The Host Unknown Podcast - Episode 95 - Dammit He Came Back
Episode Date: March 4, 2022

This Week in InfoSec (08:37)
With content liberated from the "today in infosec" Twitter account and further afield

7th March 1997: During a hearing on Microsoft's alleged antitrust activities, Bill Gates admits Microsoft's contracts bar Internet content providers from promoting Netscape's browser. Eventually, Internet Explorer dominates the web browser market as it is shipped for free with every copy of Windows.

3rd March 2009: "You may be wondering why I've turned myself into a zombie. Well, it's in honour of National Zombie Awareness Week in Australia, which is highlighting the problem of compromised computers (known as bots or zombies). Zombie computers can be invisibly controlled by criminal hackers to launch distributed denial-of-service attacks, spread spam messages or steal confidential information."

Rant of the Week (15:36)
The zero-password future can't come soon enough
SpyCloud highlights poor password hygiene of consumers and the threat to enterprises. Passwords, long a weakness in the tapestry of defences designed to keep enterprises and individuals more secure, continue to be a problem due in large part to the same issue that has haunted them for years: the users themselves.

Billy Big Balls of the Week (27:41)
Russian Company Outsourced The Main Components In EV Chargers To A Ukrainian Company, Hilarity Ensues
The electric car chargers along one of the most important freeways in Russia are all down Monday after the Ukrainian company tasked with building the main components in the chargers used backdoor access to hack them, shut them down, and program anti-Putin/pro-Ukrainian messages to scroll past on their screens. The outage affects chargers along the M11 motorway, which connects Moscow to St. Petersburg. The Russian energy company Rosseti confirmed the hack in a post on the company's Facebook.

Industry News (33:52)
Ukraine Asks for Hackers' Help
Russian TV Stations Hacked
Conti Encrypts Karma Ransom Note in Same Victim Network
Apple and Google Turn Off Map Features to Help Ukraine
NIST Seeks Cybersecurity Framework Feedback
Nvidia Admits Hackers Stole Employee and Internal Data
Russia Denies Satellite Hacking and Warns of Wider War
Swiss Bank Requests Destruction of Documents
Vulnerability Exploit Attempts Surge Tenfold Against Ukrainian Websites

Tweet of the Week (40:40)
https://twitter.com/gyarbij/status/1499289498005422083

Come on! Like and bloody well subscribe!
Transcript
To be honest, Jav, we just weren't expecting you back this...
Why not? Why not?
I need to literally change all the stories because it was just for me and Tom this week.
So if you give me just another two minutes, I will reassign the stories.
I love the commitment. I love the faith you have in me.
Well, pretty much what we think of you as well, to be honest.
And also, Jav, if you could just address the complaint that was delivered to us last week
as well.
Well, I've been gone for two weeks and you start getting complaints.
What is the matter with you for people?
See, it just goes to show I'm the moral compass of the show.
I'm around and I make sure things stay on track and, you know, you don't offend people
needlessly.
Well, I also don't know what it says about our listeners, because we also got a 12 increase. 12 is probably regulators and, like, you know, watchdog bodies signing in to see what crap you've been talking about in my absence.
Hey, a listener's a listener.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us, and welcome to the Host Unknown Podcast. We don't care where you're listening from or who you might be, although Jav does, apparently.
So, yes, ignore what Jav says.
Obviously, he's very insulting.
Jav, how are you?
Good, and I'd just like to say that anything self-incriminatory said on this podcast...
Backpedal, backpedal.
He just said in jest.
So, lawyers, please stand down.
Nothing to see. Or what is it? I do not consent to the federal agents listening to this podcast. So
please switch off now. I consent to them. We need everyone we can get.
Oh dear. No, I'm good. I'm glad to be back. It was a lovely two-week break that I had, yeah, in foreign lands, and I was completely off social media. So it was actually not until the flight back, where we were told we're going to take an extra three hours to reach London because we're avoiding Ukraine, that I was like, what's going on there? So detached.
Don't mention the Ukraine or Russia or anything. That's where the complaint came from.
So, yeah, if you do happen to be listening this week, Mr. Complainer,
I don't think we were taking the side of Mr. Putin.
And I think what Andy said about, you know, Russia today,
that was a joke.
So, yeah, yeah.
All I'm saying, we're not taking sides.
It's too early to say who's in the right, who's in the wrong.
