The Host Unknown Podcast - Episode 101 - My Brain Hurts
Episode Date: April 29, 2022This Week in InfoSec (09:26)With content liberated from the “today in infosec” Twitter account and further afield26th April 2013: LivingSocial informed its employees that 50 million users' names..., emails, dates of birth, and SHA1 hashed passwords were compromised.LivingSocial Hackedhttps://twitter.com/todayininfosec/status/151903974730119987226th April 1999: The first known virus to target the flash BIOS of a PC, the CIH/Chernobyl Virus triggers on this day, erasing hard drives and disabling PCs primarily in Asia and Europe. One of the most destructive viruses in history, Turkey and South Korea alone reported 300,000 infected systems. As Seen on Reddit (23:29)My thoughts on a decade of Cyber Security: 10 Lessons I’ve learnedReddit user u/CrowGrandFather has spent more than a decade in the Cyber Security Industry and has come up with 10 lessons he learned along the way.1. Cyber is risk and nothing else2. No one cares about your stats3. Understand that not everyone is as smart as you4. Stop with the playbooks5. Read the news for your boss6. Blackhat is mostly pointless7. Location, Location, Location8. You’re probably doing threat intelligence wrong9. Don’t write to be understood, write so that you can’t possibly be misunderstood10. Make friends with your Marketing team[That was this week's As seen on Reddit] Industry News (42:07)LinkedIn Becomes the Most Impersonated Brand for Phishing AttacksCosta Rica Refuses to Pay Cyber RansomBored Ape Yacht Club Customers Lose $3m in NFT ScamFrench Hospitals Cut Internet Connection After Data RaidSecurity Teams Should Be Addressing Quantum Cyber-Threats NowPrivate Investigator Admits Role in Hedge Fund HackUK Schools Can Sign-Up to Free Government-Grade SecurityCoca-Cola Investigates Data Breach ClaimCrypto Trading Fund Partners Accused of Fraud Tweet of the Week (45:00)https://twitter.com/austinpeay/status/1519397653305561088https://twitter.com/austinpeay/status/1519399475785125889 Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
Recording all of that, it would have been a perfect opener.
Can we do like a Kardashian, you know, where they recreate scenes
where something funny happens and then they say,
no, no, let's just do this and pretend this is what happened
when the cameras were on.
Jesus.
Let's just tell everyone it was a fun opener.
Okay, but as long as I'm Chloe.
That's the only one I know.
Sorry.
Is Kanye still a...
He's not a Kardashian anymore, is he?
No.
Isn't he?
Well, actually, I don't know why I said that.
I didn't even know he was even considered to be.
Well, he was married to Kim, and now they're divorced.
Fair enough.
These people are obviously moving in circles that I do not frequent.
No, I don't think you frequent the Cardicians.
But you are now a CISO, so you are back in certain circles, aren't you, Tom?
I am.
I am.
I'm meeting with vendors for dinner and everything.
You do it, you all.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome to episode 101-ish of the Host Unknown Podcast.
We are back after a two-week Ramadan and COVID hiatus.
Welcome, gentlemen. How are we?
Andy, what's occurring?
Well, like our listeners in North Korea, I cannot complain.
You've been waiting 100 episodes to say that one, haven't you?
104 episodes to say that one.
I'm telling you, I counted the episodes.
We really are on 101.
But as we point out, just because you didn't record them on your side,
it doesn't mean that we didn't record them.
But if a tree falls over in a forest and there's nobody there to hear it,
does it make a sound?
Well, as I say, if i talk into a microphone
with you guys and we have a loose agenda right i'm counting that as a recording like if you're
not copying it on your side that's on you okay so in which case we're on about episode 382
given given the amount we often chat about stuff, and they go, oh, we should have been recording that.
Yeah.
No, not too much.
I'm winding down at work.
I'm moving jobs one week to go.
Ooh, moving jobs.
Does this mean you're actually going to have more time or less time?
Well, you can't have less time.
You literally can't fit any more hours.
No, do you?
It's going to be fun.
I'm also intrigued as to what's going to happen.
Yeah.
I'm just going to say, all I'm going to say is my one piece of,
my one warning is you can be fired with just your notice
in the first two years with no legal recourse.
I'm just saying.
I'm just saying.
Spoken like the voice of experience.
Absolutely.
Absolutely.
And for all my current and future employers, when I say fired, I mean, you know, pursuing different avenues.
Yeah.
Yeah.
Difference of opinions.
Exactly.
Exactly.
Jeff, how are you?
Fantastic.
Thank you.
So last week I was in Orlando for Know Before Con, the first physical conference Know Before has had in two years.
You were doing your Chris Rock impression, weren't you?
I was.
Trying not to get smacked in the mouth by the boss.
I didn't get smacked in the mouth.
I was the emcee for the event, so I did actually start off by like,
please nobody Will Smith me because unlike Chris Rock,
I can't actually take a punch or a slap.
