The Host Unknown Podcast - Episode 71 - Thank You For the Music

Episode Date: September 3, 2021

This Week in InfoSec
With content liberated from the “today in infosec” twitter account
1st September 1997: Nmap was first released as a simple port scanner via an article in issue 51 of Phrack magazine which included the source code.
http://phrack.org/issues/51/11.html
https://twitter.com/todayininfosec/status/1300864278497558528
31st August 2014: A user of the message board 4chan posted leaked photos of actress Jennifer Lawrence and numerous other celebrities.
https://mashable.com/archive/celebrity-nude-photo-hack
https://twitter.com/todayininfosec/status/1300537361676283905

Rant of the Week
Guntrader site hacked and plotted onto Google Maps

Billy Big Balls of the Week
Scam artists are recruiting English speakers for business email campaigns
According to Intel 471, forums are now being used to seek out English speakers, in particular, to bring together teams able to manage both the technical aspects and social engineering elements of a BEC scam. If a scam is to succeed, the target employee must believe communication comes from a legitimate source -- and secondary language use, spelling mistakes, and grammatical issues could all be indicators that something isn't right, in the same way that run-of-the-mill spam often contains issues that alert recipients to attempted fraud. "Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams," the researchers say.
In addition, threat actors are also trying to recruit launderers to clean up the proceeds from BEC schemes, often achieved through cryptocurrency mixer and tumbler platforms. One advert spotted by the team asked for a service able to launder up to $250,000.
"The BEC footprint on underground forums is not as large as other types of cybercrime, likely since many of the operational elements of BEC use targeted social engineering tactics and fraudulent domains, which do not typically require technical services or products that the underground offers," Intel 471 says. "[...] Criminals will use the underground for all types of schemes, as long as those forums remain a hotbed of skills that can make criminals money."

Industry News
Bangkok Airways Admits Attackers Stole Passenger Data
Microsoft Cloud Databases Exposed
UK Government Considers New Regulations for Video Streaming Platforms
Indonesians Told to Delete Unsecured Tracing App
Victim of Cyber-Theft Sues Parents of Alleged Culprits
Australian Couple Admits “Serious Cyber Hacking Offenses”
WhatsApp Fined a Record €225m for GDPR Violations
Sacked Employee Deletes 21GB of Credit Union Files
UK Researchers Invent Device to Thwart USB Malware

Tweet of the Week
https://twitter.com/JackRhysider/status/1433097343692324864
https://cybarrior.com/blog/2019/04/05/eagle-eye-reverse-lookup-tool-for-social-media-accounts/

"The Box" © Charlie Langford
Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Have you donated to your mate Matt Hancock, who's running the London Marathon this year? Yeah, I donated the minimum amount just so I could tell him what I thought of him. Just like half the country. Yeah, yeah. It's probably, in the process, raised so much money. Well, I mean, it is for a good cause, but a cause that, you know, he could have... It's just like the cyber equivalent of, you know, old school fetes where you could pay to throw something in your teacher's face. Yeah, yeah, that's exactly it. You pay a small amount just so you can call Matt Hancock... Yeah. You're listening to the Host Unknown Podcast.
Starting point is 00:00:56 Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome to episode 71 of the Host Unknown Podcast. An auspicious day, it would seem, because, well, today there was an announcement that ABBA have just dropped two singles and will be releasing a new album. We might as well just play the outro music now, because nothing could top that. I'll let you... I'm gonna let you finish, but first I gotta say Kanye West also dropped a new album. I thought you said you were gonna let me finish. Yeah, but first I gotta say. It's wasted, man. It's honestly all the culture... Oh, is that a cultural reference? Oh my God, you tell me you haven't seen the memes? I mean, the one of the billion memes of Kanye getting up on
Starting point is 00:01:45 stage and interrupting Taylor Swift, saying, "I'm gonna let you finish, but first..." Oh, well, I remember him doing that and just thinking he's a bit of a cock. So, uh, so that works. And with what you just did last week, you did not get the reference to the 8 Mile rap, and today you don't get the reference to Kanye West. How old are you, Tom? He was the oldest person at ABBA's last concert, in the crowd, I believe. They last performed 40 years ago. Their new concerts that they're going to be doing, they're doing them sort of virtually. Not like through a Zoom call or something, but they're gonna have sort of like virtual representations of them on the screen, on the stage, and they've called them avatars. Come on, that's brilliant. That's brilliant. Okay, we can insert some tumbleweed music. So, I mean, Tupac did this at Coachella, like, years ago. Oh, yeah.
Starting point is 00:02:46 Yeah, that's right. But, you know, technology will be much, much better now. So rather than sort of like just some, you know, old Victorian smoke and mirrors thing, it'll actually look quite good. And the music will be better. Debatable. Come on, it's ABBA. It's ABBA. I've got a lot of love for ABBA, but you can't go off Tupac like that.
Starting point is 00:03:13 You can't do dirty. Oh dear, Jav, how are you, sir? Very good, very good, thanks. I went to the cinema last night for the first time in, like, two years or so. So, so when are you doing your PCR testing? Yeah, exactly. Yeah, no, I did one this morning, and my daughter was off this morning to get hers for school as well. But yeah, we saw Free Guy with Ryan Reynolds. It was amazing. I really want to see that film. It was really good fun. Highly enjoyable. Anything with Ryan Reynolds in it?
Starting point is 00:03:51 Yeah. Except maybe Green Lantern. Yeah. Yeah. I mean, he's good in it. The film's pretty rough. Yeah. Anyway, yeah.