All right, all right, Mr. Complainer.
Edit that, edit that.
Just start drafting it now.
Just start drafting it.
Andy, how are you?
How many fares have you poked this week?
I'm good, thank you.
I can't complain. It's been a busy week.
Yeah, obviously this whole conflict is causing all kinds of chaos.
I think anyone that works in the financial sector has been receiving updates from regulators
asking that they ensure they have their shields up and very specific vulnerabilities.
Is that GRC shields up?
Yes, good old, what's his name?
Gibson.
Gibson Research, yes.
Gibson is back.
Like all this time, they called him out of retirement and he'd be like,
boys.
They called him a madman at the time.
Yeah.
Boys, switch on the old web server.
It's time to put it back online.
Yeah, they're asking all the government agencies, asking us to go to this website and press, you know, scan me now, and if anything's showing, then to address that. These are financial industry, you know, government websites, not Russian ones.
Yeah, so it's GRC.ru, right?
That's the one.
Yeah, yeah.
And the Java and ActiveX stuff you need to install,
that's all standard stuff.
And Silverlight.
It's a Silverlight.
Teams as well.
Teams Viewer.
Teams Viewer.
That's right.
It's the new name for Microsoft Teams.
Yes.
But no, I've done all of that, and we're good, apparently.
We've got a nice green shield.
Actually, it's a red shield.
I've got a big shape of a hammer and sickle type thing.
And you have patriotic music playing in the background.
Yeah, it reminds me of that Tetris theme tune.
I've had that in my head always.
But anyway, how's your week been?
Good. I saw Jav this week.
He is alive.
He actually is back in the country.
So this is the message you sent.
When was the last time I saw you, Jav?
That was your message.
It wasn't like, when was the last time you saw me?
You put it on me. When was the last time?
Yeah, that's right.
And then when you sent the photo of
you, me, and pretend Jav,
it was like, oh yeah, I'd forgotten about that.
That wasn't Jav.
Yeah.
That was the week when the announcement came out: in today's performance, the role of Javad will be played by...
Yeah, yeah, yeah. But that was really good. So Tom and I were at the Cloud and Security Expo, Data Centre Expo, whatever it was called, I don't know. There's basically three or four conferences all in one. But it was the first live event I'd been to in, like, two years.
It was quite exhausting.
And his speaking session showed it.
Oh, no.
Let's not even go there, okay?
Let's just move swiftly on because not my...
So how big was the...
How long was the slot you had?
It couldn't have been more than seven and a half minutes
they allocated me.
That's right.
Damn, Jav, you've fallen from the,
I remember you used to headline events.
It's how the mighty have fallen.
I guess you'd lost a lot of ground during the pandemic, right?
When those who are more eager, hungrier than you
have been out there making a name for themselves.
And getting COVID, making a name for themselves.
Yeah, that's right. And then suddenly not being in gainful employment again.
It's all right, it's all right, it's all good. It was a good event. It was lovely to see some people in real life, and it's the first time, I think, Tom, I've seen you in, what, two years? Nearly two years, something like that.
What was funny, I arrived, and not only was Jav's stand opposite my former employer's stand, which was awkward...
Did you go around the corner and text Jav and say, hey, Jav, like, I'm around the back of the stand?
Yeah, yeah, that's right. But yeah, we got there and Jav said, yeah, it's been quite busy. Small, but there's nobody here. It's nobody we know here, just not seeing anybody. Should we grab a coffee? Yeah. Took us half an hour to get to the coffee shop because we kept on bumping into people constantly, literally, and then turn around and there's another one. And then otherwise we literally bumped into, like, six or seven people in the space of, I don't know, 20 metres.
Hallway con.
It's always the busiest part of an event.
Always.
Always, yeah.
Yeah, we held court at the end of the day in Acosta
and were sort of waving at people as they went past.
Best way to do it.
Best way to do it.
It's like, mummy, those two old men are waving at me.
Come along, dear.
Don't worry. Ignore them.
They think they know you.
Oh, dear. So should we talk about actually something slightly more relevant?
And let's see what we get coming up for you today.
So this week in InfoSec talks about zombies of the past.
Rant of the week is a story about a problem as old as old man internet.
And no, it's not about porn.
Billy Big Balls is an unverified story of an Uno reverse manoeuvre.
How the turns have tabled.
