The Host Unknown Podcast - Episode 89 - Normal Audio is Resumed
Episode Date: January 21, 2022

This Week in InfoSec (06:23)
With content liberated from the "Today in InfoSec" twitter account and further afield
19th January 1999: The Happy99 worm first appeared. It invisibly attached itself to emails, displayed fireworks to hide the changes being made, and wished the user a happy New Year. It was the first of a wave of malware that struck Microsoft Windows computers over the next several years, costing businesses and individuals untold amounts of money to resolve.
19th January 1999: RIM introduces the BlackBerry. The original BlackBerry devices were not phones, but instead were the first mobile devices that could do real-time e-mail. They looked like big pagers. It is alleged the name "BlackBerry" came from the similarity that the buttons on the original device had to the surface of a blackberry fruit.
London riots: how BlackBerry Messenger played a key role

Rant of the Week (18:01)
Singapore gives banks two-week deadline to fix SMS security
A widespread phishing operation targeting Southeast Asia's second-largest bank – Oversea-Chinese Banking Corporation (OCBC) – has prompted the Monetary Authority of Singapore (MAS) to introduce regulations for internet banking that include use of an SMS Sender ID registry.
Singapore banks have two weeks to remove clickable links in text messages or e-mails sent to retail customers. Furthermore, activation of a soft token on a mobile device will require a 12-hour cooling off period, customers must be notified of any request to change their contact details, and the fund transfer threshold will by default be set to SG$100 ($74) or lower.
MAS has also offered a vague directive requiring banks to issue more scam education alerts, and to do so more often.

Billy Big Balls of the Week (25:49)
Train Robberies Are Back
Freight trains loaded with valuable merchandise sitting on apparently unguarded tracks make for awfully inviting targets.
For months, Union Pacific freight trains have been getting systematically robbed in the Los Angeles area, according to local news reports, as thieves target valuable merchandise and online orders from retailers like Amazon sitting on delayed trains.
Superyacht Security: The 10 Best Ways To Protect From Pirates And Paparazzi

Industry News (33:12)
European Regulators Hand Out €1.1bn in GDPR Fines
NCA: Kids as Young as Nine Have Launched DDoS Attacks
Government to Regulate Crypto Advertising in New Crack Down
Man Charged with Smuggling Tech Exports to Iran
Researchers Hack Olympic Games App
Red Cross: Supply Chain Data Breach Hit 500K People
Eleven Arrested in Bust of Prolific Nigerian BEC Gang
Twitter Mentions More Effective Than CVSS at Reducing Exploitability
Biden Signs Memo to Boost National Cybersecurity

Tweet of the Week (42:00)
https://twitter.com/blkcybersources/status/1483826713561862159?s=21
https://twitter.com/BLKCybersources/status/1483826713561862159/photo/1
Come on! Like and bloody well subscribe!
Transcript
Sounds bad, Andy. Is that your pride struggling to go down?
Oh, that... I can't... We can't talk about this. I cannot believe what has just transpired.
It's the most... I was embarrassed sitting on this other side listening to you. It was just the worst.
oh man i need to put the fan on. It's
too hot in here. My cheeks are burning. You're welcome. You're listening to the Host Unknown
Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us
and welcome to episode 89-ish of the Host Unknown podcast.
Welcome one and all.
Andy, how are you? You're sounding a lot better this morning.
Yeah, we can gloss over this.
And yeah, let's just say that audio input difficulties have been resolved, and we'll just leave it at that.
Did you get outside consultants in to address it?
I merely took advice from an old colleague, an old friend, an old acquaintance, you know, someone I knew wouldn't make a big deal out of it and wouldn't use it to humiliate me in public.
No, no. But I know someone who would use it to humiliate you. Jav, how are you?
I'm very good. You know, I'll tell you, this has been the highlight of my week so far. I'll tell you what kind of week it's been, and in the interest of transparency and fairness,
because I'm very transparent with my listeners and fans and friends, Andy does a lot of
the legwork on this show in pulling together the show notes. He's our little research machine. He
goes out there he finds these stories,
and he's like, what do you think of this?
What do you think of that?
And last night, I'm putting my youngest to bed,
so I just like putting him to bed.
And I see messages coming through,
what do you think of this story?
What do you think?
And I'm thinking to myself,
Andy's really on the ball tonight.
It's only Tuesday, and he's already thinking
about the stories for this week.
And then I realised, no, it's Thursday, and today's Friday.
So that's the kind of week it's been.
But, yeah, last week, many of our eagle-eared listeners would have heard
that Andy was sounding really bad.
I mean, worse than normal. His audio quality was bad.
And it so transpires that Andy has got a brand new microphone
recommended by our tech expert, resident tech expert, Tom Langford.
