
I appreciate it.
Oh, you're welcome.
Jolly good.
And Andy, thank you, sir.
Stay secure, my friend.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash smashing security.
So what is going on with the soundboard then? Why are we hearing really sort of slow
jingles and stuff?
It's just, the audience isn't going to hear that. We fix it in post.
Oh, right, you're actually going to edit that? Oh, okay.
Yeah, I will do some editing, don't worry.
Don't worry. Oh, God.
Next week, we'll be going full on Smashing Security.
Give me three weeks before I edit this and get it published.
But if you're a Patreon subscriber, you can get it 24 hours earlier.
Wow, I live for that.
Harsh.