The Host Unknown Podcast - Episode 78 - A Record Breaking Breaking Episode
Episode Date: October 22, 2021

This Week in InfoSec (13:03)
With content liberated from the "today in infosec" Twitter account
20th October 1996: Twenty-five years ago today. Happy birthday, Ping of Death. https://t...witter.com/ajMSFT/status/1450833383597043713?s=20
15th October 1985: 50 FBI agents raided more than 20 homes, seizing 25 personal computers (mostly Commodore 64s) after a group of at least 23 teenagers in San Diego County remotely broke into Chase Manhattan Bank computer systems that July and August. CHASE COMPUTER RAIDED BY YOUTHS https://twitter.com/todayininfosec/status/1184283049204174849

On the Group Chat (20:27)
From @maxsec, friend of the show: Cybercrime gang sets up fake company to hire security experts to aid in ransomware attacks https://twitter.com/campuscodi/status/1451241038908121099

Billy Big Balls of the Week (29:04)
https://twitter.com/ImposeCost/status/1449738212696641538?s=20

Industry News (36:50)
US Treasury Tracks $5.2bn of Ransomware Transactions in Six Months
Twitch: No Passwords Were Taken in Data Breach
UK in Midst of $200m Crypto Fraud Epidemic
Apple iCloud Hacker Steals Nudes
LightBasin Operation Compromises 13 Global Telcos in Two Years
Microsoft, Intel and Goldman Sachs Team Up For New Supply Chain Security Initiative
Twitter Pulls Account After Argentinian Mega Breach Claims
Data Scrapers Expose 2.6 Million Instagram and TikTok Users
US to Ban Export of Hacking Tools to Authoritarian States

Tweet of the Week (46:02)
https://twitter.com/ElJefeDSecurIT/status/1451232980463075332

Come on! Like and bloody well subscribe!
Transcript
Record Breaker A record maker You're a record breaker
If you're the best, the worst, longest, immersed
If you're the bass, the ace, furthest in space
If you can score more than ever before
Then you're a record breaker
You're listening to the Host Unknown Podcast Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us.
And welcome to the Host Unknown Podcast, episode 78 or 82 or whatever it is.
A record-breaking Host Unknown podcast, I'll have you know.
If Mr. Roy Castle was here, he would be introducing Mr. Javvad Malik right now.
Javad, how does it feel to be a record-breaker?
Well, thank you, thank you. It's a bit surreal, to be honest. It doesn't quite feel like it, I suppose, because everything's just done remotely. It was just like delivering a webinar from home, which is what I do every day anyway.
So what you're saying is it's not a big deal at all. So it's just BAU for you then?
Yeah, yeah. You literally just had someone witness your job and they've given you a title.
Yeah, unfortunately that task fell to me.
Oh, thank you.
Oh, well, you snore as if I didn't send you a brown envelope with used fivers in it.
Just getting a little tap on the shoulder from the lawyers. There was no brown envelope.
Oh, is the official term manila?
Manila, that's right.
Council culture. Panamanian.
Yeah.
No, it's, you know, it's so weird. It's like growing up always watching Record Breakers and never thought I'd be part of an attempt for one. Even though it's obviously not like I'm the world's fastest man now or anything like that, but still, it's something for the record books, I suppose.
Yeah, interesting.
That theme tune we played was obviously from the 70s because it talked about the fattest and the thinnest,
which I think we probably wouldn't get away with today.
No, I mean, you'd probably get away with it in the 80s and 90s, though, right?
Well, yeah, true, true.
Definitely in the 70s.
Before my time, I wouldn't know.
Yeah.
But I will tell you something really interesting.
Now, I don't know if I told you a couple of weeks ago,
someone fly-tipped a whole bunch of rubbish in the service road
behind my house.
So effectively blocking about eight of us houses from being able
to access any of our garages.
Oh, my God.
You couldn't even walk past it.
That's how much.
Literally, someone had refurbished an entire house or flat,
and they dumped absolutely everything.
So I received a message from one of my neighbours
who went out for a cycle in the afternoon.
He said he left about 12, came back about 1, and it wasn't there when he left and it was there when he got back. So he couldn't even bring his bicycle back in through the garage; he had to go through the front of the house.
Crikey.
And so he got in touch with the council, and the council said, well, it's a service road for your garages, so we don't really get involved, it's the residents' responsibility. And I was like, you know what, this doesn't feel right. So I was like, okay, 12 and 1, that's fine. I've got a CCTV at the front of the house and it covers the service road that goes to the back. So lo and behold, about quarter past 12, I see a big van pull in.
Now, unfortunately, it couldn't get the number plate on it.
It was just a bit too fuzzy.
But I went round the back again, and my other side neighbour,
she came down, and she was like, what's going on?
This, that, the other.
And I was like, this is what happened.
She said, this looks like a lot of residential
way she goes she grabs a massive
glove says there must be an address
in here somewhere
and she dives head first into it
she's ripping up bags she's like
really fuming
and she finds an address
printed on a letter
so
my other neighbour he's really fuming at this time, so he says,
give me the letter. And it's like half a mile up the road from us. So he storms down there.
