The Host Unknown Podcast - Episode 66 - Our Time to Shine
Episode Date: July 30, 2021

This week in Infosec (06:42)
With content liberated from the "today in infosec" Twitter account

27th July 1979: The first edition of Computer Security was published. It was written by David K. Hsiao, Douglas S. Kerr, and Stuart E. Madnick.
And to think, some of you probably are surprised there were computers in 1979, never mind computer security!
Computer Security 1st Edition
https://twitter.com/todayininfosec/status/1420498414874370049

28th July 1997: Tfreak (Dan Moschuk) released his program, smurf, a decision he later regarded as questionable. Exactly one year after he retired smurf in 1997, Tfreak published (papa)smurf.c v5.0, a new hybrid DoS attack based on Smurf and Fraggle.
(papa)smurf.c v5.0 - New hybrid DoS attack based on smurf and fraggle

Rant of the Week (23:23)
https://twitter.com/shanselman/status/1420800992388415491
https://www.idtheftcenter.org/google-voice-scam-tries-to-trick-you-while-you-are-selling-items-online/

Billy Big Balls of the Week (32:25)
The Tech Support Scams YouTube channel has been erased from existence in a blaze of irony as host and creator Jim Browning fell victim to a tech support scam that convinced him to secure his account – by deleting it.
Scamming the scam scammer

Industry News (40:40)
Apple patches zero-day vulnerability in iOS, iPadOS, macOS under active attack
Tech biz must tell us about more security breaches, says UK.gov as it ponders lowering report thresholds
ICO ends its involvement in dispute between NatWest Bank and data breach whistleblower
eBay ex-security boss sent down for 18 months for cyber-stalking, witness tampering
Iranian state-backed hackers posed as flirty Scouser called Marcy to target workers in defence and aerospace
'Woefully insufficient': Biden administration's assessment of critical infrastructure infosec protection
Israeli authorities investigate NSO Group over Pegasus spyware abuse claims
Upcoming Android privacy changes include ability to blank advertising ID, and 'safety section' in Play store
Spam is Chipotle's secret ingredient: Marketing email hijacked to dish up malware

Tweet of the Week (55:24)
https://twitter.com/bryanl/status/1420925333864386562

Come on! Like and bloody well subscribe!
Transcript
Who's that you're talking about?
F***
You don't f*** do you?
No, he's a complete charlatan
He's a dick jab, he switched on the recording
Oh mother f***er
You're listening to the Host Unknown Podcast
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome to episode 66 of the Host Unknown Podcast.
71.
And you know what? It's our time to shine, boys.
We've got a lot of listeners out there who are going to have nothing better to do than to listen to us over the next few weeks.
Well, they never really did, did they?
Well, you know, what I'm saying is they will be starved of quality content.
I mean, some would argue they've been starved of quality content for a long time, but they've been starved of quality content.
They'll be looking for something else.
And here we are.
And I think, you know, I can see our listenership. We'll just go through the roof. We'll just, you know, surpass all expectations. We may even have to start taking on sponsors again.
But we can dream.
That would be good.
Well, do you know what?
And if that does happen, I will guarantee I will make some quality
sponsorship jingles, right?
I won't have either of you two reading stuff out because, you know,
that's just choogy, man.
You don't.
No.
And I guarantee if we get the right sponsorship,
I won't come back and host again.
Excellent.
Excellent.
But the price goes up every time.
This time it's £150.
All right, I'm good for £75.
You do know that was...
The episode you two did was one of the lowest listened to
for a long time.
I've got to say.
You know what?
I'd rather have no listeners but do it without you, Tom.
So you'd just rather sit...
He'd rather call me, Tom.
He's basically saying he'd rather call me.
And have a little chat.
Exactly.
Exactly.
I think that is far more enjoyable, which sounds a lot like our preparation time this morning in the green room while I was running around trying to get the audio to work.
Oh geez, I can only apologize, dear listeners. Not good enough, because if Jav and Andy sound like they're a bit worn out, it's because they've just been yakking for the last hour and a half while I've been trying to work out what's been going wrong with the sound. You know, I used to really enjoy the idea, and I still enjoy the idea, of doing the podcast, but I wake up on a Friday morning and I look forward to this about as much as I do herpes or putting a fork in your elbow.
I would have said, but you know, if you want herpes, that's fine.
Well, he's doing something that's relatable. Like, he's using an analogy that he's experienced.
This is true, this is true.
Whereas memory elbows for me is, you know...
Well, I mean, that's just a Saturday afternoon.
Yeah. Anyway, Jav, how are you?
Well, drained of my will to live right now, but otherwise I'm doing good, thank you.
Been a busy week for you?
It's been extremely busy, but very rewarding.
summer holidays have started so all the kids are at home.
So work is my escape.
Been busy writing presentations and doing whatever it is that advocates do.
Yes, that's right.
The real work.
Trying to look busy to our bosses.
Did I tell you about the time I put a Facebook status... This is years ago, I was working at a bank, and it was a joke status I put up. It was like, pretending to work while my boss pretends to pay me. And one of the managers saw it and then he reported me.
He reported you?
Yeah.
Wow.
I hope your next status was snitches get stitches.
Yeah.
What a scumbag.
Yeah, yeah.
I mean, I guess they were a scumbag.
Yeah, yeah.
Large international banks, they've got nothing better to do, middle managers in there, let's be honest. I mean, let's look at other people's Facebook.
