The Host Unknown Podcast - Episode 111 - Jav Is In The Top Four
Episode Date: July 8, 2022This Week in InfoSec (08:04)With content liberated from the “today in infosec” twitter account and further afield8th July 2011: Space Rogue broadcast the final HNNCast. And with that, the Hacker N...ews Network came to an end. Final broadcast: https://www.facebook.com/78983739181/videos/10150254277486182/ https://youtu.be/UdKyDqU1p-41st July 1979: The first Sony Walkman, the TPS-L2, goes on sale in Japan. It would go on sale in the US about a year later. By allowing owners to carry their personal music with them, the Walkman and their iconic headphones introduce a revolution in listening habits and popular culture at large. Rant of the Week (17:12)Rogue HackerOne employee steals bug reports to sell on the sideA HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards.The rogue worker had contacted about half a dozen HackerOne customers and collected bounties “in a handful of disclosures,” the company said on Friday.HackerOne is a platform for coordinating vulnerability disclosures and intermediating monetary rewards for the bug hunter submitting the security reports.On June 22, HackerOne responded to a customer request to investigate a suspicious vulnerability disclosure through an off-platform communication channel from someone using the handle “rzlr.”The customer had noticed that the same security issue had been previously submitted through HackerOne.Bug collisions, where multiple researchers find and report the same security issue, are frequent; in this case, the genuine report and the one from the threat actor shared obvious similarities that prompted a closer look.HackerOne’s investigation determined that one of its employees had access to the platform for over two months, since they joined the company on April 4th until June 23, and contacted seven companies to report vulnerabilities already disclosed through its system. Billy Big Balls of the Week (23:42)Apple’s new Lockdown Mode defends against government spywareApple announced that a new security feature known as Lockdown Mode will roll out with iOS 16, iPadOS 16, and macOS Ventura to protect high-risk individuals like human rights defenders, journalists, and dissidents against targeted spyware attacks.Once enabled, the Lockdown Mode will provide Apple customers with messaging, web browsing, and connectivity protections designed to block mercenary spyware (like NSO Group's Pegasus) used by government-backed hackers to monitor their Apple devices after infecting them with malware.Attackers' attempts to compromise Apple devices using zero-click exploits targeting messaging apps such as WhatsApp and Facetime or web browsers will get automatically blocked, seeing that vulnerable features like link previews will be disabled. Industry News (33:14)TikTok CEO Addresses US Security ConcernSoftware Supply Chain Attack Hits Thousands of AppsHive Ransomware Upgraded to Rust to Deliver More Sophisticated EncryptionAPT Hacker Group Bitter Continues to Attack Military Targets in BangladeshNorth Korean Hackers Target US Health Providers With 'Maui' RansomwareMarriott Plays Down 20GB Data BreachFBI and MI5 Bosses Warn of “Massive” China ThreatMicrosoft Updates Windows 11 Subsystem for Android to Introduce Support For VPN-Assigned IPsApple Announces 'Lockdown Mode' to Protect Journalists, Human Rights Workers From Spyware Tweet of the Week (44:33)https://twitter.com/alxbrsn/status/1544707673282723840Ubisoft Accidentally Leaks Hundreds of Customer E-mail Addresses in Watch Dogs Marketing Snafu Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
okay so which one of you is going to resign first given that it seems to be the week of resignations
uh well in good conscience i can no longer work with either of you two so i'm out okay
okay and in good conscience i can work with neither of you two either
um i i have no conscience so i'm happy to sit here and take all the sponsorship money.
Go now, Jeff. Go now.
All the sponsorship money? All of it?
All of it. Every last penny.
You're listening to the Host Unknown Podcast. Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us
and welcome to episode 111-ish of the Host Unknown Podcast
I was waiting for you to say something there Andy
There we go
I was on mute, I put my mic on mute to cough.
I was on mute. It's so 2020, mate. I mean, come on. It's so passé now, darling.
Oh, dear.
Oh, yes, indeed. 111. So, Jav, how are you doing today?