He comes back about half hour later, says that, oh, it's dry cleaners and they own all the flats
above the shop. And they said that one of their tenants had moved,
they had renovated, they had a lot of rubbish out front. And some guys came up in a white van said,
give us 50 quid and we'll take your rubbish away or however much they wanted.
They said they don't have their details. They don't know who they were. They just came,
they took cash, they took the rubbish and they thought they were going to dump it off responsibly.
So I was like, okay, we have a case now.
So I put it all together.
Is this, I'm just, when does this become a record breaker?
It's not a record breaker.
I'm just really proud of like.
Oh, right.
Okay.
Okay.
Sorry.
Sorry.
Right.
Okay.
Yeah.
Crack on.
I don't realize I'm going on a bit about this.
This should have been a tweet thread. I would have got more likes on it. But, so, you know you have those local community policing, like the PCSOs and what have you?
Yeah.
Oh yeah, so I know one of the guys because he sends an email every month with stats about how many people in berg. So I sent him an email with all the details in it.
He gets the council involved.
And lo and behold, today the council have taken all the rubbish
and they find the person that dumped all the rubbish.
So a happy ending.
How did they find the person?
Oh, they find the person that paid the unauthorised, you know, tippers to take it. So it wasn't the actual criminal that got caught, but at least we didn't have to pay, and now our garages are accessible once again.
And the InfoSec story here is OSINT in the wild.
OPSEC.
OPSEC. Dumpster diving.
Burn your... Oh, OK.
I was talking about the other side.
Burn your personal details before you dispose of them.
Shred them.
Yeah, exactly.
So, Andy, how many of your neighbours have you had arrested recently?
No, I just keep myself to myself.
I'm a good neighbour.
Yeah.
Yeah.
You don't like to grass your neighbours up to the council.
I ain't no snitch.
No, you even pay for them to have their trees removed.
Yeah, that's right.
Yeah, twice the going rate as well, apparently.
What was that, episode 50-something?
I can't remember.
I'm easygoing.
Or can I say I'm a good neighbour?
Yeah.
How's your week been?
Mine, I was trying to do a bit of cleanup, really. Following the conversation we had, I started digging into some old accounts which I've got.
I thought you were saying you cleared out one of your bedrooms and some fella in a white van offered to take it all off your front lawn.
Yeah, and then the council finally, yeah.
No, it's all, I've messed something up somewhere. So I found something, well, probably not that interesting. One of my email accounts doesn't accept emails from domains that don't have a pointer record, and Office 365 accounts do not have pointer records.
Yeah.
So I tried sending myself an email from another account and it got rejected. And so I thought, I don't even know what I've done, if I'm honest, but I think I've lost access to about 15 websites which I had under a web host manager. You know, I need to look at it. I was doing something else at the time, so yeah, that's going to be my weekend sorted.
You're as frivolous with your domains as you are with your cash.
To be fair, some of these domains were last updated in the 90s.
So, and you're still paying for them on an annual basis, I take it?
Still paying. Well, I actually became a web host myself, sort of, in the early 2000s, because it was cheaper to manage my own host than it was to have...
How'd you become a web host?
You just buy a shedload of storage as a reseller from a company, and you get your own web host manager, like, install, all set up, and you just provision your own websites and your own DNS.
So you've lost access to your web host, your own?
I've got access to the host.
That's the funny thing.
I can control the host.
I cannot access any of the websites below it
or retrieve emails from any of those.
Hmm.
Interesting.
Not really that interesting, I'll be honest.
No, no, no, I find it interesting, and just how your mind works. I mean, did you one day set yourself up as an importer of fine wines or something because you found that it was cheaper than buying wine from your local shop down the road or something?
No, but I have set myself up as, you know, a commercial entity, because it's cheaper buying, you know, Haribo in bulk as a reseller than it is to buy it.
So how much have you saved on Haribo over the years?
Couldn't even tell you.
And what was the last fine for late filing?
Ah, well, you know, we put these things in perspective, right? You can't really tie one into the other, right, because one's about perky, one's about a tetchy tax office that, you know, is a bit anal with paperwork. They're not really related at all.
Anyway, how's your week gone?
Yeah, it's been great.
It's been great, yeah.
Yeah, yeah.
I destroyed an iPhone 4 this week.
I took it apart and stuck it into a picture frame.
Nice. For the picture, it looked very, very nice.
It does.
There is a deliberate mistake in there,
which neither of you have picked up on yet.
But, yeah, so I'm going to do another one.
So I've just ordered another iPhone,
which I'm going to destroy and pin up on a special board.
iPhone 13 Pro Max.
Yeah.
Well, I did say there were some shares coming out soon.
But yeah, it was good fun, actually.
It's really interesting looking at how,
when you actually take something completely apart,
you actually do feel like, you know,
the sum of the parts is greater than the whole.
You wonder how the hell it all goes back in.
Okay, Dexter.
No, you know what?
I was thinking, I don't know if you ever saw the TV series Heroes,
and there was a character Sylar in it.