Yeah, that's right, that's right.
Who was actually looking on Facebook?
Hey, dear Andy, how are you, sir?
Yeah, as usual, I'm the one that's actually doing the hard work. Yeah, so you guys get paid to think about things, and I get paid to do it.
So it's just been one of those busy weeks, unfortunately.
Yeah.
Well, you know, people have got to think about work for you to do
in the first place.
Got to strategize.
Yeah.
I'm telling you, mate, come to the dark side.
It's great.
Well, I do know vendors, they pay a lot of money, and certainly I think your workload has gone down, you know, on a day-to-day basis, so it's very attractive at the moment. That's all I'll say.
Okay, okay. We could put in a good word for you. We could get you in at the bottom.
So what have we got coming up for you today in this week's show?
Well, This Week in InfoSec takes us back to a time before computers even existed, allegedly, and did you know that Gargamel was actually the good guy in the Smurfs? Billy Big Balls shows how a scam scammer got scammed and scammed again. Industry News brings us the latest and greatest news stories from around the world, only this time from our temp news agency again. Rant of the Week is some actual InfoSec consumer advice on this InfoSec podcast. And finally, Tweet of the Week shows us the future of programming and software project management and what could possibly go wrong.
So, Andy, let's go into our first segment, shall we?
Our favourite one of the week.
This Week in InfoSec.
So it's that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account.
So I have always considered InfoSec a fairly modern discipline in its own right.
And so by that, I mean that when I first started working in the corporate environment,
security was just part of IT.
Firewalls, antivirus, acceptable use policies, that was security at the time,
just all part of IT side of the desk.
So I was stunned to come across this one when I read it.
And I had to verify that it was actually, in fact, 42 years ago, which is obviously 10 years before I was born, shortly after Tom's 50th birthday.
And this is on the 27th.
What's that you say, Sonny?
Yeah, this is on the 27th of July, 1979.
The first edition of Computer Security was published.
And that was written by David K. Hsiao, Douglas S. Kerr, and Stuart E. Madnick.
And so to think some of you are probably surprised there were actually
computers in 1979, never mind computer security, the tweet goes on to say. So I mean, I was actually
stunned that personal computer usage was so widespread in 1979. And not just that, but there
was actually concern for a focused discipline like security to warrant someone actually writing a book, you know, just dedicated to that topic.
Yeah, I thought it was only like 25 years old or something.
Yeah, exactly. Yeah, pretty much. Yeah. Just around the time I was born.
You look dreadful for your age, mate.
I was born for this discipline. That's what it was.
That's when it came through.
You weren't born.
You were made for InfoSec.
I was made for InfoSec.
But, yeah, so, I mean, I did look.
You can order a copy of the book.
There's a link in the show. You can still get it from the publisher.
It's about 60 quid, including shipping to the UK.
60 quid?
It better be a big book.
Well, I think it is. You know, back then it was always like the chunky books, and, you know, they cut down the finest trees to make them.
Yeah, you know, really hand broke them.
It is tempting though, I have to say, because there are certain InfoSec books which I will never read but would like to have on my shelf.
What is it?
The POC GTFO books, for instance.
I've got the first and second one of those.
I was hoping to pick up number three at DEF CON this next week,
which, of course, I'm not going to go into now.
But, yeah, there's something about certain books that you think,
you know, they get added to a collection. They're not to be read, or at least if they are, they're not to be understood by the likes of me.
But yeah, actually having something like that is something quite nice about it from almost a collector's perspective.
Yeah, I'd just love to know what content is in there. It's not on Google Books, unfortunately, so you can't get any previews or anything. I mean, just looking through the table of contents, I wouldn't be surprised if a lot of this is still applicable today.
Oh yeah.
Yeah, it doesn't seem very... And I might have shared with you a few weeks ago, someone posted on Twitter a picture from a magazine. It was an article from 1983, and the title is Computer Break-ins: Can They Be Prevented? It was by Michael Kuzak, I don't remember the name, but a lot of the content in there was just as applicable today as it was back then in '83. And, you know, the only difference really was that they were mainly the curious type of hackers. They weren't criminal hackers. They were just, like, trying to find out how systems work. They got in and maybe pranking people or what have you. But, you know, all the recommendations are exactly the same as recommendations we give today, like, you know, know your assets, prevent physical access to it and everything. So it's amazing that this book was written so long ago, before I was born, and, you know, still seems very relevant today.
It's funny how the first thing you say there is know your assets. There's a bit of a movement at the moment that sort of says there is absolutely no way you can know your assets and you have to plan around that.
Well, I've seen two tweets about that. Yeah, I wouldn't... I'd hardly call it a movement, but...
Well, you might have seen two tweets, but some of us pay attention to the industry.
some of us have real jobs rather than spending all day on Twitter.
But I see the point.
I see the point.
It's valid.
It's valid.
Absolutely.
It's a valid point.
But I don't think there's any viable alternative at the moment as well.
No, that's right.
It's all well and good saying in theory, oh, we need to plan around it.
But, OK, give us something to work with. Give us a framework.
Yeah, you need to plan around this. How?
So I've missed all of this. You're saying there's no way you can know where all your assets are?
No, well, some people are saying it's based upon the significantly more mobile workforce, the work from anywhere, the bring your own device, you know, bring on casual workers, et cetera. A whole series of factors means that knowing all of your assets all the time is impossible.
Don't agree with it.
No, I mean, I don't agree with it.
I actually think it's a lot easier.
