The Host Unknown Podcast - Episode 99 - Do You Think They Will Notice?
Episode Date: April 1, 2022

This Week in InfoSec (09:55)
With content liberated from the "today in infosec" twitter account and further afield

31st March 1999: The hugely successful motion picture, The Matrix, is released on this day. Many call it a classic (ok, that's me), many call it influential (ok, me again), but no one can deny the impact it had on many aspects of our society, from the emerging tech culture, to the movie industry, to science-fiction, to political thinking.

25th March 2010: Albert Gonzalez was sentenced to 20 years in prison for stealing credit card data from TJX and other companies. He is currently serving his sentence at FMC Lexington, a Kentucky facility for inmates requiring medical or mental health attention.
Sex, Drugs, and the Biggest Cybercrime of All Time

Rant of the Week (19:32)
Yale finance director stole $40m in computers to resell on the sly
A now-former finance director stole tablet computers and other equipment worth $40 million from the Yale University School of Medicine, and resold them for a profit.
https://www.dailymail.co.uk/news/article-10669329/Yale-School-Medicine-employee-stole-40-million-computers-electronics-school.html

Billy Big Balls of the Week (30:30)
Ubiquiti sues Krebs on Security for defamation
Network equipment maker Ubiquiti on Tuesday filed a lawsuit against infosec journalist Brian Krebs, alleging he defamed the company by falsely accusing the firm of covering up a cyber-attack.
On March 30, 2021, Krebs reported that Ubiquiti had disclosed a January breach involving a third-party cloud provider, later revealed to be AWS, and that an unnamed source within the firm had claimed the company was downplaying a catastrophic compromise.

Apple and Meta shared data with hackers pretending to be law enforcement officials
Apple and Meta handed over user data to hackers who faked emergency data request orders typically sent by law enforcement, according to a report by Bloomberg.
The slip-up happened in mid-2021, with both companies falling for the phony requests and providing information about users' IP addresses, phone numbers, and home addresses. Law enforcement officials often request data from social platforms in connection with criminal investigations, allowing them to obtain information about the owner of a specific online account. While these requests require a subpoena or search warrant signed by a judge, emergency data requests don't, and are intended for cases that involve life-threatening situations.

Industry News (37:24)
Dental Practice Fined for Sharing Patient Data on Social Media
Yandex is Sending iOS Users' Data to Russia
Attackers Steal $618m From Crypto Firm
New Research Claims Biden's Disclosure Deadlines Are Unrealistic
NCSC: Time to Rethink Russian Supply Chain Risks
Cyber-attack on California Healthcare Organization
New Version of PCI DSS Designed to Tackle Emerging Payment Threats
No Patch Available Yet for Critical SpringShell Bug
CISA Issues UPS Warning

Tweet of the Week
https://twitter.com/AskAManager/status/1509246642364588040
https://twitter.com/HackingLZ/status/1509529191439425540

Come on! Like and bloody well subscribe!
Transcript
So, I think this episode we should dedicate to Jack Daniel.
Yeah, absolutely. Absolutely. I was, well, I was shocked to read that this week.
I know, it's a terrible, terrible loss to the industry. Massive void, big shoes to fill.
Yeah, exactly.
What?
You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us,
and welcome to episode 99-ish of the Host Unknown Podcast. And, uh, and guys, what the hell did you do
to my podcast last week? Hey, hey, what's all this "my podcast" business? Oh my God, even my mother was
embarrassed by it. Hey, right, you know what, any listener that has a complaint, they can write, we
will double their money back. Whatever they pay for the show,
our Host Unknown listeners' guarantee
will double your money.
Wait, wait, wait.
Wait, wait, wait.
Hold on, Andy.
Apart from that fella
that is not applicable to sponsors, okay?
This is purely listeners.
That's good,
because Mrs. Langford
is one of the earliest or first sponsors.
But I told you, Jav, if we really messed it up,
I told you putting it through that bit rate reductor,
adding all those pauses and stuff,
I told you Tom wouldn't be happy with it
and he'd just take over publishing again.
Exactly.
Good plan, well executed.
If you'll double my money back,
does that mean you'll double the amount of shame I had at listening to it?
I don't think anyone could double the shame you have
when you wake up in the morning and do your daily affirmations.
It was the first one my son listened to
because we listened to it in the car on the way back from London.
And I'm like, oh, my God, this is awful. And given that he's in the
media world, he was just laughing at your skills, is all I can say. Oh dear. Yeah, probably not
the best episode to first start listening. No, no, no. It's, uh... But in all fairness, now his expectations are sufficiently set
that he'll be pleasantly surprised by whatever we come out with after that.
Yeah, we did this for you, Tom.
So now when he listens today after you've edited the show,
he can say, wow, Dad, you're amazing.
You bring so much to the table.
Yeah.
Do you know what?
You know I did some food photography not so long ago. I'm gonna
be doing some more in a couple of weeks, and, um, the person I did it for posted the first, uh, shot
that she edited, um, on Instagram, and, um, you know, tagged me in, and I, I added it to my story and
stuff. I don't know how Instagram works, I just pressed next a lot of times until it worked. But, but anyway, my son replied saying it's amazing what a new camera can do to someone's talent.