111. So, Jav, how are you doing today?
I'm doing good. I'm doing good. It's a nice Friday, so sun's out. And yeah, I can't complain.
Well, I can because I'm talking to you two, but I won't.
Yeah, absolutely. And what's your week been? You did a little bit of travelling earlier. Yes, yes. I've been, for a while, it's been on my bucket list
to get an investment property of some sort.
So I've been travelling the country looking for someone
that will sell me something for like 10 grand or 15 grand or something.
So you've been going north, basically.
Yeah, further and further on each trip.
But with the rising cost of petrol,
it's like turning out to be cheaper
if I just fly there or take the train, actually.
Or just hand over the extra £10,000.
So where have you narrowed your sights to?
Or is that still sort of JAV confidential?
Yeah, it's to be decided, really.
Whoever accepts my local offers, really.
Are you going to become a landlord or an Airbnb host?
Or hostess.
We don't discriminate.
I don't think I'm brave enough to.
No, this is true.
Yeah, yeah.
I'm initially just landlording in the traditional sense, I think.
So like screwing tenants, taking their sort of DSS
and sort of not fixing leaks and having mould on the walls.
Well, I mean, it fits with everything else.
He doesn't do anything around here either.
I mean, what are they going to do, leave me a bad review?
Well, with all the others, I mean, it's like they're going to stick out.
And if you've just joined us, this is Host Unknown,
Homes Under The Hammer podcast.
Did it, did it, did it.
So all you need, Jav, to be a landlord is you need a sheepskin jacket,
a jag, and two dogs so you can walk around telling everybody
that you owe them that they owe you rent, and you'll be fine.
That's your landlord starter kit.
Fantastic.
Great advice.
I should have come to you before I even went.
You didn't rock up with your jag, did you?
That was a thing.
No, I didn't.
Okay, cool.
Anyway, Andy, how are you?
What have you been up to?
Been working, working hard.
Or hardly working, am I right?
Or hardly working.
What was it you were saying?
Are you incompetently competent or competently incompetent?
So this is the thing of starting a new job and you start off as unconsciously incompetent, i.e. you don't know that you're bad at the job.
And then you become consciously incompetent. You know that you've got a lot to learn.
Then you become consciously competent, i.e. you have got a lot to learn then you become consciously competent i.e.
you have to work hard to be competent and then finally you become unconsciously competent where
actually it's second nature so where are you on that scale i would say i'm definitely the early
stages of this journey it's one of those am i going to make it to the finish line i do not know
it's you know that whole never be the smartest person in the room?
Yeah.
Just for once, I would love that.
You know, I just need a little bit of a...
You need an edge.
Yeah, I just need a morale booster, right?
Help me out.
Just give me something.
Yeah, no, learning lots of things.
So I've moved to a company which is a specialist risk management company.
And I've always been on the side of managing risk and being able to contribute something.
But now, you know, walking into a room with other experts, you know, who are far more qualified in that field than I am.
It does feel like I'm just, you know, kind of that guy that walks around the building site with a clipboard and just ticks things.
Yeah.
Yep.
Yep.
You got a bucket.
You got a hard hat on.
Yep.
Good, good, good.
Are you the guy in the suit with a hard hat at the building site who points at the plan and then points at the building and then points at the plan and points at the building?
Exactly.
Yeah.
I just need to, you know, start writing things down on that plan
and contributing a bit more.
But hopefully it will come.
It's, yeah, lots to do and very smart.
But in the meantime, I'm learning lots, right?
That's the most important thing.
Yeah, absolutely.
And also, you know, a lot of these smart people,
if there's anything we've learned from this current government, that we shouldn't always trust these so-called experts, you know, and leaders in the field to know what they're talking about, right? So, I mean, I'm sure there's something you can add to that.
Yeah. But Alas, how's your week? You're not too far ahead of me in terms of new jobs.
No, no.
You've been three months on Monday just gone.
So, oh, where am I?
I'm not even going to suggest in case, you know,
in case I don't make it through to the next payroll.
You know, I've just been bitten by a...
The life of a CISO.
Exactly, exactly.
