The Host Unknown Podcast - Episode 110 - Andy is Hot Hot Hot
Episode Date: July 1, 2022

This Week in InfoSec
With content liberated from the "today in infosec" Twitter account and further afield

28th June 2000: The Pikachu virus began spreading. It is believed to be the first virus targeting children, incorporating Pikachu from the Pokémon series.
https://en.m.wikipedia.org/wiki/Pikachu_virus
https://twitter.com/todayininfosec/status/1277433652519899137

29th June 2007: Nearly 6 months after it was introduced, Apple's highly-anticipated iPhone goes on sale. Generally downplayed by Old World Technology pundits after its introduction, the iPhone was greeted by long lines of buyers around the country on that first day. Quickly becoming an overnight phenomenon, one million iPhones were sold in only 74 days. Since those early days, the ensuing iPhone models have continued to set sales records and have completely changed not only the smartphone and technology industries, but the world as well.

26th June 1997: The US Supreme Court ruled the Communications Decency Act unconstitutional on a 7-2 vote. The act, passed by both houses of Congress, sought to control the content of the Internet in an effort to keep pornography from minors. In an opinion written by Justice John Paul Stevens, the Supreme Court ruled the act a violation of free speech as guaranteed by the US Constitution.
Rant of the Week
Quick mention just to get the blood boiling: India extends deadline for compliance with infosec logging rules by 90 days

India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

FBI warning: Crooks are using deepfake videos in interviews for remote gigs
Deepfakes and Stolen PII Utilized to Apply for Remote Work Positions

The US FBI issued a warning on Tuesday that it has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information.

The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the "applicant" for jobs that can be performed remotely. The Bureau reports the scam has been tried on jobs for developers, "database, and software-related job functions".
Some of the targeted jobs required access to customers' personal information, financial data, large databases and/or proprietary information.

"In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually," said the FBI in a public service announcement.

Billy Big Balls of the Week
Trio accused of selling $88m of pirated Avaya licenses
Rogue insider generated keys, resold them to blow the cash on gold, crypto, and more, prosecutors say

Three people accused of selling pirate software licenses worth more than $88 million have been charged with fraud.

The software in question is built and sold by US-based Avaya, which provides, among other things, a telephone system called IP Office to small and medium-sized businesses. To add phones and enable features such as voicemail, customers buy the necessary software licenses from an Avaya reseller or distributor. These licenses are generated by the vendor, and once installed, the features are activated.

In charges unsealed on Tuesday, it is alleged Brad Pearce, a 46-year-old long-time Avaya customer service worker, used his system administrator access to generate license keys worth tens of millions of dollars without permission. Each license could sell for $100 to thousands of dollars.

Pearce, of Oklahoma, then sold those licenses to Jason Hines, 42, of New Jersey, and others who sold them on to resellers and customers worldwide, prosecutors claimed. Pearce's wife, Dusti, 44, is accused of handling the finances and accounting in this alleged criminal caper.

On top of this, Pearce is accused of using his admin privileges to get into internal accounts of former Avaya workers to generate more software keys.
He allegedly covered up his tracks by altering information in the accounts over many years.

Great balls, but the bigger balls were from this article on the World Economic Forum:
How aligning cybersecurity with strategic objectives can protect your business
All filler with no thriller!
Cybersecurity is not a technical problem, it's a business problem
Bridge the communications divide
Relationships may be damaged, not broken
Culture of Cybersecurity!

Industry News
Snoopers' Charter Ruled Partially Unlawful
Ransomware Suspected in Wiltshire Farm Foods Attack
FBI: Beware Deepfakes Used to Apply for Remote Jobs
Amazon Fixes High Severity Vulnerability in Amazon Photos Android App
Ukrainian Cops Bust Multimillion-Dollar Phishing Gang
Nevadan Arrested for Alleged $45m Metaverse Investment Fraud
Info-Stealing Campaign Targeted Home Workers for Two Years
North Korea's Lazarus Group Suspected of $100m Harmony Hack
Former Canadian Government IT Worker Pleads Guilty Over NetWalker Ransomware Attacks