In today's day, where you have cloud services and nearly all your software is a subscription, you know, you just look at the receipts of everything and you can work out what everything is and where.
Someone has to look through those receipts.
Well, no. So you've got different things here, right? You can, like, say you don't know where your assets are. You've got to make the decision: do you want people to access your systems from any device or from known assets? I guess that's the key thing. If you're happy with people, you know, accessing their email, whether it's like G Suite or Office 365 or whatever, from any device, then, you know, that's not a problem. But then if they have the ability to download documents from that suite, so whether that's your Google Drives or your SharePoints or your, you know, team sites and that type of thing, you've got to be confident that you're happy with that data going anywhere.
Yeah, absolutely.
So I think it's just lazy if you're saying it's not possible to...
No, it's not lazy. You've got to think about...
Definitely lazy.
If you're happy with it, you've got to think about the risk of losing something out versus the actual finite amount of resources you can put into tracking something like that. I mean, you're talking from a, you know, very closed off environment. Half the links we send you on WhatsApp: oh, I'll have to wait till I get home, I can't access that on my work machine. You know, that sort of thing you're talking about.
It's from a very pandemic days closed environment.
What?
Yeah, because they've definitely loosened up since then. But, you know, there are organizations out there that rely on really flexible working and, you know, bringing people in for like an hour's worth of work and things like that. You know, it is very difficult to actually identify where everything is at all times.
Still don't agree.
Well, I've got use cases where, you know, we use BPOs in the Philippines or, you know, other regions where you've got temp workers.
You come in and it's easy to spin them up.
But again, you're looking at it from a single viewpoint, though.
No, it's not just one company that I look up.
I came from a startup, right?
I know how to be flexible and mobile.
I think it's pure laziness.
If people say they can't manage assets.
You heard it here. You heard it here.
Yeah, I agree with Andy, surprisingly.
Well, as opposed to agreeing with me.
Yeah, right. Yeah, I mean, that is super painful, trying to agree with you on anything. You've got to be really convinced about something there.
Yeah, yeah.
I mean, you say water is wet.
Well, I'm not too sure, Tom.
Well, no, water isn't wet.
What it touches becomes wet.
Okay.
Think about it.
I was trying to think of a
that's what she said joke
to get in there but
I was going to say
something then I self censored
out of respect for the Duchess of Ladywell
thanks mate
I do appreciate that
you're welcome
she sends her love by the way
and we love her too
Anyway, shall we move on?
Shall we move on?
Rather than arguing about whether water is wet, quite literally.
Yeah, so I'm going to take to the second story I've got.
It's going to take us back to the late 90s, 24 years ago, the end of the Britpop era.
And when a young AA was cruising around the towns
in his lowered car, tinted windows, neon under lighting,
music blaring, just all around good times, okay?
Funny enough, at the time, one of my friends,
who's a stuntman these days, he's actually been in various films,
like Kick-Ass and what's that, Tom Cruise,
The Edge of Tomorrow.
Who?
And it was quite funny, so he used to always lean out the side of my car, like literally one arm out the window, and he'd be like leaning out, and every time we stopped at lights or we passed girls, his chat-up line would just be, hey baby. And I was just like proper TLC No Scrubs material. But it literally had a hundred percent success rate at least 30% of the time.
So, you know, what was his actual chat-up line?
Hey baby.
Hey baby? Like, literally, he would say it like that?
He would just lean out.
That's like... Yeah, brilliant. Hey baby.
Did he become a stuntman because he got so used to being smacked in the face?
But, you know, like, we used to work together in a bar, like, years prior to that, and at the end of the shift at night time we'd drive around the car park and he would surf on the roof of my car. And this was before he even, you know, decided to become a stuntman, so I think he was always destined for that type of life. But anyway, yeah, the reason I got into that, and like I massively digress, because, you know, when there's certain dates that come up, it puts me in a frame of mind, and obviously the 90s were like a very great time for me. And, you know, like, to put yourself in the context of, right, what's going on at the time. So hit songs at the time included Puff Daddy's Missing You,
that tribute to Biggie.
Oh, yes.
Picture of You by Boyzone, Freed From Desire by Gala.
Oh, yes.
Do You Know What I Mean by Oasis, Bitch by Meredith Brooks.
So there was everything, like The Verve, Seahorses, Coolio,
Ultronate, Hanson, Eternal, Michael Jackson.
A proper mixed bag, okay?
Okay, I recognize some of those. Hanson, right? Please, I got beef with Hanson.
Is it because you always fancied the young one in Hanson? You always fancied the young girl in Hanson.
But anyway, my point is we tolerated a bit of everything back then, okay? So everyone's living in harmony. It wasn't too bad. So, you know, 24 years ago, on around the 28th of July, 1997, Dan Moschuk, aka Tfreak, released his program Smurf, a decision he later regarded as questionable.
And then exactly one year later, in 1998, he retired Smurf,
but he published Papa Smurf version 5,
which was a new hybrid DoS attack based on Smurf and Fraggle.
So during your CCNA or CEH or CIWSP syllabus,
obviously everyone's done at least one of those,
you would have had to have studied what a smurf attack was for the exam.
But for those who are not yet enlightened,
the smurf attack is basically a distributed denial of service attack, right?
Where you send packets to a...
An overwhelming number of packets to a... Yeah, but you spoof the source IP address, right?
So the ICMP will reply to whatever that spoofed address is.
