The Host Unknown Podcast - Episode 102A - A New Era

Episode Date: May 9, 2022

This week in infosec
I was a teenage botmaster

Rant of the week
(Thom, how do I add images to this section? I want to use the images and description you used here https://podcast.hostunknown.tv/ep...isodes/episode-102-end-of-an-era Never mind. I'll type it out.)
Rant is about EC Council being EC Council

Billy Big Balls
The Indian government has issued new directives requiring organizations to report cybersecurity incidents to CERT-In within six hours, even if those incidents are port or vulnerability scans of computer systems. This requirement was promoted by India's Computer Emergency Response Team (CERT-In), who states it has identified specific gaps causing difficulties in security incident analysis and response, and to address them, it needs to impose more aggressive measures.
https://www.bleepingcomputer.com/news/security/india-to-require-cybersecurity-incident-reporting-within-six-hours/

Industry News
HHS Information Security Program 'Not Effective'
SIM Fraud Solution Sparks Privacy Fears
Groundbreaking Cybersecurity Book Published
GitHub to Enforce Two-Factor Authentication
Hunter Biden Laptop Repairman Sues Over Hacker Allegations
NHS Inboxes Hijacked to Send 1000+ Malicious Emails
Microsoft, Apple and Google Team Up on Passwordless Standard
Ukrainians DDoS Russian Vodka Supply Chains
Special Police Constable Used Encrypted Chat to Post Child Abuse Content

Tweet of the week
https://twitter.com/joehelle/status/1521241363785953280?s=21&t=nryrC32Sfqnyb1x0_0K2YA