Tweet of the Week
https://twitter.com/Cannibal/status/1542597532869570560

Come on! Like and bloody well subscribe!
Transcript
So these stories look a little bit rushed this week, Andy.
Well, as you know, I did mention during the week that there was a good story we could possibly follow the Roe versus Wade ruling and how, you know, that infringes privacy.
But oh, no, you came back and said, oh, Smashing have already covered that this week.
Well, they did.
Interesting, because, yes, but at this point,
it was still Wednesday morning and the Smashing Security podcast hadn't been published yet.
Well, come on.
You know, you've got to sleep with the enemy occasionally.
Shocking.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us. And welcome to episode 110-ish of the Host Unknown Podcast.
I'm telling you, it's right. 110. I'm sure it's absolutely right.
Absolutely right.
You know, the numbering does go a little bit off
when Jav goes completely off reservation
and starts recording his own.
I labelled it as an A.
You know, it was the same number, 121A.
I did not mess up the numbers.
This is completely YouTube.
Except you label it also still as a main podcast
So I had to go back in and re-change that.
Well, I'm referring to the things that we've recorded that never get published.
Oh, once. Once.
And every episode. It's like, less than one percent of the episodes we've recorded have not been released.
Do you know, at the top of the show notes it actually says, Andy and Jav to confirm that the recording is recording by checking for the recording icon? And remember why we had to insert that, Tom?
Once. Once. That's what I'm saying.
You know, it's fine. It's fine. Anyway, like you two do any better.
Whole episode. Yeah, yeah, yeah. That wasn't recording.
Yeah, but like your efforts are any better. My goodness, it only takes one week of fame when we're already fighting like a bunch of Catholic schoolgirls.
This is ridiculous.
We've been fighting for a long time.
Yes, we have. Yes, we have.
Jav, how are you, sir?
I'm very good. I'm very good.
Enjoying listening to you two kids bicker.
It's like, you know, listen to my kids.
I send them off to school and then I come on air and then you two are like, it's number 124.
No, it's number 26.
And it must be quite novel for you to come on our podcast, Jav.
I know.
You're not a regular contributor.
Special guest.
Special guest star this week.
Who's not gone shopping.
Actually, yesterday, a blog I wrote got published on the World Economic Forum's website, so...
Christ, they're scraping the barrel.
I know. You know what, I actually thought about it a lot.
And, well, generally, no... I mean, generally I struggle to think about stuff. But someone actually messaged me saying,
it's not too long before you'll be secret handshakes and all that kind of stuff.
You will be the Illuminati or the Pentaverate.
But, you know, really, I don't think there's anything wrong with that.
And secondly, I actually think that what I do has a lot to do in common with politics.
You talk a lot. You give like broad brush statements. You don't actually implement stuff yourself.
So, yeah.
I notice a lot of your content, which goes out. It's like last week.
Obviously, you know, we did the podcast, you know, get the show notes together.
You talk about them. Next thing I know, I open up TikTok and Jav's got a video on there.
He comes up. He's talking about the story that was in the podcast and it's like hang on a second
Unlike Tom, I do it after our podcast is done and published. I don't take the stories beforehand and publish them as my own.
Are we talking about the stories in the show notes that arrived like nine minutes ago?
These ones, I'll admit, came in a little late on this episode.
Oh, man.
So Jav's fine.
He's preparing to jet off to Davos for whatever it is they do out there as a result of that.
Andy, how are you?
I'm good, although I am feeling a little bit hard done.
But I'm hearing my tagline being stolen more and more frequently.
I hear Jav on his TikTok channel saying, stay secure, my friends.
And I heard you signing off on Smashing Security.
Stay secure, my friends, as well.
It's like, is there anything original anymore?
Well, you know how much I like to rip off your unique content, Andy.
I hate you both so much.
Why do I even bother coming on this podcast?
Oh, yes.
I don't half the time because of this.
Oh, man.
How's your week, Tom?
It's been very good.
It's been very good.
Very productive, actually.
I've had to write and present four presentations this week,
mainly because I'm doing my homework at the last minute.
But it was good.
It was very good.
You've had like six weeks to do these presentations.
Yeah, that's exactly it.
That's exactly it.
And it gets done literally the last minute, right?
But yeah, it has meant I've been very productive, actually.
I feel like Bradley Cooper in Limitless as a result of it.
I feel like I've been hyper-focused and getting the job done.