Yeah.
That's how he figured out how people's powers worked.
He used to...
Oh, pull them apart.
Slice their heads off.
Take their brains...
Look at their brains, basically.
Yeah.
That's the guy who went on to play Spock, wasn't it?
Yes.
It was, yes.
Yeah, not Leonard Nimoy.
No.
Anyway, let's move on, shall we?
What have we got coming up for you this week?
Well, this week in InfoSec reveals a hero's origin story
that actually had him starting out as the bad guy.
On the group chat makes all of us question precisely who we are employed by.
Jeff and I had quite the conversation about that.
Billy Big Balls is an impressive display of memory usage
as a data exfiltration technique.
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week is going to be an entry-level position.
So I think we should move on very swiftly to one of our favorite parts of the show
this week in infosec
it is that part of the show where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account
and other sources this week.
So the first story comes from a tweet posted by Alan Jones,
who is the Senior Director at Microsoft's Threat Intelligence Center.
And on the 20th of october he said 25 years ago today happy birthday
ping of death and that's all he needed to say to get the old people remembering what it was like
back on the 20th of october 1996 and then the subsequent two years after that.
So in a nutshell, it was possible to crash, reboot,
or otherwise kill systems by sending a ping of a certain size
from a remote machine.
So it was a serious problem,
mainly because it could be reproduced really easily
and from a remote machine. And the
attacker needs to know nothing about your machine other than your IP address, which back then was
common to see in chat rooms and IRC and things like that. You'd always have someone's IP address
next to them. And there was a chat site that I used that you could actually page become a VIP.
And as a VIP, they hid your IP address when you went into the room.
Absolutely brilliant.
Very easy to exploit.
Did they hide it behind a velvet rope?
Yes, a virtual velvet
rope it was.
You can make it out in the distance, just not
to see it easily.
As a place you wanted to be.
Not once.
You could take down half your infrastructure with Ping of Death.
You could easily take down your infrastructure.
So systems did not like being pinged.
I think Jav's been a little bit more specific.
Yeah.
Didn't you, Andy, take down your infrastructure with a Ping of Death,
or one of your staff?
No, I've taken down, sort of, a very big, large multinational company with a scan that was set to automatically exploit anything it came across.
Oh yeah, that's right. ISS locked out pretty much every account.
We're not going to mention the name of that company, but it is in your LinkedIn history.
In my LinkedIn history from the, yeah, late 90s, early 2000s. Just to narrow it down, I was there for the millennium.
Anyway, systems do not like, or did not like, being pinged with a packet greater than 65,536 bytes, where the default thing is normally 64 bytes.
So this spawned utilities such as WinNuke and BitchSnap, if you recall those, which just provided years of amusement, and gave you that sort of prefect complex in chat rooms throughout the late 90s.
Prefect complex?
Well, cyber prefect complex. It was fantastic. Like, if you chat to someone in a chat room and you didn't like just the tone that they were typing in, you just punch in their IP address, you know, you see them disappear. But good times back then.
It was, you just needed to make sure your system was patched.
Yeah. Yeah, exactly.
Not much has changed these days, right?
No.
The vulnerability patched the system.
But unfortunately, back then, you know, the patch was you had to wait three months for it to appear on a floppy disk on the front of a magazine.
Yes.
It's not like you could download it.
Yeah.
It was, yeah, brilliant. Anyway, so the second story takes us back 36 years to the 15th of October 1985, when 50 FBI agents raided more than 20 homes, seizing 25 personal computers, which were mostly Commodore 64s, after a group of at least 23 teenagers in San Diego remotely broke into Chase Manhattan Bank computer systems.
I want to know who the two rich kids were that had two Commodore 64s.
I know.
Well, yeah, I mean, yeah, mostly Commodore 64.
So there were 25 machines that were confiscating that.
So the FBI basically stated that, you know, this group of teenage computers broke into Chase Manhattan.
That's how old it is.
It's still called Chase Manhattan Bank.
You know, back in the July and August months,
early in the year.
And they said they significantly damaged bank records.
Now, obviously, Chase went on, you know,
standard damage control.
Chase officials insisted that no money was stolen
or transferred out of customer
accounts as a result of the break-ins and they also said no intrusions had been detected recently
but yeah that makes it all good this is the equivalent of uh today's uh you know no credit
card data was compromised um but federal officials said that you you know, in several cases, the youth change passwords, preventing customers and in one case, a unit of the bank itself from gaining access to their own computer files.
Now, the best part of this story is that one of the teens arrested went by the handle Lord Flathead.
Now, if you are familiar with that name.
Did he run for parliament a few years back?
Oh, close, very close. That's the other guy. That's Bucket Head.
That's Bucket Head, yeah.
18... was it Lord Phillips? Lord Phillips? Who was that? Monster, Monster Raving, Monster Raving Loony Party.
Screaming Lord Sutch.
That's it. Screaming. Anyway, Lord Flathead, 18 years later, founded MySpace.