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:01 Hello, hello, and welcome to the Host Unknown podcast, the real Host Unknown podcast, the beginning of a new era. Now, as you fine listeners would have picked up, Andy and Thom are juveniles, delinquents. They are worthless. They are the scum. So to give you a good experience, I have come into the studio to record the proper podcast for all you wonderful people. You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening, wherever you are. Heaven knows that's a hard line to deliver. So the reason that we didn't record this week on time was, well, it's twofold. You have Andy, who for the first time in like 70 years has decided to
Starting point is 00:01:01 move jobs, and he was a blubbering mess. He carried on crying and breaking down every five minutes. What will I do? It's like dropping off your kid at nursery for the first day. They just want to cling on. And Thom, obviously being Thom, who can't hold a job down more than six months at a stretch, was there to console him. With me, with a proper job and travel, I couldn't be there, so that's kind of like how we ended up where we ended up. Other than that, I have had a good week, because I can hear many of you saying, Jav, where have you been, how was your week? I'm glad you asked. Last week on Thursday, Friday, I was in Berlin for some work. It was a lovely time. Other than that, I have had no issues with neighbours. No one's been fly-tipping anything. I've just been having to listen to Thom and Andy
Starting point is 00:01:52 whine and moan and make up stories about me. But enough about me. Let's get on to today's show. This week in InfoSec, we take a stroll down InfoSec memory lane. Rant of the Week shows the real value people place on exposure. Billy Big Balls is a bold strategy from the Indian government. Let's see if it works out for them. Industry News brings us the latest and greatest stories from around the world. And Tweet of the Week shows us the real reason behind Musk's purchase of Twitter. So, with that, let's go on to our favourite part of the show, the part we like to call…
Starting point is 00:02:39 You're listening to the Host Unknown Podcast. Bubblegum for the brain. OK, so that wasn't the jingle I was looking for, but who knows how Thom arranges these things. Anyway, this is Today in InfoSec. On May 9th, 2008, friend of the show Graham Cluley posted this article: Teenage bot master SoBe sentenced, a mere, where is it, 14 years ago to this day. So SoBe was a zombie herder, and his real identity at the time was not made public, and in the absence of Andy, I've not bothered to do any research to find out who this person actually is. But they were a zombie bot master. And there's a really good article by Dan Goodin on the 8th of May 2008 on The Register.
Starting point is 00:03:37 It's an extensive article. But in May 2005, a 16-year-old hacker named SoBe opened his front door to find a swarm of FBI agents descending on his family's three-story house in Boca Raton, Florida. He had actually broken an arm and a leg in a motorcycle accident recently, so they were in a cast. But one of the agents wanted to be sure, so he grabbed his good arm, while others seized thousands of dollars' worth of computers, video games, consoles, other electronics. It was a synchronized raid, because over in Los Angeles, the FBI was serving a separate warrant on Jeanson James Ancheta, SoBe's 20-year-old employer and hacking mentor. They were raided because they had a year-long botnet spree, and what they were
Starting point is 00:04:34 doing, they hijacked apparently almost 400,000 PCs, and some of them belonged to the US Department of Defense. That's always a pretty dodgy move. If you want to take over PCs, try to make sure they don't belong to the government. They were charged with 17 felonies. And what they did is they took over these computers and they installed adware on them, basically, recruiting them as part of their botnet. You know, they made, the Feds seized more than $38,000,
Starting point is 00:05:13 earmarked as SoBe's cut of the botnet profits. This is quite, I mean, compared to today's figures, and when you look at ransomware and all that kind of stuff, it's not a significant amount of money. But back then, it was. SoBe's mentor, Ancheta, received 57 months in prison after pleading guilty to four counts of fraud. SoBe, when he turned 18, pled to two counts of juvenile delinquency. His plea agreement contemplated a prison term of 12 to 18 months. You know, it wasn't that long ago,
Starting point is 00:05:55 when you think about it, like 10, 15 years ago, that botnets were rife and, you know, taking control of DoD computers or corporate machines wasn't such a big thing. You know, everyone in, you know, most people in their offices, and I'm sure if Andy was there, he'd say about how he set up his own botnet in his office to rack him up some more AdSense money while he was pretending to do his day job. But I'll leave that story for him to explain someday. You know, his Haribo and sugar addiction doesn't feed itself. But yeah, 14 years ago, we were still locking up delinquents for botnets.
Starting point is 00:06:35 And now the world has changed. $38,000, people wouldn't get out of bed for that kind of cybercrime. And botnets like Mirai or the IoT, anything internet connected, seem to be growing more and more. Anyway, that was this week's Today in InfoSec. Only one story for you today, because I'm lazy and researching these stories takes a bit of time.
Starting point is 00:07:01 You're listening to the award-winning Host Unknown podcast. Officially more entertaining than Smashing Security. In your face! Listen up! Rant of the Week. It's time for Mother F***ing Rage.
Starting point is 00:07:20 Yes, it's time for the Rant of the Week. Normally something we give to Thom in the hope that he's going to have a stroke on air and give us the highest-ranking podcast episode ever. But until then, I have to try to do this while staying calm and not raising my blood pressure unnecessarily. This is a tweet. And so bear with us, because we do have a, I, we, I mean the royal we, I have a tweet for you
Starting point is 00:07:48 later. Now, this tweet is by Mr Hacking, at John J Hacking. If that's not a cool Twitter ID, I don't know what is. In this, he explains how EC Council, everyone's favourite cert-peddling sweat house, has asked him to do a video interview about the CEH, the Certified Ethical Hacker degree, and they wanted to use the video interview as marketing material to convince people to take the CEH. Obviously. Now, it's one thing when, you know, sometimes people will willingly give a testimonial or something like that. But, you know, when you're an organization and you charge people thousands upon thousands for their certifications, and then you've got a marketing program, you know, you expect