Charming. Even threats of, of him not eating, you know, solid food at university did not sway him.
Better like the taste of ramen noodles. Yeah. He said, yeah,
well, he said, I like the taste of yogurt, so it's all right. Yeah. No, my standard response these days
for my kids is, what's that? You don't believe in inheritance? Okay. No, he knows that all his
inheritance is going towards his university fees.
So he's getting it early.
He's catching it in early.
Yeah.
Yeah.
It's a nice thing to do.
Anyway, Jav, how are you?
How are you?
Have you been this week?
I'm very good.
This week, I'm really good.
Ask me next week once it's been a week of Ramadan.
Yeah, maybe next week will be the last show for a little while, eh?
Yeah, take an Easter break.
Yeah, no, it starts tomorrow, I think.
Maybe we should take a Ramadan break, I don't know.
Well, I won't say for the sake of our ratings,
I doubt it's going to make any difference.
Just Andy and my sanity and nothing else. Well, maybe Jav just takes a break.
What, more than what he's done already?
You know what
it's like you're saying that you heard the episode
with your son yesterday, I remember like last year
I was off for one day and I
I went with the wife
Which one?
I went with the wife and it was one of the episodes
you recorded without me.
And so we get back from the beach and we're in the car driving.
I said, oh, they've uploaded it.
So I'll start playing it.
And I had to literally stop the car and pull over because I was laughing so hard at what you guys were saying about me.
And my wife's looking at me with this weird expression, like, as if to say, these people are your friends.
And also then she said to me,
Oh my God,
that's exactly what happened on Friday to me.
She goes to me like,
I have genuinely never seen you laugh this hard at home.
That's because you've seen me with my clothes off.
Yeah. I don't know if that made sense, but yeah, that's exactly what happened. Charlie in the back of the
car killing himself after you calling me, what, I can't remember. It was a tumour, that's right. And, uh,
and then, um, my, my, uh, you know, my, my, um, what's it called? Estranged wife, I guess is the phrase nowadays.
Just looking askance at me like, why are you laughing at this?
Of all people, she would appreciate the joke.
Well, exactly.
Exactly.
You should have been nodding in agreement.
Yes, he is a tumour.
I cut him out of my life.
You should too.
Andy, what about you?
What have you been up to, apart from working all known hours?
Just working, end of the financial year, so that's all good.
It's April 1st today.
Not heard of any good pranks so far.
So it's, well, apart from all your paperwork being in on time
for the end of the year, right?
Yeah, that's always a good one.
It's up there where you do your expenses within the, uh, allocated, within policy. Within policy? How about
within this year's policy, let alone last year's when it was applicable? Oh dear. No, I, um, I told my
boss I still had some stuff from 2019 to, uh, February 2020 that, uh, I had receipts somewhere in the office.
I just didn't know where it's all,
all being moved around.
And he's just sort of shaking his head.
Everyone's laughing,
but he's like,
no,
he really is serious.
I know him.
You're going to,
you're going to cost that company a lot of money in the coming months.
It's not that much.
It's a couple of weeks in Peru.
A couple of weeks.
Do you know how many guinea pigs you can get through in that time?
Yeah, I did. I got through one before I realised it was guinea pig because they didn't know the English
word for it.
At which point you ordered a full set of six so you could turn their coats into a set of coasters.
No, so it is guinea pig, isn't it?
Yeah, it's guinea pig, yeah.
Yeah, but I mean, I ate a lot of stuff out there that I wouldn't normally eat.
Stavecchi.
Isn't he a rapper or something?
You ate a rapper, wow
Rapper, I mean that's all I know, middle of the road or rapper
20 pounds is 20 pounds right?
Yeah
What?
Anyway, how are you doing Tom?
I'm alright, I'm alright, it's been a busy week
How were your travels last week?
Where was I last week? I can't remember.
Oh, yeah, we went to university last week,
to my son's new university.
That was good, really good.
Enjoyed that.
I'm trying to remember what else I've done.
I've been up to London.
I was at Rant the other day, the Rant event in London.
Is that the first in-person one they've done since?
No, no.
The first in-person one was the end of November last year.
Oh, OK.
The one I was talking at and you two declined to turn up.
To be honest, I don't recall getting an invite for that one.
Neither do I.
But that was during lockdown and everything,
and, like, no-one was wearing masks and, like...
No, you two declined to come out, as I recall.
Probably.
Sounds like something we'd say to you.
Yeah, exactly.
Oh, wow.
Go and see Tom speak again.
Doing the same talk that we've seen, like, again.
Look, look, no sharks or coconuts were harmed in that talk.
Oh, dear.
Anyway, let's see what we've got coming up for you today.
This week in InfoSec talks about the man behind the PCI DSS raison d'etre.
Rant of the week is a story about terrible asset management.
Billy Big Balls is a company taking on a real life Billy Big Balls. Is this a medical thing?
Industry news brings us the latest and greatest
security news stories from around the world, and Tweet of the Week talks about inflation.
Hopefully not another medical thing. Oh dear. What's a raison d'etre? It's a reason for being.