Yes, Lord Flathead was Tom Anderson, you know, the friend who did not judge
or discriminate uh and i remember there's a very popular tweet many years ago where someone said, remember, Tom, remember how he just sold his five hundred and eighty million dollar shares in MySpace and retired so he could have a nice life.
Never sold our data.
Never tried to influence elections.
Never lobbied against privacy legislation.
What a man.
Yeah.
MySpace was just too pure for this world.
Yeah.
And that's why we can't have nice things.
That's why we can't have nice things.
But, yeah, so, you know, a guy that turned it around
and, you know, did all of these nice things
actually started off as a bad guy.
Well, you say bad guy.
They were just a dicking around.
Yeah.
Just dicking around.
Just breaking through a bank of little boys.
They're teenagers hanging around the bus shelters,
you know, throwing cigarette butts at people.
Yeah, at least they didn't go in with guns
and try and stick the place up, right?
Yeah, because that would have been scary.
They would have had to go out and meet people then.
Yeah.
I like that little twist at the end.
It was good.
This Week in InfoSec.
So it falls to me to do the next one, which traditionally is a rant of the week, but we're going to mix it up a little bit. We're going to call this one "if you're not in the group, you won't know", from the group chat with Host Unknown.
Well, a friend of the show, Max Sec,
he has sent us a few stories the last few weeks,
and we've often missed them.
But this one we are going to catch.
So the link's in the show notes, of course.
But the tweet came from Catalin Cimpanu.
It talks about the well-known Fin7 gang,
and they created and operated a fake security company
called Bastion Secure, which it used to recruit
and then trick security researchers into executing ransomware attacks. Now,
this is incredible. This is incredible. So if you do click on the link, it'll take you through to...
An installer that you need to download.
Yes, that's right. It says host unknown heavy industries.
This is Host Unknown Heavy Industries. But if you look at the image there, the actual website is very convincing, because it looks like 99% of every other security consulting website out there. And the genius behind this, the twisted genius, I should say, is that they're actually getting the legitimate and talented security researchers to carry out a criminal act on their behalf.
An actual, you know,
carrying out ransomware attacks and cyber attacks, et cetera.
And these researchers are thinking they're doing genuine research
and genuine work for clients.
Incredible.
And they get paid, I'm guessing, a reasonable salary.
But, of course, the criminals are raking it in,
and they don't even have to have the skills to do it.
I mean, even an ex-recovering CISO could probably run a scam like this
of some description.
And it's not the first time that Fin7 have actually run
a fake security company because they also ran a company
called Combi Security a few years back.
And it was that was back when it was focused on running point of sale malware operations.
But I just think this is, well, it's so creative.
It's straight out of an Ocean's Eleven film or something similar like that.
And I just think, how would you know?
I mean, for all we know, Jav could be working for KnowBe4,
and KnowBe4 is just some kind of front for a criminal enterprise that's trying to get, you know, poisoned movies
and awareness films inside your organisation.
Yeah, yeah.
You know those simulated phishing emails?
Yeah, exactly.
They're not simulated.
Exactly.
You know, I work for an endpoint company and, you know,
you don't get much sort of central into the heart of an organisation
and going through the sort of, you know,
it's implementing their endpoint protection. So yeah, I just think this is fascinating, and how do you even protect against this?
Can I just, so what I love, so I'm reading through the story, and so they've clearly got, you know, a successful company has certain key positions, right? You know, you've got a good CFO, you've got a good COO, you've got a good MD, you know, all of this stuff.
And clearly, you know, what I like about this, they're saying that a group like Fin7, you know, one of the questions,
why would they go to such great lengths to operate a fake security company, not only once, but twice?
And they've put it down to operational costs. And they're saying that it's actually cheaper to hire a security researcher in Russia, you know, for between $800 and $1,200 a month, than it is to recruit criminal hackers from the underground, who often want a percentage cut of ransomware payments.
Well, yeah, they know the value of what they're doing.
Yeah, so they've done all their costings, they're looking at the margins, they know exactly how to run their company. I mean, these guys have literally just taken, you know, sort of, yeah, 500 mentality to this.
This is kind of like akin to those movies where the best spy is the one that doesn't know that they're a spy. So it's like the brainwashing thing, it's like, because then they can pass all the lie detector tests.
And there's a Total Recall, isn't it?
It is, yes, that's the one. Yeah, that's genius. I like this. In fact, I actually want to go and work for them, because I think you can learn a lot from...
Yeah, you might learn a lot, but you wouldn't earn a lot. You certainly won't maximise your earnings potential, though.
Hey, what, $1,200 a month? I'll take it. Do they need someone to manage their risk?
I don't know. It seems like they're doing it pretty well, Andy.
Well, that's what I'm saying. I'll be going there to learn.
So, I mean, one thing that jumps out, and it's not an accurate sort of analogy,
but when has that ever stopped me?
But how is this...
It's about fly-tipping, right?
How is this any different from going to work
for a criminal organisation like Facebook?
Yeah.
I mean, just because it's listed or what have you,
or they have lawyers and they're not working for Russians overtly.
I think when you look at Silicon Valley and you look at all the,
a number of startups that get funded and you know,
they've got no actual plan to go develop a proper product.