He said, oh, I say tech expert.
There's two criteria that Tom follows when he buys tech stuff.
If he's got an Apple logo on it, it's good.
Or he will look for the most expensive thing because if you pay more money, then that means it's good.
So he recommended an expensive microphone to Andy.
And Andy plugged it in, but he didn't know how to get it to work. And so today, before we started
recording, Tom was taking Andy through the stages. It was like listening in on one of those call
centres, and Tom was reading from a script: have you plugged it in, have you turned it off and on again,
have you done this, have you made sure, go into this setting, which box is ticked, which box isn't. And eventually, he actually managed to get Andy's microphone working.
It was amazing and scary.
And I can imagine a little bit humiliating for Andy at the same time.
So, like I said, someone who is willing to humiliate Andy in public.
Tom, how was your week?
It was very good.
It's very good.
Yeah, I've been working away.
I did some filming yesterday for a new talk I'm doing at work.
So that was fun.
Stood in front of a green screen with, you know.
And, yeah, I think the teaser is going to be a good one this time.
It's going to be really good.
I'm looking forward to releasing it. It's going to be good fun. It's going to be good.
I always look forward to your teasers. They're always so good. I never bother listening to your talks, but your teasers are amazing.
Well, you have to actually go to an event to listen to one of my talks, and since we're
in the same job, we know what it's like. We turn up, do the talk, and then jump in a
cab and go, right.
So virtual or otherwise, keep the engine running.
Yeah, exactly. You get a cab? Are you on your push bike?
Yeah, roller skates, mate. Yeah.
So, well, yes, I really enjoyed doing them.
And the thing is, neither of us know what we're going to be doing
for the teaser when we start filming the actual talk.
But by the end of it, we've come up with a couple of ideas.
And so we came up with this thing.
I'm not going to say what it is because it came together really well.
It ruined the surprise.
It ruined the surprise.
And then we just took it, you know, took it further and further.
And then, oh, it's going to be great.
It's going to be really good.
Well, it better be anyway.
You've built it up a lot now.
I've built it up a lot now.
Yeah, yeah, that's right.
That's right.
Oh, dear.
So what have we got coming up for you this week?
Well, this week in InfoSec talks about the 90s.
Not the best era for music, but maybe it was for InfoSec.
Rant of the week is a story about a regulator not considering the implications
before mandating new requirements.
Funny that.
Billy Big Balls dusts off the old school security skills.
Industry News brings us the latest and greatest security news stories from around the world. And Tweet of the Week gives career advice which smacks of sponsorship.
So let's move on to our favourite part of the show, the part of the show that we
like to call This Week in InfoSec. It is that part of the show where we take a stroll down
InfoSec memory lane with content
liberated from the Today in InfoSec Twitter account and also further afield.
So things I've learned this week include how to plug in a microphone.
But as well as that, did you know that on the 18th of January 1995, the domain name Yahoo was registered.
But that's not the interesting part.
The site was running prior to that.
And do you guys know what it was called?
Yeehaw?
Yeah.
Goggle.
It was actually called David and Jerry's Guide to the World Wide Web.
Nice!
Snappy.
Dot com.
Yeah.
Obviously, you know, things were different back then.
But we are still in the 90s, so this is where the story comes from.
So our first real story has taken us back a mere 23 years
to the 19th of January 1999, when the Happy99 worm first appeared. It basically
invisibly attached itself to emails, displayed fireworks to hide the changes being made,
and wished the end user a happy New Year. It was the first of a wave of malware that struck
Microsoft Windows computers for the next several years,
costing businesses and individuals untold amounts of money to resolve.
Obviously, if they had a friend like Tom, they could just call on him for tech support.
I wouldn't be able to tell him how to fix it, but their call quality would go up immensely.
Absolutely. But what's interesting about this virus was in the Computer Security Handbook,
which was published in 2002,
Happy 99 was referred to as the first modern worm,
which made me chuckle because that was only 11 years
after the Morris worm had infected the internet,
which was still a much shorter timeframe
than the 23 years which have passed since then.
Which presumably was not a modern worm.
I don't get it.
It's what's the...
What's the distinction?
Well, that's where I was getting at.
You need to kind of make things sound good, right?
Yeah.
That was...
Is that like when vendors call their solutions next-gen? Like, you know,
it's not legacy, or, you know, antivirus, it's next-gen antivirus, that kind
of thing.
Yeah. This isn't a PowerPoint, this is, you know, actually a bunch of moving images on a screen that tell you what to do. This is visual stimulation.
It's a Prezi.
It's an immersive...
An immersive...
Whatever happened to Prezi?
Has it died on its arse?
I think people just threw up too much.
Too much seasickness.
Yeah.
You can actually replicate Prezi through PowerPoint, you know, that sort of
scroll up and down you click.