Sorry, a reasonable being. A reason for being. Oh.
Brexit means Brexit, man.
Just nix the fucking joke.
Moving swiftly on.
This week in InfoSec. It is that part of the show where we take a stroll down InfoSec memory lane with content
liberated from the Today in InfoSec Twitter account and further afield. And, as I was caught
slightly off guard there as we move straight into this one, our first story takes us back 23 years to the 31st of March 1999
when the hugely successful motion picture The Matrix
was released on that day.
Many call it a classic.
Many call it influential.
No one can deny the impact that it's had on aspects of our society,
certainly from the hacking tech culture to the movie industry to science fiction to political thinking.
So I've got a question at this point.
So after 99 episodes, why were you surprised that we went straight
into this at the beginning of the show, which is where it's always been
for nearly 99 episodes?
Well, do you know what?
Because we didn't prepare too much before this
show. Oh, I see. We got our cups of tea, just said, is everyone comfortable? Uh, and I normally like,
jot down a, uh, you know, a couple of notes, uh, and I haven't. I'm just reading, uh, literally
directly from what happened on the day. But, you know, obviously there were, obviously, some great
quotes from that movie. Um, you know, dodge this.
There is no spoon.
Oh, that's my favourite.
I know Kung Fu.
That's a good one.
And you take the red pill, you stay in Wonderland,
and I show you how deep the rabbit hole goes.
Yeah.
Did you see the new film?
I haven't yet, no.
I was really disappointed after the third one.
Oh, don't worry about that.
This one is far more sort of, I don't want to say tongue-in-cheek,
but it knows what it's doing.
I mean, it even makes reference to the fact that Warner Brothers
demanded a reboot.
Right, okay.
So it takes itself as seriously as the Fast and Furious movies, then, does it?
Yeah, yeah.
Well, not as seriously as that.
No, it's probably more on par with a Ryan Reynolds, like Deadpool,
or the Lego movie.
The Lego movie is probably the best.
Yeah, it's not an out-and-out comedy by any stretch.
It's still a Matrix movie, but it's,
it's a little bit more self-referential,
a little bit more,
um,
knowing as it were knowing of itself.
Right.
But it's,
it's worth it.
It's a good film.
It's a good film.
And it's got Carrie Ann Moss in it.
Yes.
Um,
yeah,
it's been a while.
There's 23 years since the original.
I know.
I know. I can't believe that.
Crazy. I remember watching that on one of the very first plasma TVs that were available at the time.
Wow. Most incredible thing I'd ever done. A big 40-inch plasma TV, it was about four inches thick.
Halfway through the film all you could hear was the fans kicking off, you know, it was,
well, but it was, it was amazing, it was really good. So our second story takes us back a mere 12 years
to the 25th of March 2010, when Albert Gonzalez was sentenced to 20 years in prison for stealing
credit card data from TJX
and other companies. And he is still currently serving his sentence at FMC Lexington in Kentucky.
So Gonzalez, you probably remember him. So anytime you get into a discussion about PCI,
or you know, the whole reason for PCI coming about, they always reference the TJX case and
things like that. And it's because
of this guy, Albert Gonzalez, right? So, you know, he was born, you know, in '81. By the time he was 14
years old he'd already hacked into NASA, so he was already on the FBI's radar. Wow. But he just had a
natural born talent for hacking, right? And, you know, by the time he discovered IRC, he joined chat rooms and, you know, he learned more and more about security.
And in 2002, when he was unemployed and in need of money, he became one of the leaders of ShadowCrew,
which was one of the original sort of exchange services where, you know, cyber criminals swapped credit card information and social security numbers.
And so it wasn't until the following year, 2003, he got arrested after he was caught by NYPD plainclothes detectives withdrawing cash, uh, using multiple phony credit cards that he had
created. Uh, and so law enforcement sort of, um, you know, they realised he was more than just a
sort of bag man, someone to take out the money, but they realised that he was, you know, the moderator of ShadowCrew. Um, so they convinced him to turn snitch and he basically became an informer for
them, uh, you know, in order to avoid prosecution back then. And it was during his time with the
sort of federal cybercrime task force that he realised how little the agents understood
about computers to have any sort of impact on cybercrime.
So his work with the government, it just basically encouraged his behavior, you know, because he always he knew that he was one step ahead.
And it was in 2004 when he was still sort of studying them that dozens of members of Shadow Crew sort of got arrested and put away.
And so he was sort of urged to move back to Miami, his
hometown, um, just because it was quite easy to figure out who the snitch was, because, you know,
he wasn't arrested, so they knew his inside information, they knew there was a leak. Uh, but
it was at this sort of point when he's back in Miami, um, you know, he had sort of discovered the
vulnerability of corporate wireless networks back in 2004. Um, and it was similar to, like, do you
remember, like, late 90s, where, as people sort of rushed to get online, they didn't really take,
um, sort of security seriously, it wasn't really a sort of mature framework. Uh, similar to Wi-Fi
back in the early 2000s, right? Everyone was just, oh, let's plug in Wi-Fi and go for it.