Industry News brings the latest and greatest security news stories from around the world.
And Tweet of the Week identifies that type of person.
OK, let's go on to our favourite jingle of the show, the jingle that we like to call...
This week in InfoSec.
It is that part of the show where we're going to take a drive by InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield. And this week is more of the further afield side of that equation, because yet again, Steve has not updated the Today in InfoSec Twitter account.
And we have the...
Does Steve need sponsorship?
Should we sponsor This Week in InfoSec for Steve?
We should.
I mean, all he has to do is just literally repeat stuff
he's posted in previous years, right?
Exactly.
It's not like he even has to find new stuff.
This is when Steve's now going to start feeding fake stories in, like the open source developer, and say, because I don't get paid for this, this is what you get.
A good show, anyway. Our first story takes us back 25 years ago, to the 7th of March 1997, when, during a hearing on Microsoft's alleged antitrust activities,
Bill Gates admits that Microsoft contracts
bar internet content providers from promoting Netscape's browser.
So at this time in 1997,
Internet Explorer went on to dominate the web browser market
purely because it was
shipped for free with every copy of Windows. And as we covered a couple of weeks ago, Microsoft Refund Day came sort of around 15 months after this antitrust case, all down because, you know, the fact they actually admitted that they are just dominating the market, which is language you cannot use these days when you're trying to provide a service.
What I thought was interesting about this was at the time,
and to a certain extent now, I kind of didn't see what the problem was.
This is just bundling extra services and all that sort of thing.
The challenge for me came when, because they were so dominating
in the market, they just didn't bother with Internet Explorer. It just wasn't a very good
browser. And it actually introduced a lot of inherent insecurities into public life as people
were using it instead of better, more secure browsers.
And so as a result, it lowered the level of security across the board.
And that, I think, is the real problem,
not the fact that they happened to have an operating system
that came with a browser bundled.
But did it lower the security across the board?
It was dreadful.
But were other browsers better out of the box?
I don't think security
was the selling point for
browsers back then.
I don't think so.
I think Tom's barking up the wrong tree.
But Firefox
was a much
better browser.
Firefox wasn't around in 97, though, was it?
No.
We needed something that could display the blink tag.
Exactly.
This was when FrontPage was out there for anyone to create a website.
FrontPage was quite handy, it has to be said.
And loading WAV files in the background, so a page took 15 minutes to load, so you can hear...
I was more of a HoTMetaL fan myself, but, you know, okay.
Do you know, I've got a, was it a Zip drive, the Iomega Zip drive, with my first porn collection, yes, and also my first website on there somewhere, written in FrontPage, actually. Do you know, after this I'm going to go to the Wayback Machine and see if I can find my website. Find the GeoCities link.
I don't think the Wayback Machine goes that far.
Yeah, it goes back and then it's got "pre", when Tom were a lad.
Yeah, well, I'm not saying I'm old,
but my website was a microfiche.
Tim Berners-Lee was your only,
it was the only person that visited your website.
Yeah.
Anyway, right.
Our second story will take us back a mere 13 years, to the 3rd of March 2009, when cyber security industry talking head and more than adequate replacement co-host of this show posted and brought to our attention a story which opened with: "You may be wondering why I've turned myself into a zombie. Well, it was in honour of National Zombie Awareness Week in Australia, which was highlighting the problem of compromised computers, also known as bots or zombies." And then he goes on, as he always does, to explain what a zombie computer was and why it's bad. And there was a link to something called National Zombie Awareness Week, which I thought was, you know, a good campaign. But when you click on the link, it's now a dead link these days, unfortunately. So National Zombie Awareness Week is for sale and the domain is available for 2,095 dollars, which is a shame, because I would have loved to have known what they were talking about back then. If you consider what type of security awareness training is out there, what type of things we educate people about, that there was an entire domain dedicated to Zombie Awareness Week back in 2009...
You know, it's funny, when you're talking about, you know, occasional co-host Graham Cluley.
Did he, in his article, did he then go on and explain it in plain English and with a really clever sense of humour and actually make the subject really interesting?
Because I never liked him for that.
Yes. And obviously he always, you know, chucks in whichever antivirus vendor's paying for him at the time as well.
Yeah, he's a proper mercenary. See, we wouldn't sell out like that, would we?
No, never, never.