And then, yeah, vegging out in front of the telly
with a tub of ice cream.
Nice.
You know, I won't be any more descriptive than that.
So, talking about sitting in the living room in your pants,
what have we got coming up on the show this week?
Well, this week in InfoSec talks about the phone that changed everything.
Rant of the Week brings us the latest on remote working.
Billy Big Balls talks of a group of people playing fast and loose with company assets.
Industry News brings us the latest and greatest security news stories from around the world.
And Tweet of the Week reminisces about groundhog day again
so let's go to our favorite part of the show the part of the show that we like to call
this week in infosec
In InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane with content liberated from the Today in InfoSec Twitter account
and further afield.
So I'm actually going to really rush through all of these stories, really,
because I've got three of them to talk about,
and I only dropped in one primarily security one.
And it takes us back a mere 22 years
to the 28th of June, 2000,
when the Pikachu virus began spreading.
And this was believed to be
the first virus targeting children.
I thought it was polio.
It was incorporating Pikachu from the Pokemon series.
Very good. Okay, I see you bringing your A game today.
Oh, I went there. I went... Too soon? I don't know.
Well, you know, we'll see if we get any complaints. But yeah, 22 years ago, targeting children, right?
So our second story, and this is the reason we rushed through, because I dropped this one in.
I'm looking forward to this one.
It takes us back a mere 15 years when the game changed forever.
The 29th of June 2007, nearly six months after it was introduced,
Apple's highly anticipated iPhone went on sale.
And it was generally played down by, you know, sort of old school pundits.
Yeah.
But it was greeted by long lines of people, you know, queuing outside the stores. We saw them on the news, and overnight it became a massive success, with 1 million iPhones sold in the first 74 days.
Wow.
And obviously since then, I know if you think up until that point,
technology phones were getting smaller and smaller and smaller.
Yeah.
Then the iPhone says, no, we're dropping this great big clunky thing.
You know, say goodbye to your Nokia 8890.
Well, you say that.
I mean, BlackBerry had gone the other way
with their keyboards and stuff like that.
So, you know, it wasn't...
Yeah, fair point.
They weren't the first ones to go that way,
but they certainly were probably the ones that influenced it.
They weren't full screen, though, were they?
No, you're right, they weren't,
but they certainly influenced that direction.
And I think Apple also dropped the price as well, didn't they? And that's something I struggle to believe.
Seriously? No, it doesn't sound like Apple would do it.
It first came out at something like $600, and then within three weeks they said, no, we're going to drop it to, was it $500? And if you've bought one since it was released, we'll give you a hundred bucks back.
Wow, yeah, I didn't realise that. I mean, now they're, what, $1,200 just for the basic one?
Yeah, and they just send you a cable in the box. They don't even... Charger comes separately.
Yeah.
But no, I think, just to go back to the BlackBerry one, the BlackBerry had a physical keyboard, which was great for the business user, because that's where it was really targeted. It was like the forward focus of phones. You wouldn't have it unless a company issued it, with the whole BlackBerry Enterprise Server and everything.
Yeah, yeah.
And then you had other touchscreen phones, but none of them were touchscreen. They were all with a stylus. And I think that was a massive, massive change as well, like using your finger on the screen.
Yeah, no, that's... yeah. And obviously, you know, BlackBerrys were very good for doing riots, and, you know, having your secure conversation and organising riots in Croydon.
I know.
That was quite remarkable, wasn't it?
And then it transpired that the whole BES was one server rack in Canada or something.
Everything went through there, nowhere else.
Good times.
So our third story takes us back a mere 25 years ago.
And I dropped this in just because I thought it was quite timely, and the topic of conversation was quite amusing. It's that on the 26th of June 1997,
the US Supreme Court ruled the Communications Decency Act unconstitutional on a 7-2 vote.
So the act, passed by both houses of Congress, sought to control the content of the internet
in an effort to keep pornography from minors.
In an opinion written by Justice John Paul Stevens,
the Supreme Court ruled the act a violation of free speech
as guaranteed by the US Constitution.
And I just thought that, you know,
this was quite amusing. 25 years ago, the US Supreme Court were, you know,
voting on people's rights and decided that it's in the interest of everyone
to allow pornography to run free across the world.