Um, and that's where he learned the technique which is, um, I don't know if it's commonly used,
but war
driving. Uh, if you remember, it was quite a common phrase back then. Yeah, with a Pringles can, wasn't
it? Oh, yeah, exactly. Just sit in the car park, uh, in front of big stores and just sort of scan their,
uh, Wi-Fis and just sniff all the traffic. Um, those early, those early Wi-Fi networks were all
WEP anyway, weren't they? Yeah, yeah, that's if they, if they
used anything. Yeah, yeah. You know, sometimes it's just not so good. But yeah, so he managed to, you
know, get all this, uh, credit card information. And, you know, by that point, it was actually 2007, he's
actually bored of the, uh, war driving, and that's when SQL injection, um, sort of became really
big. So, you know, he'd kind of just daisy-chained all of these things on top of each other
and they'd managed to sort of intercept
all kinds of traffic that was going into corporate networks
and then just sniff all the data,
intercept the payment data
on those sort of point-of-sale things.
And they even started building lists
of Fortune 500 companies to target,
you know, to figure out the best return on their time.
So, yeah, it was all of that stuff. You know, by the end of 2007, I think, you know, Gonzalez had been tagged with breaching
more than 50 million credit card accounts, um, by targeting or hacking into Target, OfficeMax,
Barnes & Noble, TJX and many other companies. And in all cases, the data was just there for the taking,
just completely unencrypted.
You've got to wonder what someone like him could have done
if they were applying themselves to the greater good.
Well, do you know, you think that,
but when he was arrested in sort of May 2008,
they also discovered a million dollars of cash in a barrel buried in his back garden
So, you know, that's, uh, that's, yeah, he, he wasn't doing too bad. You know, I'm thinking if he applied
himself in the corporate world, what would he be on, you know, back then in 2008? Easily a six-figure
salary, right?
Yeah.
What do you have, a million in cash in his garden? Yeah, exactly.
That's actually pretty gangster.
In a barrel.
Yeah.
That's some Walter White stuff right there.
It is, yeah.
That's the first thing I thought of.
He wouldn't be worried about the cost of electricity going up, right?
He would just bring in some cash and burn it for warmth.
Yeah, exactly.
Excellent, excellent. My God. So this, this is the guy behind the,
the TJX, um, point of sale attacks, right? Yeah. Wow. Yeah. Which many people don't remember. No, well,
many people, I think, well, I know many people remember that particular thing but not the
you know the person involved in the whole story
and actually how that was just literally the tip of the iceberg.
Yeah, and here we are now with PCI DSS version 4,
just released this week.
See, he should have like, well, you know,
he might have made a million,
but think of all the millions he made for all these QSAs around the world.
Can you imagine facing someone like him as a QSA?
Yeah, he'll just say, you owe me royalties.
And I'm like, okay.
No, he'll be like, you said, well, this is secure.
And he'll go, tap, tap, tap.
No, it isn't.
I've secured this.
Tap, tap, tap.
No, you haven't.
I think you really are overestimating the intelligence that the average QSA has.
This week in InfoSec.
In the category of most entertaining content, the winners are Post Unknown.
It's also strange for us because we voted for Lazarus Heist 2.
Yes, we did. Excellent. Time to move on to the part of the show where I, uh, regularly have heart palpitations.
It's time for... Listen up! Rant of the Week. It's time for Mother F***ing Rage!
So, the headline is Yale Finance Director
stole $40 million
in computers to
resell on the sly.
Wow! How many?
That must have been like
five Mac Studios
or something like that.
With an Adobe subscription.
No, it's three of those monitors, but with the extra stand.
But as if the headline isn't bad enough, as you read into it,
it gets worse and worse and worse.
This particular person, Jamie Petrone, 42, on
Monday this week pleaded guilty to one count of wire fraud and one count of filing a false tax
return, which is actually how they were caught. So they were Director of Finance and Administration at the Department of Emergency Medicine, Petrone of Lithia Springs,
Georgia. And as part of their role, they had authority to make any purchase they wanted up to
$10,000. So she actually started working there in 2008.
And it took her five years to obviously work out the system or, I don't know, run up a huge debt or something, allegedly.
And in 2013, she started to order equipment, lots and lots of equipment up to the value of $10,000. So this wasn't somebody who was
just reselling kit that was left in a storeroom because it was old or out of date, because let's
face it, you'd have to sell an awful lot of that to hit 40 million. She was actually buying brand
new Surface Books, iPads, and all sorts of other equipment, having it shipped somewhere and then reselling
it as new. Now, we all know, we've all run our own businesses. To get anything like a turnover
of 40 million is, well, to even get a turnover of 250,000 is quite impressive if you're a sole trader.
She, over the period of, what was it, 2013 up until 2021 or August 2021,
she made $40 million.
She's outperformed a lot of the companies on the sort of AIM index.
Yeah, mainly because she didn't pay for the equipment in the first place,
in fairness.
No raw material costs.
Exactly, exactly.
And, in fact, over three months, May 27th to August 19th,
she ordered electronics totaling nearly 2.1 million.
Now, at $10,000 an order, how many is that?
How many orders is that?
So how many 10,000s are there in a million?
Is that?
Insert the calculator sound.
Yeah, exactly.
