The Host Unknown Podcast - Episode 100 - Can We Go Home Now
Episode Date: April 8, 2022

This Week In InfoSec (10:15)
With content liberated from the "today in infosec" twitter account and further afield
1st April 1998: Hackers changed the MIT home page to read "Disney to Acquire MIT for $6.9 Billion".
https://twitter.com/todayininfosec/status/1245550127806201857
MIT says "Disney buys MIT" hack revealed by low price
1st April 2004: The now ubiquitous Gmail service is launched as an invitation-only beta service. At first met with skepticism due to it being launched on April Fool's Day, the ease of use and speed that Gmail offered for a web-based email service quickly won converts. The fact that Gmail was invitation-only for a long time helped fuel a mystique that those who had a Gmail address were hip and uber-cool.

Rant of the Week (16:25)
Bank had no firewall license, intrusion or phishing protection – guess the rest
An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.

Billy Big Balls of the Week (23:20)
Bearded Barbie hackers catfish high ranking Israeli officials
The Hamas-backed hacking group tracked as 'APT-C-23' was found catfishing Israeli officials working in defense, law enforcement, and government agencies, ultimately leading to the deployment of new malware.
The campaign involves high-level social engineering tricks such as creating fake social media profiles and a long-term engagement with the targets before delivering spyware.
Industry News (30:50)
Scottish Power Parent Company Hit by Data Breach
Trezor Customers Phished After MailChimp Compromise
Cadbury Warns of Easter Egg Scam
Jail Releases 300 Suspects Due to Computer "Glitch"
WhatsApp 'Voice Message' Is an Info-Stealing Phishing Attack
Germany Shuts Down Russian Darknet Marketplace Hydra
Attack on Ukraine Telecoms Provider Caused by Compromised Employee Credentials
Block Warns Eight Million Customers of Insider Breach
Employee Info Among 13 Million Records Leaked by Fox News

Tweet of the Week (41:50)
https://twitter.com/_sn0ww/status/1511857122966835200

Come on! Like and bloody well subscribe!
Transcript
Cool. Okay, hit record and...
You're just going to have to do the fillers.
Yeah, we'll just wait two seconds and then we'll fill it in.
And now I've got a space to fill it in.
What you mustn't do is sort of bleed from one part to the other
because then it's really hard to...
To magnify the screen, to zoom in and then, like, slice it in the middle, right?
Well, yes, but you can't do that if there's sound all the way throughout.
Well, if it's a different track... Don't you have multi-track?
Okay, we won't, Tom, that's all right. Just leave a gap. We'll do what you say.
We'll do what you say, yeah. Mind the gap. Mind the gap, dear me.
We have a tech... No, this is what you get for being a non-technical season. I'm starting to have a fucking sense of humour failure here. Cue the music.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, and welcome one and all to the Host Unknown Podcast.
This is our centenary-ish episode.
What is it?
Well, it might be 100, might be 104.
I meant to actually go through all of the last episodes and count them individually, individually curate them and find out exactly
what number we're on. So allegedly this is the 100th episode.
104!
Exactly. So what preparations have we done for the 100th episode?
We have nothing planned to do.
To do something special when Ramadan's
finished. Yeah.
Because Jav's weak
with the hunger and all that sort of stuff.
I wouldn't say weak
with the hunger. I'm just tired
of you two.
Oh, I know the feeling well right now after the start we've had to the day.
Oh, very frustrating.
Anyway, listeners don't care.
Isn't that right, Jav?
That's right.
They don't.
Yeah.
So, Jav, what have you been up to this week?
Fasting.
I've been hungry for the whole week.
That's all I can remember.
It's not been bad because the weather's been pretty cool. It feels like winter again, which is good because when it's summer,
then you get really thirsty and that makes me even more miserable.
So I've been like on a scale of 1 to 10, I've been at 8 as opposed to 9.5.
So it's not been bad.
Sorry, 9.5 when it's not fasting, when you're not fasting?
Yeah, yeah.
Right, okay, okay.
What are you normally when you're fasting then?
A ten.
What?
It doesn't matter.
Ten as in happy?
No, one as in, one out of ten of misery.
See, now you're even confusing me.
You were telling us about someone earlier who can't even get their acronyms right, and now you're misconstruing my words.