Were you writing these on the plane on the way out there?
No, I was just scrolling through TikTok and stealing ideas.
It's a lot easier.
So you had one job when you were out there, you know that,
and you failed, which was our mutual friend, Kai Rohr,
and the other chap, Perry Carpenter, our mutual friend as well,
both wrote a book, and you were there with them both.
All I asked for was a free signed copy of their book,
and no, couldn't do it.
Couldn't do it.
Yeah, what they heard was free
copy they didn't care about this so i know you tried to play to their egos and so they're like
yeah yeah of course but uh they're professionals man they see right through that stuff yeah you
know i got a a copy but i only got perry to sign it i didn't have it on me when i met kai so i
thought you're gonna say you asked asked Kai specifically not to sign it.
Well, Kai signed so many books that his unsigned ones are more valuable, aren't they?
Yeah. Yeah, I've ordered it. It's arriving today. I've actually had to pay for a book my friends,
colleagues have written. I'm heartbroken. I'm heartbroken i'm heartbroken i'm remember this when i when i finish my book as as a see-saw you must be it must be a really alien experience to
actually have to pay for anything yeah he's just remind him he could probably expense it
it's literally called security culture isn't it oh yeah that goes under education and learning
doesn't it yes yeah and after reading it you can claim, doesn't it? Yes. And after reading it, you can claim CPEs for it as well.
You mean after claiming I read it, I can claim CPEs for it.
I have a lot of books on my shelf that I claimed I've read.
Just go to summaries.com or whatever the website is.
They do the short versions, which are really good.
website is you know they do the the short versions which are really good and and actually if um youtube uh sometimes they have like really good like audio summaries off a book and if you listen
to it at 1.5 or 2x speed then you can actually quicker it's even quicker it's absolutely brilliant
anyway how's your uh how's your week been how's's your two weeks been, COVID boy?
Well, yeah, so I start work on a new job at the beginning of April
All good
Test positive for COVID at the beginning of the next week
I'm in bed for a week
And then still positive, although walking wounded for the third week
So I'm working from home
So this last week was only my second week in the office.
But I tell you what, this CISO job is difficult, isn't it?
It's hard work.
Why are you asking me?
I don't know.
Yeah, actually, why am I asking either of you, to be honest with you?
My God.
You didn't already try and fail at this CISO job in the past.
As in what, sorry? Didn't you already try and fail at this CISO job in the past? As in what, sorry?
Didn't you already try and fail at this CISO job in the past?
No, I successfully failed at the last.
Oh, no, I did not successfully fail at all.
I didn't fail at all.
No, I just, I think because the last CISO role I had,
I kind of, because it was the result of an acquisition
and because it was effectively Greenfield and all that sort of stuff
and because I had an existing team which I built on,
it was a slightly easier process.
Whereas at the moment, it's like, bang, no induction, no onboarding,
in you get.
And it's just really I feel like I'm drowning at the deep end
while they keep tying extra weights to me.
I did have a couple of breakthroughs this week,
which was good, which was good, actually.
Breakthroughs are better than breakdowns.
Well, yes, exactly.
Been there, done that.
Don't recommend it.
So, which was good, you know,
and I've got my first security board report
that I'm presenting the week after next deck's got to be in
next week so you know there's there's lots of um you know proper work going on and everything
uh so yeah it's an interesting environment i'm enjoying myself lovely people but wow
i'm confused as hell steady tom this sounds like an actual useful bit of information we should do
this on the podcast regularly the first 90 days
as we start your your mental health declining yeah part of my sort of security board review
um deck will be you know level of work my mental health yes quality of work
work-life balance work-life balance. Work-life balance.
Number of topics covered on Host Unknown podcast.
Cost of rehab.
Or everything else is MasterCard.
Yeah, yeah.
Or corporate Amex, let's face it.
Yeah.
Let's face it.
Well, okay.
Let's see what we've got coming up for you today.
Well, this week in InfoSec talks about the life before Groupon.
Rant of the Week is still on holiday, the lazy thing.
So this week we are covering, as seen on Reddit, Billy Big Balls is also still on holiday.
So we'll go straight on into industry news, which brings us the latest and greatest
security news stories from around the world, and tweet of the week is an urgent message
for users.
Okay, so let's get on, shall we, into our favourite part of the show, the part of the
show that we like to call This Week in InfoSec.
It is that part of the show
where we take a stroll down InfoSec memory lane
with content liberated from the Today in InfoSec
Twitter account and further afield. So our first story takes us back a mere nine years to the 26th of April 2013
when Living Social informed its employees that 50 million users' names, emails, dates of birth
and SHA-1 hash passwords were compromised.
So for those who don't recall this company, which boasted huge numbers at its peak,
LivingSocial was, and still is in a different way, an online marketplace, which allowed users to buy and share things through in their city.