So a couple of nice breakthroughs this week, actually.
I was on the call to somebody, and we were talking about whatever it was we were talking about.
And he said, yeah, and then we're going to use...
And then we're going to feed everything into Dave's new risk register.
And it took me a second.
It's like, Dave's new risk register.
That's the thing I kicked off two months ago because we didn't have anything.
And now everybody's.
Now you realize that everyone calls you Dave.
Yeah.
No, but it was kind of like, that's great.
It's being circulated.
People are knowing about this and want to now contribute to it.
So it's one of those, you know, the circle is kind of closing on itself in a good way.
So that was nice. That was really good.
So shall we see what's coming up on this week's show?
This week in InfoSec reminds us of loft-heavy industries.
Ranked of the Week brings us a brazen employee.
Billy Big Balls is a game changer for Apple device owners.
Industry News brings us the latest, greatest security news
stories from around the world. And tweet
of the week is the
story of a 10-year
email thread.
So, let's move on to our
favourite part of the show, the part of the show that we
like to call...
This week in InfoSec.
It is that part of the show where we take a stroll down InfoSec memory lane
with royalty-free soundtrack and content liberated from the Today in InfoSec Twitter account and further afield.
So our first story takes us back a mere 11 years when on this day, the 8th of July 2011,
Space Rogue broadcast the final HNN cast.
And with that, the Hacker News Network came to an end.
So for those who do not know their history, Space Rogue, aka Chris
Thomas, was a founding member of the hacker think tank Loft Heavy Industries. So he was the first
of Loft's members to leave following the merger of Loft with AtStake in 2000, and is also the last
to reveal his true name. So he was one of seven loft members who testified before the u.s
senate committee on governmental affairs in 1999 and he testified under his internet hand or space
rogue and it was his testimony and that of other loft members that served to inform the government
of the current and future internet vulnerabilities to which federal and public channels were susceptible.
So they specifically warned of internet vulnerabilities,
claiming they could take down the internet within 30 minutes,
for which obviously the Senate paid great attention to.
And their testimony marked the first time
that persons not under federal witness protection
were permitted to testify under assumed names.
I was going to ask, beforehand, did they sort of like,
what are you going to call yourself?
I don't know, what are you going to call yourself?
I don't know, just put two random words together.
I'm Xanthor the Destroyer.
Back then, I think everyone sort of went by internet handles then, right?
It sort of came from the IRC days or, you know,
bulletin boards.
What were your internet handles?
I had many.
So Jester being one of them.
No, I didn't actually add the Sir part until maybe 1999.
Prior to that, it was just Jester.
Well, you hadn't accomplished so much by that point.
Exactly, yeah. I hadn't
done so much. But yeah, no, it wasn't until
maybe 98, I think.
What about you, Jav?
What was your nom de plume?
Oh,
none of them
I can remember are suitable for
competing.
Big Dick 69.
No, no.
I've never been into false advertising.
Adequately sized Dick 68.
Room for improvement.
Grower, not a shower.
Anyway, with DVA, so Loft Heavy Industries, they created the Hacker News Network website in 1998,
and their goal was to publicise security storage,
which they believe should have been better publicised,
as well as call-out inaccuracies in mainstream reporting.
We've seen many examples of this and sort of
sensationalism in the past and they were the authoritative place to get your accurate security
news from um you know by the late 90s but when they were acquired by at stake in 2000
at stake essentially shut down uh the hack news network because they had to find a balance between
you know sort of providing this free educational service to the community
and not pissing off their commercial customers.
We're not touching that with a 12-foot barge pole.
Yeah, exactly.
But, yeah, in the spring of 2009, Space Rogue did restart HNN
and he continued to run it for another two and a half years
until it came to its end in July of 2011.
Wow.
Why did,
why did he give up?
Do you know?
Uh,
he did.
Well,
it basically became too much effort to run.
So,
you know,
with the,
I guess,
researching stories,
editing,
uh,
and all of that,
you know,
he's saying it's sort of spending 40 to 50 hours a week on it.
Crikey.
Side gig.