Starting point is 00:04:01 So that was the highlight of your week? Of yesterday, yes. Of highlights of yesterday? Get you with your "I've had a good time." Yeah, it was a good day. I bet you don't know who said that either. You did just then. Oh, man, there's so much to teach,
Starting point is 00:04:25 there's just not enough time. I just don't know where to... Well, maybe this will be proof that you can teach an old dog new tricks.
Starting point is 00:04:34 On the weekend, watch the movie 8 Mile and then watch the movie Straight Outta Compton. Ah, yes, yes, that's about that
Starting point is 00:04:45 popular skiffle beat combo from New York, wasn't it? Yeah, just watch it. It'll be good. Andy, what about you? What have you been up to? It's been all right. I was listening to
Starting point is 00:04:58 last week's show to hear you two come to talk about... Oh my God. One of our best, I think. One of our best. You guys literally dissed the NCSC top 10 cybersecurity tips. Well, yes.
Starting point is 00:05:10 Because it wasn't detailed enough. No, that's not... Because we all know that one size fits all. That's not what we dissed it for. That's not what we dissed it for. And we didn't really diss it. Like, have an asset register. Oh, my God, what a crazy...
Starting point is 00:05:25 What a crazy recommendation. Patch your systems. Oh, my God, what a crazy thought. That wasn't the... That's exactly what happened. This is you rewriting history again, like you saying that you've never been off on a show. So we can come on to that one afterwards, right?
Starting point is 00:05:44 When you guys tell me which episode I was off, right? And then we can come back to this one. But as I was listening to that... Look, I'm gonna let you finish, but let me just first say it means I'm gonna have to listen to all the old episodes, and I'm not doing that. So it actually reminded me of a time... I used to have a friend that worked on a cruise ship, and he told this story of, like, an onboard guest, an American, who, like, chewed him out one day because of lack of information about how to get around the boat, right? And the cruise ship obviously had maps and signposts all over, and, you know, guests were actually given a map as well, how to get around and where to go. And this guest actually came up to him, complained that her portable map didn't have a "you are here" icon on it, so she said it was
Starting point is 00:06:27 impossible to figure out where she was in order to navigate around the boat. This is a paper map. A paper map, right. And so what I'm saying is, sometimes you have to stop spoon-feeding people in order to make the world a better place. And, you know, NCSC can make recommendations, but they can't do it for you. No, absolutely, absolutely. But what NCSC normally hands out is really sensible, down-to-earth advice, and this just seemed to be really sort of up in the air, well, kind of obvious stuff, rather than sort of say... Of course it's obvious, because people still aren't doing it. This is the problem. It's not like, you know... The whole thing was that it would have been really useful to just say, to caveat something in the document or whatever you're
Starting point is 00:07:12 saying: these are not easy to do, you know, don't think of this as a top 10 checklist that you can just sit down one afternoon and go through. I think we said that, didn't we? I think that's exactly what I said. That's exactly... If Andy had been paying attention rather than trying to work out how he's going to be outraged at us, then maybe we would have heard it. I had to come back to save my show. So that was your highlight of the week, was listening to how good a show we did. Actually, upon listening to the show,
Starting point is 00:07:44 the funeral was actually the highlight of the week. Let's put it that way. Anyway. I thought you were going to say something worse, like smashing security was the highlight of the week. Oh, come on, let's not go that low. Come on, Carole does a brilliant job on there. She does.
Starting point is 00:08:03 It's just... Anyway, Tom, what have you been up to? I repaired two iPhones. Because I can. You're putting kids in third world countries out of a job now. Still on brand then, I see. Yeah. Yeah, right.
Starting point is 00:08:23 A couple of old iPhone SEs. I got some specific jobs for them. A couple of old iPhone 11X. 11X Maxes you no longer use. No, these are the original iPhone SEs. And one had a cracked screen, and both of them had really bad batteries in them, obviously given their age. So I opened up the first one, which I just needed
Starting point is 00:08:46 to replace the battery on, and then immediately snapped the cable to the Touch ID, so had to order up a new Touch ID button. So, yeah, got the battery and button replaced on one, and the battery and the screen replaced on the other. It was quite interesting. It was quite fascinating. Literally, by the end of the repair, I didn't even need the instructions. I knew my way around it completely. Wow. See, your small hands have come in handy. It wasn't my hands that I sent you a picture of the other week. Well, that wasn't your finger. I thought you just had a little stubby thumb. Sorry, Mum. So, yeah, that was the highlight of my week, really. Oh, and we had a little sort of off-site with the UK team of the company yesterday.
Starting point is 00:09:43 That was good fun. Good to see everybody, as always. So, yeah, it was nice. It was all very good. Well, speaking of your company, I saw that you are launching a new some sort of cyber chat or podcast. That's right, a new podcast. Well, I wouldn't say it's a rival podcast.