So formerly headquartered in Washington,
LivingSocial had around 70 million members around the world in 2013. So not a small
company by any stretch of the imagination. So they were founded in 2007 by four employees of
a health group company. And they initially launched LivingSocial as like a daily deals website.
And they offered their first deal to the public in July of 2009 so like two years later
that was and in less than 12 months after that they had actually launched 25 in 25 different
cities huge growth everything was looking good right so they had raised over 800 million dollars
in venture capital funds wow they were hiring dozens of workers each month, constantly
breaking into new cities around the globe, collecting hundreds of million dollars from
investors. They actually acquired at least eight companies around the world in the space
of two years, boosted their numbers up to 4,500 employees. And amongst her investors actually include Jeff Bezos.
Wow.
So he chucked in $175 million as an investor.
So life was good, right?
And then obviously Murphy's Law kicked in.
So despite best efforts, the company didn't reach the size it needed to be
for these particular tax breaks to kick in
um and so they had to they'd released some sort of subleased offices that they had previously
purchased uh and at the same time the industry kind of had this realization that daily deals
were just not a sustainable business um and so just as the company was sort of strategizing how
to adapt you know where do they go in the future?
They said, well, we're going to go from a daily deals website to become a mobile app.
Then obviously the 26th of April 2013 rolls around and the CEO announced that their database had been hacked and 15 million of their registered users were impacted.
Is this like the equivalent of, you know, a restaurant sort of slowly going out of business and then suddenly it catches fire the next day?
Yeah, well, do you know what?
There were suspicions of that, but they don't know because they did try and go on for a bit longer.
I think they obviously did panic in terms of, you know, I mean, I don't know if you remember when Groupon first sort of hit big in the UK.
You know, you sign up to it and, like, the first two weeks
were like a novelty.
And then it was like, holy crap, stop spamming me.
And it's like you literally just add them to the spam filters.
Well, you use it because you see that one product that,
oh, yeah, that looks good.
I love that.
And then, you know, before you know it, you know,
if you like this, if you like network cables,
you like mattresses.
Yeah, 46% off hair straighteners yeah yeah do you know and there's only so many pairs of those I could buy yeah
one for every day of the week yeah exactly but uh obviously they're they did the classic
announcement so this was back in 2013 and it's an announcement that stood the test of time.
Credit card information was not compromised.
Yes.
Yes.
Hallelujah.
And they take cybersecurity seriously.
They take cybersecurity seriously.
But every other bit of user information they had,
dates of birth, password, everything was exposed.
But in the announcement, the at-the-time CEO,
Tim O'Shaughnessyy told customers that the stolen passwords had been hashed and salted um which meant that you know past codes
were converted into a one-way cryptographic representation that used random strings to
cause each hash string to be unique um and so he obviously went on to make the statement that your living social
password would be difficult to decode which then sent twitter into overdrive on commentary
obviously but i'm not saying that the breach was the fatal blow to living social but you know from
its peak of 4 500 employees uh they dropped to 800 employees after the breach um wow and yeah they two years later
they dropped to to just 200 employees uh in 2016 they still go now they are but they were acquired
by Groupon in 2016 for an undisclosed amount of money so Groupon was one of their competitors at
the time um so it was undisclosed at time of acquisition and then a couple of months later Groupon confirmed
that the amount they paid was zero dollars they just took on the debt they just took on the debt
and the customer base I guess um mercy kill yeah yeah it was a mercy kill but although uh you know
it's common you know during these attacks uh yeah this you know this, this happened a year after the LinkedIn breach, two years after the Sony breach.
Has anything really changed?
Advice that came out from a lot of security professionals, one I saw from Chris Weisopel, said that there's some concrete steps individuals can take to protect themselves because it's not clear exactly when the attack happens.
Check your email, see if it's been accessed from strange places or if it's not clear exactly when the attack happens um check your email see
if it's been accessed from strange places or if it's been forwarded elsewhere and if you're using
the same password on multiple sites now is the time to change them and use a password manager
i've had that somewhere before it sounds really familiar but it sounds like really familiar
yeah it sounds like you jav actually because
what you say in all of your articles
uh yeah so this obviously on 2013 wouldn't surprise me jav you're still quite the fan of
replicating other people's content back then weren't you still quite honestly that is
objection your honor That's harsh.
Funny, true, but harsh.
Funny, true.
What are you talking about?
Oh, dear.
Motherfuckers.
But this is an interesting one because, you know,
very often you talked about the two other examples.
What was it, LinkedIn and Adobe, did you say?
Sony.
Sony, that's right.
Yeah, Adobe were prior to that.
Yeah, and Adobe as well.
But, you know that both those cases
and Sony as well all three of them
those are companies that have
continued to grow
and expand
afterwards as well
this is a rare example
of a company
dying
after a security breach
but it does show that it's actually more complex
than just a security breach will kill the company
because it sounds like they were already
on a little bit of a downward spiral anyway, right?