Are you sure the problem isn't somewhere in your cognitive abilities, Tom?
My cognitive abilities are absolutely fine. It's everything else that's screwed up.
Tom's just in Daniel.
Yeah, just in Daniel.
What?
Instead of in denial, you're in Daniel.
Now he gets it.
Oh dear. Oh man, that is terrible. That is terrible. Andy, how are you, sir?
Uh, good, can't complain. I think it's all changed, isn't it? I mean, you're starting a new job.
I shall soon be starting a new job.
Oh, I think you've just officially announced that now.
Well, now it's more public, I think is fair to say. But yeah, no, I will be coming to the end
of a 10-year stint with my current employer.
Wow.
And assuming I pass the background checks.
I mean, they've been going on for two months.
They're still not done.
Two months?
I know.
At this point, I'm just like, Guy, what do you want?
Why is it taking so long?
What else are they looking for?
Well, do you know the funny thing is they're having a problem confirming I went to secondary school where I said I did.
Are you serious?
Yeah, it's straight up. It's like, have you got any evidence that you...
I'm like, look mate, at this point I don't care. Why don't you write to them, phone them or something? I mean, but also, who cares? What exactly, what does it matter whether I went there or not? Like, at this point in time, trust me,
cybersecurity was not in our secondary school syllabus.
It was not a GCSE offer.
And if you said, given that going to secondary school
was a legal requirement and still is,
if you had said that you'd lied about your degree
or something like that, that's fair.
That's complete sort of, you know.
Force of deception.
Yeah, exactly.
And it's, you know, you're showing a very poor lack of judgment
and all that sort of thing.
Lying about which secondary school you went to,
which you legally had to attend anyway.
Well, if he was in the country, that's the question.
Well, that's checked.
That's a different control.
You're checking his passport.
You're checking, you know, all that sort of stuff.
Legal right to work.
That's if he travelled on the same passport.
You see, that's why.
So what?
These are the little holes.
This is a little thread you start pulling on,
and it starts unravelling his gypsy.
What, and it turns out he's from outer outer space and he's a watcher or something,
you know, watching this.
You know, really?
It just doesn't make sense.
There's no – what's the risk?
Have you seen the masses of land he's caught in Mauritius?
Hey, let's move in swiftly on.
Tom, how is your week?
But again, what has that got to do with it?
Let's not start piecing things together, OK?
Let's not speculate on each other.
Let's not look at the bigger picture, the big full picture here.
Some parties are like, we want that CISO to order us on our compliance
because he's like, easy.
Massive holes.
Oh, what difference does that make?
You're right. It makes no difference at all.
Let's ignore it.
If only I had evidence that that is exactly what I'm not like in an audit.
Oh, dear.
No longer a recovering CISO.
You fell fully off the wagon.
I'm off the wagon.
Yeah, absolutely.
I'm back into it again.
Oh, man. So, yes, I started a new job.
Blimey.
On Monday. Guys, this is what it feels like to work for a living. You know, it was fine, you know, it was all right as an advocate, as Jav knows. You know, that's why he's always a 10, he's so happy, he's making Bitcoin for no effort. But, uh, yeah, this CISO gig's hard work. You've got to learn a lot of stuff.
If the advocacy was so easy, Tom, why didn't you stay with it?
I wanted to pursue other avenues.
Other opportunities.
Oh dear. But yeah, I tell you what, my head is hurting after four days. Four days. Although I think...
Go on.
I was gonna say it's like if, say, like you've been on a diet for, like, you know, a couple of weeks and then you come back, you get a real massive sugar rush, like you eat, you know, two kilos of Haribo, a giant one kilo bar of chocolate. That's kind of what it was like.
Like when you weren't working in the last month and you were taking the megabus to London.
And then all of a sudden we see you on Monday in the back of a black cab, like going, you know, a three minute walk down the road.
Giving the cabbie 10 quid, telling him to keep the change for a two pound fare.
That's what's happened to you over the last month. So when you're saying it's draining, it's just a sugar crash, like you've hit the good life again.
Yeah, that's right. That's right. Uh, well, you say the good life. I was issued my laptop on Monday.
Oh.
It's a second-hand ThinkPad.
That African funeral music playing in the background at the moment.
Second-hand ThinkPad.