And so, you know, the idea is that, you know,
large numbers of machines then attack one single person.
And, you know, the phrase numerous attackers overwhelming
a much larger opponent is where, you know, the Smurfs come along. Today, it's a relatively easy fix for network administrators,
right, to, you know, avoid this type of thing. You just don't respond to broadcast addresses.
And you can like filter out these packets. And then the Fraggle attack was a variation of this.
And also the same author, T-Freak, actually wrote the Fraggle Attack as well,
or the tool for the Fraggle Attack as well, which is obviously the similar sort of thing, but UDP
based. So he did divide opinion at the time, but he was very well respected in Linux communities
and other sort of security circles at the time. But he published a statement at the time in 1997 when he said it. He said,
a year ago today, I made what remains the questionable decision of releasing my program
Smurf, a program which uses broadcast amplifiers to turn an ICMP flood into an ICMP holocaust,
into the hands of packet monkeys, script kiddies, and all-round clueless idiots alike. And then he went on to say, if you want to hold me personally responsible for turning the internet into a larger cesspool of crap than it already is, then may I take this opportunity to deliver to you a message of the utmost importance: fuck you. If I didn't write it, someone else would have.
And it's exactly that sort of attitude that got us to where we are today.
Yeah, exactly, exactly. Wasn't it, Governor?
So you say the Smurf attack is a relatively easy fix nowadays, but that's a very closed-minded view you're taking from a very controlled network. What about all these open organisations that want to be flexible out there?
Yeah, well, I know you can't...
What's the phrase?
You can't take the paintbrush away from Leonardo, right?
What phrase is that?
Oh, maybe that's one.
Maybe that's one that I use.
Maybe that's one you just made up.
You can't take away Leonardo's paintbrush.
I thought it was his pizza, not his paint.
Or Picasso's paintbrush, rather. Like, you can't stifle the creativity of these people, right? You're talking about all this openness, that's where it kind of comes from.
Oh, I see, I see.
But yeah, so anyway, Tfreak sadly passed away in May of 2010 at his Canadian residence.
But as the author of tools that created the Smurf,
Papa Smurf and Fraggle attacks,
he made life exciting in the late 90s.
And he's made a huge contribution to the syllabus
of every network security related course.
Yeah.
Yeah. Very good.
Very good.
Thank you, Andy.
And that was this week's.
Yeah, that was...
This week in InfoSword.
Very good.
Very good indeed.
Fascinating stuff, and the fact that you guys, you know, actually agreed on something in the face of utter logic from me, I'd like to say, but nonetheless, you know, water isn't wet. I'm just telling you that now. So shall we move on straight away to...
Listen up!
Rant of the Week.
It sounds like mother f***ing rage.
So this Rant of the Week this week is, well, a couple of things. One, it's firstly some actual advice, some actual consumer advice,
InfoSec consumer advice on an InfoSec podcast,
which one, will be amazing in and of itself,
but also two, are we still falling for this kind of thing?
I mean, my goodness, the fact that this is still an issue.
So this came from a tweet from Scott Hanselman.
Details in the show notes, folks.
And he says, what is this scam?
I'm selling something on Facebook Marketplace.
And then this lady wants me to share a Google Voice SMS validation.
Is she trying to log into my Google Voice number?
So Scott is trying to sell something.
There is an image of his messages, and the other person says,
did you get the six digits from 22000?
Presuming that 22000 is the Google authentication number.
They say, sorry, this is weird, and they say not to share it,
so I'm not going to.
If you'd like to buy the device, I'm happy to chat with you on Facebook
and you can come pick it up.
Yes, don't share other person, but share me personally because I sent it.
So a few clues here. So one, you know, the grammar isn't great, obviously.
But what it actually turns out is going on is people are identifying folks online who are selling stuff,
and this is more prevalent in the US and other countries,
less so in the UK, you can actually create a Google voice number,
a US-based number, using your Google account. And what people are trying to do is to create those accounts in your name. So basically use your identity to create a Google
number and then use those numbers, and you can send texts on them as well, but use those numbers
to go on and carry out other online scam and criminal activities. Of course, with all of the communications seemingly sent by
you. So yeah, a couple of things here. One, just sending your authentication codes to random people
from the internet or SMS, always a bad idea. And at least Scott here has definitely picked up on that.
But two, it's incredible that obviously this is still a vector of attack
because people are sending these things.
And I think that's really, again, companies like Google
should be absolutely doing more about this to try and stop these kinds of things.
So for instance, the sending of digits obviously to certified accounts and certified numbers,
which they've done here. But if you're putting your phone number on a listing or something like that, you're going to open yourself up to exactly these kinds of attacks, you know, stick to emails or something like that instead, you know, or even a landline number as well.
So the Google Voice thing actually works with landline numbers as well.
In what sense?
As in you can receive a text, and they can use your landline number.
No, but if you... Yeah, but what this person has done in this instance is got hold of Scott's mobile number.
Yeah, so he's put an advert on Facebook Marketplace, right?
Yeah.
He's used his mobile number.
Yeah. But if you use your landline number, you can still get hit with the same thing. So they can call that number and give you a code.
Right. Okay. Well, you heard it here first, folks. So, yeah, just let's be careful out there, folks. Always people out there trying to scam you.
And also my other piece of consumer advice is, you know,
delete your account from Facebook.
Move on.
It's a bad place.
And if nothing else, here's the evidence for it.
But, yeah, so my rant of the week is basically don't fall for this stuff.