They just burn VC money for a couple of years and then on to the next.
Do you know what I think would be a really good project
for some kind of board PhD student or master's student or whatever?
It would be to do an analysis of a company like this one,
Bastion Secure, and a company like Facebook,
and actually dig down into how many laws have been broken
during a 12-month period by each company.
How many actual laws are broken?
I would imagine, I'll put it out there,
I reckon Facebook break more laws
on a regular basis
than a company
set up by Fin7
Bastion Secure
who would
trick researchers
into carrying out malware attacks
and this is Tom's personal opinion
this is Tom's personal opinion
a hypothesis
I reckon that they
probably pay taxes as well because it would keep people off their backs yeah yeah yeah and i think
also that when you look at it it's other than laws you look at the harm done to individuals
on a personal yeah yeah you. If you could measure that,
if there was a measurement that you could use
that says actual harm to society.
Yeah.
I mean, does Bastion Secure cause a high number of teenagers
to have body issues or suicidal thoughts?
Yeah.
Yeah.
How many deaths have resulted directly from Bastion Secure versus Facebook?
Yeah. Asking the big questions. Not that we're siding with the criminals here.
No, no, no, we're just saying, who's really the bad guys?
Yeah, yeah, absolutely. Oh dear. That got a bit deep, didn't it?
It did.
I did not expect that.
Yeah.
Anyway, that was...
If you're mutus, you'll never know.
From the group chat with Host Unknown.
This is the Host Unknown podcast.
The couch potato of InfoSec broadcasting.
And now, Jarrod, it's over to you for...
Billy Big Balls of the Week.
This is Billy Big Balls.
It's kind of like a tweet of the week
because I saw it on Twitter.
And it's also kind of like today in InfoSec
because it's from yesteryear.
But there's absolutely no relevance to having
this here today other than we just
saw it this week. And in fact it's actually
more of a Carol's Colossal
and it's
from the group chat right so we completely
got that wrong.
Oh dear.
I'll go and speak to our guy to
get a jingle made.
No we do have a jingle, isn't it?
We've got one.
What, Carol's Colossus from the group chat, Billy Big Balls?
Oh, right, I see.
All in one.
Yes, actually, yeah, do that.
That would be good.
Then actually we could just play that one for every single segment
and it would cover everything.
Delete as applicable.
Yeah, exactly.
Anyway, Jav, do go on.
So Ana Montes has been billed by some as the most dangerous U.S. spy you've never heard of. And she was, because she didn't know that she was a spy, maybe. Maybe she was, uh, the Queen of Cuba, apparently. That's a tag, that's a nickname. She wasn't really the Queen of Cuba.
She worked for the Pentagon's Defense Intelligence Agency between 1985 and 2001. Just a few days after September 11th, actually, they'd done a crackdown. And she was passing a lot of sensitive information to the Cuban government.
She was spying for them.
And she was recruited from her college days when she was at Johns Hopkins.
Yes, she was recruited there.
And it was basically ideological.
She just believed that.
She didn't believe in America's foreign policy,
so she worked for the DIA and she stole the data.
And what was really interesting and what came across in the tweet, and it's
really funny, it's like, to escape
detection, Montes actually never
removed documents from work
electronically or in
hard copy. Instead, she kept the
details in her head
and went home and typed them up
on her laptop. And the caption is, "where are your DLP gods now?"
This is just fantastic. It reminds me of, like, I actually thought it was a joke. Remember when you sent that picture? I thought it was a joke. But do you remember a film called Johnny Mnemonic?
Yes. Oh yeah, I started to watch that about three weeks ago. It was awful. I couldn't finish it.
It is a terrible film. I never watched it all, to be honest, but I got the gist of it.
Yeah, I like the gist of it. His head had a capacity of something like 10 gigabytes. He transported data in his head. Like, they remove his childhood memories and use his brain as the
courier device.
Oh, and he used a memory doubler, basically,
which reminded me of things you could do
in the old days on the old DOS machines.
Is that the equivalent of pressing the
turbo button on your phone?
Exactly.
Exactly. Oh my gosh,
watch it. Oh, Jesus, it's
awful.
It has not aged well.
Anyway, Andy, Johnny Mnemonic.
Yes.
Well, no, this is what it reminds me of. It's just being able to remember that much information and just regurgitate it once you get to your destination.
Fantastic.
But then again, I guess if you're going to, you know, probably her very first sort of few months of reports were probably a bit light on details.
But if she was doing it every day, she would be getting better and better at reading a document once and then retyping it or, you know, recounting it a few hours later at home.
Because in practice, right, her brain would have become better and better at remembering those details.
So it was probably a slightly long game, but, you know,
over the long term she probably had some really detailed accounts.
Yeah.
You know how people sort of come up with these memory tactics where they sort of create rooms or, you know,
and so she's probably built this entire, well, I don't know,
I'm guessing built an entire, you know, sort of ecosystem
with all these different prompts and stories that, you know,
she can just create.
And yeah.
But how do you defend against that?
Right.
How do you defend against someone?