And to top it all, so I got this second-hand ThinkPad, and then behind me in the office is the IT guy swapping out everybody else's machines for brand new ones.
Oh, that's a bit insulting, isn't it?
It is, isn't it?
It is.
So that has remained in the bag,
and I'm taking full advantage of bring your own device at the moment.
So, oh, God, yeah, it's been a bit of a week, I'll have to say. Been a bit of a week.
A real sort of drinking from the fire hose, as the Americans like to say.
We truly are an international podcast, catering to all of our audiences around the world.
Both of them.
Exactly. Okay.
Well, let's see what we've got coming up for you today, as Andy types in the final part of the story.
Did you see that as it was...
I did. I did start to think, oh crikey, I may have to time this quite carefully.
So This Week in InfoSec talks about joking about hacks.
Rant of the Week is a Pikachu shocked face meme.
Billy Big Balls is a story about a bearded Barbie.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweets of the Week reflect on the InfoSec vernacular.
So it's time to move on to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
So our first story takes us back 24 years to the 1st of April 1998
when hackers changed the MIT homepage to read
Disney to acquire MIT for $6.9 billion.
This is Cambridge, Massachusetts, 1st of April 1998.
People woke up to the news on the MIT website stating
Disney to acquire MIT for $6.9 billion with an illustration of Mickey Mouse pointing to the MIT dome, which then had Mickey Mouse ears on it.
And MIT spokesman Ken Campbell said, I knew it was a hack as soon as I saw the price.
Only $6.9 billion, much too cheap.
And he also noted that the Mickey Mouse Club theme song had long been a tradition at MIT's Sloan School of Management, with the spelling of Mickey's name replaced by his summary of the value of an MIT degree. So he then sang, "MIT PhD, M-O-N-E-Y."
Um, and obviously, I guess with this one, for those that didn't get it, it's the first of April, so it was actually an April Fool's prank which was played. MIT didn't actually get hacked. They deliberately put that story up there.
And a long tradition, right?
And a long tradition of pranks, yes, has long been there. But, uh, I guess these days, you know, it's not common for companies to joke about being hacked.
Right.
Yeah, that's right. It's taken very differently. But, you know, back then it was good fun. And the funny thing was, back in '98, you know, once stuff got out there, it was actually really difficult to then take it back. Um, you know, it's not like now, where you publish a response or, you know, get it wild on social media. Like back then, stuff would go around on chain mail, you know, "forward forward forward forward forward" in the subject header, and, uh, you know, you'd very rarely get the recantation after that.
But, uh, no, good stuff. 24 years ago that one was, yeah.
The, um, they did other ones, like they disassembled and reassembled a car on the top of the dome, didn't they? But it was a police car and they had a policeman sitting in it with a donut in his hand.
Yeah, stuff like that.
But yeah, well-known for those pranks and really, really creative as well.
Cool. Our second story takes us back a mere 18 years to the 1st of April 2004.
The now ubiquitous Gmail service is launched as an invitation-only beta service. Um, at first it was obviously met with skepticism due to being launched on April Fool's Day, um, but it soon converted people, whether it, uh, offered its use of, um, I guess just speed and flexibility. And it was very fast compared to Hotmail, less adverts, et cetera.
Oh, yes.
And also the fact it was invitation only for a long time
helped fuel a mystique that only those who had Gmail addresses
were hip and uber cool.
I didn't think it was – I thought it was much earlier than 2004,
but, yeah, I remember this and thinking,
should I be getting in on this?
Do you know what I mean?
I had a Hotmail address.
Should I switch?
Yeah, exactly.
I've got a good email address.
I think mine was msn.com at the time.
I'm not sure.
I can't remember.
You're late to the game.
Yeah, exactly.
Yeah.
But also, you know, the benefits of Gmail,
they've been used by testers, you know, a lot ever since you learned
that you could put special characters, you know,
in the first part of the address and still receive messages.
So you can put, say, like, your name is, like, sirjester at gmail.com.
You could put sir.irjestr.
You know, that would all come to me.
And so, you know, I don't know how many free trials at Netflix people have managed to get through.
But thoroughly useful service for testing.
Testing in inverted commas.
I still can't get used to the interface.
I do not like Gmail.
Really?
Yeah, I'm not a fan of it.