People are constantly going for it, really. You know, we should be very much more aware of these kinds of attacks at all times. So there you have it.
But, you know what I mean, he has actually said something in his response with this scammer. He's done the right thing, absolutely the right thing. Like, he's obviously got a message, it says, like, you know, don't share it with anyone.
Yeah.
So I think Google are doing their bit to say, look, guys, don't give this stuff out.
And I see the guys, like, yeah, you're right.
You know, it's like, no, no, don't share other person, but share me personally.
Yeah.
Because I sent it.
Yeah.
Don't worry.
Just verify for my safety.
Just send the code. I will call.
Yeah, yeah, yeah. Exactly. Yeah, that sense of urgency is always...
Well, sense of urgency and pressure and all that sort of stuff, you know.
Yeah, it's a sad indictment of society, right?
Yeah. But you see on the... So Facebook Marketplace, Craigslist, Gumtree, all of those things, and in the UK, you know, we've got Auto Trader for selling cars and things like that, and they actually change the numbers. So when you publish your number...
That's right, they do actually replace your number with...
Yes, yes.
...a number. Yeah, and they filter out, like, all this sort of spam and stuff like that.
Yeah, because you get so many scams whenever you list anything.
And there's just no real alternative for people.
They want to sell something.
They put their number on.
Not everyone's got burner phones just for the sake of selling stuff.
I'm selling some car parts on eBay.
And on there it clearly says, you know, pick up only, I won't deliver because they're big
and bulky. It's going to be expensive. I've already had two people say, oh, can you send
this to my friend in Nebworth? And then somebody from Australia said, I really like to buy this.
Can you deliver it to Australia? So I said, yeah, bang, 250 quid on top of what you send me,
and I'll refund the difference.
You know?
Yeah.
Haven't heard a thing since.
Yeah, where you received the check.
Yeah.
You know, I'm sending you a check for £6,000.
I know it's only £4,000, but if you can send me the difference back.
Yeah.
Yeah, that would be classic.
Oh, some great scams.
It's brilliant.
Some of these scams have been going on for so long.
Well, they are very clever.
I mean, they really are, well, the majority of them are well thought through
in that sense.
It's almost like a sleight of hand magic trick, isn't it?
You know, it's very carefully thought out. It makes you focus on all the wrong, or right things for that matter, but, you know, it takes your attention into a direction you wouldn't ordinarily have it taken.
Yeah.
And then before you know it, you're screwed.
Yeah, yeah, exactly. Before you know it, you're giving them your credit card number over the phone with a full CVC number.
A friend of mine, he actually got caught by one of these scams.
They offered him a phone upgrade for a ridiculously low price and, you know, on a small contract.
And he ended up giving them his bank details or card details,
and they withdrew money.
But the interesting thing was they actually spent six months on that.
So they actually phoned him up six months prior, and he was like,
no, I'm in contract, I can't do it.
And then they called him up afterwards, you know,
just before his contract was set.
Oh, you know, we spoke to you a few months ago.
Excellent.
So they've got, like, something like a sales force.
Yes, I was exactly gonna say sales force.
Yeah, that was this week's Rant of the Week.
This is the Host Unknown Podcast, the couch potato of InfoSec broadcasting.
So let's move very swiftly on to this week's...
Billy Big Balls of the Week.
Thank you for that, Tom.
And the Billy Big Balls story actually ties very nicely into what we were just talking about.
And so if you've ever been on YouTube, there's an account run by a gent who goes by the name Jim Browning, and he actually is an anti-scammer. He hates all these tech support scams that come through.
So, yeah, but for those not aware, a tech support scam is you get a phone call from someone claiming to be from Microsoft saying that there's a virus being detected on your machine and they're there to help you. So you're, like, very worried. They're saying there's hacking attempts going out from your machine, or, you know, they scare you in different ways. So you're like, okay, what can I do to help? And they tell you to read off some things from your screen, and basically they remote desktop into your machine, or they get remote access, and then they'll do some things that cause pop-ups to occur. They'll scare you even more, and then they'll be like, don't worry, I can help you, just pay me some money and we'll clear it up for you. And sometimes they take money, sometimes they're like, oh, can you go get a gift card and, you know, read off the serial number to us, and all that kind of stuff. Really despicable human beings.
And Jim Browning, he's an anti-scammer, so he'll set up these honeypots. They'll call him and ask him to do it, and he'll play along with it. But he plays the reverse Uno card, and he actually gets into their systems. His YouTube videos are great, because you can see their desktop, and as he's talking to them, he's going through their files, he's deleting files, he's finding out where they're actually based, what their real names are, you know, pictures of their friends and family. He even got into, I think, some of their CCTV cameras.
Oh, it was him, was it?
I believe so, I believe, right. So he does all this, you know, legally we can't condone or approve of this spectacular work that he does.
Yeah.
But so he's a smart guy, one of the good guys, really raising awareness and giving it to these scammers, and you think he's probably one of the most savvy people on the internet. But unfortunately, in a cruel twist of fate, he received an email from YouTube support saying that he has a duplicate AdSense account, and as a result his account will be suspended from YouTube. If you want to reply to us, try on the click on chat button underneath if it was something unintentional. So he was like, can you send me the details? As far as I'm aware, this is... How do I see if they're duplicates? Anyway, they checked him for a bit and they convinced him that what he needs to do is delete his account, and then they'll restore it and make sure it's not duplicated.
Oh no.