I wish I actually had a calculator.
So 10 is 100,000 and 100 would be a million.
100. So she made over 200 purchases.
In fact, she made 210 purchases in three months.
But because she was the head of finance or director of finance,
nobody noticed.
Do you know what? Someone must have been in on it.
There's other people that had to be in on this.
I cannot believe one person has that much autonomy
without any sort of checking going on.
The thing is, she's gone down for 20 years.
So either that other person has a vast amount of dirt on her
or I don't think there is anybody else, because she would have,
she would have gone for a plea bargain and taken as many other people down as possible
if she was facing 20 years, in my humble opinion. But holy moly. So, not, you know, this is a university,
and this is American, right? This is all for profit. Everything is profit-based,
so it's not like it's taken from taxpayers per se,
but she's the director of finance for a department of emergency medicine.
So this money is being taken away,
and we can't quite sort of put it in the same category as the NHS
and taken away from frontline services.
But it's exactly this sort of thing, which is driving up those massive costs in healthcare
in the US, which means that their healthcare is 10 times worse and 10 times more expensive
in many cases.
But what an abuse of power here. This isn't just somebody who thought, actually, I could do this,
and then 40 grand or even half a million later thought,
oh, my God, I'm pushing my luck here.
She just went for it.
She went for it.
Go big or go home.
Oh, my God.
The hubris on this woman must be incredible. But holy moly, that just.
Oh, it sickens me. It sickens me.
This is this isn't, you know, dipping into the bins behind IT to take out old equipment that's been, you know,
thrown out and et cetera, and strip mining it for stuff that you might be able to sell on eBay.
This is buying stuff upfront as an asset,
which hits the books for a minimum of three years anyway,
and $40 million.
Jeez.
I just cannot believe.
And she was caught because she didn't file a tax return.
That's how they get you in the US. That's the
Al Capone strategy, isn't it? Yeah, it is, isn't it? Yeah. So, Tom, are you more upset that she's done these
things or that you've never had the opportunity to make, you know, 40 million on the side? Oh, I've
had the opportunity. Haven't we all? Christ, come on. No, not me. We've had the opportunity.
Anybody in security has had the opportunity to make a lot of money, but we, we don't. Well, also, I
just can't, like, there's so many other people that have to be involved in this to make this work
successfully. Well, if she's the sole director of it, you know, maybe she, you know, every invoice
comes across her desk. But she
doesn't raise the orders herself, though, surely? She has to. Of course she has. No, I don't know.
Breakdowns here in progress, so many breakdowns. What she could have done is actually tell them
that there's a breakdown and they could have improved the system, right? Yeah. And as a...
I'd done this pen test myself
and I ordered Ā£40 million just to prove my point.
Exactly.
So she bought cars and houses.
She gave up two Mercedes,
a Range Rover,
two Cadillac Escalades, which sound like dreadful cars, uh, a Dodge Charger, three properties in Connecticut and a home in Georgia. This was not feeding a drug habit.
This was living like, do you know, this is, this is a Billy Big Balls. This isn't a... Oh, believe me, don't even think about...
It is.
Andy is right and you are wrong once again, Tom.
This is not a rant.
This is a rant.
This is outrageous.
An outrageous abuse of trust.
No.
Well, you know, a large company shouldn't have a system that's so open to abuse like that. Oh, so
you're, you're, oh, so you're victim blaming. Do you know what? I see. I have found a link.
So this Yale University shouldn't have dressed like that that particular night, is that what it's called? There's a, uh, a link on the, um, Daily Fail website,
which I will post in the show notes. And so, it's got pictures of what she looks like and the clothes
that she spent her money on. And I don't watch it, but I imagine it's something like the, um, you
know, the Real Housewives of Orange County or something like that, or Real Housewives.
She strikes me as someone that dresses like someone out of those programs.
Yep.
Like the fake tan, the big bling, the big long nails.
Oh, my God.
They're like talons.
Yeah.
No, there's anything wrong with that.
You know, I'm just saying.
No, it's just you wouldn't expect the director of finance at Yale University
to dress like that. No. You'd look like someone who'd be on Love Island or something like that. Yes. Yeah. So she
was flaunting it big time. Five thousand dollar Louis Vuitton bag. Yeah. I mean, the signs are there, right? Yeah. Yeah. But nonetheless, outrageous.
Outrageous.
Speaking of signs, Andy, have you seen Tom's Lego collection?
Yeah.
Do you know what?
If the tax man wants to know how you're funding that,
that's going to be a...
Well, I do have a Taj Mahal I have, you know.
A life-size replica.
That's right, that's right, in my two-bedroom flat.
In fact, I don't live in my two-bedroom flat.
I live in the life-size Lego replica of the Taj Mahal inside it.
Yes, and because it's classified as a Lego,
you don't have to pay any council tax on it because it's a toy.
No, exactly.
So don't let either of you ever make this a Billy Big Balls.
You're listening to the award-winning Host Unknown podcast.
Officially more entertaining than smashing security. Eat your face!
I do that one because I know that's Carole's favourite jingle.
So, moving on to...
Yes, and I had a really tough time trying to decide between two.
So, I'll start on my first story and then maybe I'll go on to the second one.