Oh, man.
You know, I was like that.
And then in my previous job, they were a Gmail,
a G Suite sort of house.
Absolutely loving it.
Well, 14 months at a place that had used the G Suite.
Still don't like it.
Although there may be other reasons for that too.
I mean, I did like Outlook, because that was like the de facto in workplaces, and I liked it because the folder structure and everything was a bit more intuitive. But once you get used to it in Gmail, it's brilliant and it's fast.
And whatever you say, everything's fast now.
Except this podcast, obviously.
Excellent.
Thank you, Andy.
Appreciate it. That was this week's...
This week in InfoSec.
Sketchy presenters, weak analysis of content,
and consistently average delivery.
But they still won an award.
Like and subscribe now.
Right, we are moving on swiftly to the next part of the show,
which I have no idea about because of so many technical problems.
I haven't even looked at the script yet, but I'm sure this will be fun. Listen up! Rant of the Week. It's time for Mother F***ing Rage.
So this week's Rant of the Week obviously falls to me, and the headline is very straightforward here. Bank had no firewall license, intrusion or phishing protection.
I just want to say the first word of that, bank.
Guess the rest. So an Indian bank that didn't have a valid firewall license, had not employed phishing protection, lacked intrusion detection, eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.
So based on the headline alone, this is outrageous, utterly outrageous.
People are putting trust in national institutions like banks, and they just run fast and loose.
I mean, they had 45 branches that had just under $400 million US dollars of deposits,
which makes it one of India's smaller banks. But very often the people who have the least like to work with smaller banks
because they feel like it's going to be safer there.
It's not going to be sucked off.
It sucks.
Hang on a second.
What?
Oh, man, I might have to leave that one in.
Oh, God.
They're not going to have their savings siphoned off.
Tom's getting ready for the weekend.
They're not going to have their savings siphoned off, you know,
by unscrupulous bankers and all that sort of thing.
But anyway, it just seems to be that this bank was just, well,
amateurs to say the least.
How they even got a banking license, one assumes they have fairly similar sort of banking laws over in India as well.
Yeah, the RBI are very strict.
Yeah, exactly, exactly.
I mean, well, it's full of bureaucracy.
Well, India's full of bureaucracy.
The whole of Great Britain says you're welcome.
One of the worst things we could have left there.
But it's just astounding that even the people who built the technology would allow this to happen, even if they had no sort of skin in the game
when it came to security, because all of this stuff is purely commoditized
sort of platform security that is just put in out of the box,
not paying for a license for firewalls.
I mean, God damn.
So, yeah.
So I'm kind of reading like the reasons why these things,
how it comes to be like why didn't they have this stuff?
And one of the things they're saying is it's not uncommon in some sort of company,
countries like Nigeria, India, because the cost of the software, the enterprise licenses are priced to Western standards.
Yeah.
And so it's difficult for other nations to sort of pay that.
I mean, obviously, like this is excluding the fact they're a bank.
And obviously, if you can't afford to be in the game and don't have $400 million in capital.
Yeah.
But it does sort of raise, you know, because I guess if they charge less in different regions.
Right.
Then you just register your business or you'd get that business unit to buy it for the rest of the company.
But that's what that's exactly what happens in other parts of the world.
Also, you know, there are there are restrictions.
You know, companies can put in restrictions that stop you from doing that.
But, you know, you can buy flight tickets in, you know, in India cheaper than you can get them. So I used to buy, when I was going in and out of India a lot for a particular project, I used to buy a return ticket three months apart, and then the Indian bureau would buy other return tickets, um, for me for the trips in between. So originating in India and then coming back from the UK, it's sort of like half the price.
So there's always those pricing options are there.
And even there are so many Indian technology companies that are serving the domestic market that have got the correct kind of Indian licensing pricing levels correct.
So I think this was just a problem that they had and didn't seek
to address rather than just, you know, oh, it's too expensive,
we can't do it, rather than actually looking to see how they can fix it.
That's right. I think if there was some desire to do something... The way it reads, like, it's almost like someone who was the village banker, who had like a little notepad where he used to write down every deposit, and they tie the money into a little, like, you know, a little package and just put it under the pillow, uh, just decided, oh, let's open up a bank now and we use the same process.