And you know what, they're playing with his emotions, right? He's obviously making a lot of money from his AdSense.
Yeah, you know, all that. This is like his bread and butter. You know, he's thinking about losing his livelihood here.
Yeah, you know, his judgment's clouded.
It is, exactly. And this has got to be a bunch of them getting together and working out the best way to hit him, right?
Yeah, yeah, yeah, definitely. Wow.
And it just goes to show that even if you're the most savvy person out there, with the right conditions, you know, if the timing's correct and you hit this right emotional trigger point for them, then people will fall for it.
Well, I mean, he caught 99.999% of all the attacks against him, right?
He just missed that last final one.
Yeah, and that's because normally he sets up the honeypot, and so they think they're calling up some pensioner or what have you. But this is like a definite spear-phishing attack against him directly, and they want to delete his account and what have you. So it was a pretty Billy Big Balls move on the part of the scammers.
I'm sure once he gets his account back and he's going to go all like Liam Neeson on them.
I bet he is.
I bet he is.
But it does go to show how misplaced the kind of victim blaming side of things is,
because, frankly,
it just takes one tiny slip up and you can get caught, right?
Yeah.
And the quality of the attacks is increasing all the time.
And it is getting harder and harder to differentiate between them.
It is.
You know, so it's, again, as you say,
someone like this who really knows all the tricks in the book just got caught out.
Well, God, my heart goes out to him.
I mean, that must be that must be a real neck Mohican time, right?
It's all right.
I mean, I'm sure YouTube will restore his account quickly.
And since he went public with it, they would, yeah.
Well, and it's good on him for going public on it, right? I am assuming he was the one who went public on it.
Oh yeah, he did, he did. Yeah, yeah. And good on him for going public on it. It takes all the power away from the actual attack itself.
Yeah, that's right.
That's right.
I'm sure people will be like, why is your account no longer available?
So it would have taken genius to figure that out.
I think there's also just an element of how there's, you know,
criminals will always find a way to mimic whatever process
any organisation puts in place.
And the fact that they baited in with the use the chat function here
and what have you.
You know, we always say, oh, if it's like that,
don't click on the link in the email, navigate to the site directly.
But, you know, it's one of those things that you just, like Andy said,
when it hits your emotion at that point,
you just don't think clearly.
You're like into panic mode.
Maybe you're in the middle of dinner and all of a sudden,
you're like, hold on, love, you know, I need to sort this out.
My channel's about to go under.
Yeah, don't cook the steak yet.
We might not be able to afford it.
Yeah, yeah, cancel the Tesla.
From what I heard, the Tesla can cancel itself.
Yeah, yes, that's right.
But, yeah, no, I thought it was a Billy Big Balls move on the part of the criminals. I'm sure I've heard unconfirmed rumors Jim Browning's taken a sledgehammer into his garage, he's smashed a hole through the hollow wall he created where he's got his prized hacking laptop, and he's got the Baba Yaga of the internet scam world.
Yeah, yeah, taking a couple of gold coins out.
Yeah, well, I think, yeah... story.
Thank you so much, Jav. Billy Big Balls of the Week.
Sketchy presenters, weak analysis of content and consistently average delivery.
Like and subscribe now. Andy, what time is it? It's that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who are now offline.
So for the third week running, we're using a temp agency,
and they've been very busy bringing us the latest and greatest security news
from around the globe.
Industry News.
Apple patches zero-day vulnerability in iOS, iPadOS, macOS under active attack.
Industry News.
Tech biz must tell us more about security breaches, says UK Gov, as it ponders lowering report thresholds.
Industry News.
ICO ends its involvement in dispute between NatWest Bank and data breach whistleblower.
Industry News.
eBay ex-security boss sent down for 18 months for cyber-stalking and witness tampering.
Industry News.
Iranian state-backed hackers posed as flirty Scouser called Marcy to target workers in defence and aerospace.
Industry News.
'Woefully insufficient': Biden administration's assessment of critical infrastructure infosec protection.
Industry News.
Israeli authorities investigate NSO Group over Pegasus spyware abuse claims.
Industry News.
Upcoming Android privacy changes include ability to blank advertising ID and safety section in Play Store.
Industry News.
Spam is Chipotle's secret ingredient: marketing email hijack to dish up malware.
And that was this week's...
Industry news.
Huge. Huge if true.
But upcoming Android privacy changes, are they following Apple's lead here?
Do you know what, I knew you would hone in on that one straight away, which is why your very first story was about Apple patching zero-day vulnerability across the estate, but not telling anyone why or what it's about.
It's like,
which is typical Apple,
right?
They're just like,
there's these huge vulnerabilities.
We're not going to,
we're not going to address it.
It's a paternalistic,
don't worry your little selves about it.
We've got this,
we've got you,
But anyway, are Android doing the same thing as Apple's TSS?
They are, right? To me, Android is basically like the unmanaged assets of mobile space, right?
You've got your Play Store.
You do what you want.
Anyone can upload it.
Google, you're just lazy.
You're just lazy.
So, yeah, they are putting that stuff in, yeah, to sort of make it better for that default tracking.
Wow, the advertising and market industry is going to be all over the place on this.
They'll find new ways.
Yeah.
Like the accelerometer or whatever.
Yeah, I just find that amazing.
Listen to the vibrations going.
Yeah, yeah.
But it's really interesting, you know, all this. There's been a huge shift of advertising revenue gone towards Android as a result of Apple's thing, and now Android are now doing exactly the same thing.