Starting point is 00:10:03 I mean, that one's professionally produced and has some real guests on it. But, yes, it's coming out. It starts on Tuesday, and of which I believe you two are the guests in the final episode, episode number six. In about six weeks' time, it'll be worth listening to. Yeah. Well, the fact is it's taken about four months to even get this far. So, and didn't we also, like, record it, like, fourth,
Starting point is 00:10:30 like, fourth in line or something? Yeah, yeah, that's right. So why is it taking so long? How much editing did you put into it that it took you four months to get everything I said? Yeah, that's right. That's right. Do you know how difficult it is to find a voice actor who can actually say things that make sense, you know, that sounds like Andy, that isn't 12 years old? But, yeah, we had a few technical challenges and a few production issues and some, sorry, more fundamental things, like we changed the name, which meant the teaser that went out was dubbed over by me with the name. So that was quite funny. It does sound a little bit like a badly dubbed Indian film at one point, but I think we got away with it because
Starting point is 00:11:26 nobody said anything yet. Everyone's gonna go back and watch it again. I know, I know. Well, if you spot it... Well, especially after we've said the name change, I mean, I think it's quite straight, quite easy now. But, yeah, yeah, you know, write in to the show, we'll read it out, we'll read out your incredulous remarks. But, yeah, yeah, yeah, but it's good. I'm looking forward to it, because it's a bit of a labour of love, and we've got some great guests on there, apart from the last episode, but we've got some really good episodes, really good guests. And there was a point where we thought it wasn't going to be released at all, which was really disappointing, because I had some great conversations with the guests,
Starting point is 00:12:07 really, really interesting. They're only barely half an hour long, to be honest with you, so easily digestible and probably a whole lot more educational than this podcast, to be honest with you. Lies. Okay. Well done. What have we got coming up for you today? Well, This Week in InfoSec, we revisit Fyodor's gift to the InfoSec community. I thought this was... I thought this
Starting point is 00:12:37 was InfoSec, not sort of Tolkien. Rant of the Week is bad for the UK, but it would, however, be a welcome excuse in the USA to exercise your freedoms. Billy Big Balls is written in perfect English this week. Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week is about stalkerware, which refreshingly does not pretend to be anything else. So let's move swiftly on to Andy and... This Week in InfoSec. And I'm going to let you finish, Andy, but just before you... I was going to, just before you did a great job last week... Yeah, I was gonna say, I'm gonna let you finish, but let me just first say, I think we nailed it last week, didn't
Starting point is 00:13:34 we, Jav? I actually thought it was me talking. It was uncanny, wasn't it? I literally pre-recorded it and sent it in for you guys. Yeah, yeah, exactly. That's why we nailed it. So to take our loyal listeners back to what they all tune in for, this is that part of the show where we take a stroll down the InfoSec memory lane with content liberated from the Today in InfoSec Twitter account. So our first story takes us back a mere, click on the calculator, 24 years ago to the 1st of September 1997, when Nmap was first released as a simple port scanner via an article in issue 51 of Phrack magazine, which actually also included the source code at the time.
Starting point is 00:14:23 So if you do not work in cyber sec, there is a free and open source network scanner created by Gordon Lyon, aka Fyodor, which is called Nmap, and it's extremely popular. And when it was first released, it didn't even have a version number, because there were no new releases planned. But it got so popular that less than a week after it was released, it got an improved version. And then three months later, he actually registered insecure.org, and the rest has become history. Wow.
Starting point is 00:14:54 And it's a tool so popular, it was even used by Trinity in the 2003 film The Matrix Reloaded. Right. Oh, that's right. Yes. Yeah, still very much part of any cyber security Swiss army knife, but it was spawned 24 years ago this week. Wow. Yeah, whenever I hear about Nmap, it always reminds me of the thing, what was it, nine years ago, 2012,
Starting point is 00:15:32 when the slightly dodgy online magazine, Hakin9, and they were known for sort of publishing stuff without any kind of editorial overview, blah, blah, blah. And so to highlight this, a bunch of people, and in fact, I think I've got their names here. Where is it? David Harrison, Sherry Davidoff, Avery Buffington, Sahil Khan, blah, blah, blah. They created a document called The Guide to Nmap. Chapter one was about the internet considered harmful,
Starting point is 00:16:10 otherwise known as DARPA-influenced checking kludge scanning, or DICS. And that was actually the entire, basically, how the rest of the document went. It was completely made up, filled with little sort of things like that. So they even sort of say, to enable the DICS plugin, we also specify the -sC, -sV parameters, blah, blah, blah. DICS will trigger a remote pool overflow, blah, blah, blah.
Starting point is 00:16:44 So it's filled with stuff like this. It's utter rubbish, and Hakin9 just published it without even understanding it in the slightest. And I'm not sure if Hakin9 is still around now, but they did seem to be very prevalent around then, and they were often, continually, asking for people to publish. In fact, I even think they published something written by me once, which just goes to show you, absolutely no editorial oversight. Yeah, exactly, exactly. So, yeah, that's what I think of whenever I hear about Nmap. Yeah, interesting. Our second story will take us back a mere seven years ago to the 31st of August 2014, when a user of the message board 4chan, so you already know, you know, which direction this
Starting point is 00:17:33 is going, a user of the message board 4chan posted leaked photos of actress Jennifer Lawrence and numerous other celebrities. Wow, so it's that long? It just feels like yesterday. No, it was just yesterday when you last looked at them, Jav. No. This is, I mean, this was an event that got, you know, various names. And obviously, it actually had a massive impact in various online communities. And it still occasionally trends. It was Fapgate, wasn't it?
Starting point is 00:18:01 The Fapening. Oh, and the Fapening, yeah. Yeah, so it's known as the Fappening or Celebgate. Yeah, that's right. And obviously it's referred to the hacking and leaking of hundreds of nude photos of over 100 celebrities. I think the poster children for that were, at the time, Jennifer Lawrence and Rihanna.
Starting point is 00:18:17 Yeah. Just because, you know, their status at the time. But all these pictures were leaked, obviously, on the now closed image sharing forum. But they're still available, I believe. Yeah, as well as Reddit. And obviously, this is once they're published, that's it. It's difficult to get them down.