Yeah.
Yeah.
Well, I mean, if you're watching pornography,
you're not necessarily impregnating anybody, someone, you know.
Well, maybe it's preventative, right?
Prevention's better than cure.
Who knows?
Something, something, something.
Yeah.
Excellent.
Thank you, Andy, for this week's...
This week in InfoSec.
Feeling overloaded with actionable information?
Fed up receiving well-researched, factual security content? Ask your doctor if the Host Unknown Podcast is right for you. Always read the label.
Never double dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in anger.
We're going to get our money's worth from that.
Definitely from all of those.
And talking about involuntary swearing,
it's time for this week's...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So the show notes may have been late this week,
but they're certainly fully packed.
So not only do we just have three stories
from this week in InfoSec, I've got two stories for rant of the week. The first one,
just to get the blood boiling, quick mention, India has extended its deadline for compliance
with its InfoSec logging rules by 90 days. So India's Ministry of Electronics and Information Technology and the local Computer Emergency Response Team have extended the deadline for compliance with their Cyber Security Directions introduced on April 28th, which we spoke about on this very show.
This is the one that all of the major VPN providers have decided to leave India as a result of, because they would be liable for just handing over all of their logs about activity that's gone through their servers, which of course they don't do, and if they can't hand them over then they are liable for it.
So in a sign that this may well be changing, the grace period for that has been extended by 90 days. So you heard it here first. Maybe, if you're particularly poor at looking on the internet for news, but you heard it here first.
I reckon in 90 days, or as it's approaching it,
it's either going to be delayed again or it's actually going to be reconsidered
and rewritten.
That's what I think, because that's how crap the law is in the first place.
Andy, can we get another jingle made up?
Something like Tom rants about India, and then the rant of the week.
Yeah, and just insert it.
Yeah.
Save people three minutes.
But, you know, I mean, this saga is ongoing
and I can't believe that they are insisting.
They're just not backing down on this.
I think they will.
I think this is the first sign.
This is the first sign that actually somebody's going, hold on a minute, lads, this might not be going how we want it to.
Yeah.
So compliance is here.
Yeah, yeah.
So one thing that, as an industry, or on social media, a lot of security and privacy people are doing, that they're not very good at, is leaving the back door open for people to gracefully change their mind.
Oh, let them save face.
Yeah, yeah, exactly. Save face. Because I think, when you see, and it's not just about this, but a lot of times someone makes a mistake, the pile-on is so severe and direct, and their demands are so, like, we want this, we want that, we want that, draconian, that it becomes really difficult for someone to leave with their dignity intact.
Whereas, you know, even if you just give someone the option, maybe you meant to say this, or maybe you forgot to include that, or maybe I misinterpreted, you give someone so much room to save face and survive with dignity.
I think that's a real key skill that I wish a lot more people in our industry had.
Yeah.
For sure.
You'd think as politicians they'd know exactly what to get with.
Off track.
Anyway, our second story.
Our second story: FBI warning, crooks are using deepfake videos in interviews for remote gigs. Deepfakes and stolen PII utilised to apply for remote work positions.
I don't really get this. I don't really get this. So what's happening is criminals are using deepfakes to disguise their face and voices whilst they do remote interviews for jobs, to then gain access to PII.
Why do they need to use deepfakes for this, as opposed to, I don't know, one of those pairs of glasses with the nose and the moustache attached? I don't know.
And also to get a job which may or may not have access to PII,
it feels really weird.
It feels like this is the – unless this is a testing ground
for actually proper spear phishing, blah, blah, blah,
but it feels odd here.
But nonetheless, the FBI have issued a warning that says,
in these interviews, the actions and lip movement of the person seen interviewed on camera
do not completely coordinate with the audio of the person speaking.
At times, actions such as coughing, sneezing or other auditory actions
are not aligned with what is presented visually,
said the FBI in a real. Well, I think they just finished reading the thesaurus that morning.
But clearly, clearly they've never used WebEx for any of their video conferences.
That never aligned.
Yeah, WebEx is used by Cisco employees and those that are trapped in their building?