Well, is it copycat, or is there some inherent benefit to Google doing this in the light of Apple doing it?
Well, I think it's more regulatory driven, right? So things like GDPR, it's becoming a nightmare for these people to manage it. The California legislation as well. I just think the world's changing.
But for who to manage it?
For Google and Android?
Surely not.
I think they make it easier.
If you think the admin will go behind having to check every app is compliant
with this and then having to sort of take it down,
I think it's just the direction of the industry.
Ultimately, it's the way it's heading.
But the Google Play Store is not known for the quality of its check-in anyway
right?
it's open
season
maybe they've just got to
that part of their
list of things to do
yeah
after
clean the windows
mop the floor
sort out privacy and Google Store.
Wow.
I mean, Google themselves, they can't get too stringent on this
because a large portion of their revenue still comes from advertising themselves.
Yeah, yeah, that's right.
This is why I find it fascinating they're going that way
because their whole model is, you know, their operating system is free,
their devices are heavily subsidised and, you know, all that sort of stuff.
And it's being paid for by the advertising and marketing.
So I think this is something we need to do a bit of a deep dive on
at some point.
Let's find some headlines and read them out.
Yeah, exactly.
Oh, dear.
There was that other one there.
Yeah, Jav, it's that one that you read out.
Yeah, this one really caught my eye. It's the ICO ends its involvement in dispute between NatWest Bank and data breach whistleblower.
And this caught my attention because NatWest is near and dear to my heart
having been my,
my first ever job on one work placement.
And there there's a,
it's a really bizarre case.
And I had to read the story a few times and I'm still not sure I get all the
details,
but there was someone that worked at a branch and they, for some reason, personal reasons, they were working from home, and they had an agreement with their branch manager that they could work from home. And between 2006 and 2009, they're working from home, and they would either be posted or they'd go in once a week to collect some paper documents. And they were, I think, a mortgage and loan advisor, so they had a lot of personal information in these files. And the worker, she realised that HR or no one really senior was involved in this, and she got a bit worried that, I've got all these personal details in my home and no one's really signed this off at the bank, my manager just said let's work from home. So she wanted to try and return it, and this is where it gets really complicated because... where's it gone?
She tried to give it back, and they were like,
I think the bank was reluctant to take it back or something.
Like the document's back.
Yeah, yeah, there's this whole weird thing in between
where she then raised some grievance.
HR advised her to put the whole thing in writing,
so she'd done,
and that led to a whistleblowing incident being raised.
Yeah.
Yeah.
Because it lacks data security practices.
Went through some grievance process,
and then she was dismissed in May 2009
for not returning documentation. The official
reason for dismissal was gross misconduct and flagrant disobedience following a reasonable
instruction from a more senior employee. A tribunal later upheld the decision.
The employee then said she was advised by the FSA to get a receipt from the bank before handing back information, to protect her own position from potential future litigation.
So you're getting that part, yeah? So she's got this documentation. She's got three years' worth of customer data.
Exactly. From like mortgage applications and stuff like that, just sitting at home on her desk, right?
That's right, that's right. And in 2012 she informed the ICO, like, you know, help me out here, there's a potential data breach. And the ICO, who are probably too busy trying to figure out who leaked Matt Hancock's videos, they ended up responding about 10 years later saying, this is not our problem because only electronic information was covered by the Data Protection Act 1998. And regardless, GDPR has come into effect since then, but this is all pre-GDPR so it doesn't come under that. This is like real no man's land, like one of those use cases that's just slipped through the cracks.
Yeah, but the Information Commissioner's Office surely deals with paper records, because, you know, the clue's in the name. If it was the Digital Commissioner's Office, yes, but the information, you know. And what if she scanned it, would it then be covered?
Well, yeah. So the former employee is eager to hand the files back but wants to be indemnified against future claims from former and current NatWest customers.
Yeah.
And this has hit a stalemate,
and the ICO has withdrawn its advisory support.
What?
You guys deal with this yourself.
You kids buy it.
You kids sort it out.
You know, I spoke to a couple of ex-NatWest colleagues and they were like, this is pretty much on brand, this is on point for what things would do. I don't think anyone comes out of this looking particularly good, the ICO or RBS or NatWest.
No, no. Yeah, it's not great. I'm still hazy over the fact that she's got these documents but didn't hand them over and was fired for not handing them over.
I think there's lots of them. She handed over most of them. She kept 1,600 records because of the FSA's advice
that she should get a receipt,
and she wants indemnification against future claims
because if a customer says that this is a data breach,
she doesn't want to be held personally liable.
So NatWest are refusing to give her a receipt for these documents?
I think they've given her a receipt.
They're just not indemnifying her for any potential claims.
Right.
So therefore she's not handing the documents over.
Yeah.
Yeah.
Something like that.
And the advice of the Financial Services Authority, right,
which you'd think is a reasonable authority.
So I wonder what the FSA is doing about this then.
I think when they saw this story published they had a big, like, right, who was responsible for this, let's scrub all the records.
Yeah, yeah, no, I mean, obviously the FSA wouldn't do that.
Invoke the Enron protocol.
Yeah, exactly. Is that the sound of shredders I hear in the background?
Everyone that's working from home with these personal records, shred them now.
Yeah, wow. The last statement, like, so they asked why the bank hasn't just got a court order to go into their house and get the records, and a lawyer said that, oh, the bank has probably made a decision that on the balance of things it's not worth it, the data is stale and it's not really a risk, because people don't live in houses for more than 10 years.