I thought this was bad enough
in the hour I have to spend with you guys,
but blimey.
Well, exactly.
Well, funny, right?
Funny, right?
Has it been an hour or has it been more?
Are we on episode...
Yeah, we started this show on episode 115.
What people don't know,
this now turned into episode 116,
but we can talk about that another time.
112.
Yeah.
But, Les, I i'm gonna just quickly move on to our second story which takes us back long before i was born uh which is a mere
43 years to the first of july 1979 when the first sony walkman the tps2, went on sale in Japan. And it went on sale in the US a year later,
obviously by allowing owners to carry their personal music with them.
The Walkman and their iconic headphones introduced a revolution
in listening habits and popular culture.
So I remember the knockoffs that came out in the late 80s
and things like that. And I've actually got one of the more modern Sony Walkman cassette players in my drawer because I bought it back when I unearthed a Spectrum 48K.
You remember those?
Yeah.
And in fact, we gave this particular one away as a prize at a conference, as I recall.
Yes. And I wanted to sort of bring it back to life prize at a conference, as I recall. Yes.
And I wanted to sort of bring it back to life and have a go with it, etc.
And I bought some old tapes.
I think it was Jet Set Willy and I can't remember the other one anyway.
A couple of tapes.
And so I thought I'd buy a Sony Walkman to play the tapes into it.
Do you know what?
It wouldn't work.
The gain was not high enough for it to work
so in the end i downloaded an app onto my iphone an iphone 4 um which simulated that and so i got
a photo somewhere of a spectrum and an iphone connected with an audio cable with the iphone
feeding the program into the spectrum it's like a real sort of contrast
of technology there you know one slave into the other it was the wrong way around you know but
but yeah so it was um yeah the whole wartman thing just is is really good i've still got cassette
tapes in in you know um now that are on the shelf somewhere.
But yeah, but do you think the mini disc came out as well after that
with its anti-skip technology, right?
And the CDs.
Because no one could jog with it or anything.
And the CDs, yeah.
Yeah, oh, the CDs.
Well, that was the problem, though, wasn't it?
The CDs, they would skip as you were walking.
Yeah.
But then they came up with anti-skip technology on those as well.
Yeah, all that meant was it just paused for, you know, two seconds.
It was never as good.
I mean, like, the Walkman, the original tape was just so good.
It was, like, durable.
You didn't have to worry about dust and scratches like you did on the CD.
And it was just so easy to record.
Like, you know, when, like, end of the year or something, they, you know, Capitol used to you know when like end of the year or something they you know
Capitol used to do the top hundred songs of the
year you could sit there and record them off your stereo
and have your own mixtapes
making mixtapes for your you know
the love of your life at the time
obviously not
it was more
sorry I remember doing like
no I'm not even going to go
into it after you know after an emotional break i remember the pasadena's i'm doing fine now
sort of on loop along with uh who's the other one king of wishful thinking
you know for the longest time there was a david bowie track that you know has some quite sort of
atmospheric kind of crackling in it and all that sort of thing
10 years later i found it's because the tape was crinkled
when i listened to the original i think it was on a cd it was like
hang on where's where's the crackly bit? What's this edit?
Yeah, exactly.
And because it was at the beginning, it was in the first track,
when he turned it over, the album had finished,
so you didn't hear it on the other side, if you saw it.
So, yeah, yeah, 10 years.
10 years just because of that one crackly tape.
Anyway, excellent, lovely trip down memory lane there.
Thank you, Andy, for this week's... This week in InfoServe.
This is the podcast the Queen listens to.
Although she won't admit it.
So let's move on, shall we, to the blood-boiling part of the show the part of the
show that uh we like to call listen up rent of the week it's time to mother rage so you'd think
that um you know any company that's dealing in sensitive information, such as vulnerabilities and bug reports and all that sort of thing,
they'd have their security locked up tight.
And you're right.
This particular company, HackerOne, they absolutely do.
They are a very reputable company, very open, honest, trustworthy, etc.