Yeah, you just... it takes a lot longer, obviously.
Oh no, I know what you mean, yeah, with the transitions.
Yeah, yeah, yeah. No, that's an interesting one, Prezi. We'll look into that.
Yeah, but, well, I would guess, yeah, Happy99. It's a story we've heard 100 times before, you know. So it
did appear mid-January 1999, spread through email, Usenet, ran in the background without people's
knowledge, but later it basically served as a template for the creation of other self-propagating
viruses. So later that year we saw the Melissa worm, the cat worm, before the following year
when the I Love You virus came out.
And then that was even still two years before the Anna Kournikova virus.
I was thinking about it.
This is the virus, Jav.
Yes, yes.
Yeah, so, I mean, it was a big part of history back then.
You probably remember all these viruses at the time used to come out.
Everyone was using Outlook.
So lots of people were impacted apart from the really big corps that were using Lotus Notes.
Yes.
Yes.
And they were all like, we're safe.
Yeah, exactly.
So our second story actually keeps us in the same time.
Exactly 23 years ago, it was to the same day, the 19th of January, 1999,
when I was barely five years old, RIM introduced the BlackBerry.
What?
Yeah, so the original BlackBerry devices were not phones,
but instead they were the first mobile phones that could do real-time email.
Yes, yes.
They looked like big pagers.
And it is alleged the name BlackBerry came from the similarity
that the buttons on the original device had the surface of a BlackBerry fruit.
Huh.
How funny.
Yeah.
But, I mean, this is like iPhone before the iPhone, right?
Yeah. And it was funny to see that
the BlackBerry handsets were actually the smartphone of choice for the majority,
which was 37 of British teens according to a 2010 Ofcom study, which was actually four
years after the first iPhone came out. And where I was interested in this thing,
and basically where this fits into InfoSec history was,
do you remember BlackBerry Messenger?
It was a secure messenger service.
Exactly that.
But it allowed people to send one to many messages to network contacts,
all via Teams.
And it replaced, almost replaced text messaging overnight
because it was free, instant, and you could do a much larger community.
And obviously, unlike other social media that was popular at the time,
Facebook in particular, BlackBerry messengers were untraceable
by authorities, which is why it became a hugely popular device in the Emirates,
because it was used to spread, you know, gossip about officials and things like that, and,
you know, the laws actually changed in those countries to actually give them backdoor access
into that. But it was also understood to be the, I guess, the communication tool of choice during the London riots, you know, back in 2010.
If you recall, when Oxford Street was vandalized, when places were burned down in Croydon.
And it was all the, yeah, the BlackBerry Messenger.
And then obviously, you know, the iPhone had the iMessage, which was also considered secure.
But this was far more, you know, available to teens with a
lower income, and it had everything you needed, you know, great features, email, secure messaging,
terrible games.
It was terrible games. It was really good. I remember getting a BlackBerry from work,
and it was brilliant. The keys were so good. They were perfectly spaced apart and they had a nice
tactile feel. You could compose emails really quickly and easily.
Yeah, it was. And you know what really made me surprised? So when we started getting these at the time, one of our
sales directors, he was a bit... I thought he was a bit of a dinosaur. And so we did a trial with
certain people, and he was the one, he just loved it. He took to it like a fish in water. He would not live without it after, you know, he tried it for like a couple of days. And I was
like, damn, this thing might actually be successful. It's because, you know, we've been through everything
prior to that, you know, the Palm Pilots and, you know, all the other phones.
Scribble, yeah, exactly.
But yeah, no, the BlackBerry, and also the battery life was just
phenomenal as well. But yeah, they were still punching strong after the initial launch
of the iPhone. And now, of course, they're the largest phone producer in the world.
is that blackberry i thought they uh it was only recent was it this year they shut down now
haven't they
yeah
so they stopped production
they completely
misread the market
didn't they
they completely misread it
they did
they did
to be fair
yeah
sorry go on
sorry
I was going to say
I remember trying
one of the
one of their first
touch screen devices
and it was horrible
oh yes
absolutely horrible
I mean, the iPhone had come out,
obviously, which was what prompted them, but their implementation was dreadful. The whole screen would
click, if I recall correctly.
Yeah, a lot of those early ones were like that. I can't remember which. It was a HTC phone I had, and the first one I had, it had a slide-out keyboard from the bottom half.
Oh, yeah, yeah. So, like, you know, horizontally or lengthwise.
So, it was really good.
And the keyboard, the screen would tilt up slightly as well.
Yeah.
And it was brilliant.
And then the next phone, they wanted to copy iPhone, and they had a touchscreen.
And it was dreadful.
Yeah.
You couldn't type to save your life.