No, absolutely not. We would never sell out, because, you know, selling out like that would, you know, it's like not having Symantec antivirus installed on your machine. It's just something you would never consider, not having industry-leading-edge next-gen endpoint protection with EDR capabilities from CrowdStrike.
Yeah. Anyway, thank you, Andy. That was this week's...
This week in InfoServe.
We are officially the most entertaining content amongst our peers.
Yes, we are.
Okay.
I think it's time now for this week's...
Listen up! ...of the week. It sounds a mother rage.
Yes, it is. And it's down to me, as usual, as you can tell. So this week's Rant of the Week is an article where company SpyCloud highlights poor password hygiene of consumers and the threats to the enterprise.
So as we well know, passwords have long been a weakness in all of security online, basically.
It's the one thing that seems to have stood the test of time, even despite the fact they should have been killed with fire a long, long time ago.
But really, again, the findings here are quite interesting. ...sophistication of bad actors and headlines surrounding cyber attacks, many users unsurprisingly continue to use poor hygiene when it comes to passwords, including the same or similar. Two-thirds of passwords that have been breached in previous years are still in use. So, you know, that password123, that qwerty, that whatever you like to call it, name of your dog plus the date that you had your first kiss.
I think it was, what was it, Gypsy89, I think it was.
So you kissed your dog in 89.
That's right.
But the rant here is not aimed at the end user, for me. This is not aimed at people using, you know, bad passwords and repeating passwords and all that sort of thing. This rant is twofold. Surely either we do away with passwords entirely and come up with something a whole lot better, and there's various different organisations out there that are pushing it. So I
even saw one a few years ago that used the rhythm of your heart. And no, that's not a song. It's
actually the rhythm of your heart to unlock your devices. And it wasn't just the beat. It was the
underlying electrical signals and all that sort of thing,
which I thought was quite fascinating.
People might have trouble logging into their Pornhub accounts, of course,
but during that point.
So if I run downstairs to grab a drink between video calls
and then come running back upstairs and my heart is going,
Jesus, son, you're running too fast.
That's not the type of exercise you're used to.
How long do I have to wait before I can log on to my machine?
Well, that's the clever part is because it's not about your heart rate.
It's about the underlying electrical signals from your heart,
which are apparently like a fingerprint.
Obviously, of course, you'd have had to carry the ECG machine down with you
and around.
But in print, the principle is sound.
But the rant here is twofold.
One, companies who are insisting on using passwords are not checking that what's being put in is a bad password.
Two, are not allowing things like, in many cases, cut and paste of passwords from password managers, you know, and things like that. And, or even encouraging poor passwords, because the maximum length of a password you can put in is eight characters and you can't use any special characters and things like that. So it is utterly unsurprising to me that this is a continued problem when lazy and poor programming and lax attitudes to the embedding of a password system into any kind of website that you visit is done so poorly.
It's done really, absolutely poorly.
You know, friends of the show, Troy Hunt, he's got his, you know,
have I been pwned and his password checker.
And, you know, one of the ways that he pays for that service is that he gets money in by allowing companies
to connect to his database of passwords.
And if somebody tries to use a password, they might, you know,
in all genuine unawareness, be typing in a password that someone
somewhere has had breached and is in a rainbow table somewhere.
Well, it will actually check against that and stop them from doing it in the first place.
So, yeah, really, really frustrating, I find this.
Microsoft have just recently, I think, were the first ones
who said that passwords should be dropped
and that using biometric and eye scans and all that sort of stuff.
And they're actually making big moves to this.
And in fact, if you were to buy a Microsoft device today,
after you've initially created your accounts
and all that sort of thing,
it will use the, I think, the Hello camera
to log you in every single time,
even after a fresh reboot.
Dare I say, even Apple devices don't know that.
You always have to initially, after a restart,
type in your full password before you can use the fingerprint reader.
So it's, yeah, really frustrating.
I used to laugh at all the old men in Infosec who used to complain about,
you know, passwords should be dead a long time ago.
And now, unsurprisingly, I have become said old man.
Yes. I think, to be fair, you became the old man before the password issue.
Yes. That aside.
So I agree with everything you say, like in terms of what is good, what isn't good, bad practice. However, I am someone who will, especially if it's a website I do not trust, I will use a crap password like password one, because they're not checking it. So Channel 4, you know, ITV, any of these sort of TV stations that need me to register to watch something free online, why would I go through the effort of putting in a, you know, a complex password? Because I don't trust their security. So I think that's going to be leaked anyway, right? So unique passwords for every site. Okay, right, I get that. However, we tell people passwords are not the solution, right? Use a KeePass manager, copy and paste. However, to access your KeePass manager, you have to put a password in.