And, um, I think that there's no desire here. It doesn't read like there's been any desire or intent to do anything, because if you did, then you'd have some things in place that are free to do, or open source technology, some processes in...
Yeah, exactly. Some processes in place.
I mean, there are plenty of open source firewalls and, you know,
the basics that you can do and put in place, you know,
that are harder to maintain, obviously.
But even the basics can be done, you know, with built-in and open source.
You're absolutely right.
Absolutely right. So, yeah, I think this definitely, definitely, you know,
stands for a real rant of the week because it's just, well,
it's criminal, obviously, because the police are involved.
In this day and age, it is.
Yeah, absolutely agree.
I can't believe I said that.
Rant of the week.
I can't believe I said that.
Rant of the Week.
We are officially the most entertaining content amongst our peers.
And on the back of Jav agreeing with me, let's move straight on to this week's...
Yes, so it's over to me, and we are talking about bearded Barbies. No, I'm not talking about my Tinder profile. But there is a group being tracked as APT-C-23,
or as Tom would say, Cat23P.
I'm not the one who scored happiness from a scale of 1 to 10
and 1 was happy.
I said it was misery from 1 to 10.
But anyway.
So this is, for those not familiar with your APTs, Cs, 23s,
it's a Hamas-backed hacking group.
And it was found catfishing Israeli officials working in defense, law enforcement, and government agencies.
Sounds reasonable.
Ultimately, yeah, it led to the deployment of new malware.
So they, and this is not a very new technique.
It's been going on for a while,
but this was like one of those new campaigns
that they call the light threat researchers.
They used fake Facebook profiles using fabricated identities, stolen pictures, or, and I think this is the kicker, AI-generated images of attractive women, and approached the targets through these profiles. And they actually spent a lot more time trying to cultivate these profiles. They spent a few months, um, you know, curating them, posting in Hebrew and liking groups and popular pages in Israel, making friends with people. Uh, so, you know, but their main objective was to target Israel's police, defense, emergency services or the government. Um, and then after gaining the trust of people, which probably took only a few conversations, they took the conversation in an erotic turn, and they, yes...
So they were like, you know, uh, let's download this Android instant messaging app.
Wow.
We're throwing them in today, aren't we?
Honestly, the 100th episode and we cannot arrange a piss up in the room.
No, we can't.
But it's the VolatileVenom malware. So, um, so basically you say, here's something, and, um, you know, if you're not familiar with VolatileVenom, um, it can steal SMS messages, read contact information, use the device camera to take photos. Basically it roots your phone and gives you all sorts of things there.
So it's, you know, it is a Billy Big Balls move, like going after any country's defense and police and government is always going to have big repercussions.
But I suppose it also just shows how entwined the digital technology has become within everyone's lives that you can't really separate.
You can't pick apart where cyber ends and warfare begins or where espionage begins or where crime begins.
It's all very, very blended together.
And we've seen that in the recent Ukraine war as well, or the ongoing Ukraine war, should I say.
There's lots of misinformation and attacks against technology hubs.
And you must have seen those pictures of those amazing Ukrainian people who are going into bombed cities and streets and reconnecting the Internet.
Yeah.
They're absolutely amazing engineers.
Connected to Starlink and stuff like that, right?
Yeah, yeah, exactly. So, um, so yeah, I think it's just... And we've been saying this for a year, and, you know, there's like, when it comes to crime, there won't be really cybercrime in the future, it'll just be crime, because it's so entwined in everyone's life. You can't really now pick apart, well, is this a traditional crime or a cybercrime?
Because there's elements of everything everywhere.
And I think something like this, the bearded Barbies have, you know,
shown that to be true.
You're absolutely right about the cybercrime differentiation
because Friends of the Show, Brian Honan, always talks about this.
And I've sort of picked it up from him as well. And, you know, these aren't cyber criminals, they're criminals. And there's, you know, there's no... Making them cyber criminals kind of adds a sort of an element of romanticism and, you know, sort of coolness about them, where frankly they're just hardened criminals. They still do the same things that regular criminals do.
They steal and they cause suffering, you know, either directly or indirectly.
And I think it's a really good distinction to make is that, you know,
crime is crime.
It doesn't matter where it's committed.
But ultimately there's some guys who are getting messages
from attractive-looking strangers and just willing to bypass all logic and security, um, in order to get their kicks.