Yeah, well, I think, I guess,
if you don't have a good product,
I think that's the thing.
There's only so many daily deals you can span out to people.
People are not going to buy stuff every day.
If your business is not robust in the first place,
then a security breach could take it out.
Yeah.
But if it is a robust business,
chances are you'll survive it and continue to grow.
Yeah.
But in terms of, you know, what they said, everything they suggested,
playbook response seemed to be pretty good, pretty standard.
But alas.
So our second story takes us back 23 years to the 26th of April, 1999,
when the first known virus to target the flash bios of a pc
The cih virus triggered on that day erasing hard drives and disabling pcs
primarily in asia and europe
So it was one of the most destructive viruses in history with turkey and south korea impacted by
at least
300 000 infected systems.
And I have no idea why the stats focused on Turkey and South Korea,
because they're not the usual yardsticks for virus.
300,000 in today's terms is nothing, right?
Yeah, but this is 1999.
Yeah, I know, I know.
But, you know, today you'd hear, you know,
we restricted it to just 300,000 systems.
Yeah, only a small percentage. Only 2% of our user base was impacted. Exactly, exactly. But, you know, today you'd hear, you know, we restricted it to just 300,000 systems.
Only a small percentage, only 2% of our user base was impacted.
Exactly.
In Turkey and South Korea.
Chernobyl, also known as CIH or space filler, was a Microsoft Windows computer virus that it first emerged in 1998.
And its payload is highly destructive to vulnerable systems.
Obviously, overwriting critical information and like on system drives
and in some case, destroying the BIOS.
And a student named Cheng Yinghao
at Taitung University in Taiwan
created the virus,
which he confessed to.
Wikipedia stated it infected
up to 60 million computers around the world
and they obviously put an estimate of 1 billion us dollars in commercial damages
but chen claimed to have written the virus as a challenge against the uh bold claims of
antiviral efficiency by antivirus software developers um and then he said his classmates
spread it um and then you know he apologized to
the school made an antivirus program available to download to stop it um but despite him admitting
to writing it prosecutors couldn't charge him with anything at the time um because no victims
came forward uh with a lawsuit yeah so therefore um that led to a new computer crime legislation
in taiwan um which obviously applied retrospectively but yeah he like you know not only held his hand Therefore, that led to a new computer crime legislation in Taiwan,
which obviously could be applied retrospectively.
But yeah, he not only held his hands up, he got away with it scot-free.
But just to bring this around, so the Chernobyl virus,
so it was CIH originally, but it was called Chernobyl
because the date of its payload is the exact date of something big that happened in the Soviet Union back in the day.
Yeah.
On a similar day.
But this is the one that in March 1999, several thousand IBM machines were shipped with the virus pre-installed.
And this was just a month before the virus would trigger.
And famously, in July of the same year, in 99 um do you remember at defcon um the
cult the dead cow gave out copies of um back orifice 2000 yeah for free and this is defcon
7 and all of those discs were discovered by the organizer of being infected with cih
and also companies like yamaha they shipped software updates um to the sort of cdr writer
drives that were also infected with the virus.
Wow.
So this was a time when software distribution
didn't really check what they were shipping out.
When you say Yamaha distributed, et cetera, yeah, makes sense.
I mean, Sony have distributed rootkits before, right,
and all that sort of stuff.
Cult of the Dead Cow shipping stuff shipping you know stuff with their stuff with with um with this
on that sounds that sounds incredible i mean it really does go to show that because the cult the
dead cow were serious players right we know they were but i don't think they had antivirus installed
in their machines if i'm honest well no but they're the sort of people who'd be looking at
things at a far lower level than antivirus would in the first place right you know it just goes to show that how how much of a sort of burgeoning um activity this sort
of this type of uh increase in number and and uh technical complexity of viruses were that
even people in the know weren't really looking for it.
Yeah.
But it's always the same, like people with privileged access, right?
Your IT department are the worst for bringing infections into the company than, you know, your average employee.
Yeah.
I mean, I remember the days when you had to use a floppy disk
to program your BIOS, you know.
That was far more secure than using Windows.
And that was revolutionary compared to the
tapes that you used to have to wind on, right?
Tell me about it. The punch card that you used to have
to punch yourself
with a whole punch. I used to
back up VAX VMS systems with
reel-to-reel tapes. That was
one of my first jobs.
Oh dear. Brilliant.
Excellent. Thank you very much, Andy. That was one of my first jobs. Oh, dear. Brilliant. Excellent. Thank you very much, Andy.
That was fascinating.
This week in InfoServe.
We are officially the most entertaining content amongst our peers.
And that reminds me, isn't there another award ceremony coming up?
There are.
Does that mean we're going to have to change the jingles?
I think so.
Yeah, probably.
We are now no longer officially the most entertaining.
God, it's going to cost us money.
We're going to have to win.