You have to put in a password, yeah.
We're saying, right, passwords are insecure, you know, you need to do this, you need to buy our product. Oh yeah, secured with the password. Yeah, right.
So totally agree, totally. Hardware keys have it, you know, like a YubiKey or something like that.
Oh yeah, in your pocket would be a... That was the future about 10 years ago, wasn't it?
Yeah, I've got like seven of them.
They were giving away a B-Sides London that year,
isn't it?
Well, I bought the new ones, you know,
the mini USB ones and the nano USB-C ones.
And they're really good because, you know,
as a second factor of authentication,
but they haven't replaced, you know, anything.
And they're not as widely adopted as they should be.
No.
It's like, you know,
passwords are like the politics and religion of cyber security.
Yeah, you're always gonna mention it.
Yeah, it's better off, because whatever you say, you're going to be wrong.
And, well, Tom, you're always wrong in many cases anyway.
Well, in your eyes. Actually, Azure, I think Microsoft with their Azure, they started doing the checking your passwords against breached, known breached passwords or something, and stopped you from using that or asking you to change it
when it was in a breach. But I think with the passwordless push, the thing is that it's easy
for someone like Microsoft to implement something like that. For a lot of companies, it's just the cost of doing it at the moment
and the complexity is high.
And then also the big problem with all of these alternative methods
is kind of like to your point, is what happens when you forget
or lose your token or your device isn't there?
How do you then authenticate?
It's gone.
It's gone.
It's either gone or, well, the backup process is you use a password
or you send a...
But there's loads of different ways of authenticating.
People emailing magic links and all that sort of stuff.
There's different ways.
And also you say the cost of implementing good password hygiene
or whatever is prohibitive.
It's not.
It is not prohibitive.
What they should do is fire
their shitty fucking
developers and put ones in that
actually know what they're doing.
Well, you say the cost
is not prohibitive.
Why are people still
doing it?
How do we know? The fact that we
already know all these passwords, right?
So we can say, oh, this site was breached.
This is a list of their passwords.
We should not be able to decrypt those passwords.
No, exactly.
It's by bad developers.
Bad developer, in your box.
In your box.
Get back.
But the thing is, and we can see this challenge as insiders.
We can see this challenge as insiders.
The average person on the street, the average man on the Clapham omnibus,
has got no idea about any of this.
They're just like, oh, this is a secure password because I put a star and an exclamation mark
and I've got a capital letter at the beginning.
That's not in the slightest.
Oh, I've replaced all the all the numbers
with letters that you know that's already been worked out already the fact is that the systems
and the people who are building these environments are not changing their behaviors at all not
changing the way that they are coding these systems. And then they're saying, oh, you know, we've had a password breach
because you use such a shitty password.
It's absurd.
There's no incentive for anyone, really.
It's like as an end user, so many people have received notifications
your password was breached.
But, you know, what's been the direct impact?
For most people, none. You know, or if there is, that it's been in such a way that they haven't been able to tie it back to it.
Yeah, well, it's low risk but high impact. When it does happen, it really screws up your life, because it's used, you know, across a variety of different accounts and used for, you know, some privilege escalation. And before you know it, you've been Tinder Swindlers and you're in for 250,000 pounds.
Yeah. I mean, I don't disagree with it. I don't disagree with the sentiment.
I just think you're taking a very simplistic view to life.
And it's a rant. This is why you're an ex-fever. It's a rant. We don't do this show for logic. We did this show because we had nothing to do during a pandemic, and now we're struggling to do this show. So you think logic applies?
We started this show long before the pandemic.
Yes, we did.
Many years before the pandemic.
2015, Thomas.
It's actually during the pandemic that, Tom,
you finally got your finger out.
You mean I finally managed to work out...
To publish it.
The technology caught up such that we could do it
in almost real time.
Yes.
Anyway,
anyway,
bug you all,
that was this week's Rant of the Week.
The host unknown podcast
orally delivering
the warm and fuzzy feeling
you get
when you pee yourself.
Right, Jav,
let's see you do better
with this week's...