But I do think it's when Apple came out with the iPad that they really broke into enterprises, because, yeah, all the execs
wanted to take them into work, and then, you know, you had this sort of like, now IT needs to
relax their rules, and, you know, BYOD became a thing. And then I think iPhones, in a corporate sense,
as a corporate-issued device, started to really catch on.
Well, I mean, the first iPhone was crippled, let's be honest.
I mean, it was the first operating system
they could get running on the damn thing.
It was only with iOS 2 when they started to introduce
the App Store and stuff like that that things actually took off
because up to then, you couldn't do much. I mean, it literally was just a phone and a browser.
There was nothing else that it was capable of doing, unless you jailbroke it, of course.
But yeah, and then, as you say, the iPad. What was fascinating about the iPad was
actually the average user, the average person on the street, could see themselves using the iPad.
You know, not everybody said, oh, I don't need a Mac.
I don't need a, you know, top-end machine.
I just need something to browse or do whatever with.
But the iPad was, yeah, I can see myself sitting down
and reading email and reading books and checking the internet
and documents and all that sort of thing.
And it was a very accessible device as a result.
Indeed.
Excellent.
Well, Andy, thank you very much.
That was – God, I do enjoy little trips like that.
Very nice.
Thank you, Andy.
This Week in InfoSec.
You're listening to the award-winning Host Unknown podcast.
Officially more entertaining than smashing security.
In your face!
In your face, Graham.
We still haven't gone three weeks without talking about them.
Dreadful.
You're thoughtful running the jingle, Tom.
Actually, I've just got them labelled as jingle 1 to 12.
I hit them randomly now.
So I didn't know it was that one.
It's how I've saved my kids' names in my phone.
Yeah.
Right, let's move on.
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
Eons of tradition dictate that I should take this.
This was an interesting one because when I first read this, I thought,
oh, yeah, fair enough, you know, crack on, you know, give them a hard,
give a hard deadline and get people to meet it. And then
kind of think about it a little more. And as Andy was discussing with me earlier about, you know,
he couldn't believe that I was actually on the side of the government in this case. But yeah,
maybe this is a little bit short-sighted. But the headline is that Singapore, which has been hit by numerous
financial phishing scams and malware, et cetera, et cetera, over the last few months,
the Singapore government has given banks two weeks to fix their SMS security issues.
So there's been a, like I said, there's been a massive phishing operation that's targeted the Southeast Asia's second largest bank, the Oversea Chinese Banking Corporation.
And it's prompted the Monetary Authority of Singapore to introduce new regulations
for internet banking. So they have two weeks to remove clickable links in text messages or
emails sent to retail customers. Activations of a soft token on a mobile device will require a 12
hour coolingoff period.
Customers must be notified of any requests to change their contact details.
And a fund transfer threshold will be, by default, set to 100 Singaporean dollars,
which is roughly 74 US dollars or lower.
The Monetary Authority of Singapore has also offered some vague directives requiring banks to issue more scam education alerts and to do so more often. So like I said,
I think initially I thought, you know, right, let's get these banks to spend some of the money
that they keep making from us and do what they should have done in the first place, in fairness.
And a lot of these things should be in place already.
But in hindsight or on reflection, giving them two weeks is going to do one of two things, I think.
People are either going to fail to meet the deadlines or they will implement solutions that are hastily and probably not with the best of intentions be implemented so that basically things will go wrong.
Stuff's going to happen.
Customers are going to be inconvenienced.
There's going to be mistakes made, etc.
Or the banks will simply look at this from a risk based perspective and either do nothing and just take the financial hit as just the cost of doing business.
Or hopefully we'll spend that period of time doing the right thing and making the changes when prompted to do so, but in their own time.
to do so, but in their own time.
So bottom line is customers are not going to benefit from this at all because of this two-week period.
It's just far too short, far too vague,
certainly as regards more scam education alerts
and all that sort of thing.
And these are, well, like all banking systems, these are intricate, intricately
assimilated old legacy systems with new technology, etc., and they're not particularly easy to unpick, so
I do think the Singapore government here is actually going to end up shooting themselves in the foot.
Well, I'm usually a huge fan of MAS, like the Monetary Authority Service.
They do a lot of stuff, you know, in conjunct with the Bank of England as well.
They provide really good guidance on, you know, red team exercises,
how banks should be assessed, you know, why it's not just a standard,
you know, tick in the box for this, and, you know, it's very specific and it's usually
really detailed, you know, guidance, which is why I am just absolutely stunned that they've half-arsed this.
Yeah.
And sort of chucked it out. And I know that a lot of people are kind of happy in that,
oh good, I never get anything useful from the banks at all, you know, I don't know, you know, should never get links in messages or anything like that. And,
you know, I do think that's a debate for another time. You know, I think that's something that needs
to be looked at: what services legitimately send out links and for what reasons.