Starting point is 00:18:38 I know that even now, every month, there's people that go out, trace and try and delete these images from the web. And it's just a messy, legally challenging, just damn near impossible task to keep up with. It's one of those things that the more effort you put into deleting them, the more likely they are to stay around. And the harder it gets. Yeah, yeah. If you were just to leave it alone, they would just, you know, before you know it, they just end up being on the dark web, otherwise known as page two and three of the Google search. Yeah. Well, I mean, yeah, I mean, it's a tricky one. So, I mean, the guy that leaked all of this back then, he was 36 years old at the time, Ryan Collins. He essentially hacked into these iCloud accounts by sending phishing emails to all
Starting point is 00:19:28 of these celebrities. Probably spear phished them. Targum explicitly said that I think the account was something like Apple Privacy Security or Apple Security Privacy at iCloud.com or something like that. And he basically asked them to provide their usernames and passwords, in emails that were crafted to look exactly like an official email from Apple or Google. And then, once in, he downloaded all these photos from the iCloud and then published them. Obviously, I think he started off selling them, before, you know, someone just decided to dump the whole
Starting point is 00:20:02 lot. And he did go to trial in 2016. So two years later, he was sentenced to 18 months in prison on account of hacking into more than 600 people's iClouds. Wow. After pleading guilty on account of unauthorized access to a protected computer to obtain information. But as you say, like, this, it does feel like yesterday, because I guess the fallout from this was huge across the industry. It wasn't just... It really highlighted, so I guess,
Starting point is 00:20:32 how women are targeted way more than men, you know, like... Yeah, yeah, definitely. You know, in quite a toxic way as well. But it also highlighted other issues, like Apple's lack of two-factor authentication, or lack of enforcement of... Or enforcement of, yeah. And how Reddit manages communities. Yeah. You know, how all of these people sort of self-regulate themselves. I mean, even 4chan, you know, came in for criticism, and, you know, they kind of said, yeah, it's not great. But I know that, you know, Reddit moved to ban all of this stuff, and they got a lot tighter on what was published and stuff. And it turns out that I think two of the celebrities were under the age of 18 on some of the photos, which obviously in the US is, you know, counts as, like, child porn.
Starting point is 00:21:20 Yeah. You know, under their law. So it's quite a, like, a massive event. And as you say, it's still going on now. You know, sites will occasionally pop up. And then other people sort of added their, I guess, added photos to it, you know, sort of said, oh, I also have photos of this celebrity, you know, pay me X amount. And, you know, I'll give you access to them. But, you know, they kind of mix and blend in the fakes with the real stuff. And it's just become a nightmare to kind of manage that information going on. But, yeah, only seven years ago.
Starting point is 00:21:50 It's one of those things that I think you have to be quite binary about in the sense that you either lock down everything, you make sure you don't even, you know, the best, just like the NCSE advice last week, you know, if you don't want your photos being leaked on the internet, don't take photos, you know, that might be leaked. Or conversely, just, you know, if they're out there, forget it. I don't care if there are photos out there of me, you know,
Starting point is 00:22:19 and the less interest I pay to them, probably the less interesting they will be to other people as well. I mean, that's difficult to say because you're not an attractive young celebrity lady in her early 20s. I'm certainly not a lady, no. But there are plenty of people out there. And I think it's slightly more common amongst younger people that there is no such thing as real privacy, and if stuff gets out there, then fine, publish and be damned. Well, I mean, it's different if you send it to someone versus if you're taking it for yourself.
Starting point is 00:22:59 Oh, no, absolutely. It's automatically uploaded to iCloud, you know. This is the problem, that a lot of these celebrities, they weren't sending these to other people. No, no. You know, they were taking pictures of what they thought would be private. Well, they were. I think even Jennifer Lawrence said that she was sending it to her boyfriend at the time. Oh, she did, to her boyfriend, yeah. But then there's plenty of others where, you know, they were just, you know, taking photos at home.
Starting point is 00:23:22 Yeah. Yeah. Yeah, but, yeah, it's, well, I mean, anything, sharing the unauthorised sharing of stuff like that anyway is particularly heinous and upsetting and disgusting anyway. And, you know, people should just learn not to be quite such horrific dicks for a start. And it's illegal in many cases. I think it falls under revenge porn
Starting point is 00:23:46 now. It does now. It does, yeah. Which is absolutely how it should be. And, but yeah, I think you're right, Andy. I think there was a huge amount of movement on the sort of two-factor authentication front as a direct result of this. Yeah, I think Jennifer Lawrence came out with a few statements then that were very, very on the point, because she, she... She said, look, I'm a human and deserve human rights, and what have you. And I think she said something that even some of her friends, or people that she had a lot of respect for, said that, oh, yeah, I saw the pictures. Yeah. And she said that, I respect them a lot.
Starting point is 00:24:32 I love them. Some of them are very dear to me. But I was thinking I didn't say, I didn't give you permission to look at my naked body. Yeah. And, you know, it's like so. And I think that's such a powerful statement because strip away all the 2FA or all the technical controls or the security and everything. There's that certain common human decency there that is like, you know, you don't have permission, so don't do it.
Starting point is 00:24:57 Yeah. Yeah, that's right. That's right. And also, why would you say to somebody, oh, those photos, those naked photos of you that were leaked, I saw them. You look great, honey. I'm so sorry. It's like, really? A kind of vacuous kind of thought process is going on in your head when you say that. No idea. Yeah.
Starting point is 00:25:19 But it is Hollywood, so I don't know. Very true. Very true. So, Andy, thank you very much for This Week in InfoSec, that almost turned into a Rant of the Week, I have to say, which is good and quite coincidental, actually, because let's move straight on to... Listen up! Rant of the Week.