Ah, well, we've all been... Yeah, yeah.
Well, it just reminds me, and I can't remember the name that they put to it, but there was a woman who, um, a profile created of a woman, who approached a ton of people in InfoSec. I can't remember, something Rose, maybe.
Yeah, and the guy done a talk at DEF CON or something, and how, like, it was just like, it was almost like it was unfair, because, like, literally, like, you send messages for a connection and people would, like, some senior people in the industry would, like, immediately reply back, can I buy you a coffee, or do you want to meet up, or something like that.
God, for goodness sake.
Yeah. Oh, look at Tom acting all shocked, as if he wasn't named in the indictment.
He actually said champagne. He did not say coffee.
Well, that's what I was, that's what I was, you know, astounded at. Coffee? Come on, pass it up a bit.
Exactly.
It's terrible.
It's terrible.
You know, LinkedIn is not Tinder, right?
Let's separate church and state here.
Excellent.
Thank you, Jav.
Well, Billy Big Balls, I think, probably sums up the end of that conversation quite literally there. Uh, thank you very much for this week's Billy Big Balls of the Week.
Attention! This is a message for all other InfoSec podcasts. Busted. We caught you listening again. This is the Host Unknown Podcast.
So, Andy, how does a deaf person tell the time?
I don't know, Tom.
How does a deaf person tell the time?
The same way as everyone else.
They use a watch.
What time is it, Andy?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire who have been
very busy bringing us the latest and greatest
security news from around the globe.
Industry News.
Scottish Power parent company hit by data breach.
Industry News.
Trezor customers phished after MailChimp compromise.
Industry News.
Cadbury warns of Easter egg scam.
Industry News.
Jail releases 300 suspects due to computer glitch.
Industry News.
WhatsApp voice message is an info-stealing phishing attack.
Industry News.
Germany shuts down Russian darknet marketplace Hydra.
Industry News.
Attack on Ukraine telecoms provider caused by compromised employee credentials.
Industry News.
Block warns 8 million customers of insider breach.
Industry News.
Employee info among 13 million records leaked by Fox News.
And that was this week's...
Industry News.
Huge. Huge.
Huge.
I see Andy's cursor going to the same story that I was listening to. I literally, look, I'm there as well.
How do you release 300 suspects due to a computer glitch?
Yeah, exactly.
This man, he's in for 25 for GBH.
Oh, it says he's being released tomorrow.
What the hell?
That's absurd.
That's the sort of thing you see in a Hollywood film
about a future prison that's completely controlled by a computer, right?
Yeah.
And suddenly all the doors open and they find their... you know, they fight their way to the top and realize that they're actually on a supertanker in the middle of the Atlantic Ocean or something like that.
But I was, like, looking at this story. So they're not actually convicted, they're not actually serving time already. Um, so this is the Texas jail ordered the release of nearly 300 defendants after a computer glitch disrupted processing procedures and probable cause hearings.
So they go and say that under state law, defendants charged with misdemeanors may not be held for processing for more than 24 hours. And defendants charged with felonies, the cutoff is 48 hours for processing.
And it turns out that their system went down on the 24th of March, about 7 o'clock, until the 26th of March at 9 p.m., which is obviously over 48 hours later.
So everyone that was in for processing at that time was just automatically released.
But it did include people arrested on suspicion of theft, uh, making terrorist threats or indecently exposing themselves. Um, so, you know, not the real sort of hardened people, but certainly not...
But just people who are going to expose themselves and then blow themselves up.
Yes, and then steal something before they do it.
Yeah. Yeah, that's...
I mean, now, obviously, you know that the police are coming for you,
so you're going to just shred the evidence if you can.
Certainly, if you're a thief, you're going to fence all that stuff
or get rid of it if you're...
Yeah.
Shocking.
All due to a system update.
Yeah.
Yeah.
So this one, Cadbury warns of Easter egg scam.
I'm thinking of you here, Andy.
Have you had any WhatsApp messages from Cadbury?
I haven't, but you know what?
I don't actually take my info direct from Cadbury
when it comes to their products because I have a cousin.
The chocolate connoisseur is coming out.
My cousin works at Mondelez, who owns Cadbury.