You know, and to just tell someone to switch that off in two weeks, especially a bank,
which we know is not, you know, let's just chuck the word agile in there. Do you mean they have to
plan things to get them out live? It's not like you can just switch off applications,
change the fundamental way a lot of these applications work. You know, we'll have
links, and I get it, if it's pure marketing then, you know, I've got no defence for
that. Yeah, absolutely switch that off. But some of these people will use links for, like, password
resets and things like that, you know, purely on your mobile device. You know, it's a very mobile-centric country, which is why it just seems
really very knee-jerk. Yeah, and it's very unlike them as well. And I think what it is,
like you correctly illustrated the technical issues, but think about the problem
they're trying to solve, is people are getting phished. If they're going to put out something like this in two weeks, there's going to be a
whole lot of communication they're going to send out to people. They're going to confuse them, and
I think in that process there's going to be more phishing attacks, because criminals are going to
be like, well, yeah, this door's going to close in two weeks, probably. But now there's utter chaos.
So let's send them a text message saying,
hello, we're your bank.
We're now moving you to a more secure system.
Click here.
And people are going to listen for it.
I think it's just going to cause, you know,
you're not fixing the issue.
And again, I think this is, again,
where you take a tech-centric approach to issues as opposed to figuring out
what is actually the process here, where are there flaws in the process, and how are they
being attacked. It's, you know, like Andy, it's very unlike the MAS to go down this route. So,
you know, maybe they've got like a new CISO in place who's like,
I want to make a name for myself.
Let's do this or something.
I don't know.
Either that or the guy on the end of the call had a really dodgy microphone
and he misheard him.
He said two years and he heard two weeks.
I mean, it could happen, right?
Yeah, I mean, mics can be tricky.
You know, some of these modern-day mics and grits as well.
Anyway, excellent. That was this week's Rant of the Week.
You're listening to the Host Unknown podcast. Bubblegum for the brain.
And talking of bubblegum for brains,
let's move on to this week's Billy Big Balls with Jav.
Yes, it is me again.
And have you seen the movie Captain Phillips with Tom Hanks in it?
Yes, about the pirates that take the ship.
Yeah, yeah, yeah. I am the captain now. Exactly. If you haven't seen the movie, you must have seen the meme where the Somali pirate
is there: look at me, I am the captain now. And it was a great movie because I had no idea that sea
piracy still existed.
But seriously? Yeah. I mean, I've never really taken a boat into open
sea, so I have no idea. Like, I just thought their boats are their yachts, and, like, you know, what
do you call it, there's the Suez Canal thing that happened. That's because of dodgy directions.
And, what, keep going straight? Yeah. And other than that, I just thought they were used for making hip-hop music videos.
You know that most yachts these days come with anti-piracy,
so stop people climbing up the sides or they've got turrets to mount guns on for you.
It's still a massive problem.
Really? Wow.
Yeah, and you literally get paths to navigate through because there's no
pirates in certain waters.
That is fascinating. I learned so much from you too. When you said
yachts have anti-piracy, I thought, oh my God, my multi-region DVD won't work there.
so that was funnier than it should have been.
So now you're probably going to laugh at me when I read out this next story
because I had no idea this still existed.
But in America, apparently train robberies still exist as well.
Ah, interesting.
Yeah.
So there's a story about some Union Pacific freight trains in the LA area which sometimes get delayed or whatever, so they sit on the tracks
for a while, and their carriages are full of, like, orders, like Amazon deliveries and everything, and
what have you. So what's been happening is that the tracks have been
unguarded, and there's a jurisdictional sort of ambiguity as to who's responsible
for guarding a train on a track. So while there is a transport police, they're more responsible for crimes on the train, like between people, I suppose.
And the LAPD is not really, they don't actively monitor it, I suppose.
So no one's like taking responsibility for it.
That's not my job.
I'm going to finish my donut.
Yeah, exactly.
It's really funny saying LAPD and not saying it in an ironic sense
because I'm always like, it's a real thing.
It's not just something in pop culture.
But, yeah, so, you know, people have been going in.
They've been cutting the locks.
And they've just been systematically robbing these trains.
And what they found is like, you know,
dozens or hundreds of boxes like littered all over the place as they open them
up, go through it, take what they want and, and just leave the mess there.
So, so the trains are at a standstill.
Yeah. They're not coming up on horses or motorbikes.
That's really disappointing yes
really just i i had in my mind these kind of you know these chases as i said motorbikes horses
whatever push bikes doesn't matter because i know how slow american trains go according to hollywood
i mean you can just run and catch up with them right and jump in and the open door yeah exactly
and then you close the door afterwards, yeah.
Yeah, that's right.
Well, it's only polite.