No, no. Or they change their name and date of birth.
Yeah, exactly, exactly. Jeez. I think in Reddit parlance, ESH and ETA.
Everyone sucks here.
Everyone's the asshole.
Yes.
Yes.
Just to give you an insight into what middle management at a place like that is, if you remember back in the day there was the bird flu pandemic, and a lot of businesses went through, you know, some sort of business planning and what have you. What if people get infected with the bird flu and it spreads? How we laugh at those simpler times. And there was a meeting, and in that the advice was like, regularly wash your hands with soap and warm water.
And there was one guy in the meeting, a middle management, who didn't want to take, obviously, responsibility for decision making.
He helpfully pointed out, we don't have warm water in our building.
What should we do?
Oh, my days. To which the guy that was leading the meeting, he looked over at him and he was like, really stared at him for like 10 seconds and just said, just water in that case.
Oh, man.
So that whole bird flu pandemic, right?
So I used to like to have a bit of fun when I worked, right? And at the time where I was working,
we had a lot of customers asking us for our pandemic plan,
you know, how we'd continue to function
if this bird flu did reach our shores and stuff like that.
And so I got this request in.
It was like a high-profile client.
And so I just assumed that it would be vetted
before it got sent out.
So the FD sent me this thing.
He said, right, you know, really important one.
Can you provide the response for this?
Like detail out the pandemic response plan.
And so for a joke, I said, you know, for the IT department,
I actually wrote the plan is as soon as the first person coughs,
we execute them on the spot and shipping replacements from India.
And I sent it back to him, like, you know, for a joke or whatever.
And then just forgot all about it.
And then later that day, I said,
oh, I guess you haven't got around to reading that pandemic response yet.
And he said, oh, no, I sent it straight back to the client.
Oh.
Basically, I was like, you're joking, right?
He's like, no, why?
I was like, that is not the real plan.
Never got a follow-up, though.
So you never read it?
Yeah, I'm sure the bank's never read it either.
Wow.
I guess it was a time everyone's looking for, you know,
what are people doing?
Let's get some ideas.
We were agile back then, right?
Nice.
All right, Andy. It's time this week for...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this is a jovial tweet, trying to end on a high
after Jav tried to bring us down last week at this stage of the show.
Yeah.
So this is a tweet...
This is a tweet from someone called Brian Lyles.
And he's basically screenshot another tweet.
So this is like tweet section really.
But he brought it to my attention.
So I have credited him and he says,
this is why I visit Twitter.
And what he's done,
he's got a screenshot of another guy who's saying: in less than one year as a project manager at Facebook, I've created zero tickets or tasks. We don't do sprints either. PMs here focus on vision, strategy and partnerships, less on project management and tasks. Engineers carry most of the project management responsibility and create their own tasks.
It's great. And obviously, this is something I'd expect to see on LinkedIn.
But, you know, the first response says, so assuming you're using the product you manage and notice a bug, how do you communicate it?
You know, which is a valid response.
The next response is, well, you write a strategy vision about how bugs shouldn't be part of the project.
It's great.
I mean, I can't get my head around what he's actually saying.
I'm not quite sure how that works.
Yeah.
So project managers don't do project management.
Yeah, that's pretty much what he's saying, yeah.
Yeah.
They're visionaries.
I guess it's kind of like you guys are advocates, right?
You don't actually do any security.
You're just security advocates, right?
Yeah, absolutely.
We've been there. We've done that, Andy. We put our time in. When you've done your time, you too can become an advocate.
That's right, that's right. We do exactly what the job title says we do.
This guy has a job title of project manager and he's saying, I don't project manage.
Yeah, at least we do what we say on the tin, as it were.
Yeah, wow. That was an excellent one. Me and Tom in violent agreement.
I know, right? I know, right? You're gonna tell me that you agree that water isn't wet next.
Dogs and cats living in harmony.
Tweet of the week.
Oh, dear.
Excellent.
Excellent.
Lovely.
Very good episode.
Enjoyed that.
Gentlemen, what have you got up for the weekend?
A cancelled barbecue.
Ah, that would be nice. So it's no longer going to be a barbecue. Yeah, that'll be nice. Hope you enjoy your not-barbecue.
Yeah, I've got a bunch of science experiments with my kids where we'll be testing water and whether it's wet, or whether it's just a feature. Water isn't wet, water makes things wet. It's like darkness, there's no such thing, it's just the absence of light.
Yes, that's exactly it. Share your findings with us via the group chat.
I will. I've got like my first chemistry set by Heisenberg Industries.
Well, I'm making my electric bike this weekend,
so that should be fun.
A Lego one or the actual electric one?
No, no, a real one.
An actual real one, yeah.
Yeah, absolutely.
Absolutely.
When you say making it,
are you assembling something that you bought
or have you bought separate parts
and you're actually building it?
I'm assembling something.
It was shipped in a big box.
Well, that's quite lazy, isn't it?
It is lazy. I thought I'd have an easy weekend for once. Anyway, Jav, thank you very much, and do have a lovely weekend.
Thank you. You're welcome. And thank you, Andy, and I hope you enjoy your unbarbecue. Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard,
comment and subscribe.
If you hated it,
please leave your best insults
on our Reddit channel.
Worst episode ever.
r slash smashing security.
We got through it then,
later than planned.
It's only like a half-day project now, and that's without the editing. What's two and a half hours between friends?