I think it's called the monk attack.
I think it has a name of the monk attack.
Oh, really?
Yeah.
So the monks of old who would copy books by hand, write them down.
Ah, okay.
So, or it's certainly a derivative of the monk attack.
I'm not familiar with that. I'm just, you know, so you don't copy the data electronically, you copy it by hand onto a piece of paper or something.
Yeah. There's a film with Denzel Washington.
There's always a film.
Yeah, what's Denzel... I'm trying to think of Denzel.
He reprints the Bible.
The world's gone to shit and he remembers the Bible.
Book of Eli.
That was it.
Was that?
Do you know what?
I'm glad I haven't watched that.
Yeah, and he's memorized the whole thing and he goes to a library
and then just dictates it.
Yeah.
I suppose in this case, I don't think she would have had to, maybe she didn't have to remember that much information.
Like, no, it's probably very specific. She probably just needed specific, like, this is what they're working on, these are some military tactics, or this is the current stance towards Cuba in the government today.
Exactly, exactly.
So it might not have been all that.
But she was a model employee.
And I think what's really interesting is, A, yes, we've established DLP, technical control, won't work if someone's memorising them. But also the fact that she was already effectively a Cuban spy before she was hired. That's an HR vetting issue, not a control issue. It's an HR vetting issue, and there's nothing you can do once they're in to say, oh, they've suddenly now changed their behaviour. Because it's not like, oh, you know, you look for all the telltale signs, like maybe they're gambling and they've got debts, or suddenly they used to be very social and then suddenly they were working late every night, or what have you. There's nothing you can see. There's none of that kind of, yeah, behaviour analytics that you can rely on. So it's interesting.
You know, what you could do, I think, like Andy said, it's really a hiring issue.
It's a hiring issue. If you can't fix a control, find someone to blame. Blame HR.
Yeah. Oh dear. Nice one.
Thank you, Jav, for Billy Big Balls of the Week.
We are officially the most entertaining content amongst our peers.
Andy, what time is it?
It is that time of the show where we head over to our news sources over at the InfoSecPA Newswire
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Industry News.
US Treasury tracks $5.2 billion of ransomware transactions in six months.
Industry News.
Twitch: no passwords were taken in data breach.
Industry News.
UK in midst of $200 million crypto fraud epidemic.
Industry News.
Apple iCloud hacker steals nudes.
Industry News.
LightBasin operation compromises 13 global telcos in two years.
Industry News.
Microsoft, Intel and Goldman Sachs team up for new supply chain security initiative.
Industry News.
Twitter pulls accounts after Argentinian mega breach claims.
Industry News.
Data scrapers expose 2.6 million Instagram and TikTok users.
Industry News.
US to ban export of hacking tools to authoritarian states.
Industry News.
And that was this week's...
Industry news.
Lots of juicy stuff there.
There is.
Huge, if true.
Guess which story I'm clicking on.
Apple.
Yeah.
Don't, isn't it like 2014 wants its hack back?
Yeah.
No, it wants its fap back.
Yeah, exactly.
The fappening.
This is old school, right?
Third year old forum.
Oh, it is.
It is that story.
Oh, is it really?
Oh.
Yeah.
So the court heard that the 30-year-old former resident of Detroit
admitted infiltrating and hacking into the UPMC's human resources
server database in 2013 and 2014.
What, he's only just gone to court?
Yeah.
Is this story the right story?
Wow.
I tell you, we're going to have to have a word with our sources. Do you know what?
It looks like the Apple iCloud hacker steals nudes.
This story and then the story that follows is not that story.
Interesting.
The title is wrong, or the story is wrong.
Oh, oh, oh dear me. Stig, come back. InfoSec Stig, come back, all is forgiven.
Here I was really looking forward to this story. We depend on this stuff, you know, people. This is not good enough.
I think anybody who's listening should click on this story
from the show notes and then write in and complain.
Not to us, obviously.
So I am looking at the Microsoft, Intel and Goldman Sachs
teaming up for a new supply chain security initiative
because if there's one thing this industry needs, it's another player who says they will help you to manage your supply chain security.
So they are working under the auspices of a non-profit, the Trusted Computing Group.
A non-profit what computing group?
It's called Trusted Computing Group.
And the companies have created new supply chain security work groups.
So, you know, I've got issues with all of these types of companies, right?
So I work in a sector which is heavily regulated.
And there are so many different companies offering this sort of supply chain assessment as a service.
And, you know, certain banks will choose one vendor.
You know, certain banks are actually founding members of another vendor.
Yeah.
Um, and yeah, too many, you know, too many different vendors. Like, there's no difference to the... we're not saving any time by having these groups set up, because you've almost got as many groups as you do clients.
Yeah.
And it just really makes the sort of... makes the working market really confusing.
Who do you follow?
Whose advice should you go to?
And if you two are offering exactly the same advice,
why are you saying it twice?
Why not just get together?
Exactly.
Oh, dear.
So I'm seeing the U.S. Treasury is tracking 5.2 billion of ransomware transactions in six months.