Otherwise, we'll just put it in the show notes.
So, you know, Ubiquiti, the company that makes those really expensive.
They're like the Apple of the wireless networking and networking sort of world.
If you want a Wi-Fi signal in your back garden, it's got to be Ubiquiti, right?
Yeah, exactly.
And, you know, otherwise poor
people want one, like Troy Hunt. Yeah, yeah, that, that'll, that'll set you back quite a bit. Um,
yeah, I, I've done the poor man's thing and I just ran a Cat6 cable from the router to the back and
it's not as good as a Ubiquiti, I think. Anyway. So you remember that last year they had a bit of an issue where there was maybe ransomware.
Then it was an external thing.
And then Krebs reported it.
And then they were being extorted.
And then it turned out that it was an insider.
It was an employee who'd done it and developer.
And, you know, so it was a bit messy.
Anyway, Ubiquiti is now suing Krebs on security for defamation.
Defamation.
Defamation.
Defamation.
Defecation.
So they, on Tuesday, filed a lawsuit against Krebs alleging he falsely accused the firm of covering up a cyber attack.
So there is a whole court thing and whatever.
And saying that, you know, they claim that Krebs saw the Department of Justice announcement when, you know, when details came to light. And he knew that in the articles, the person who he, the unidentified source that he was claiming to have given the information, was the inside man.
But Krebs refused to change his story. So they're like,
and he gave it the impression
that there was more than one people,
more than one person involved.
And anyway, so
they're basically saying that he defamed us
and he hasn't
changed his story or
corrected it. And
Krebs is being quiet
on advice of his counsel, he's being quiet.
I'm seeking legal, yeah.
On advice of my counsel, I cannot answer that.
It is a big move going after Krebs because, you know,
he's been swatted, he's been threatened by so many people.
You know, he's had Russian underground, had Russian underground criminals coming after him personally
and stuff like that.
Well, like the Russian Mole Man.
Yes.
Yeah.
He's not spooked easily.
No.
He usually tends to do his homework.
Well, the reason why everybody knows Krebs
is because he does good work, right? He's,
yeah, well, he does work. Yeah. So, yeah, we're sitting on the fence on this one.
No, that's my job. Yeah, it's your job to tell me that I've got splinters in my ass.
Yeah, so this week's show is brought to you by Ubiquiti Networks.
Yes.
So they said that the publication of these stories on March 30th and 31st in 2021 coincided with a $4 billion decline in Ubiquiti's market cap.
So got nothing to do with the fact that they were breached.
$4 billion.
So do you know what?
The fact they've put monetary value on it indicates damages.
They're seeking damages.
Yeah.
Yeah.
Seeking damages from who?
Like Krebs is going to give them... like he's even got anything close to that.
He'd have to start selling, I don't know, Yale's computers to start, you know, making that kind of money.
Yeah.
But it's an interesting thing.
I mean, like, you know, I'd understand if it was like a random blogger throwing, you know, unsubstantiated claims and what have you,
then it's a different story.
But, you know, well, then it wouldn't have had any impact
on Ubiquiti, I suppose, as well.
But, you know, this is not a road you want to see companies going down
or the industry going down.
You don't want to stifle it.
But there's a link to the story in the register,
and at the end there's a note where they remind us that Keeper Security once tried suing Dan Goodin for an article he wrote in 2017.
But the suit was subsequently dropped.
So hopefully that's what we hope will happen in this case.
May your suits be dropped, but your packets not.
May your suits be dropped, but your packets not.
And I do think it is indeed a very big Billy Big Balls move on behalf of Ubiquiti. I cannot get the words out today to save my life.
You are struggling.
You're struggling as much as my computer is today.
Well, the fact that you've had to reboot four times during the course of this recording has really thrown me off my game.
It's cosmic karma given how much shit I just gave you about the show you did last week.
So you know what Jav said every time you've dropped off? He said he basically needs a fluffer to keep him going. He's losing momentum every time you drop off and there's like a five minute gap. He's losing momentum and he's working himself back up. If there are any fluffer friends of the show out there, just contact me.
Anyway, are you doing a second one, Jav?
No, let's move on because I'm really struggling.
Excellent.
Thank you for this week's...
Billy Big Balls of the Week.
So, Andy.
Hello.
You know that thing where I try and come up with another analogy for, you know, the time of day and how we might be able to sort of bring that into the conversation casually?
Yeah, I think we just want to get to the point before you drop off again, really, to be honest.
It's not off, one of the... anyway, what time is it, Andy?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Dental practice fined for sharing patient data on social media.
Industry news.
Yandex is sending iOS users data to Russia.
Industry news.
Hackers steal $618 million from crypto firm.
Industry news.
New research claims Biden's disclosure deadlines are unrealistic.
Industry news.
NCSC says time to rethink Russian supply chain risks.
Industry news.
Cyber attack on California healthcare organisation.
Industry news.
New version of PCI DSS designed to tackle emerging payment threats.
I thought that's what it always did.
Industry news.
No patch available yet for critical spring shell bug.
Industry news.
CISA issues UPS warning.
Industry news.
Tom Langford reboots computer again.