Unfortunately, the same cannot be said for one of their most
recent employees. This particular employee joined on April the 4th of this year and was let go as June 23rd. So that was only about two and a half months, actually, two and a half months or so.
And in that time, this particular person was a bit of a scoundrel, to say the least. So
if you don't know what HackerOne does, they are a bug bounty company. So if you're
a company that wants to outsource your bug bounty program, i.e. outsource the ability for security
researchers around the world to test your platform, test your website, test your software products,
and then get paid for any vulnerabilities that are found. This is what HackerOne does. They handle
all of that for you. They handle all the payments and you just pay HackerOne directly so you don't
have to worry about it. This is all great because security researchers just put their findings.
They look on the HackerOne website. They download what work is available to look at, and they start their
research. And if they find something, they upload it. Well, this particular employee, who, as it
turns out, has another name of Rizzler, R-Z-L-R, this particular person who was on the inside of HackerOne was taking these reports that were coming in from genuine security researchers who were expecting to be paid for it and then contacting the company directly and saying, hey, look what I found. Do you want to give me some money for this?
Basically, stealing other people's work and passing it off as their own.
And we all knew a kid like that at school. Right.
So this guy is basically what you're saying is he's got see-saw potential.
Absolutely. In fact, Andy and I have got a friend now who does that. Right.
Yeah, this is true yeah so this this person um did this seven times in this
two and a half month period i mean that's like once every 10 days or so something like that
absolutely shocking um presumably they were background checked and all that sort of thing
but it really the amount of time they were in, this person came in with a premeditated idea, I think, of what they were going to do.
They were going to gather as much money as they could and then just leg it.
And probably, like so many of these genius criminals, got a bit greedy, thought this was a bit too easy and stayed a little bit too long. And it was only found out when a customer requested an investigation of a suspicious
vulnerability disclosure through a direct channel rather than from HackerOne directly. And it
basically matched up with one that had already been submitted.
So, yeah, absolutely shocking.
When I was given the choice to do this or another story,
this one just made my blood boil straight away.
Just appalling, appalling.
And thank goodness for the criminal minds who keep screwing it up. And also, well done, HackerOne, for disclosing it and being open and honest about it.
In fact, Andy, you and i were talking
about this before and you know they've done a bang up job on this yeah well especially i mean
the whole model is based on trust right and they yeah yeah yeah fair play true yeah this is even
better than the time that they helped criminals launder money through an unofficial ransom uh disguised but bang bang on job well missed a long memory there
sorry were you gonna ask them for sponsorship well we can cut this part out were you
it's asking for hacker one if you're listening please join us come on the show. It'll only cost you, you know, four figures, and we can hear all about the story.
Yeah.
And what is it?
Bug Crowned, if you want to sponsor us.
You just need to do a few higher figures,
and we'll get you on first.
Yeah, exactly.
And we'll even say stuff about Hacker One for you.
We'll read it from the script.
That's right.
We take all the liability, so you don't have to.
Yeah.
We're like Nigel Farage.
We'll just read anything.
Yeah.
Yeah.
Oh, excellent.
So, yeah, well done, HackerOne.
And boo his, shame on you, Mr. Rizzler.
Or Mr. the Rizzler.
And that was this week's...
Rant of the Week.
Feeling overloaded with actionable information?
Yep.
Fed up receiving well-researched, factual security content?
Yes!
Ask your doctor if the Host Unknown podcast is right for you.
Always read the label.
Never double dose on episodes.
Side effects may include nausea, eye rolling
and involuntary swearing in anger.
True story.
I love that jingle.
Oh, yeah.
So I really like the music on that one.
Right.
Sorry, it's down to me now, isn't it?
Yeah, we've got to keep the show moving on.
I'm too busy looking at the notes and the added notes that have been put in there
since our little recording faux pas earlier that hopefully nobody noticed.
So let's move on to another faux pas and Jav and this week's...
Big Balls of the Week. and Jav and this week's You know what Tom, I don't know
what I'd do to deserve this. I'm
so nice to you.