So I tend to get, you know, like all the new stuff,
the trial products and, you know, sort of stuff from their shop.
What? You're only telling us this now.
Hey, I can't share this stuff.
Yes, you can.
It's top secret stuff.
He lives in Switzerland.
There's a thing called the post office.
He leaves some stuff for me and he's like, you've got to try this stuff.
And we discuss whether it's going to sell or not.
So what products have you tried that you've since seen on the shelf?
Oh, God, you know, so many of them.
I can't even think.
Things like the, I don't know, like the Orange 12.
I had those about three years ago.
Those are one of my favourites.
Andy, you bastard.
About three years ago.
But if I look, it's the most recent one.
I'm trying to think if I've got a picture of it.
Are we going to get your cousin fired?
Well, I don't know.
So do you remember when I got this giant Toblerone, a four and a half kilo Toblerone?
Oh yeah.
That's where I got it from, like, his workplace. Um, you know, yeah, so they've got like a little shop on site. Uh, and also, you know, I've contacted him about whether he can get stuff, like, I don't know if you ever heard of the Freddo Faces cakes. Uh, my daughter used to love them. They just stopped going on, you know, they started going off the shelves. So I sort of mentioned, I was like, dude, can you get any of these? And, uh, as I know, confirmed, this stuff's been pulled from, from, uh, from use. You know, we're not going to sell it anymore, it's not popular.
Um, so I think, to celebrate the 100th episode, and just because I'm hungry I might be a bit biased, but...
Of, uh, the proper... We should all fly to Switzerland and record from there.
And have your cousin chocolate. Exactly. Going into diabetic comas.
but uh yeah no i mean there are like stories so things like you know I don't know if you saw
Cadbury's did a thing
where they
they hide up to
10,000 pounds
in different cream eggs
sort of all over the place
and I was like
isn't it
a double coloured egg
isn't it
is it white and
milk chocolate
white yeah
it's got white chocolate
part
and you know
I said like
you must know
a domain admin
or like a Salesforce admin that's got the details of where this stuff's going right and um but he's saying that you know
even like the employees in the factory they it's literally the boxes are swapped as soon as they
leave the factory so no one knows which boxes they are and then they're like they probably have
like pwc as an auditor doing it. Yeah. Yeah.
Yeah.
You know, that's probably what they just tell them.
Oh, we swap boxes.
There's double negatives.
There's all this kind of stuff.
It's probably just like straight out.
They're all in one box in a news agency in Glasgow.
Yeah, exactly.
So they're all chomping their way through 10 grand.
Yeah. So the other thing was, I'm just scrolling back, and this was here in April last year, so a year ago. It was the Cadbury's plant-based bar made with almonds.
That's actually really good. It's really tasty.
Yeah, I tried it back then. He said, look, this is probably one of the best bars that I've tried. He said, you know, here's one for you.
And I tried it.
I said, that is actually pretty good.
I said, when's it coming out?
And at the time, he says he didn't know in the UK.
I literally, I think I had my first square three weeks ago
or something like that, but probably been out before.
But, yeah, it was very good.
And if you've just joined us, you're listening to the Host Unknown Chocolate Appreciation Podcast.
Indeed.
So all I'm saying is the CPA.
Yeah.
All I'm saying, like, to get back to the point, I'm not falling for these Cadbury's Easter egg scams because I've got an inside man.
Okay, so our advice to our listeners is to get a cousin who works for Cadbury's and you'll be fine.
Yes, exactly.
Right.
Excellent.
What was the other one I wanted to look at?
I've lost it now.
Oh, yeah, Block.
Who's Block?
Yeah, I don't know, but they've got 8 million customers.
Oh, US Payments Company.
Oh, God.
Contacting over 8 million current and former customers
of its Cash App investing subsidiary.
The details may not be accessed by a malicious insider.
Oh, my God.
They must have really annoyed that person.
Yeah.
I don't know. Why did they... Oh, but you know what? So, reading it, information reports included full name, brokerage account number, which is a unique identification number associated with the customer's stock activity, and it also included brokerage portfolio value, portfolio holdings and/or stock trading activity.
It didn't include usernames or passwords, dates of birth,
social security numbers, payment card information.
So this sounds like someone that's going to another job and is taking a customer base with them.
Yeah, yeah.