And the UK is in the midst of a 200 million dollar crypto fraud epidemic.
So is the UK just doing less volume or is it the value of the pound is so strong?
Well, it's Brexit for a start. Brexit tax. Gotcha.
But also this tracking 5.2 billion of ransomware transactions.
Is that actually money that has been paid to ransomers, to the criminals?
I'll probably be able to answer that after I've clicked into the story and read it.
Yeah, it's just exactly what I'm doing.
However, I went in the opposite direction about these data scrapers
exposing 2.6 million Instagram and TikTok users.
But no, it wasn't TikTok or Instagram.
Obviously, the big pool was those named as a headline.
But it was a firm that provides marketing insights on social media users that actually got scraped.
So, yeah, obviously, you wouldn't have clicked in it
if it said IG Blade loses data.
Yeah.
Yeah, exactly.
This 5.2 billion is associated with 177 crypto coin wallet addresses
mentioned in the suspicious activity report sent by banks to authorities.
So I know that, Jav, you and I use this figure.
And obviously, it's an out-of-date figure that, you know, in 2019, the FBI said that, what was it, 1.6?
No.
Yeah, a billion was lost to ransomware.
Billion or million?
I can't remember what it was.
Million.
No, no, no, no, no. Billion, because they had, like, some groups were making, like, 50 million a year or something.
Oh, right, okay, yeah.
But this really sort of summarises it quite dramatically, quite how much money is being lost and made as a result of ransomware.
It is, uh... what I found was an interesting story, again, this looks like it's something from years gone by, but the US to ban export of hacking tools to authoritarian states.
Yeah, yeah, good luck.
We've seen this with encryption.
Yeah, exactly, encryption.
And what was it?
Do you remember years ago when Blue Coat got done for selling stuff via a reseller that they apparently didn't do, to Iran?
And Blue Coat were the SSL decryption, SSL inspection...
Yeah.
Yeah, the gateway, whatever.
Expertise ran out at the critical moment there.
So you can tell that none of us are going to be used as couriers
for exporting data out of companies.
Well, we might be because we won't have a clue.
Yeah.
You're going to have to hypnotise me to get that.
Yeah, what is that music that's playing in the background? That's great.
If someone could tell this to the NSO Group, then I think we'll be good. But yeah, otherwise you're just going to end up with lots of laws like this that just penalise legit companies and researchers trying to do their job.
Yeah, exactly.
And also, you know, so the US bans export.
Most companies have got subsidiaries outside of the US
that would be perfectly happy to export these tools, right?
We see that happening.
Wasn't there that one that was used against a bunch of journalists?
Yeah, the NSO one.
Yeah, yes, thank you. Yeah, yeah, exactly, of course.
Yeah, so it may have worked in the 50s when, you know, companies were, you know, there's only about seven truly international companies, but not any more.
No, I think it's a really difficult thing to do,
to enforce via this kind of legalese.
But, oh, well, I suppose people need jobs in the Pentagon.
Indeed, indeed. Huge if true.
Industry News.
Talking of which, Andy, I think it's time for you to take us home with this week's Tweet of the Week.
We always play that one twice. Tweet of the Week. It is a lighthearted story. No sad. No,
we're not ending on a bum note today. So this is one of those stories which regularly appears on
social media platforms in various derivatives. And it's from El Jefe de Security.
And it simply says,
I just hired a junior security person with no coding experience.
Ask me anything.
Great person.
Yeah, exactly right.
And it has, it's already got, I don't know, you know, people are fine.
Okay, excellent.
We do the same.
Other people, you know, what made you hire him?
And I actually like that one because he said it's a her.
She had gumption, discipline, growth mindset.
And, you know, we sparred on security topics.
It was good.
And this comes back to, you know, that constant debate about, you know, what should be, what does a security person look like, right?
You know, what should we hire for?
Must have coding ability,
must have certificates,
must have, you know, X years of programming,
must understand, you know,
you don't need all of that stuff.
And just seeing some of the responses
to this thread is just, you know,
one of them says, you know,
what sort of compromises, you know, have you both, you know, arrived to in order to get them the job? So, like, an example: did you say that in one year you need to have your CCNA or your Security+ certs?
Um, you know, and there's this, I don't know, I don't know where this mindset, you have to have particular, you know, certificates or something to do a job in security. I think some people are...
Well, it's two things. One, people have invested a lot of their own personal time, effort and money into getting themselves where they are, and therefore they think that that's the most valid way of becoming a security professional.
I think the other part of it is that there's a certain amount of, um, well, a certain lack of confidence in them almost, you know, in their position, that if I don't have this qualification or if I am not able to prove that I can code, et cetera, then I will not be a proper security professional.
And it's that lack of confidence, I think,
which really comes across as well, rather than really just saying,
frankly, it depends.
It depends on the role.
It depends on the specifics.
It depends on the organization.
It depends on what that person's career goals are. So many "it depends".
Um, and frankly, you could become, you know, a really good coder... you could become a better coder in a year, if you wanted to, than somebody who's been coding for 20 years.
Yep, yep. It really doesn't matter.
It's down to the individual.