You know, I'm not
even like throwing you under
the bus today or disagreed
with you too much and like
this is what I get and then you wonder why
I'm mean to you. I love the caveat, I haven't even disagreed with you too much. like this is this is what i get and then you wonder why i'm mean to you i love the caveat i haven't even disagreed with you too much yet too obviously yet yet exactly
so how billy big balls off the week goes to apple and tim apple has some kahunas.
So, you know how it is.
People's whole lives revolve around their phones these days.
Everything is on there.
You can't even go and get a paper ticket from a parking machine anymore.
You have to do it through an app.
So everything's on there.
It's kind of all right because if you don't have change which i never do um but um hold on sorry my phone's ringing i forgot to put it on silent no and that's not an invitation for you to start
phoning me andy which is what's something you always do yeah so our whole life is is on the
phone everything's there but it's also a treasure trove of information for criminals bad guys out there they can uh oh thanks actually
these phoning me up now before i had a chance to put my watch on mute i put my phone on me
but not my watch so everything's on your phone your life's there, but there is a lot of information
that can be misused and that's not just from advertisers or people with bad...
Jav, can you answer your phone please mate?
I can hear it come through the sound right now, you've reached the O2 messaging service. Okay.
So Apple have announced...
Oh my god.
You know what? I can hear
it ringing in my
headphones. I know because I'm holding it up.
Yeah, why?
We're just trying to show your incompetence.
Oh, really?
And this is the best way you could think of it?
This is a deflection technique, nothing else.
Yeah.
Apple know that their phones are very popular.
They've gone on the privacy bandwagon for a while.
They're saying, like, buy iPhones, we take your privacy seriously.
But criminals also know that,
and there have been many targeted
attempts against individuals based on their phones so you if you know their geolocation you can use
that to do a drone strike if you are um what's that that nso group then the pegasus spyware
also can affect iphones and give away all your information, trade secrets and whatever.
So, you know, who wants to go up against corrupt governments, dodgy regimes and fancy state
backed software manufacturers whose whole job is to break into phones?
Well, Apple, and they've announced a new security feature known as lockdown
mode which will roll out with ios 16 to protect high risk individuals like human rights defenders
journalists and dissidents against targeted spyware attacks so i assume you just like you
know you can be running down the road being chased
by Agent Smith and you pull out your phone and say, Siri, enable lockdown mode. All of a sudden,
enabling lockdown mode. All the shutters come down. And yeah, yeah, yeah. If you could add
some sound effects in the background, Tom, that would be great. Does it flood all your chats with memes?
Yes we call it the Andy feature.
So the lockdown mode you can still use messaging, web browsing and
still use messaging, web browsing and...
You can still use it as a phone, basically, can't you?
Yeah, yeah, yeah.
But there are some connectivity protections designed to block mercenary spyware
used by government-backed hackers
to monitor their Apple devices
after infecting them with malware.
Attackers attempt to compromise Apple devices
using zero-click exploits,
targeting messaging apps such as WhatsApp
or on Facebook or web browsers
will get automatically blocked.
Seeing what vulnerable features
the link previews will be disabled.
So this is really, really good.
I think it's one that's almost auto-sandboxing everything.
What I was wondering is that this is a really good feature now
for people who are valuing their op set,
like journalists or what have you.
But I think more and more of these features
might even creep into the standard build of an iPhone
that, you know, the way they're going
with like do not track and everything.
I think this is a really good, you know,
general security feature.
I mean, like why, you know,
and I say this as a being employed
by a security awareness vendor.
If you can have it so that the phone doesn't allow you
to click on something and got compromised, you don't need to then train the user.
Don't click on a link or here's how you check out what's dodgy.
If your security software can do that for you itself and just prevent it,
I think that's, that could be really, really useful.
But yeah, I think, you know,
I just asked, I don't think it's got enough coverage.
Is that Apple have also doubled their bounty program.
I was just about to say exactly that.
For any sort of findings in lockdown mode.
And they go up to a maximum of $2 million
if you find a vulnerability with their lockdown mode.
Because it's a million in anything else,
but if it's to do with lockdown mode, it's $2 million, yeah.
Wow. Do you think Rizzler submitted a bug bounty for that?