You know, I just... The thing that I miss the most about being on this podcast
for the last two weeks is just being able to disagree with Tom
just for the sake of disagreeing.
It's like, Tom breathes.
Well, actually, I don't think breathing is that essential, Tom.
Do you know what?
You know, it doesn't feel like a proper week if I haven't,
if you haven't just bluntly disagreed with whatever I've said.
I've missed you, Jav.
What can I say?
I've missed you in the last couple of weeks.
Well, I'm not in agreement with that.
In your eyes, you think it's wet.
No, water isn't wet.
It isn't.
It isn't.
Water's not wet.
When you put an object into water and take it out,
that object is then wet.
Oh, man.
Yeah, we best move on. This is what happens when you have, you know, a teenage son who likes logic problems.
Yeah, okay. So Billy Big Balls move of the week is brought to you from our good friends over in Ukraine. And it's...
Hey, for balance, we've also got good friends
in Russia. We don't want any more complaints.
Yes, yes, yes, yes. Of course we do.
Hi, Liron.
Hope you're well. Anyway...
He's not in Australia.
He's in Australia, actually.
But, you know, if you...
Is he really? Is Leron in Australia?
He is, yeah. He moved there a few months ago, I thought.
Anyway.
He didn't tell me.
I only know because I saw it on LinkedIn
and he was posing with a kangaroo, as you do,
when you go down under.
That's no way to talk about his new wife.
Yeah, I better hop to it.
Anyway.
Definitely move this one on.
Moving on.
Moving on.
If you're a country and say you might think in the future,
hey, I might invade the other country,
what's one thing you probably don't want to do?
Tell them.
There's telling them, and you probably don't want to outsource any components to them or have them in your supply chain, because then you're literally shooting yourself in the foot. Which is what... chargers to a Ukrainian company. And as a result, as it does, whenever you outsource anything to a company, they often leave in an admin backdoor to help you troubleshoot things when things go wrong and what have you. So there's remote support, all that kind of stuff, you know, it's all part of the SLA of, you know, five nines uptime. So there's a massive motorway in Russia, the M11, along which there's many of these EV chargers there to help charge their Russian version of Teslas, wherever they are. But yeah...
It's just pronounced Tesla. Tesla.
The Russian, the Ukrainian company, they decided to brick the devices so that no one could use them to charge their cars, and also on the screen there were some anti-Putin, pro-Ukrainian messages that were scrolling on it.
So can I just make a point of order here?
Go on.
You're away for two weeks and then you come back with a story that you stole from another podcast.
I didn't steal anything from nobody. How dare you, good sir. Admittedly, that other podcast series also steals from us.
Oh, them. Oh dear, oh dear.
Well, look, there's only so many stories in a week and there's only so many podcasts.
This is true.
Anyway, so what this got me thinking of, actually, it's a Billy Big Balls move on behalf of Ukraine,
because, you know, who doesn't want to support the underdog in this scenario?
But then it got me thinking, like, how many things do we buy from countries like China or specifically the US?
How many things do they buy from China that is electronic in nature?
And what if there was some sort of like, oh, we don't like you anymore.
Here's some sanctions on you, China.
What could they do to all of those devices?
So it pretty much turned most of mainline Northern America to an Amish community overnight.
Pretty much what I was thinking. So I think it's a Billy Big Balls move, but it also highlights the irresponsible underbelly of many flaws that we have in the supply chain. So if you want to set up a supply chain or a third party auditing firm, I think now's a really good time and you have the marketing all done for you. ...your analytics space. I think this story alone can help you really inject, you know, many, many rounds of VC money into your business. So go for it, people.
Very good.
Billy Big Balls of the Week.
it doesn't matter if the judges were drinking.
Host Unknown was still awarded Europe's most entertaining content status.
Now, Andy, if you were to look out of your window right now,
presumably you can see the sky, yeah?
I can.
And do you know what?
I have the ability to tell the time based on the placement of the sun.
Can you? So what time is it?
Give me two seconds. Let me just stick my head out. It's a cloudy day.
I can just about make out the position of the sun, which means it is that time of the show
where we head over to our news sources over the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Ukraine asks for hackers' help.
Industry News.
Russian TV stations hacked.
Industry News.
Conti encrypts Karma ransom note in same victim network.
Industry news.
Apple and Google turn off map features to help Ukraine.
Industry news.
NIST seeks cybersecurity framework feedback.
Industry news.