Yeah.
But, yeah, it seems like a really odd use of it.
The only thing I can think of is that it's like some kind of user testing almost,
or real life testing, because yeah, they might get the job, but there's a pretty good chance
they won't get the job. And it seems that doesn't align to criminal activity, which is we may get
into this. And it seems it's a very resource-intensive way of doing it. Although it has just occurred to me that maybe what it means is that 10 people can pretend to be that one same person, and so you can bring in a whole broad range of skills and assets.
But which... well, I still think the glasses with the nose and moustache attached would also achieve that.
But, yeah, this is a really weird one and not the best description of it,
but from the FBI either, I don't think.
But, yeah, I'm really fascinated to see how this is going to pan out
because it really isn't going to be long before, you know,
we had the audio deep fake of somebody transferring money because they thought they were talking to their boss over the phone.
The video deep fake is only just around the corner, right?
Yeah, yeah. No, you know, it reminds me of this Key and Peele sketch where they want to rob a bank.
And one of them says to the other, like, I've got this really good plan.
We go there under the pretense of like we want to be cashiers.
So that we get a job there, that we work there.
We go in nine to five.
At the end of the month, they give us some money.
We keep doing this.
After 20 years, we get a gold watch and we walk out of there scot-free.
Yeah.
And he's like, this sounds an awful lot like a job.
Yeah, a bank job.
Yeah.
We'll see.
We'll see what comes of this.
But like I say, really, I do think criminals are going to start using this.
But this is an odd way to do it. But we shall see. We shall see.
Rant of the Week.
If you work hard, research stories with diligence and deliver well-edited, award-winning, studio-quality content for high-paying sponsors, then you too can be usurped by three idiots who know how to think on their feet.
You're listening to the award-winning
Host Unknown podcast.
You know, funny story.
When I was recording on Tuesday with Smashing,
I played that jingle and said,
can you put that in your show?
And they said yes, but it would cost us 1,500 quid.
Ouch.
Wow.
Jumping to lists.
Yeah, I know.
I know.
Not all of us are made of money, folks.
Although I have to say, it was a rare pleasure going on that show.
They're very professional.
They don't cuss each other out like we do.
There's no unpleasant words
before or after the podcast. No blaming, no finger pointing. It's great. It was a real joy, unlike this and this week's...
wow what a lead-in thank you so much for that, Tom.
Oh, my pleasure.
Where am I? Where am I?
So, there's a company called Avaya.
They're based in the US and they provide many things.
I've never heard of them.
Maybe...
Telephony.
They're huge in the corporate world of telephony systems.
Are they?
Jav's never worked in corporates, though. He doesn't...
Oh, this is true. He doesn't do proper jobs.
Yeah, whilst you were in the bank, Jav, I bet your entire phone system was Avaya-based.
Yeah, probably. Probably.
Are they like the Armitage Shanks of the telephony world?
They are.
Exactly.
Armitage Shanks.
Yeah, you certainly want to do something to their handsets at the end of the day.
Yeah.
Anyway, they have a system called IP Office, which they offer SMBs.
And it's a basic package. But if you want to add features like voicemail, call waiting, what have you, then you need to buy additional licenses.
And there was some employees or an employee who worked there. And he used his access to generate software
licenses. And he went off with his wife and sold those licenses to SMBs and funneled money through
a fake PayPal account that they dispersed into other accounts and what have you.
How much do you think they sold in fake software licenses?
They undercut the main dealer,
so they were selling them not at top cost,
but they got them for free.
How much do you think they made?
A couple of million?
Yeah, that's what I thought.
They made more than $88 million.
What?
That is a lot of packages that they're selling.
That is. So each license could sell for anywhere between $100 to a couple of thousand dollars.
So it must have been a full-time job just managing that.
Yeah, yeah. That is like a proper company's worth of... I mean, you're not getting an accountant for 500 quid to do your books, are you?
This is a proper...
Yeah.
Yeah.
So Jason Hines,
who sold them to resellers and customers worldwide,
and Pearce's wife, Dusti, accused of handling the finances and accounting.
So who's Jason Hines? What part was he?
Oh, he sold them to Hines, who then sold them on.
Right, yeah. So Brad Pearce was the employee. He generated...
You'd think he made enough money out of Hollywood. Why would he need to be doing this?
It's the excitement, isn't it?
Well, true, true.