We're going to have to make sure we socialise where people can vote for this
so we can win under the banner of save us money, get have to win. We're going to have to make sure we socialise where people can vote for this so we can win
under the banner of save us money, get us to win again.
Yeah.
I think that would work.
I think that would work.
Right.
So in a change to our normal programming,
we are going to move on to a new segment,
which I think we've done once before,
but this is going to be sort of like the middle third of the show in reality.
We are going into.
This is the sound of the Host Unknown podcast crew putting on their armour,
getting ready to do battle with the hordes of strong opinions.
This is As Seen on Reddit.
Snappy jingle.
Snappy jingle.
So As Se seen on Reddit, the headline is My Thoughts on a Decade of Cybersecurity. Ten lessons I've learned.
Noob.
Yeah, yeah, I know, right? I know. So Reddit user Crow Grandfather has spent more than a decade in the cybersecurity industry
and has come up with 10 lessons he's learned along the way.
Clue is in the title.
So we're going to go through these.
Some of them, yeah, make sense.
And some of them I really don't agree with at all.
Oh, yes.
At all.
Wait, hang on a second.
People disagree on Reddit.
I know.
It's outrageous.
Absolutely outrageous. So disagree on Reddit. I know, it's outrageous. Absolutely outrageous.
So the first one, cyber is risk and nothing else.
True.
Yeah, true. I agree with that. Jav?
Yeah, true.
It's all about risk. It's not about right or wrong. It's all about risk.
Two, no one cares about your stats.
False. No, no one cares about your stats. False.
No, I'd say it's true.
It depends on what stats they are, how they're presented,
what stats they are.
You don't want stats.
You want information.
I think, broadly speaking, they're poorly presented in many places,
but sometimes they actually do work.
Okay, so the consensus the is the consensus
that we disagree with this uh i do think we i well i think it's touch of what jab said there
is some color in this right no one cares about um how many attacks your firewalls blocked yeah um
but they care about you know how many times people are you know failing to complete
i don't know mandatory training or people are constantly doing stuff you know trying to extract
data from the company uh you know that will tell you is it a pattern that you're actually
deliberately accidentally stopping people from working or are people deliberately trying to
exfiltrate data um i
think this is going to depend on what type of company you are that's the difference between
a statistic and actually data and you know data that you've been able to put together and draw
conclusions from yeah but they um you have to get the stats in in order to to analyze the data
absolutely so um when when they say no one cares
about stats that's your external audience right they don't care about those numbers they care
about the statements you make as a result i do think that's going to change i'll be honest right
i've definitely seen trends if you think about new regular um like regulations that have come
in like eba the European Banking Authority guidelines,
CPS 234 in Australia for the financial sector
and insurance sectors,
they're pretty much putting the onus on them
that when you deal with third parties,
you have to be comfortable that the information you get
is as you would run it yourself.
And so what a lot of companies are asking for is basically
access to this sort of information what are the stats for um you know how are you managing these
things how what's your vulnerability burndown rate um you know that type of thing so i don't know i
think this is a very macro level though isn't it i mean this very macro and also it's one of these
things it's like, hey, dude,
like you're buying the service from us,
take it or leave it.
If you want to run it yourself.
But this is just the reality of where,
you know,
well, we need to have this realisation
in third party, right?
Where people have just gone too far
in terms of the information
they think they need,
you know,
versus what they can actually do
with that information.
Yes.
I mean, I think there's a caveat to this, you know know in the sense that no one cares about your stats to the point
that you know jav said we don't care how many viruses you blocked or or spams you filtered or
anything like that but statistics are an important part of providing actionable business outcome
decision making yes so it's fair to say that statistics are important in actionable business outcome decision-making.
Yes.
So it's fair to say the statistics are important.
Yeah.
I think they're important, but they need to be presented a lot better.
Yeah.
Most people don't care about the stats. They care about the actionable business outcome.
Because the question is, are stats important? The question is the stats aren't our stats important the question
is no one cares about them okay i would tend to agree with that doesn't mean the stats are bad
we're now confusing ourselves let's move on i'm absolutely fine you know you're the one who's uh
confused anyway this one this one's a doozy you know and i might have to um go outside and have a have a quick uh
breath of fresh air after this one understand that not everyone is as smart as you bullshit
they're usually smarter apps oh my god if you if i was thinking about this on the train last night
because it pissed me off straight away.
Hang on.
Hang on.
We've got something for this.
Listen up!
Rant of the week.
It's time for Mother F***ing Rage.
I mean, bloody hell.
What kind of arrogance is it where you say,
I'm the smartest one in the room.
I don't need to explain myself, blah, blah, blah.
That is the wrong way to look at things. Assume you're the dumbest one in the room. I don't need to explain myself, blah, blah, blah. That is the wrong way to look at things.
Assume you're the dumbest one in the room,
and if that means that when you're trying to explain something that you're assuming that they already know what you're saying,
then that's fine.