NVIDIA admits hacker stole employee and internal data.
Industry News.
Russia denies satellite hacking and warns of wider war.
Industry News.
Swiss bank requests destruction of documents.
Industry News.
Vulnerability exploit attempts surge tenfold against Ukrainian websites.
Industry News.
And that was this week's...
Industry News.
Wow. Huge, if true.
Huge.
A lot going on over in Eastern Europe.
There's a theme across many of these.
Do you know what? We actually cut out a lot of stories from this week.
It was difficult to avoid that one.
The one that caught my eye, NIST seeks cybersecurity framework feedback.
Make it smaller.
Make it less complicated. There you go. But this is only, like, you know, 400 pages though, right? It's quite digestible and easy to read.
Yeah, digestible by a shredder.
There's a mnemonic around it where you can just remember everything, right?
Yeah. The story which caught my eye, because I instantly thought, you know, that Spider-Man meme where there's like two Spider-Men pointing at each other...
Yeah, yeah.
It's the Conti encrypts Karma ransom note in the same victim network. And this is a story about an unnamed Canadian healthcare organization which was struck by both Conti and Karma ransomware.
Oh, my God.
Yeah, so whilst the Karma people stole the data,
they didn't encrypt it because they said,
hey, you're a healthcare provider, we're just going to steal the data.
Conti had absolutely no issues with that.
They're like, well, we're here, we're just going to encrypt everything,
so give us some money.
Oh, my God.
Yeah, within the same week, hit by two different groups. So, yeah, data's gone out the door with one company and been encrypted by another. Talk about bad week, right?
Oh, dear. Oh, no.
I like this story by Swiss Credit Suisse.
they request destruction of fucking...
Just looking at that.
They're doing an Enron, aren't they?
Yeah, that's like when someone sends you an email
and then there's an email recall notification.
You just like, no, not hitting that recall.
Let's just see what they said.
But I use that.
If I want someone to read a message, I will recall it shortly afterwards and then just resend it.
I used to have this system in place a few years back because, and I didn't do this regularly, I think it happened like two or three times, whenever I sent something to entirely the wrong people. Like, you know, here's this year's sort of salary increases.
Oh, God, I've sent it to the person whose salary increase
we're discussing, that sort of thing.
I had this really good system in place where basically
I just call up George, the exchange admin.
George, fix it.
Go into their mailbox and remove it.
And that's exactly why your mail admins know exactly how much you're paid.
Yeah, I've been uncomfortable with that. Happened before. One of the guys accidentally sent the whole company's pay rise. He's supposed to send it to the CEO but somehow sent it to the office, and so everyone had a copy. But this was before, you know, BlackBerrys were widespread.
Yeah, yeah. So late night call saying, hey, you need to delete all of this information from everyone's mailbox. What, this information, with this spreadsheet? Let me just confirm it's the right spreadsheet. I'm going to open it, look at it. Yeah, yeah, I'm just going to confirm it's all right. I'm going to open it up and read out the first few lines to you. Make sure I'm doing the right one.
Yeah.
Yeah, yeah.
Proposed salary increases.xls.
Yeah, or even worse, layoffs.
Oh, dear.
There's a lot of stuff here, you know, of companies,
either, you know, Russian companies either being hacked
or Russia having their stuff turned off.
So Apple and Google here, one we didn't cover.
Pornhub have stopped their service from being available in Russia.
Yeah, that's like bombing hospitals, right? You just shouldn't do it.
There's rules to war.
That's going to
go down as a
war crime in and of itself.
Man's got to relax.
I think the UN is updating
their human rights charter as we speak.
Exactly. Yeah. If you're thinking
Putin's looking a little bit more stressed than normal,
now we know why.
Oh, dear.
Oh, brilliant.
Brilliant.
Those were good stories.
And that was this week's...
Industry News.
You're listening to the award-winning
Host Unknown podcast.
Officially more entertaining
than Smashing Security.
In your face!
We are colliding to the
back end of the show, so let's go
to our second favourite part of the
show, the part of the show that we let's call...
Tweet of the Week. And we always play that one twice. Tweet of the Week. You can tell which is Tom's favourite jingle, can't you?
Yeah, yeah.
Anyway, so this week just reminds me of the sounds I hear as I walk past building sites in my best clothes. Tweet of the Week. This week's Tweet of the Week is, well, it's kind of a two for one.