Starting point is 00:25:49 It's time for Mother F***ing Rage! So a few months ago, there was a hack of a site called Guntrader, which is a UK site. It's been likened to Gumtree. It's basically an area where gunsmiths and private gun owners, that's legally registered gun owners, can go and trade the firearms that they have. And what it does, it's got a big sort of CRM database, and it does a lot of the paperwork for you, because anybody who knows anything about owning firearms knows that it's a paperwork nightmare. So I used to own shotguns. I used to do clay pigeon shooting quite a lot. I've
Starting point is 00:26:41 since sold them, but every time you sell a gun, you have to synchronise with the person you're selling to. You have to fill in each other's gun certificates. You then have to send a letter to your local constabulary, or your county constabulary, confirming that a trade has happened, etc. What Guntrader does is... Selling a car with the V5 logbook, right? Yes, but, like I say, you have to actually write a letter. There's no form to fill in that you just sort of tick a box and off you go. It's, you know, writing a letter, etc. It is that principle, but it's just a little bit more old-fashioned. But what Guntrader would do is deal with all that for you in the background, as well as facilitate the selling and purchase of the weapons. And the key thing here as well is, if you are
Starting point is 00:27:39 a gunsmith and you're buying and selling weapons a lot, it takes a huge amount of the paperwork away. All very good. Unfortunately, they were hacked a few months ago. 111,000 UK firearms owners' addresses and details, including longitude and latitude, as well as IP address, location of where the account was last used, etc. That data, whilst it was breached, it was lost a few months ago, somebody in their infinite wisdom, and I'm sure it's for malicious purposes, has plotted the list of those 111,000 details into a Google Earth file on a site for hunt saboteurs. So as Gareth Corfield tweets about it, and he makes a very simple statement, this is a worst-case scenario. So for our non-UK listeners, hunt saboteurs... As you know, we're in the UK, or as you may know, in the UK there's an old tradition of hunting foxes using horses and dogs, and it's a very divisive
Starting point is 00:28:59 sport, in inverted commas, not something I partake in, despite what Andy and Jav might say. Normally done by the slightly more sort of upper middle classes, etc., because, well, for a start, it costs a lot of money to own a horse. And hunt saboteurs are people who are trying to stop this from happening. Without going into too much detail, there's various government legislation, blah, blah, blah, but hunt saboteurs go and literally sabotage the hunts. By actually making these details available, these home addresses of these people available to hunt saboteurs, you've quite literally set up an environment where hunt saboteurs can go directly to gun owners, to their homes, and actually either break in or cause extreme distress.
Starting point is 00:29:55 Not least because just because you own a gun doesn't mean that you agree with blood sports and hunting, et cetera. It's going to lead to potential criminal acts which would be classed under the Terrorism Act of 2000. It's likely to cause, to be used by criminals for targeted break-ins and the theft of said guns. And worst case scenario, and thankfully I didn't use Guntrader, but people who have sold their guns, who have no firearms whatsoever on the premises, they may well be targeted as well for break-ins as a result of this. The other thing as well is since it also gives the physical location,
Starting point is 00:30:47 the longitude and latitude of where you last logged into this account, various people have said that they've logged into this account from their parents' house, from partners' houses, from friends' houses or whatever. So those people who have very little relation with the weapons themselves, even if they exist, are also going to be targeted. So this is a, well, quite literally, as Gareth Caulfield says, this is the worst case scenario.
Starting point is 00:31:15 So this is just horrendous and just goes to show that, you know, just a simple breach of your records, if a company says, ah, but no credit cards were stolen, that means nothing. Actually, people can use this data for various other reasons to target you for other criminal acts as a result. So yeah, this is really concerning and um very scary to be honest with you it's a good rant and surprisingly i've got nothing to disagree with other than the u.s would just be everyone's house right yeah exactly well this is it this is this is
Starting point is 00:32:01 why I said in the intro, you know, bad news for the UK. At least in the US they'd be able to say, well, I can exercise my freedoms by shooting you. It's easier to say who hasn't got a gun in the US. Well, yeah, exactly. But what I found really strange in that whole thing is that you said that you've never been fox hunting. Nope. You don't have friends that, you know, go fox hunting?
Starting point is 00:32:25 Lies. I do know, I didn't say that. I do know people who go fox hunting, and I can't, like I said, I don't agree with it. It's not something I feel is needed. I think it's a tradition that was based out of a need to reduce, you know, centuries ago, out of a need to... When you couldn't shoot peasants anymore, right? Yeah, that's right. Well, you used them to flush the foxes out. But no, I mean, foxes are particularly vicious animals. They have a very cutesy image.
Starting point is 00:32:57 They are particularly vicious animals. If they're hungry, they'll break into a farmer's chicken coop. They will kill all the chickens and take one away with them, if, you know... So they are very destructive animals, but there are far better ways of controlling the fox population than hunting them with horses and dogs and horns and, you know, people wearing red jackets and white jodhpurs. Although frankly everybody looks good in white jodhpurs. But I don't know, you know, as an aside, I don't agree with it. But whether you agree with it or not, publishing people's, you know, home addresses on a site dedicated to violent acts, albeit in defence
Starting point is 00:33:41 of something they feel gives them the moral high grounds, but, you know, that's a purely subjective viewpoint. But publishing home addresses on a site that is known for carrying out violent acts against people is not a good thing. That is just particularly scary. It is. Especially as your address may be in there just because someone happened to log into this website from your address.
Starting point is 00:34:13 Yeah, yeah. So you used to own a shotgun for clay pigeon shooting? Maidstone 3. Yeah. So why was it then when we in Vegas a few years ago went down to the gun range, were you so bad? I wasn't bad. And anyway, it's a different type of shooting. OK. He was holding it side on.