If they already know it, they'll either tell you
or they might even learn something from you.
Just the sheer hubris of, you know, I know this,
you don't know that, that's so wrong, so wrong.
It is.
I mean, I just reword this completely to understand
that you're not as smart as everyone.
I would say understand that you're not as smart as you think you are,
especially in this case.
I'm sorry, Crow grandfather.
I don't know who the hell you are or what you do,
and you may well be the smartest man in the room.
You would be between me and you, I'm sure.
But that's the wrong way to look at things.
But I think this is also cultural differences in terms of,
I'm going to guess that this guy is an American.
No, no, in the nicest possible.
You know, Americans are very good at self-promotion
yes yeah you're right you're right i think you're you're absolutely right so all of our american um
of uh listeners out there tell us about why you're smarter than we are
we don't have time to read all of that there There's too many ways. You know what they say.
If you're the smartest one in the room,
find a different room because you've cleared him of all things.
Yeah, and also, you'll never learn anything.
I don't know why I stayed with you two here, but, you know.
You'll never learn anything, right?
No.
You'll never learn anything.
I mean, I always, after doing the Hosting Home podcast with you two,
I always go to another room because, frankly,
it's exhausting being the smartest one in this room.
I was going to say, the only reason you guys are still around
is because you've never been the smartest one in the room with me.
Smartest or sole founder, one or the other.
Oh, dear, yep.
So I'm glad we are viciously agreeing on this one uh number four stop with
the playbooks interesting it's interesting i mean like what you meant to do just make it up on the
fly i mean i thought we were doing that throughout the 2000s i mean literally like making it up on
the fly and this is a problem when you've only got 10 years of experience right if you had 20 years of experience you'd realize why you had the playbooks yeah although again and this is all
in the detail and you know this is all in the interpretation stop with the playbooks that you
maybe have either produced or seen produced right that doesn't mean that all playbooks are bad
so playbooks are very often overly written, overly complex,
overly jargonised, et cetera, when frankly a 30-page playbook
could probably be a two-page thing, which then turns it into an aid memoir.
Does it say, say your company, for example, Tom,
does yours a two-page playbook when in case of emergency,
just call Tom?
That would do, right? Yeah tom yeah yeah easier easier far easier well and also to the earlier point the way i look at things is if the document is long
complex and difficult to read then people like me aren't going to read it you know i need something
simple to read something something simple that's broken down and easy to understand. Yeah.
Number five, read the news for your boss.
Oh.
What?
Is this like Jackanory or something?
Yeah.
Morning, boss.
It's our morning news meeting.
So in industry news today. So he said said don't read the news to your boss read it for
your boss uh so what would your boss be reading effectively put put it this is you know um put
yourself in an in another man's shoes you know walk a mile in another person's shoes, right?
That's what I say.
So telling your boss that you don't know about something
that hit mainstream news hurts your credibility as a professional.
Yeah.
Or just say you knew about it.
Yeah.
Oh, dude, that's a classic response that you –
what do you call yourselves, evangelists?
I don't know.
That's a classic Jav maneuver, isn't it?
I think that's in his playbook.
Yeah, yeah, I know.
Don't you do let me in with that advocate, Jav.
Excuse me, excuse me.
I'll provide a quote for your media outlet
and then quickly Google what's happening.
Why is this?
Text message.
Yo, has anyone heard about Log4J?
Excuse me, excuse me.
Give me a quick summary who was asking that
question two weeks ago first day on their new job it's a jab maneuver my arm
wasn't me because i had covid two weeks ago oh you know three weeks ago from the back of a taxi
on the way to the office exactly i was just back of a taxi on the way to the office. Exactly.
I was just telling you I was on my way to the office.
I wasn't asking for a quote.
Oh, dear.
Number six.
I know where Andy's going on this one.
Black hat is mostly pointless.
So I'm assuming they mean in Black Hat USA, not Black Hat Europe.
Yeah, of course.
And it's the RSA of DEF CON, effectively.
Yeah, the RSA of DEF CON, wow.
It's full of vendors.
Yeah.
Black Hat is mostly pointless.
Well, mostly pointless for this individual.
You get out of it what you need to get out of it.
Yeah, it varies.
I mean, your mileage may vary.
I know some people who absolutely hate rsa other people say it's the best best conference for them
because of the nature of their work and same thing with black hat or defcon or b-sides you get
you know these a lot of these are very you know specific in in their nature and to your point i
think you just get out what you put in.
If you go to these places without a playbook,
then you're just going to be wandering around and thinking,
oh, this is just rubbish.
I know this because I'm the smartest one here.
Yeah, exactly.
But hallway con is always the best part of any conference, right?
Absolutely.
The hallway track, without a shadow of a doubt.
And here's the thing, and I think this is it.
My thoughts on a decade of cybersecurity.
That's a decade of cybersecurity doing what?