Starting point is 00:08:39 there to be some sort of agreement in place. Like, oh, could you do this for us? And maybe we will pay you, or maybe we will give you some bonus points, or we will, you know, give you something like a swag bag, whatever it might be. We'll give you a free ticket to our next conference. Anyway, John asked what the compensation thing was, and EC Council replied saying: regarding your query, this initiative and any compensation, financial slash non-financial, are independent of each other, and hence your participation will not, all capitals, will not help you get compensated financially or through credits, as it is beneficial from a different standpoint altogether. To reiterate, and this is all underlined, this video will be available to millions around the globe and will add great value to your resume and further career progression.
Starting point is 00:09:44 This reminds me of a promo cut by The Rock back in the day. Like, you know, just stepping into the ring with me will expose you to the millions and millions of my fans around the globe, so you should just be thankful for being here, jabroni. But it is just such a reflection of the poor attitude that so many, so many of these organizations have, that they think that they can just take someone who's spent time building up their career, their reputation, their credibility, and then they want to cash in on that credibility. That is what you are cashing in on. You know, when you look at marketing, you are trading in people's attention. And that is a valuable commodity. You can't say that there is no value in that. If you spent years writing blogs and posting tweets and sharing your knowledge, then you're going to build up an audience, and that audience trusts you. They invested in you. So if you are then going to
Starting point is 00:10:52 use your name or brand or your platform to then promote someone else, there should be a really good reason. And, you know, I think for an organization like EC Council, I would not put my name to that. Of course, if a cheque suddenly comes in mysteriously through the post, I might change my stance on that. I'm joking, I'm joking. There is something seriously wrong with these organizations. If the shoe was on the other foot and someone went to EC Council and said, hey, I'm a newbie in this field, I've just passed my CEH, could you make a video and send it to your millions and millions of members about what a great person I am? They'd all say no. So why is it acceptable to do it the other way?
Starting point is 00:11:37 I'm sure this is what Thom would be ranting about as well if he was there. And then on principle, I'd be disagreeing with him. But seeing as he's not here, he's somewhere else pretending to, you know, trying to get through a probation period at a job without getting shown the door. But yeah, this is just such a horrible, horrible way to approach it, and it's so disrespectful to professionals and individuals and what have you. I mean, it's different if you want to approach someone for a collaboration, that's something else. If you want to do some sort of product placement or sponsorship deal, that's something else. If you want to give some credits,
Starting point is 00:12:09 if you want to say, hey, do this and we will donate money to a charity of your choice, that is something else. But just to say, oh, come here, take time out of your day, spend two, three hours or whatever it might be, even if it's 15 minutes, doing something for us, but you're not going to get compensated, but we're going to use this for our own benefit, is diabolical. And one of the reasons I get so, I'm getting so frustrated about
Starting point is 00:12:38 this is because Thom and Andy have been doing this to me for years. Every week they ask me, show up, give us your time, bring your star power, put our podcast up on the higher echelons. Let us hang out with you and give us some exposure. And what do I get in return? Absolutely nothing. Rant of the Week. Sketchy presenters, weak analysis of content, and consistently average delivery. Like and subscribe now. And now I need to calm my heart rate down, so let's move on to
Starting point is 00:13:15 see who is the balls that is big belonging to Billy this week. Billy Big Balls of the Week. Right, so this week's Billy Big Balls moves come courtesy of the Indian Government, which has issued new directives requiring organisations to report cyber security incidents to the Indian CERT within six hours. To make matters worse, if that wasn't bad enough, even if those incidents are port or vulnerability scans of computer systems. I'm lost for words.
Starting point is 00:14:02 This is clearly something that's been put out by someone who has never worked in incident response in their lives. The requirement was provided by India's Computer Emergency Response Team, who states that it has identified specific gaps causing difficulties in security incident analysis and response. And to address them, it needs to impose more aggressive measures. Well, there is one thing to impose aggressive measures or to fill the gaps.
Starting point is 00:14:34 And if you remember, a couple of weeks ago on the show, we discussed a bank in India. It was a local bank in India that had all sorts of issues. They didn't have firewalls. They had some open source components. They were using an unlicensed version of Windows or something. Those are, I think, some of the gaps you need to be addressing if you are the Indian CERT. You do not need to be addressing things like report to us every vulnerability or port scan going on, because
Starting point is 00:15:04 in all fairness, the CERT might as well just set up their own SIEM and say, just point all your logs towards us, because nearly everything falls under the guise of this definition. There is a long list that they have provided. It says the types of cybersecurity incidents that will have to be reported to CERT-In are the following: targeted scanning, probing of critical networks or systems, compromise of critical systems information, unauthorized access to IT systems or data, defacement of websites or intrusion into a website, and unauthorized changes such as inserting malicious code, links to external websites, etc.
Starting point is 00:15:47 Malicious code attacks, such as the spreading of viruses, worms, Trojans, bots, spyware, ransomware, cryptominers. Attacks on servers, such as database, mail, and DNS, and network devices, such as routers. Identity theft, spoofing, and phishing attacks. Denial of service and distributed denial of service. I'm not even halfway through the list. I might read out the whole list, and I'll put it in the post-show, post-credit scene.