It's the breaking the law part of the thing.
You get a thrill back in your life.
Method acting.
Maybe he's like, you know, Ocean's 22.
He's researching a role.
That should have been his defence.
Yeah.
So, yeah.
So Brad Pearce generated the keys.
He sold them to Jason Hines, and Pearce's wife handled the finances.
It's a three-person convoluted web. But yeah.
Wow. There's a lot of money to be made in in pirated software apparently
And, you know, they've been charged with conspiracy to commit wire fraud and 13 counts of wire fraud.
I don't feel quite so bad about that copy of Office 98 I had on a burnt disc back in the day.
I know, I know, right?
Do you know why that's dodgy?
Because I don't think there was an Office 98.
I think that's how you knew outright it wasn't legit.
Wow.
Was it Office 95?
Office 97?
95, 97, and then 2000.
2000, yeah.
There were warez back then, perhaps, CDs called Jurassic Utilities,
which it came with your office suite and extra things like Photoshop,
which didn't need subscriptions back then.
Yeah.
And, you know, that's why so many people, allegedly, allegedly, allegedly, so many people had like Adobe Premiere at home.
Yeah, yeah, that's right. Generic office workers with all of this stuff, and Datacenter Edition Windows 2000 running a POP mailbox for them.
Yeah.
Oh dear. Excellent.
But yeah, what gets me is, like, you know, there is a limit. I mean, this is like a proper Billy Big Balls move, because, like, how long did they think they could get away with this? Because surely you think, oh, you know what? I've made a hundred grand.
That should be enough for a little retirement nest egg.
Or I've made a million, but 88 million.
I mean, like when was,
you know that the wheels were going to fall off at some point.
Surely.
Yeah.
It becomes an addiction.
Yeah.
But at some point you're just going to have to make an offer to buy out Avaya so you can hire.
Yeah.
I'm sorry, Avaya, I'm going to have to do some due diligence.
I'm going to have to knock down the price offered because you've got someone ripping off your licenses.
Yeah.
You've got a lot of insider fraud going on.
Yeah.
Oh, dear.
Wow.
I see he even covered his tracks.
He used admin privileges to get into internal accounts
of former workers to generate more software keys.
Wow.
I know.
It's despicable behaviour.
I mean, what next?
He went in and deleted the log files or something.
I mean...
Well, we've all been there, right?
Right.
Hang on a second. I don't know how to answer that without speaking to my lawyer.
Anyway, putting a bow on that story, just to reiterate, the really Billy Big Balls story was this article in the World Economic Forum: how aligning cybersecurity with strategic objectives can protect your business.
All filler with no thriller. Hold on. Who wrote this?
I may have written that part.
So the key the key points in the article by this astute gentleman.
Now, cybersecurity is not a technical problem. It's a business problem.
Bridge the communications divide.
Relationships may be damaged, but not broken.
And finally, create a culture of cybersecurity.
Do you know what?
I think the biggest Billy Big Balls part of this
is the fact that whoever wrote this
was trying to sort of pass off something
that we've been talking about in security 10 years ago
to the World Economic Forum as this is groundbreaking stuff?
For the World Economic Forum, it is.
Yeah.
Billy Big Balls, there you go.
You know, look them straight in the eye.
Don't break eye contact.
You know, they'll believe you. You know, I recently rewatched War Dogs.
I love that movie. Oh, that's such a good film. Yeah. Yeah.
I I want to build my entire business around that model.
But with cybersecurity and thought leadership, as opposed to guns and bullets.
And on the right side of the law.
Well, that's a grey area. Come on. Right side of the law in one country is different in another country. Come on, who are we to judge?
So you're going to start this business in two years' time, obviously. How long do you think it will be before you could start another business after that one?
Well, I've learned from my mistakes and I've got my identity set up under the name of
Tommy Lansady.
Andrew Agnes.
Yeah.
Excellent. Thank you, Jav, for this week's
Billy Big Balls of the Week.
You're listening to the host unknown podcast,
Bubblegum for the brain.
The problem with Bubblegum is that over time it loses its flavour.
But unlike this show, which when it comes to the right time,
you get the very best part of it. And what
time is that, Andy? It is that time of the show where we head over to our news sources over at
the InfoSec PA Newswire, who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry News. Snoopers' Charter ruled partially unlawful.
Industry News. Ransomware suspected in Wiltshire Farm Foods attack.
Industry News. FBI: beware deepfakes used to apply for remote jobs.
Industry News. Amazon fixes high severity vulnerability in Amazon Photos Android app.