Just one particular job, a range of jobs? Have you gone from purely technical to maybe...
So I can answer that.
Okay.
So I did actually check him out and so he
clicked on the link and everything i did yeah he started fixing computers at his local pizza place
uh before leading a sock at a multi-billion dollar enterprise with thousands of users and
hundreds of thousands of machines so a narrow field of of work uh well i mean started at a small company hands-on and then
moved on no but i mean you know we always see this with uh sock being you know usually see
themselves as the infosec department right everyone's sort of uh what once being instant
responder or an analyst or you know forensic uh investigator yeah yeah interesting right number seven uh i'm glad you
clicked on the link because location location location is is that the tv show that they like
to watch the most uh so this uh one of the most in his own words one of the most challenging
concepts sock analysts seem to deal with isn't investigating new malware strains it's understanding the location of our sensors and what they can provide um okay so when again go back my thoughts on a decade of
cyber security it should be my thoughts on a decade of being in a sock yeah uh
i mean it's very sock heavy right yeah it's very tech heavy, right? Yeah. It's very tech heavy.
There's nothing about legislations or the boring stuff, the contracts, the daily bread and butter.
Yeah.
Right, move on.
You're probably doing threat intelligence wrong.
Probably.
It depends who you speak to.
I would tend to agree with this, and I think this would include this individual as well.
Yeah.
Whatever Gartner say is the right thing,
it's the right thing at that moment in time.
Yeah.
Number nine, don't write to be understood.
Write so that you can't possibly be misunderstood.
I quite like how that's worded,
but also it has an element of covering your arse into it too.
I was just about to say, I quite like how it's worded, absolutely.
And I think if you're writing documents, if you're writing a blog or some kind of piece,
you're absolutely right. But this strikes me as a little bit of you know slash anti-work um in the sense that
you know always make sure you uh you you you get in writing exactly what your boss has told you to
do always make sure that you are very clear about it it does feel very cover your ass
yeah and finally number 10 make friends with your marketing team
i agree man i mean you guys made such good friends you
actually joined them well jazz more pr than marketing yeah well pr sits under marketing
anyway in the all chart but yeah but i i i agree i think if it's not marketing it's internal comms or
someone that can help you get your message out yeah how about just make friends
wow now that's a novel concept i know let's all not be that arsehole security
person right you know it's hard it the the truth is it's a real struggle making friends
who are all with people who are all dumb as you dumb dumber than you yeah this is true this is
true yeah so maybe this you know he thinks marketing are the ones that are either the
dumbest or the ones closest to him i'm not sure anyway that was this week's just remember to be nice in the comment
section as seen on reddit you're listening to the award-winning host unknown podcast
officially more entertaining than smashing security So I'd just like to say, we were attacking the ideas presented by that user, not the user themselves.
I'm just trying to think what possible legal ramifications could be coming our way, because you got that disclaimer in there quick.
And so now I'm trying to think what was said.
you you got that disclaimer in there quick and so now i'm trying to think what was said i just felt a bit like i don't want it to be misconstrued that we're being mean towards a person for sharing
their opinion i think it's it's really good that people share their opinions we're being
their opinions we've made a whole podcast out of sharing our our opinions and i think it's
our fast underbate yeah exactly and and it's absolutely right to attack opinions or ideas and...
Check and challenge.
Yeah, exactly.
But what isn't cool is when you attack the individual,
the person behind it.
So, Tom, I know you've fallen foul of this many times
and, you know, you've had...
Once!
Once!
Don't make me call out the specific blog posts
where you called out specific individuals
who then got a bit offended.
Oh! Once! Once!
Ed the Fed actually came to find you in the UK.
My God, I love the way that the truth
never gets in the way of a good story.
Did Ed the Fed come and see you after you wrote a response to one of his blog posts?
No, he didn't.
No, he didn't.
I've never met him since.
And also, I didn't attack him.
I attacked his performance.
Well, he took it as a personal attack.
So that's why I'm just clarifying that these things can be missed.
He didn't take it as a personal attack. He that's why I'm just clarifying that these things can be missed. He didn't take it as a personal attack.
He asked what I thought was wrong with his performance.
And then he said, please, would you consider removing it?
And here's my phone number.
Please call me up directly.
Here's my email.
Hang on.
Are you in my LinkedIn account?
You've got the same password you've been using since 2012.
Exactly.
The same password that was on my facebook account yeah
yeah and your boy's face yeah
oh dear dreadful right i think we're gonna move on to this week's industry news which we're just
going to recount i i can't see we're going to comment too much on it i think we've we've
sort of discussed our way out of things but here is this week's industry news linkedin becomes the most impersonated brand for
fishing attacks industry news costa rica refuses to pay cyber ransom. Industry news. Bored ape yacht club customers lose $3 million in NFT scam.
Industry news.
French hospitals cut internet connection after data raid.
Industry news.
Security teams should be addressing quantum cyber threats now.