Starting point is 00:34:41 It's because I wasn't allowed to shout, pull. It's because I wasn't allowed to shout, Paul! That was this week's... Rant of the Week. You're listening to the award-winning Host Unknown podcast, the show which Smashing Security sets their out-of-office to.
Starting point is 00:35:04 Right, Jav, I think we should move on to you actually for, well, we all know which one it is because we're all doing the same ones every week, but it's this week's Billy Big Balls of the Week.
Starting point is 00:35:19 Yes, Billy Big Balls this week are our friendly neighbourhood cyber criminal gangs. And we know that over the years criminals, they try to adapt their techniques and processes, they try to get better and better, try to increase their chances of success. And on one side they improve their technical abilities; soft skills are just as important in the criminal world as they are in the real world. So when you receive a phishing email, what's one of the biggest red flags on it? Language. Language, yeah, definitely language. Exactly, exactly. Sense of urgency, all that stuff. Yeah, yeah. So a lot of it is grammar, spelling, and my favorite is when they, the
Starting point is 00:36:12 at the end of the email, they use the word kindly. So, thank you for your cooperation, kindly, Tim Cook, Apple. You know, that kind of... But anyway, it's language. And so scammers are getting a bit fed up of their perfect plans being foiled by some pesky kid who doesn't know how to speak English properly or type it properly. So according to Intel 471, forums are now being used to seek out English speakers, in particular to bring together teams able to manage both the technical aspects and social engineering elements of a BEC scam. BEC stands for business email compromise. It's one of those nasty ones where they, it's also known as CEO fraud, where they will claim to be someone within your
Starting point is 00:37:06 organization or a trusted partner or vendor. And the thing that's tricky about these ones is that there's usually no malicious link or attachment in there. So there's nothing you can scan. It just comes through and it's like, hey, I'm the CEO, this invoice needs to be paid now. Or it'll come from your partner and say, we're updating our bank account details. Please, can you make future payments to this bank account in the Cayman Islands or wherever? Thank you kindly.
Starting point is 00:37:36 Yeah, thank you kindly, John Walsh. Sure. But, you know, so grammar and all these things are a problem. So these actors are now using native English speakers to draft more convincing or more accurate BEC scams. And what this research has found that in addition, they're also trying to recruit launderers to clean up the proceeds. Is that North launderers or South launderers? I'm not from Bolton. I've never been to Bolton. So they're also looking for money launderers who can set up their cryptocurrency mixers, which is basically how they launder stolen bitcoins or cryptocurrencies. And one advert asked for a service that could launder up to $250,000.
Starting point is 00:38:46 That's not a lot. It's not a lot, but, you know, if that's like one pop at a time or something, I think, you know. Oh, I see. I see. Not here's a whole stack of cash, go do it, but up to $250,000 each time we drop you the cash, as it were. Yeah, something like that.
Starting point is 00:39:03 Gotcha. So I think it's quite a big Billy Big Ball move on their part. Well, advertising on these forums, which they know are being monitored by researchers and law enforcement all the time, but they just don't care. And, you know, really upping their game in that. I think that's the key thing. They're just doing product improvement, right? They are. It's just weird. How can they improve the quality of their leads?
Starting point is 00:39:32 It's obvious, right? Improve the language. But how has it taken them so long to get to this point? It is something I think they've been doing for a while. It's just... Really? Not from what I've been receiving. Well, there is that other aspect, isn't it, where they deliberately misspell things to get the sort of people
Starting point is 00:39:50 who are more susceptible to scams. Exactly. This is true, yeah. It's almost like a reverse psychology, isn't it? Yeah. It's just trying to find the more gullible people. The other reason, I think, is also that maybe in a sort of scam, the scammer kind of way, they've advertised for the last decade
Starting point is 00:40:12 for native English speakers, and they've had lots of people saying, oh, I'm definitely a native English speaker. He says desperately trying not to do a foreign accent. But, you know, and so, ah great, he's a proper English speaker, and then they come up with something that says, you know, please do the needful, thank you kindly. Yes, yes. I mean, like, Google Translate only goes so far. Yes. But it is an interesting thing, and like, to Andy's point, it is product improvement. Yeah.
Starting point is 00:40:47 Because I have also read reports about how some of these actually do like A-B testing on their emails, just like our marketing department. So they send two variations of them out and they'll see which one gets a better response. And then they'll go with that to their main customer list, or hit list, whatever. It would be fascinating to see if they send out the perfectly spelt one versus their traditionally misspelt, which one really does get the more hits. If their original idea of weeding out the fools, as it were, or weeding out so that they do just get the fools,
Starting point is 00:41:26 whether that is actually going to net them more people. Wouldn't you love to see – they should publish research papers on this. They should. They should go speak at conferences and all that. Yeah, yeah, absolutely. Virtually, of course, because otherwise there would just be people waiting in the wings with a set of handcuffs. Yeah, spot the fed becomes a very real game. That's right.
Starting point is 00:41:49 But yeah, no, I think, you know, this will carry on improving, you'll get better. I think along with advancements in spear phishing, or, like, more OSINT to facilitate better spear phishing, I think this will just get worse and worse. In fact, I've heard of some use cases of some of this deep fake type of AI type of technology to send, to automatically put together a spear phish email based on social media data that it goes out and collects. So you put it in that this is the person, this is their profile, and it will find out keywords and everything. It's still not very good at all, but it will try to figure out things like, oh, this person posts a lot about, you know, foxes, so maybe if I send a phishing email claiming to be from the, you know, Fox Hunting Society of Oxford or something, then maybe they're more likely to click on that link. Interesting. God, how dare they use this technology against us, eh? I know, I know. It's just not fair, is it?