Industry news.
And that was this week's
Industry News.
I think that's UPS rather than UPS, Jav.
Yeah, what's UPS, dog?
No, no, no.
So I thought about this because
either I go with CISA issues UPS warning
or if I'm calling it CISA, I should
call that ups. I mean,
there needs to be consistency. Where's style
guide here? Like, you know, AP style.
Sorry, this is
host unknown.
Host unknown. You want a style guide?
Yes, exactly.
I think it's a
four letter, or sorry, a four word
style guide. Freestyle.
We have no style.
And that in itself is the style.
So I am correct on my pronunciations.
Thank you very much for clarifying that.
Sorry, pronunciations.
So this is a story about the Cybersecurity and Infrastructure Security Agency, CISA,
who issued a joint statement with the Department of Energy
warning against internet-connected interruptible power supply devices.
Oh, so it is about power supplies, not the shipping company.
Not the shipping company, yes.
So it's not a text message scam or an email scam.
You've got a package on its way.
They're saying that people are just, or threat actors,
just connecting to UPS devices because they have default usernames and passwords.
Oh, heaven forbid.
Yeah.
So, yeah, internet connected.
I like this dental practice find for sharing patient data.
Is it basically a bunch of x-rays of people's teeth?
Ooh. Is it? I thought this was about a male patient.
No, no, no. This is about a patient who visited the office for treatment between 2013 and 24, and then in 2015 he left a negative review of the practice using a pseudonym. And then the practice posted a response dismissing the accusations as unsubstantiated accusations. And in the response they named the patient, the symptoms the patient experienced, and the treatment recommended but not provided to him.
Oh my god.
The response, which included three mentions of the patient's name, also featured the condescending and derogatory statement, you know, and there's a link to it, so, you know, it's obvious that the person, whose name is redacted, level of intelligence is in question and he should continue with his manual work and not expose himself to ridicule.
Which is probably not far from the truth, anyway, but you don't go and start naming people.
Yeah, that's a bite your tongue moment.
Yeah, it's probably the office manager who got really...
Or as the dentist would say, please don't talk while I've got my hands in your mouth.
Yeah. And the other story I thought was really funny, it's like from the department of the bleeding obvious, the NCSC, time to rethink...
I knew you would take the piss out of them. I knew you would pick on this one.
You know me too well, Andy. You know me too well.
I know Tom's always, like, on the good side of NCSC, but...
They do good stuff, man. They do good stuff. I know it's a bit late in the day. I know it's like the horse is already down the road and they're just sort of shutting that stable door now.
Yeah, the horse has been pulled off the road by the tractor.
The horse in the glue factory already.
The horse fled.
It found another horse.
They settled down together.
They had baby horses.
The horse died and has been buried.
But now they think, you know what?
That horse escaped.
Let's now bolt the barn door.
But this does pick up on something we were talking about a couple of weeks ago
about Kaspersky, because they've really doubled down on that at the moment.
And we have a mutual friend at Kaspersky.
Eugene.
We won't mention his name here.
Eugene.
But he was saying it's really quite challenging now. I'm not going to sort of publicly say, you know, repeat what he said, but something really challenging in Kaspersky, even in the UK, and, yeah, with, you know, the Russian sanctions and the inability to move money and all that sort of thing, really difficult.
So it's having an impact across people who are effectively not Russian and who are employed by Russian companies across the rest of the country.
Why don't they pull a Zuckerberg and just rename Kaspersky
to Metersky or something like that?
Metersky. No, to Jim Jones.
Yes, exactly.
John Smith Incorporated.
No, that one's already taken by the beer.
Oh, yeah.
Do you know the other thing that's funny?
As I read through that article, right, going down at the bottom,
also on Info Security magazine, predictions for the year ahead.
Javvad Malik reveals some of the cybersecurity trends he expects to come to light in 2022.
Oh, man.
Okay, okay.
You know it's a dodgy publication now.
Don't click on it.
Use both your crystal balls for that one, Jav.
Don't click on it because I probably did not predict the Ukraine war.
I'm just looking.
Continued development of Web 3.0.
Extortion on steroids.
Eye for an eye, hack for a hack.
The rise of a dark economy.
Oh, come on, dude.
Come on.
The rise?
It's already risen.
Yeah.
Is this like bread?
Yeah.
And he wonders why it's mentioned in the same breath as NCSC.
Oh, you sons of bitches.
That's a step too far.
I don't know.
This is what happens when you sell your soul for security.
You know, you've got to come up with these vox pops and, you know,
all that sort of thing.
You wouldn't find me doing that.
Not as of Monday, you wouldn't.
Tom's YouTube channel is linked in the show notes,
and you can check out all his promo videos there.
I wouldn't associate myself with a company that demanded me make predictions.
Or at least I wouldn't, like I said, as of Monday.
Excellent. A veritable cornucopia of stories there.
Except the one about Jav, maybe.
And that was this week's...
Industry News.
You're listening to the Host Unknown Podcast. Bubblegum for the brain.
Did I just clear my throat on air?
Yes, you did. I heard it.
Amateurs
Anyways, time for this week's Tweet of the Week, and we always play that one twice.