Industry news.
Private investigator admits role in hedge fund hack.
Industry news.
UK schools can sign up to free government-grade security.
Industry news.
Coca-Cola investigates data breach claim.
Industry news.
Crypto trading fund partners accused of fraud. Industry News. Crypto trading fund partners accused of fraud.
Industry News.
And that was this week's...
Industry News.
I removed every story that referenced Russia or Ukraine.
So we're scraping the barrel here, right? So I'm looking at the UK schools can sign up to
free government grade security. So I'm trying to understand what government grade is.
By the cheapest possible vendor. Yeah, that's military grade, isn't it?
Oh, well, government grade. It's whoever Boris gave the money to.
Yeah. Yeah. Are you a pub landlord or neighbor of one of the
prominent tourists yeah so this is literally uh mail check uh so it's for schools and it's to
help uh so it's been provided by ncse mail check and web check services so they previously offered
these to uh further education colleges and universities
mail checks designed to help organizations improve anti-spoofing to stop frauders from
sending emails in their name um so it basically just checks your spf your sender policy framework
your domain keys identified mail and your domain-based message authentication but can't
you do that through i can't remember what it was.
Free websites.
Yeah, there's a free website that does it for you as well.
Yeah, but the people who do Quad9, they also push –
I can't remember what it's called, where you're making changes to your DNS
so it can't be spoofed and et cetera.
So, damn it.
Maybe I should have done some research.
Yeah.
There's something else out there.
Yeah, well, we are rapidly running out of time,
so I'm going to move us on from this.
So that was this week's...
Industry News.
This is the Host Unknown Podcast.
Jav, we are coming to the end,
and you are going to take us home on this week's Tweet of the Week.
And we always play that one twice. Tweet of the Week.
So this week's Tweet of the Week is from Austin-Payne State University.
It's APSU alert.
Sorry.
We are under a ransom, ransomware.
There's a typo in it. We are under a ransomware attack.
If your computer is connected to the APSU network, please disconnect immediately.
And this is great because most of the people are a bit confused in the responses and they're
like well why are you asking folks to shut down rather than forcing a network shut down or
you know and i'm sure all of your people connected to the network are on twitter just waiting and
following your your um your for your advice and what have you.
It's a really weird one.
Also, I think this was reissued because I think originally it said
Ransom Spaceware.
Oh, yeah.
Do you know what?
I actually see the original one is even better.
It says APSU Alert Ransom ransomware attack and then it goes all caps
it says this is not a test shut down all computers now oh my gosh i have not seen that one do you
know what i think apsu would have benefited from in a situation like this a playbook a playbook
exactly exactly so you know someone was just freaking out and typing the first
thing they came across rather than having a template they could have used yeah yeah it's
just a very it's literally like running around with your hair on fire saying what do you do
just like shut it off shut it off yeah yeah yeah but know, hopefully they're okay. I mean, you know, ransomware sucks and the people who do it are criminals.
And I'm sure the people inside APSU, despite what you say, Jav,
were doing their very best to deal with this.
And, you know, we shouldn't be victim blaming, right?
See what you did there, you son of a bitch.
I just get you back for the other 27 times you've done it to me anyway that was this week's so we come crashing into the end of the show
gentlemen thank you very much for your time this week andy thank you
uh what do you know this whole episode has gone completely out of sync right Thank you very much for your time this week, Andy. Thank you.
Do you know what?
This whole episode has gone completely out of sync, right?
It's like you came to me first on the intro.
You're coming to me first now.
So when you say thank you, I'm supposed to say stay secure, my friends.
But now you're going to go to Jev and he's going to say it.
Steal my line. This is episode 101.
I mean, you set the schedule up.
It's completely screwed up
you know what's this bloody you know as seen on reddit for two episodes for two whole chunks i
mean our timing's completely out yeah you didn't say what you didn't even ask what time it was
i know i didn't i didn't did i well hey this is a new show we're moving forward you know you should
know andy spends the whole week coming up with a response to that,
and you didn't ask him.
You denied him that.
All right.
Next week, I will work out a really interesting way of asking you what time it is.
Some serious edging going on here.
Serious.
I will permit you your release of telling us the time.
I'm just glad Andy got to get out his North Korea gag early on.
This is true.
This is true.
Right, Jack, thank you very much, sir.
Appreciate your time this week.
Honestly, I don't know why I bother with this one.
Okay.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to the host unknown podcast if you enjoyed what you heard comment and subscribe if you hated it please leave your
best insults on our reddit channel worst episode ever r slash smashing security
that's painful that was so painful honestly it was just like tom was completely off yeah it's the ramadan of podcasts
this is the covid of podcasts old man covid this is the advocate of podcasts
oh so rich.
Hey, you know, Andy and I are professionals.
You know, we're executives.
How quickly?
Oh, you're not even out of his probation period yet.
And I'm a professional like Andy.
I know which side to go to.