Starting point is 00:43:05 No. No, exactly. Exactly. Thank you very much, Jav, for this week's... Billy Big Balls of the Week. So when I ask you this next question, Andy, don't take it literally like Jav did last week. So, Andy, what time is it?
Starting point is 00:43:30 It's that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe. Industry News. Industry News. Bangkok Airways admits attackers stole passenger data. Industry News. Microsoft cloud databases exposed. Industry News. UK government considers new regulation for video streaming platforms. Industry News. Indonesians told to delete unsecured tracing app. Industry News. Victim of cyber theft sues parents of alleged culprits. Industry News. Australian couple admits serious cyber hacking offenses. Industry News. WhatsApp fined a record 225 million euros for GDPR violations. Industry News.
Starting point is 00:44:31 Sacked employee deletes 21 gigabytes of credit union files. Industry News. UK researchers invent device to thwart USB malware. Industry News. And that was this week's... Industry News. Huge, if true. How do we find out if we were one of the people that was in that 21 gig of deleted files? Are you a credit union customer? I've never heard of credit union, but it sounds like I should be. Yeah, so, yeah, I don't think you're going to be involved in this.
Starting point is 00:45:12 Is that like a credit card? It's a credit union based in New York. You just say the same words again. What's a credit union? It's a credit union, yeah, but in New York. So I'm just going to keep saying it as I click on the link and read the story, okay? So I'm stalling here. Yeah, now, I recognise that I could have done that, but this being an audio podcast. Mortgage loan applications. Ah, right, right, right, right, right, okay. In New York. Okay.
Starting point is 00:45:40 That wouldn't have benefited anybody, would it? What, deleting the data? So this is an employee that, before he actually left, before they disabled his account, he actually just went in and destroyed all the data. So all of their customers, 20,000 files, 3,500 directories. That's probably, rather than sort of, you know, struck one against the big man, has probably just fucked up a lot of people trying to buy houses, right? Well, and also people who have mortgage loans with these people as well. Well, now that might be a good thing.
Starting point is 00:46:14 Oh, you no longer have a mortgage with us. The house must be yours. Yeah. So the story actually says that although she may have thought she was getting back at her employer by deleting files, she's done just as much harm to customers. Yeah, yeah, I can see that. Yeah, not good.
Starting point is 00:46:32 Not good. It's not like Fight Club where, you know, the end of it where you blow up buildings and suddenly there's no credit cards. Spoiler alert. After she was terminated, after her employment was terminated, it took them 40 minutes to disable her account. 40 minutes. Now I would suggest that 40 minutes is probably not that bad on average. Yeah, I wouldn't, yeah, that was bad either. That's right. But it does go to show how important it really is to be better at that. Yeah, wow. Frog march people out immediately.
Starting point is 00:47:14 Yeah, well, I mean, the thing is, as they are in the meeting, it should be suspending the account, right? Not deleting it, but just suspending it so that they can't log in. Because if, for whatever reason, at the end of that meeting they decide not to fire that person, well, you just, you know, re-enable the account. But during that meeting there should be a coordination between HR and whoever, and IT, that at this time their account, you know, must be, you know, suspended. Yeah. Oh, hang on a second. Do you know what? So she is facing 10 years behind bars.
Starting point is 00:47:50 Whoa. She's pleaded guilty. No, she's submitted a plea. No, yeah, admitting one count of computer intrusion. But it says two days after she was fired, but yet later on it says that the IT, the company didn't request termination until, you know, two days later, and then 40 minutes after they requested it was disabled. Two days? Yeah. Oh, well, there you go, there you go. And if I was a customer, I would be suing the company for incompetence.
Starting point is 00:48:27 Yeah, definitely one up there. If you've lost my mortgage application and caused me untold pain and misery as I'm about to buy my dream house, that's through your incompetence. You should sue them anyway. And if they say we don't have you as a customer, say exactly because my records were deleted. So what happens to my house? Yeah.
Starting point is 00:48:51 Yeah. Brilliant. I think you should just pay me all the money. Yeah. Yeah. Oh my God. Um, and also the other story about WhatsApp,
Starting point is 00:49:03 Gents, I think we need to find another place to have our conversations on. So what were they actually doing? I saw that it was this record fine, but it's Facebook and I... No idea, but it can't be good, and it can't be good for us and our private conversations that must remain between us all at all times. But if they've been fined, surely they've now learnt their lesson and now they're going to do things better? Isn't that the
Starting point is 00:49:28 whole, I'm sorry, who are we talking about here? Drop in the ocean. 225 million euros, learn their lesson? We're talking about Facebook, right? Because they're known for actually implementing changes as a result of fines and doing better, aren't they? Lots of doing business, my friend. Well, that's how they view it, exactly, because they're scumbags. Hold on, this isn't rant of the week. You know, if you want a rant, I want to see how, like, you know, the airline, they really Bangkoked up with their breach.