Starting point is 00:16:13 But this is ridiculous. I think this is less of a Billy Big Balls than turning more of it into a rant. But, you know, a phishing attack. Someone sends a phishing email. Are you going to report that to the CERT? You know, someone spoofed an email. This is just, just ridiculous. So, India CERT, if you are listening, please, please, please figure out a better way. Do better. Maybe if you give EC Council a video testimonial saying how good they are,
Starting point is 00:16:48 they might do some of this stuff for free. Oh, wait, sorry, no. They don't do anything for free. You're listening to the Host Unknown podcast with your award-winning host, Javvad, and insert name here. Well, I am storming through the show today, which is what happens when you don't have two talentless Muppets dragging you down all the time. So, without further ado, let's head over to the InfoSec PA Newswire to bring you this week's Industry News. HHS
Starting point is 00:17:33 Information Security Program Not Effective. Industry News. SIM Fraud Solution Sparks Privacy Fears. Industry News. Groundbreaking Cyber Security Book Published. Industry News. GitHub to Enforce Two-Factor Authentication. Industry News. Hunter Biden Laptop Repairman Sues Over Hacking Allegations. Industry News. NHS Inboxes Hijacked to Send Over a Thousand Malicious Emails.
Starting point is 00:18:04 Industry News. Microsoft, Apple and Google Team Up on Passwordless Standard. Industry News. Ukrainians DDoS Russian Vodka Supply Chains. Industry News. Special Police Constable Used Encrypted Chat to Post Child Abuse Content. Industry News. And that was this week's Industry News. As always, huge if true.
Starting point is 00:18:31 And I thought what was interesting, there's two password-related stories here. So one is Microsoft, Apple and Google are teaming up on a passwordless standard, which should be fun. And I'm all for passwordless standards, and passwordless works well when it works. The biggest challenge normally is like what happens when you forget your password, or when you have a password reset, or your account's taken over. Um, but, uh, also I just saw GitHub to enforce two-factor authentication. About freaking time. So, um, yeah.
Starting point is 00:19:05 I mean, this is one of those things. We keep on talking about passwords and standards and everything. And yet, on one hand, Microsoft is teaming up with Apple and Google to come up with passwordless standards. And on the other hand,
Starting point is 00:19:21 GitHub, which is owned by Microsoft, doesn't even enforce two-factor authentication as of today. So, left hand, speak to right. I know that Thom probably would have jumped all over the DDoS Russian vodka supply chain story, so I'm going to skip it. Groundbreaking Cyber Security Book Published, and this was really interesting, because I know Thom was complaining that two of my colleagues, Perry Carpenter and Kai Roer, recently published their book, The Security Culture Playbook. It's a really good read.
Starting point is 00:19:54 I haven't got through all of it yet, but the bit that I have got through is really interesting and really well written. So I recommend, if you're interested in security culture and building a strong security culture within organizations, to read it. But I know Kai asked Thom for a testimonial and then he didn't use it in the book. And I don't blame Kai at all. I think that's a very, very smart move. I mean, I should really go through and try to dissociate myself from Thom on a professional level, at least. So I started removing any LinkedIn endorsements, recommendations, any pictures we have online that might indicate that we're friends or something or colleagues.
Starting point is 00:20:37 You know, it's just, yeah, I'd say let's make 2022 the year that we cancel Thom Langford. He's an old white guy and no one will miss it. This is the Host Unknown Podcast. The couch potato of InfoSec broadcasting. And as we hurtle towards the final stretch, it's time for Tweet of the Week. And because we love that tune so much, we play it twice. Now, there is a trend on Twitter at the moment where people are posting tweets that look like
Starting point is 00:21:15 they originate from Elon Musk. Sometimes they do, sometimes they don't. Here's one which I believe most certainly isn't, but I'd like to believe it's true. So this is by Joe Helle, and it's a tweet by Elon Musk saying, planning on buying SANS and making the certs affordable. I think if there's anyone who could possibly do that, it would be Elon Musk. So yes, I think there is something to be said about the prices of certs and what have you. So Elon, if you can make that happen, it would be much appreciated. And the second tweet of the day is by Sycotic.
Starting point is 00:21:59 Soycotic. S-O-Y-cotic. Every time I have a programming question and I really need help, I post it on Reddit and then log on to another account and reply to it with an obscenely incorrect answer. People don't care about helping others, but they love correcting others. Works 100% of the time. And this is why whenever I... I've tried this and this definitely works. So I will say something like, Thom Langford believes X, Y and Z, and people always jump to say how Thom is an idiot and he's wrong.
Starting point is 00:22:37 And you really can't disagree with that. I once did say, Andy said this, and everyone was like, who? Tweet of the Week. This is the podcast the Queen listens to. Although she won't admit it. And that is all she said or wrote. What is the phrase? I don't know.
Starting point is 00:23:03 If Thom was there, he would correct me. But thankfully, he's not here. So we can make up whatever phrases we want amongst ourselves. I hope you enjoyed this super slick, super streamlined episode, more informative, less banter. I guess you could say that we've become so indie, we record separately and then it's up to you, the listener, to put all the pieces together to get a complete show. Think of us like the IKEA or the Lego of the podcasting world. A bit of self-assembly is required. So until next week, we might be back as a trio or I might be doing this solo thing. I kind of like this solo gig.
Starting point is 00:23:40 But until then, everyone, stay secure, my friends. You've been listening to the Host Unknown podcast. Some of the other controls recommended by the Indian CERT would be: attacks on critical infrastructure, SCADA, and operational technology systems and wireless networks. Attacks on applications such as e-governance, e-commerce, etc. Data breach, data leak. Attacks on IoT devices and associated systems, networks, software, servers. Attacks on incidents affecting digital payment systems. Attacks through malicious mobile apps. Fake mobile apps. Unauthorized access to social media accounts. Attacks or
Starting point is 00:24:38 malicious, suspicious activities affecting cloud computing systems, servers, software, applications. Attacks or malicious, suspicious activities affecting systems, servers, network, software, applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, and drones.