Tweet of the Week.
It is, and so because we play that twice, I'm going to give you two for the price of one Tweet of the Week.
The first one, because I think it's not directly related to security, but you can apply it to any industry, and this is from the Ask a Manager account, and they have included someone's, I guess, views on life, where it says: this is why for every vacation for years I've told my co-workers I'm camping. Everyone has poor boundaries when it comes to time off and people frequently join Zoom calls from vacation. They all think I'm this big camping person. I have never camped in my life. I worry that one day we'll hire someone who is super into camping and will try and talk to me about it.
And I'll be caught in my lie.
But it hasn't happened yet.
And yeah, she goes on to say we tend to go to outdoorsy places.
So they all see pictures.
They just show a picture of her and her husband on a hike.
And they don't need to know that they're staying at a holiday inn with full Internet access.
But definitely one for when you take a holiday.
Everyone seems to be connected these days, joining calls from holidays.
I remember camping, and you get full Wi-Fi when you go camping,
unless you're going into the back and beyond.
But if you go to a regular campsite, you get full Wi-Fi.
Yeah, but people don't need to know that.
No, I know.
I know. I know.
I've just ruined it for about a whole bunch of people.
Exactly.
Go off grid.
None of whom listen to this podcast.
The second tweet we have is the security one.
This is from Justin, the CTO at TrustedSec.
And he says, I love InfoSec.
Everyone is debating how the OSCP class went up $399 over 14 years and not how SANS is $8,000 for a class.
So true.
You get a free iPad, don't you?
What?
No, you get a free T-shirt, maybe a lapel.
I'm sure it's SANS courses where you get free, you know,
an iPad or a Surface or something like that.
I don't think that's a joke that you expect to get one of those
for the price that you pay.
Certainly the most expensive training I've seen.
But very good, very good quality.
That is ridiculous, though.
That is ridiculous.
That is... How long is that class?
Is that like, I don't know, $8,000?
So is that like...
Well, it depends.
So usually...
So, well, when I last did it, it was like seven days
because they have like capture the flag on weekends
and you can join the day before and stuff.
But they do remote sessions now
where you sort of get access for six months,
I think it is, but it's all, you know, online access for six months.
Right.
Definitely an in-person type of learning.
Yeah, yeah.
I mean, I've tried taking some learnings online,
and it's just not the same.
At least when you're in a room, there's less distractions.
You're out of your comfortable environment with the Haribo's
within arm's reach.
They're in his pockets.
Yeah, I travel with Haribo.
In his cheeks, yeah.
Of course. The funny thing was, last time... last time I did a SANS, because Jav was also there, which provided a distraction outside.
Yeah. So Jav was doing his G-Pen, his actual penetration test.
No, no, no.
I still can't say that without laughing.
No, it was the...
It was the G-Pen.
The G-WAP.
He did the G-Pen.
Oh, the G-WAP, sorry.
Yes.
It was definitely something technical.
I was like, what?
I can't remember whether it was that because I've done two of these courses.
One was the G-WAP and the other one was the Network Forensics one.
And you can't remember the difference
between the two? No, I can't remember
which one I was doing when Andy
was there.
Do you remember making a
joke about wet-ass pussy while
you were with Andy during this course?
This was a long time ago.
It was before the song came out.
Oh, okay.
I think you were doing the incident response one, weren't you, Andy?
I was, yeah.
Yeah.
Yeah, GCIH.
The one that was relevant to his career rather than what you were doing, Jav.
You know, this is only because, and I saw you were on the Security Masterminds podcast, Tom, and there's a sound clip from it where you again are maintaining your position: a CSO doesn't need to be technical. No one needs to be technical. Only the cleaner needs to be technical. If you've got a problem, ask the cleaner.
It's like, I'm in the room. So you just hate on anyone that tries to acquire any technical knowledge or skills and what have you?
No, I just hate it when people take up valuable, um, you know, valuable places on courses for things they're never going to do.
Hey, anyone can join for ,000. It's not unreachable. Put me a spaces on those courses, trust me.
You didn't get a free laptop, Jav.
I didn't get a free laptop.
That was this week's Tweet of the Week.
Gentlemen, thank you so much for your multiple contributions across multiple topics.
And, Jav, thank you so much.
Get lost.
This was the worst podcast I've been part of.
It recorded in so many parts,
and you guys just, like, compared me to NCSC.
I'm never going to forgive you guys.
We are through.
It's Ramadan already.
We are through.
Here's a Ramadan preview from Jav.
He's priming his anger.
I'm not making it to episode 100.
I hate you guys.
It's a pleasure, Jav.
Thank you.
And Andy, thank you, sir.
Stay secure, my friends.
Stay secure.
You've been listening to The Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, worst episode ever, r/smashingsecurity.
So I, um, like, you think about how we actually open this. I have not been on Twitter, so I did not realise that Jack passed away.
What? Who said anything about him passing away?
He's not dead.
He retired.
I thought we were going to do the special.
Oh my god, you said a Muppet.
We do have "London Bridge has fallen" for, uh, you know, for Host Unknown and Jack Daniel, and he knows this actually, but not this time, Andy, I'm afraid.
Not this time.