Yeah, but if they're taking a customer base,
you'd think they'd take their emails.
Yeah, true.
Because how else are you going to do it?
What are you going to do with that information?
Yeah, maybe they just didn't include that.
But if you've got the person's name, it's easy enough to look them up, right?
Yeah.
That way you can cold call them rather than...
And you're only after the high-value people anyway.
Well, yeah, probably 10 of those millions, right?
Yeah.
Exactly.
Right, anything else on here?
Not sure. Yeah, I just found it interesting, the MailChimp story, that they got breached and then their platform was used to send emails to Trezor. So it's just an evolution of the phishing thing: you compromise someone that's in the trusted chain and then use them to deliver your malicious payload.
So I read the quality of those phishing emails is going to go up as a result.
Yeah, just probably what they wanted, right?
Yeah, yeah.
In fact, MailChimp now has a service on the dark web available.
So it's highly successful.
You can run AB campaigns, see how many people opened your email,
read your email, which headlines do the best.
Which people have clicked through on your phishing link?
I know a company that does that for real.
Excellent.
Yes.
So thank you.
That was this week's...
Industry News.
Are you not entertained?
What?
The judges were.
You're listening to Europe's most entertaining content. Bro, what are you talking about, man?
And now we start to come to the close of the show
where it's time for this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
It is, and I shall take us home.
And this week we have a tweet from Snow, and she says, what are some of the most cringiest InfoSec marketing terms you've seen? I'd think hack-proof and military-grade would have to be on that list.
Yep. And can't disagree with that statement.
Military grade means made by the lowest bidder.
Yes.
Yeah.
So there's, I mean, like following the thread,
there's some good ones, like OneClick seems to be one.
CloudNative.
CloudNative, yeah.
Seems to be machine learning, you know, automated.
AI.
Cyber Pandemic.
Cyber Pearl Harbor.
Oh, that's a horrible one, isn't it?
For fuck's sake.
But you know what?
Apparently, companies that use military grade as their titles, they don't sell very well in France because people just assume
that this software is going to raise the white
flag immediately.
Single pane of glass. I've heard that one a few times.
But that one makes sense to me. I kind of understand that one.
So one of the commentaries says nothing is a single pane of glass without using products from the same company, and that is terrible defense in depth.
It is not a great selling point.
No, but it's not that. If you can say that my product integrates with this, this, this and this so that you can see it all through one dashboard.
Come on.
Anyway.
Oh, simple dashboards. So what you're explaining is itself to me.
Well, Power BI does that, right?
I mean, it's taking feeds from all sorts.
But yeah, yeah.
Going back to that military grade one,
it reminds me of Alan Shepard
when he was on top of the Mercury rocket that had to be shot into space
in the 60s, one of the early spacemen, astronauts.
And he said as he was sitting there in the countdown,
he suddenly realised he was sat on top of a rocket that had been built
by contractors who'd put in the lowest bid.
Excellent. Thank you, Andy, for this week's...
Tweet of the Week.
And there we go, folks.
Our 100th show.
Nothing fancy, no special event,
because we don't need anything else like that
to make us feel special.
No, and also what people haven't noticed is that we actually recorded al fresco.
We actually did it the old school way that they're still using
over at Smashing Security today.
Yeah, we did.
We've got no backing track, so we're not hearing the jingles
that we normally hear.
No.
No.
So, yeah, I'll be up till midnight editing.
Hence the reason the show's out on Saturday this week.
Exactly.
Enjoy your Saturdays, folks.
Edward Jav, thank you so much for your time
and for agreeing with me so early on in the show.
Ah, well, you know, enjoy it while you can.
I know, you're just weak with a hunger. And Andy,
thank you very much. Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown podcast. If you enjoyed what you heard,
comment and subscribe. If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
You'd think after 100 episodes we'd get better at this.
It all went wrong last week when Tom decided to, like,
just before we're about to record,
oh, let me just install this update, then we'll get back to it.
It's this hot Israeli bird. Look, she's been posting in Hebrew, but I think she likes me. She just wants me to install this. Look, what's life if you can't run an update on production on a Friday?
I was about to say, it's the five to five deployment on a Friday, isn't it?
Yeah, exactly. Push to prod.
Which sounds like what I'm doing this weekend.
Aye.