I don't think anyone else has done it yet.
The problem was the evidence he provided was paper thin.
Let's roll that story up now.
Oh, very good.'s a it's a really
good feature and i think we need more of these features natively in these devices and i think
we you probably will i think even um maybe like corporate issued devices might even be something
like this it's like here's a brand new wi-Fi. By the way, we've disabled everything you might find useful on it except for work. It's sort of like a better MDM.
But if this is something that can also be triggered remotely as well, it means that if
a company's SOC is seeing that somebody's being targeted, et cetera, they can trigger this
without the user having to do anything in the sense that, you know,
the user might not know they're being attacked because it's, you know,
quite surreptitious and behind the scenes.
But if the SOC finds it, boom, they can lock it all down.
And they're securing all the endpoints, not just, you know,
the standard laptop, et cetera.
Yeah. Yeah. No, good point, good point.
So, you know, you see, you can track your employees,
you see, oh, they're entering a dodgy country.
Yeah.
Let's just enable lockdown mode as they go through customs
and, you know, good luck with trying to get any data off it.
Well, people often say that you should, you know,
get a brand new device when you go to China and things like that.
I guess if you just put it into lockdown mode, it would be the same thing, effectively, wouldn't it?
No, I mean, what they'll do, they'll literally just grab your face, hold it to your phone, use it to unlock Face ID and then switch lockdown mode off.
Yeah, yeah, yeah.
But I do love it. I mean, this sounds like such a West Coast, someone in San Francisco thinking of it.
Well, you know, these regimes, they can get it.
I tell you what, why don't you just buy another £1,500 iPhone and travel?
Yeah.
And then you won't have that problem. You're a genius. Genius, Dave.
Why didn't I think of that? Good one.
Oh, dude. No, it's good. It's good.
I think it definitely qualifies for a big ball move,
Billy Big Ball's move,
because it does put a target on them somewhat.
But hopefully it's, well,
hopefully this is a case where the other phone manufacturers
will actually copy and, you know,
roll this out amongst other sort of phones as well,
because, you know, frankly, something needs to be done, right?
And this is quite a bold move to try and address that balance.
Definitely, definitely.
Thank you, Jav, for this week's...
Billy Big Balls of the Week.
It doesn't matter if the judges were drinking.
Host Unknown was still awarded
Europe's most entertaining content status.
So it was, and so it was.
And that was only a few weeks ago, really,
which just goes to show that,
well, just goes to show how much time flies.
And talking of time flying, what time is it, Andy?
It is that time of the show where we head over to our news sources
over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry News.
TikTok CEO addresses US security concern. Industry news. TikTok CEO addresses US security concern.
Industry news.
Software supply chain attack hits thousands of apps.
Industry news.
Hive ransomware upgraded to Rust to deliver more sophisticated encryption.
Industry news.
to deliver more sophisticated encryption.
Industry news.
APT hacker group Bitter continues to attack military targets in Bangladesh.
Industry news.
North Korean hackers target US health providers with Maui ransomware.
Industry news.
Marriott plays down 20 gig data breach.
Industry news.
FBI and MI5 bosses warn of massive China threat.
Industry news.
Microsoft updates Windows 11 subsystem for Android to introduce support for VPN-assigned IPs.
Industry news.
Apple announces lockdown mode to protect journalists,
human rights workers from spyware.
And that was this week's...
Wow.
Huge if true.
Huge.
Huge.
Although 20 gig data breach apparently isn't huge.
This is the third time Marriott have been breached in
five years. Four years?
What is it? I mean, come on.
There was that you were saying last week.
It's good to have a breach every three years because it brings it
back to the forefront of everyone's mind.
Yeah, but not three in three years.
Yeah, exactly. I mean, come on.
That InfoSec program
is not working.
Well, that's just... Obviously obviously i'd have to click on the
link to know more and i'm damned if i'm going to do that but it just seems to me that you know maybe
because they were so easy to roll over the first time the criminals just wait for them to pick
themselves up and get back to business as usual and go all right let's try let's have another go
and they're kind of like being you know constantly being punched by the school bully in the same place,
even though the bruise has cleared up.