Industry News. Ukrainian cops bust multi-million dollar phishing gang.
Industry News. Nevadan arrested for alleged $45 million metaverse investment fraud.
Industry News. Info-stealing campaign targeted home workers for two years.
Industry News. North Korea's Lazarus Group suspected of $100 million Harmony hack.
Industry News. Former Canadian government IT worker pleads guilty over NetWalker ransomware attacks.
Industry News
And that was this week's
Industry News
Huge if true
It would be huge if true
But do you think the part that was partially unlawful of the Snoopers' Charter was the part where they were snooping?
Yeah, I think everything else was by the book. They requested it. Yeah, they just got told no and did it anyway.
So I'm looking at this Nevadan arrested for alleged $45 million metaverse investment fraud.
And it seems like the man just he marketed to investors promising high returns.
And, yeah, just made false representations about how successful stuff was going to be in the metaverse.
And just kept receiving money from me.
So how is that any different from any NFT or cryptocurrency?
Exactly.
Or from what Facebook are doing anyway, right?
I mean, it's, jeez, I'm amazed.
What I'm really surprised about in this story
is Ukrainian cops bust multi-million-dollar phishing gang.
Don't they have a war to fight or something?
You've got to be kidding me.
They've got bigger issues.
That's like Billy Big Balls, though, isn't it?
That is.
Although, in fairness, it depends what they were phishing
or what that gang was after,
because if it's undermining the war effort,
it's in their interest to do it.
So what they're doing,
they've been accused of operating over 400 phishing sites
that requested victims to enter their bank account
and card details in order to apply
for social welfare payments from the EU.
So it's basically taking advantage of people
literally in a war zone.
In a war zone.
Looking for some help.
And over 5,000 victims
were scammed in this way.
I'm surprised you didn't choose that story
as a Billy Big Balls, Jav.
No, I just saw it now.
He's literally just read the show notes.
Yeah, that's right. He's thinking,
damn, that was another
one I could have done. So we'll see it on TikTok later. Look at... Yeah, this is true, this is true.
Will he be singing and dancing to it? Yes, with the... wearing the...
This is quality research from Checkmarx. They spotted a critical vulnerability affecting the Amazon Photos app on Android.
And I was thinking like, who uses Amazon Photos?
Who uses that?
This is such a theoretical vulnerability.
It's like how many Android users actually use Amazon Photos
when you have Google Photos, which is the best photo app
there is actually on the market.
I just find it really bizarre.
Okay.
It's the best Android.
Yeah, the best one for Android, exactly.
But yeah, I had a look at Amazon Photos, actually.
It was not very good.
I mean, like, you know, Amazon do some great stuff.
I mean, their Kindle Fires are really good value tablets,
especially for, you know, families and stuff like that.
They're quite difficult to crack and hack, but you can do them.
You can do it.
But yeah, some of their software is a bit shonky, you know, like their music app and stuff like that. I'm really not hugely impressed by it.
Although they give you huge storage for the photos, though.
Is it? Yeah, that's the thing that makes them attractive. This is true, yeah.
And actually their music app was one of the very first ones, because I remember back in the day when you bought a CD from Amazon, you also got the digital copy.
Yeah.
Yeah.
No, it's like I used to use a music app just because the free,
whatever comes with Prime, not the.
Yeah, yeah, yeah.
But then Spotify is so much better.
So I've just switched.
Oh, I can't stand Spotify.
Those adverts just drive me crazy
No, you go for the paid version, isn't it?
And what do I want to do that for?
So you don't get adverts. That's what I got Apple Music for.
Yes, he already pays a premium for music.
Yeah, I know. Why would he want to pay you cheaper? It's got everything that Spotify's got except Joe Rogan,
which for me, I'm happy to pay more money for.
Oh, that's the only thing I actually paid for Spotify for.
Joe Rogan is the best.
God damn it.
I mean, wouldn't you be happy if we got like half the viewers,
listeners that Joe Rogan had on this podcast?
Well, yeah.
I'd be happy if we had half the sponsors that Joe Rogan had on this podcast.
Well, yeah, I'd be happy if we had half the sponsors that... Exactly. I don't care how many people are listening to this shit.
Spotify, if you are listening, we are happy to ditch Tom Langford and cut an exclusive deal with your platform. You will have a multi-award-winning cybersecurity and entertainment podcast.
And Spotify, if you're listening, we're happy to drop Andy, for... Look, put it this way, right, any of us are happy to drop each other, okay? That end scene in Reservoir Dogs with the Mexican standoff,