Starting point is 00:50:04 Oh, I'll tell you what. They're set up for that. I mean, I'll tell you what, you could have seen that coming a mile away. It doesn't matter. Well, they should have seen it coming a mile away because someone was able to exfiltrate, what is it, 200 gigs of data from their network, and no alarm bells went off, no, nothing went off. Luckily
Starting point is 00:50:27 no, nothing operational of the airline was impacted, just passenger data. Yeah, yeah. And even in passenger data, the credit, it's only partial credit card information. I bet they focus on that. Yeah, that's what they say. Yeah, there is no evidence that credit card data... Yeah, exactly, exactly. But what was taken? I'll tell you what was taken. It was your name, if you're a passenger, it's your name, your passport number, yeah, your address, yeah, your flying history, yeah, your special meal requests. So someone could find out you're lactose intolerant and poison you. No, what they could do is say, you know, well, say you're always getting a halal meal or a... I switch mine up every time I fly. Yeah, ain't no one building a profile on me. That's it, that's it. Again, focus on the piece of data that is the most easily replaceable of the lot, the credit
Starting point is 00:51:36 card. Yeah, exactly. Whereas your passport, your home address, you know, not easy to replace your home address, is it? No, especially if your data has been deleted by credit union. Exactly, exactly. Or if that home address is also a registered gun owner. See what we did there, folks? See what we did there? Anyway, I think we need to move on, but yeah, that was this week's Industry News. Industry News. Andy, over to you in the dying embers of the show. Let's see what you've got for us for this week's Tweet of the Week. And we always play that one twice. Tweet of the Week.
Starting point is 00:52:31 So this is a tweet from Jack Rhysider. I don't know how to pronounce his surname. I've never... Rhysider. Rhysider. Rhysider. Yeah, Rhysider. So Jack is the host of the Darknet Diaries podcast, and he has surfaced this
Starting point is 00:52:49 tool, brought it back to people's attention. His tweet basically reads: this is Eagle Eye. It's a tool used to find people's social media accounts. You feed it the name of the person and an image of them. It does a reverse lookup on the image, uses facial recognition, and then tries to find any Instagram, Facebook, YouTube, Twitter and other profiles of that person. So it's actually been around for a few years. There's a link in the show notes as to how this tool works, and as it says, it uses facial recognition to try and get the right profile, because obviously there's a lot of people with certain names on there. And yeah, I guess what's really good is it does that validation, right? It compares the photo you've given it with the other profiles and Instagram
Starting point is 00:53:37 accounts and Facebook and things like that, and at the end you get a nice little PDF report. So it's open source, you can modify it however you want. It's very similar to Sherlock, which you may be familiar with, but Sherlock can't do the reverse image searching. But obviously, the great thing on this thread is that a lot of people are kind of creeped out by it. But there's nothing here, I think, that people don't do manually, if you know what I mean.
Starting point is 00:54:04 Yeah, it's just it can do it at volume and speed. Yeah, and also you get a nice little presentable report at the end of it. Oh, I could do a nice report. I couldn't do the techie stuff, but I could do you a nice report. Oh, you can reverse search someone's image, right? Yeah. It's just doing that matching, right, to figure out whether or not it's the same person. Yeah, but I just…
Starting point is 00:54:24 Rubbish with faces. That's what I've got people for. Actually, I don't have people now. Those days are long gone. Those days are... yeah. Well, you're last at an ABBA concert, right? And on a plane. And on a plane. But yeah, just the fact that people are freaked out by it, and I kind of get it, but also, and this is one of those things where, you know, we talked earlier about how women are sort of more unfairly targeted by, yeah, you know, sort of men when it comes to sort of leaks and, you know, those sort of creepy shots. I actually think women do more of this, like, OSINT research on guys they're dating or guys that their friends are dating. Well, yeah, kind of do it better than guys do. Yeah, because dating a bloke sometimes, you know, results in very real physical danger if you're dating the
Starting point is 00:55:12 wrong guy. Yeah, for sure. But you don't need to go in and figure out that, you know, this guy's sister went on holiday to, you know, Faliraki, you know, six years ago. You know, there's a level it gets to, and sometimes where she says, oh, my brother Jack is back in prison again for hitting his missus. That's what they do it for. Yeah, well, I think that's where it starts off, and then it becomes kind of like entertainment as well. So sometimes, you know, my wife does it all the time. She'll, like, you know, start looking at, you know, she'll... Oh, we know. Yeah, yeah. No, no, she'll, like, you know, be really interested, and some of it's just curiosity, but I think there's a very real reason why so many people do it. And shockingly, I'm with Tom on this one, I think. I think it's really easy to say from a safe place that it's unneeded.
Starting point is 00:56:08 But I think anyone that's in that position... I don't think anyone said it's unneeded. I think this is more people are freaked out that it's automated, I think is the point. Whereas there's nothing here that you can't do yourself. It's all about efficiency. It is. It is about efficiency
Starting point is 00:56:26 and the thing is, it just makes it more accessible to the more casual stalker. And, yeah. And on the bombshell of Jav agreeing with me, thank you, Andy. You're gonna kill it here? Yeah, just, I'll quit while I'm ahead. And Andy, thank you for this week's Tweet of the Week. Well, folks, we have sped around the corner and we've just crossed the finishing line of this week's podcast. Gentlemen, thank you so much for your time, efforts, contributions and love as. Jav, thank you very much, sir. You're welcome. And Andy, thank you very much. Stay secure, my friend.
Starting point is 00:57:12 Stay secure. You've been listening to The Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel. Worst episode ever. R slash Smashing Security. What do you want, Jav? Because you agreeing with me makes me feel very uncomfortable.
Starting point is 00:57:36 I know. It's awkward for me too. Let's not speak about this to anyone. You complimented me earlier this week on Twitter and now you're agreeing with me. I'm like, yeah, something's going on.
Starting point is 00:57:50 I'm bringing you up for the big four. Yeah. You know what? You're going to see like in a few weeks, the signs are all there. Why don't we see? Oh dear. I'm just glad that you're not going to ask me for money.
Starting point is 00:58:06 I know you have got none