But, oh, God, disappointing.
Where's the chase?
They should have people running along the top of the carriages,
ducking as bridges go past and as the LAPD or the transport police
are shooting at them to keep them off.
This isn't a story. This is a disappointment.
This is just super low hanging fruit.
This is.
No physical security.
This is not low hanging. This is falling onto the floor.
This is almost like a honeypot, isn't it?
Yeah. Yeah. You know, this is the perfect analogy for how security
works there in real life. People often think, who don't work in the industry, that...
You mean bait and switch?
No, it's like, oh, you know, to hack into something you have to do this, you have
to do that, whereas in reality you just, you know, run a few commands and send a few phishing emails or what have you.
Or phone someone up and saying,
hi, my name is Bobby McPassword from the password office.
Yes, exactly.
Can you tell me what your password is?
Yes, yes.
I'm the wallet inspector.
Yeah.
And it reminds me actually of this.
An old colleague of mine tells me that he was working
and in the lobby of one of the buildings,
they had like a kiosk machine for which,
I don't know what it was for staff to check in or whatever
or see something.
And one of the internal red teamers,
he was asked to do a pen test on it.
So he was like, okay.
So he walked in.
The cabinet was open from,
well, it wasn't locked properly or something.
So he just like opened it from the back,
picked up the computer and walked out with it.
And he goes, that was the easiest assessment I ever done.
Oh dear.
It'll be interesting to see how much this Union Pacific freight train
has spent on, like, cyber controls.
I bet they've got, like, state-of-the-art DLP
and, you know, next-gen AI sort of endpoint detection.
Yeah.
Yeah, the entire stock, which is physical,
just sits unguarded in the middle of nowhere.
I know. I know.
I know.
Next week, I'm hoping we can find some highway robberies like stagecoach robberies.
What, those buses that go on the motorway?
Yeah, exactly.
Exactly.
Or as they sometimes call megabus these days.
Megabus.
The one-pound megabus.
No point in robbing them.
They're all poor people.
Those are the buses with a picture of Dara O'Brien on the back.
Yes.
Yeah.
Billy Big Balls of the Week.
Attention.
This is a message for all other InfoSec podcasts.
Busted.
We caught you listening again.
This is the Host Unknown podcast.
Andy, do you know what part of the day we might be in at the moment?
Let me just check the clock.
Oh, it's that time.
It's that time of the show where we head over to our news sources
over the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry News.
European regulators hand out 1.1 billion euros in GDPR fines.
Industry news.
NCA.
Kids as young as nine have launched DDoS attacks.
Industry news.
Government to regulate crypto advertising in new crackdown.
Industry news.
Man charged with smuggling tech exports to Iran.
Industry news.
Researchers hack Olympic Games app.
Industry news.
Red Cross supply chain data breach hits 500,000 people.
Industry news.
11 arrested in bust of prolific Nigerian BEC gang.
Industry news.
Twitter mentions more effective than CVSS at reducing exploitability.
Industry news.
Biden signs memo to boost national cyber security.
Industry news.
And that was this week's...
Industry news.
Whilst huge if true is that Twitter mentions more effective than CVSS at reducing exploitability.
Is that to do with that story we did last week? No, it's not. But this is really interesting because
I'm just looking at it. It's Kenna Security, done some research, and they say that if you monitor
Twitter mentions of vulnerabilities, it might be twice as
effective as CVSS scores at keeping or helping organizations prioritize which bugs to
patch first. So I'm... so hear me out. Startup idea, guys. Okay, as soon as Jav says hear me out, we're
going on some crazy journey. No, no, no. We monitor Twitter for mentions.
See, last week's plan about the phone call to phone you up
when there's a thing was flawed because it relied on volunteers.
We're going to pay now.
We don't.
No, no, no.
We just monitor Twitter.
We find the mentions, and anyone that has over X number of mentions
automatically gets converted into voice and phones up someone and tells them.
Now, can we do all of this with free services?
Of course we can.
Just don't use the developer that's going to change his code afterwards
and screw us over, you know, the one we spoke about last week.
Just don't use any of his open source stuff.
There's plenty of open source stuff.
I'm confident this time next year we can be a unicorn startup
in our own right.
Okay, right behind you, Jav.
Who are we going to get to code this? I can do that. Haven't you seen? I've coded my own, a couple of years
back. You're gonna use that tool which does the, uh, If This Then That, aren't
you? Yeah, it's called If This, Then That. That's the one.
That's apparently the new Python.
So it's like, you know.
And if you embed enough of those statements within each other,
you can actually call it AI.
Intellectual property.
AI, IP, whatever.
It doesn't matter.
It doesn't matter. It doesn't matter.
The other one that caught my eye,
kids as young as nine have launched DDoS attacks.