right? Whoever's got the money, there's no hesitation in the others.
We will look that person in the eyes when we pull the trigger.
Oh, man, I just shot Marvin in the face.
What did you do?
I didn't mean to.
I didn't mean to.
Oh, dear.
Anyway, excellent.
That was this week's...
Industry News.
In 2021 you voted us the most entertaining cybersecurity content amongst our peers. In 2022 you crowned us the best cybersecurity podcast in Europe. You are listening to the double award-winning Host Unknown Podcast.
How do you like them apples?
I like them very much. Yeah, I like them very much indeed. The only apple I like.
Okay,
time for this week's Tweet
of the Week. And we always play that one twice.
Tweet of the Week.
And I shall take us home with the Groundhog Day tweet.
It's originally a tweet from someone called Steph Schwartz,
who says,
Jurassic Park is the most realistic disaster movie series
because every time they have the same problem over and over again
and nobody ever learns from it or tries anything a different way.
And someone called Cannibal has literally quote tweeted that and said,
this is literally why all of us working in InfoSec still have a job.
And I think it's true.
You know, we always talk about, you know,
the same problems just being repeated over and over again.
You know, we never managed to fix that root cause.
So it's a very good observation
and the reason many of us are still very much employed.
Long may it continue.
It's very true.
I was doing a talk about, you know,
the story of a breach on Wednesday
and said that basically, you know,
it was really good at first because it meant
that we got the high profile that we wanted
within the senior leadership.
It meant we got, you know, a lot less friction around budget,
blah, blah, blah, until about three years later
when it all started to get, you know, tied off again and reduced.
And the comment from the audience was,
so basically what you're saying is have a breach every three years
Yeah.
That's basically it, because then you'll get your budget back.
Yeah, I think you can make that...
Probably a better case scenario is your biggest competitor has a breach every three years. That would be best case.
Absolutely.
Absolutely.
oh dear excellent excellent thank you very much, Andy, for...
And here we are, stumbling and tumbling to the end of the show. Gentlemen, that was surprisingly painless this week, apart from when I got a delivery. So when I went quiet for a little while, that's what I was doing. Yeah, it's going to be interesting to see whether you cut out the part
where, you know, firstly you leave the mic on
whilst you go and take a delivery,
and then you switch your mic off when you're supposed to be talking.
Well, I mean, it could be argued that any length of silence
is when I started talking with the mic switched off.
But, yeah, well, we'll see.
We'll see what comes
out in the edit, eh? But yes, I think that was very, very painless. That was a good one. And you don't sound like you've been sucking helium this week either.
No. Oh man, I do not. I worked out what it was. The device I was using to record was transmitting data at 48 kilohertz and this app receives it at 44.1 kilohertz, so it was roughly 8.67-something percent too fast, and I had to work that out on the fly because I had to stretch it and renormalize it and all that sort of thing.
Wow, that's a pain. I won't be doing that again.
Anyway, Jav,
thank you very much for your non-helium based contributions this week.
Yeah, whatever.
And Andy, thank you, sir.
Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please leave your best insults on our Reddit channel.
Go on.
I was going to say, we're going to see which you'd like and you're going to do a bit more research on, and then publish as a TikTok in the next hour.
Well, before I do that... So I am going to do that, yes, but before I do that, I know you two are not going to stop using my catchphrase and what have you. But I do know someone who folds even quicker than I do.
That's Graham Cluley.
Who is this mythical person?
That's Graham Cluley.
Graham Cluley?
So I'm going to...
He's going to be sued for something.
Yes, and he folded super quick.
What did he fold on?
I can't remember, but to be fair, he's got more to lose.
Yeah, he wrote a blog and they said, well, you named us and it's, you know.
Oh, yes.
Anyway, yeah, so you used my phrase on his podcast and he aired it.
So he's going to get a note from my legal team.
Do you know, I did notice that they did sort of raise the topic of copyright abuse with you, Tom.
And, you know, unfortunately, it's royalty-free music that we use.
That's what I said.
That's what I said.
The beauty of using royalty-free music.
Unlike our jingles, which are all copyright.
Yeah, exactly. They can't use them
at all. Well, actually they could
as long as we get more viewers or listeners.
So frankly,
yeah, we'll just roll over
and show our bellies for a nice little tickle
with no problems at all.