It's the initial tweet and then a response to it.
So the initial tweet comes from Costas.
And he says, when InfoSec people tell me I'm more active on LinkedIn than Twitter,
I just know the type.
Am I biased? Maybe. But then I open LinkedIn and
think, nah. And I think this is right. And so, you know, there's a certain type of, I guess,
the stuff that always comes up in feeds. I don't know why people like it or, you know, like them
just to boost visibility for everyone else in the network. But those that are just showing off about
their day, you know, like the 2am club, and, you know, most productive work weeks and those type of things. But then there's the other side of LinkedIn, which I liked as well, and this was a reply to that tweet, and it says: sometimes you just feel down in the dumps, you go to LinkedIn, skip home, go straight to messages and read all the love letters from recruiters. And you think, you know what? I'm awesome.
And they're right because you read some of these messages and you think, you know, I am awesome.
But, you know, this guy gets me. This person wants to place me in this job.
They have this opportunity. They think I am perfect for it.
When was the last time I ran a SOC? Probably about 15 years ago.
Yeah, they have just the job for me right now. 24 grand cash. Exactly. Take it or leave it.
I came across your profile, thought you would be perfect for this. But, yeah, no, it's a good little ego boost. I think if you go on to – you've got the two types.
You've got your regular feed where you think,
God, I just cannot relate to these people at all.
And then you go to your messages and you're like, you know what?
There's so many jobs out there.
There are.
There are.
You know, and more than the –
There aren't.
You know.
Oh, that's only if you've been picky, though, Tom.
Come on, let's be honest.
If you were prepared to run a SOC for like 24K,
you'd be placed, you'd have offers coming out your ears.
I'd like to offer my kids joined up meat to eat
on a semi-regular basis.
Yeah.
You know, other than the 2am club,
the other thing that really annoys me in the feed
is when someone says something really, really blatantly obvious,
but they drag it out into a long rant post
and then they just, like, agree, question mark, at the end.
Like, invading Ukraine was wrong.
Yeah.
Exactly.
I think every human should have the right to
clean oxygen and food and education. I know some people will hate me for this, but what do you think? Agree?
I know this isn't the place to post normally, yeah, but, you know, I'm gonna do it. Yeah, I have an issue with children starving around the world.
How many people stand with me?
Yeah.
What, in the queue at McDonald's?
Yeah.
Oh, dear.
Very good.
Thank you, Andy.
Tweet of the Week.
Okay.
Well, we come to the end of the show.
Gentlemen, thank you so much, both.
You are welcome.
Thank you.
Jolly good.
Good to be back.
It is.
It's good to have you back.
Despite what we say, Jav, we could definitely do it without you.
Okay, I won't come next week then.
Let's see how.
Oh, good. Let's see if our numbers boost again. Yeah.
Yeah. With complaints.
My money's on an
8% increase when Jav's
away. What's your money on that, Andy?
I'm actually going to go higher. I think
12 was before. Word's going to get around that
Jav has been off. They'll come back today
and say, oh, balls, he's back. But then they'll
hear us say, he won't be here next week. And so they'll be like, all right, yeah, I'll come
back next week. You're like Bruce
Forsyth, isn't it? Higher than 8%,
higher than 8%, no, lower, lower
than 8%.
Oh, Jav, nice to see you, to see you.
Nice. All right, my loves.
What are the scores on the doors?
Missed doors or whatever it is.
We lost anyone under the age of 42 and who's not in the UK,
but that's how we roll on this podcast.
That was shooting stars as well, not the price is right.
Wow.
Now, shooting stars was with Vic Reeves.
Yeah, George Dawes, scores on the doors.
Oh, yeah, it was, wasn't it?
He probably did it
in a Bruce Forsyth accent.
Anyway, Jav, thank you so much.
Always a pleasure.
Good to have you back
and it was lovely to see you
just a couple of days ago as well.
You're welcome.
And Andy, thank you, sir.
Stay secure, my friends.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash smashing security.
Yeah, no, really, I might not be able to make it next week.
Oh, no, we believed you.
Yeah, there's absolutely no doubt.
If you say you're not going to be here.
Not a problem, mate.
We won't hang around.
Next time, I'm just going to let you know on a Thursday night that I'm not going to be here.
As opposed to the Friday morning.
Yeah, pretty much.
See, we're maturing, giving you more of a heads up.