Well, that's given what you can download,
well, even from just the web, let alone the dark web,
given what you can download,
it's actually not difficult to launch a DDoS attack, is it?
Yeah, I guess it's just the accessibility.
Because when I was nine years old,
I was probably playing Super Mario Brothers or whatever
and discovering hidden worlds beyond level four
where you jump over the wall instead of jumping on the flag.
Jet Set Willy and Manic Miner for me.
I guess it's just the modern-day equivalent of that, right?
Here's something that's easy to replicate and mimic
and share with your friends.
They're basically scrumping apples in the 2020s.
Yeah.
See, scrumping apples is something I've heard about, but it's not.
Yeah.
Yeah, weird thing, scrumping apples.
It basically means stealing apples from somebody else's tree.
Yeah.
Because it's kids, it's cheeky.
Nothing else.
Rather than theft.
So, yeah, in fact, my neighbour,
they've got an apple tree that drops apples into my garden.
I toss them back over.
Oh, no, you should eat them, mate.
You should take them.
They're all bruised and battered.
If the branches are hanging over into your garden, then you are actually allowed to take the fruit.
Yeah, so I won't go into it, but it's kind of funny. So I've got like a tree that goes under their tree. So they're both kind of overlapping on our shared hedge.
So it's, yeah, it's a long story.
Anyway, the story I was interested in,
this Red Cross supply chain data breach
where they're saying that 515,000 highly vulnerable victims
have had their data stolen from a Swiss contractor
that stores data on behalf of Red Cross.
And it was more the response that the Red Cross came up with to this.
They're basically pleading with the hackers not to release it
because it is vulnerable people.
And I'm not sure whether that is, judging by, you know, what's happened
to healthcare industries and things like that in the past.
I'm not sure that the hackers are going to honor,
you know,
those requests.
Yeah.
It's an interesting one,
isn't it?
Cause you,
you know,
it depends how you view criminality in a sense,
doesn't it?
Cause if,
if,
if you're a criminal,
because basically you've been a vulnerable person,
it's the only way you've been able to live, et cetera.
And then things escalate obviously, or whether it's just, you know,
hardened career criminals. Yeah.
Just wonder which way, um, which way they're going to go.
Cause they've said, Oh, we're not going to attack hospitals.
And then hospitals have been attacked, so, yeah, I don't know.
It's a tricky one.
It is.
I mean, what you just hope it's not some nation-state sponsored one
where, like, some dictatorial regime is like,
I want you to hack into that, you'll be able to find all these people
who are dissidents.
Dissidents in our country.
Yeah, exactly, exactly.
I mean, I think actually the Red Cross are probably,
I'm hoping they're doing like a multi-pronged response,
if you see what I mean.
They're not just saying, oh, please don't share it.
They're taking other courses of action as well.
But I can't think of a better one for them to take,
literally appealing to their better nature.
But it's a risky strategy.
It is, but I don't know. I mean, this sort of thing, it reminds me, I think Rowena Fielding, friend of the show, she said it's like
we need to appreciate now, when we do cybersecurity in a lot of places,
we're not protecting data, we're protecting people.
The data is irrelevant.
And this is a clear example of that.
It's like, you know, the data, it's not really data that we're protecting,
it's the people behind the data that we really are trying to protect.
But then ultimately, we're really protecting the company behind the people.
Because the company doesn't want to be sued.
The true capitalist company man, Andrew Agnes.
Thank you very much, gentlemen. That was this week's...
Industry News. It doesn't matter if the judges were drinking
Host Unknown was still awarded
Europe's most entertaining content status
We're going to have to see if we can renew that this year
Yeah, who do we have to pay?
Yeah, I can't remember
Let's check the bank account from last year
You keep the receipts?
Yes.
Do you also have a blue dress in your cupboard, Tom?
Might do. What?
Right, let's move on to this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this is one which I have got,
and it is from someone called Minority InfoSec Professionals on Twitter.
And it's one that I didn't originally want to get into,
but then the more I looked at it, the more it kind of wound me up.
I don't know how you're judging this, right?
Coolest careers in cyber.
And the tweet goes on to say, here are some cybersecurity careers for those whom are interested.
Whom?
Did you say whom?
It says whom.
I'm reading verbatim.
OK.
Sick.
So they're English?
Yes.
So it is ultimately a poster from SANS, right?
And we know how these kind of cybersecurity careers thing comes out.
I think ISC2 squared have their own posters about, you know,
which jobs are in demand and ISACA do their own jobs in demand.
And it's all ironically based on courses which they can support you with
in order to get qualified.
But what made me interested with this one is it claims that the coolest careers
in cyber based on the most in-demand job by employers.
And this is from 2021. And it shows the top 20 jobs.