So, yeah, I like you, Andy.
I'm gobsmacked by some of these responses
and really saddened, actually, that people are so narrow-minded.
I know, but you've got to worry, right,
if the job spec's for a junior and you need to know, like,
15 different languages, have all these certs,
like, you know, you're the person that's going to be doing everything on a junior salary, right?
Yeah. It's... was that... I saw a tweet from somebody, and I know I've got the name of the language wrong, I'm going to say Ruby on Rails, but it said something like this, you know, this junior position needs 10 years' experience of Ruby on Rails.
And at the time this guy said that, you know, I would not be qualified for this position because I only have seven years' experience, because that's when I first invented Ruby on Rails.
Yes. Yes. I remember that tweet. Yeah.
That's brilliant.
That's right. You know,
people have just such a narrow minded view of what, you know,
cyber security is and what it should be.
And, you know, a lot of these are people that have been in the industry for a long time.
They used to be firewall admins when it was called data security or IT security or network security, whatever one they were working in.
They begrudgingly accepted the morph into information security, but now they're, like, sitting pretty. They're like, oh, I've got 30 years' experience and this is how it all should be.
And, uh, forget coding experience, you also need to have a CVE published in your name or something.
Yes. Which books have you written? Yeah, or co-authored? Exactly. Exactly.
Because I've coauthored a book and therefore it's a necessary hurdle for you to jump over.
I did like there's one reply where someone says,
we hired a junior DBA with no SQL experience who was a barista at the time.
It all went to shit.
He says, I joke. They did work out okay. I joke.
But yeah, but, you know, I know it's a joke, but you know what, they could have hired an experienced SQL person and it could have all gone to shit.
Yes. You know, I mean, that's a hot... yeah, it's... I don't know.
we seem to have this uh this challenge comes up regularly,
this disconnect between recruiting practices and real world,
what you're going to be doing day to day.
Yeah, but let's face it, at the end of the day, the recruiting section,
the HR, do what we ask them to do.
Yeah.
Eight times out of ten.
Yeah.
It works every time.
Yeah.
But, you know, these job descriptions are written by InfoSec people.
Sometimes.
I mean, some really large companies, they have, like,
really horrendous processes, and there's lots of bureaucracy
that they have to go through and meet the standards of whatever it is.
I'm not saying it can't be done, it's just a lot of effort, and people usually don't want to put in that much effort, or they don't have the time to put in the effort to go through that process, and you end up with shit.
You know, the thing is, this goes back to also the old adage of you won't get fired for hiring IBM.
No one will get blamed or fired for taking the safe option here.
For hiring a CISSP.
Yeah, if someone's got a CISSP and they've got a couple of years' coding experience and you're hiring for a job that might not even need either of those things, if they turn out to be bad, no one's going to turn around to you and say, oh, you know, you made a mistake, because, you know, it was traditionally the conventional right thing to do.
The fear, I think, there is that if you take the chance of getting a bit creative or imaginative with your hiring practice and that doesn't work out, then people will say, well, see, I told you so, why didn't you do this?
Yeah, we have established practices.
I mean, there's a quote I read, this like, no one ever got fired for being unimaginative in their job. Like, I suppose it doesn't apply for a creative industry, if you're an advertiser, but generally speaking...
I know what you mean.
If you're,
your analogies are really hit and miss,
aren't they?
Yeah,
I know.
You know,
there's sniper analogies.
They hit the one person in the room.
They're intended to damn the other 300 people.
Yeah.
Sniper analogies.
But yeah, no, if, if you play it safe, no one's going to fault you afterwards
because, ah, you tried your best.
You did the right thing.
Yeah, you did everything right.
Yeah.
Yeah, ridiculous.
Excellent.
Thank you very much, Andy.
Tweet of the week.
Well, we draw to a close, folks. Uh, Jav, uh, thank you very much indeed for your time and your, um, somewhat hit-and-miss sniper analogies.
You're welcome. Um, I'm here all week. If anyone has any problems with, uh, fly-tipping, get in touch.
Absolutely. Other than that, I believe you got rid of that rubbish in behind your house in record time.
Stay secure, my friends.
And thank you very much, Andy.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown Podcast.
if you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
r slash smashing security.
I was going to say, if anyone needs any tax advice, then, you know, don't call me.
Accountancy, bookkeeping, taxes? Nah. Running your own web hosting business, being able to analyse profit and loss between Haribo purchased and cost of operating a business.
Yeah. Hey, I'm one of those, uh, you know, I don't look at the negatives, Tom, all right?
You know, it's... you've got very unimaginative thinking.
So by negatives, you mean money that goes out of your company?
As long as I can.
I don't think my company's ever made a profit, if I'm honest.
Well, you know, lifestyle business and all.
No, no, no.
All very successful billionaires never actually make a profit in their company.
Well, exactly.
Yeah, it's all tax write-offs.
Tax efficiency is priority number one.
Then why aren't we as host unknown billionaires?
Well, maybe you will be soon.
Yeah.
And even if we are, I wouldn't admit to it on live, where the taxman could be listening.