And had I been asked what were the top most in-demand jobs in security,
I think I would have probably guessed maybe three out of this top 20.
Oh.
You know, so I won't read out all 20, but links in the show notes. But
job number one, threat hunter, straight in there. Job number two, red team. Job number three,
digital forensic analyst. Job number four, purple team. Job number five, malware analyst.
And I think out of all of those, only Red Team would have been one I guessed from that.
But all of the jobs are technical.
Well, except maybe number six, CISO, number 15, security awareness officer.
But then other than that, everything else is technical, which is, I mean, sheer coincidence that SANS offer a lot of technical courses,
you know, which tend to be on the upper end of the scale for costs versus their non-technical courses. But yeah, I don't
know, take it with a pinch of salt, I guess, is where I'm going with this one, because none of these jobs
here, you know, have a module on PowerPoint or Word reports, which I think, you know, the more time you spend in cybersecurity,
the more time you'll spend with Microsoft Office.
Yeah, it's a weird one.
It's self-serving, but I just really find it weird that how they say
just because there's more of these jobs out there,
that makes it a coolest career. No, it just means it's the most available career, the most
underskilled area. It doesn't necessarily make it cool. Or people want to be seen to be hiring
in that area. Exactly. Yeah, yeah, that's it. I think it's a title that came up before they
actually looked into the jobs themselves. They wanted something, some alliteration, coolest careers in cyber.
Yeah.
Yeah.
I mean, how many companies do you think are hiring for a purple teamer?
I don't know.
Yeah.
I mean, it's very specific.
Yeah.
It's very specific.
And, you know, to get to purple team
you're assuming you already have your red team
and your blue team sorted
it's a very mature
sort of area to be going into
well maybe that's what makes it cool
you know if
you're at the top of your game as a result
but are they really the most
in demand by employers
which is what the top of the post implies?
Well, that's a criteria in and of itself.
Why is it cool if it's in demand?
Again, you know, so it's very odd.
Yeah.
So the last one, number 20, is a media exploitation analyst.
Joe, I thought that's exactly what you guys did.
But then I realised it's not actually that type of media.
I think they're actually talking
about, you know, forensic media as in, you know, peripherals. And so number three on the list is
digital forensic analysts, and I'm not sure what the difference between the two is.
We're just so out of touch here. Is it us who are out of touch? No, it's the industry who's out of
touch. Tell me CISOs are in there somewhere.
Number six, you'll find that CISOs are in demand.
Yeah, good.
But I think that's the only non, yeah, other than the ISO,
you know, up at number 15.
I think everything else is pretty much a, you know,
a strong technical background required.
Which in itself is very unbalanced, right?
I mean, what's cooler than being an internal auditor?
Oh, don't get me started on internal auditors.
Not enough time.
Internal affairs.
Yeah.
Oh, brilliant.
Excellent.
Thank you very much, Andy, for this week's Tweet of the Week.
Well, we come crashing and banging and landing like an eagle towards the end of the show.
I hope you enjoyed yourselves. Gentlemen, thank you so much for your time.
What are our plans for the weekend?
I'm going to go up into the loft and I need to do a sweep up.
So issue with cluster flies.
A couple of weeks ago when I was up there in the loft, I realized that some cluster flies had set up in the corner.
If you don't know what they are, you can Google them.
Cluster flies, loft. I ended up getting... this is a really uninteresting story. I ended up getting
like these smoke bomb things that you let off in the loft. And can you also use them when you
want to leave a conversation quickly? Yeah. And along with all this, I ended up buying a Eufy vacuum
cleaner, which is like a handheld turbo vacuum
cleaner, way more expensive than it should be, so I can clean up the remnants this weekend.
So yeah, my weekend's sorted. What are you guys up to? When you said I'm going to go up into the loft,
it's like, okay. And thank you very much, Jav. What about... I'm not going to go into the garage yet because the... No, I'm not.
No, Andy sucked all the life out of me and enthusiasm.
Talking about his trees, his loft.
Stop talking about last weekend
when he sucked all the enthusiasm out of you.
Anyway, gentlemen,
thank you so much, Jeff.
Thank you very much for the show.
You're welcome.
And Andy, thank you very much.
Stay secure, my friends.
Stay secure.
You've been listening to
The Host Unknown Podcast.
If you enjoyed what you heard,
comment and subscribe.
If you hated it, please
leave your best insults on our Reddit channel.
Oh no, Meatloaf died.
He was fantastic in the Rocky Horror Picture Show.
And even better in Fight Club.
And that's pretty much the highlight of his career.
More than you've done, Tom.
Well, I'm not an international rock star, am I?
Well, technically, actually, I think if you look at the YouTube videos
and where they've been viewed from,
I guess it is more gangster rap than...
Yeah, that's me down to a T.