It still bloody hurts and it's still taking them out.
And I'm wondering if it's, you know, a persistent set of attacks
or if it is just now incompetence.
Right, so take a back, right, the whole thing back in the day,
so much data went,
right? You know, credit card information, you know, that original one from when they acquired
Starwood Hotel. So, you know, huge amounts of data and they got fined for it. And then they
got breached again last, I can't remember if it was last year or the year before. But anyway,
they keep losing personal data, right? So you'd think that they would have some type of controls in place.
And don't forget, controls are there to not to deliberately or to necessarily always stop malicious people.
It's to stop accidents from happening as well.
So in this recent case, apparently an employee at Baltimore Airport got fished at the airport Marriott and so they allowed someone
to connect to their machine and then that person who connected their machine exfiltrated this data
20 gigs worth of data right and so Marriott tried to downplay it and said oh you know there's
non-sensitive business files that were taken but then there were 400 people that had sort of
sensitive personal information taken as well and that includes full credit card details with CVV, expiry dates, and also HR files containing information on employees.
But taking it back to what controls would you put in place?
Bearing in mind, you have been fined in the tune of millions of pounds already, you know, in different regions as well.
Like DLP, right? You're looking for credit card data or PII egress in the network, okay?
Why would they not have that control in place? And I get, you know, that you allow a certain
amount of data to go out, you know, without stopping it because it may be bau or it's an acceptable risk but surely the details of 400 people is not something that should be allowed
to go out without being flagged somewhere yeah so when they said that somebody connected to the
machine um in the airport does that mean they they allowed this person to plug in over usb
uh socially engineered, they state.
So I think it was one of these, hey, it's me, Dave, from the IT help desk.
Can you go to this site and find the executable?
Yeah, that probably makes more sense because it would take a while
to copy 20 gig of data over, wouldn't it?
Yeah, and that's what I mean.
But something must have flagged and said, hey, look,
there's sensitive data going out of the network.
I think it does.
I think it also plays to the fact of budgets,
because I know most hotels are still hurting from the pandemic
and cash just isn't available.
And hotel profits are razor thin at the best of time,
or Rizler thin even.
Sure.
But you lose 330 million guest data in 2014.
Yeah.
Then you lose 5.2 million guest data in 2020.
Yeah.
Along with employee logins.
Surely at that point you're saying, look, you know,
this is actually costing us more in fines to address the root cause.
Yeah, exactly.
I completely agree.
I'm just trying to think of the nonsensical logic.
Now you're saying I completely agree once Andy's shown you
what a farce your way of thinking was.
And I'm like, oh, no, it's just no budget.
There's no budget for this thing.
They have razor thinthin profits.
I mean, like the minibar.
They're literally giving the stuff away on the minibar.
Are you all right?
Have you had a stroke or something?
I'm not sure.
I'm just saying, honestly, you're so full of shit,
but that's what makes you a great CISO.
No, but what I was saying was the rationale that's being given internally is profits are too thin. We can't afford to spend all the money that we want. We'll put other things in place like education and awareness and stuff like that, rather than the expensive multimillion dollar DLP. We'll spend 10 grand on a PowerPoint and send that round. And the regulators will tick the box and we'll get away with it.
That's probably the rationale as to why DLP hasn't gone in.
That's not to say it's not true that what Andy's saying isn't true,
because of course they're going to get hit with fines again and again
every time they get um they get uh hacked but and and the business
is wrong in its assumption that you know we can't afford to do this because they can't afford to not
do it now wow so many words to say absolutely nothing but okay anyway the other story that
sounds like you generally yes it. Game recognises game, my friend.
That's what I always say.
Mind you, you take all the words
you use in this podcast and you use them
three or four times elsewhere.
TikTok and
the Cron show
or whatever it's called now. The Jarek show.
That's it. All that sort of stuff. So yeah, that's it. You know, all that sort of stuff.
So, yeah, that's fair.
Anyway, you had your little moan?
I've had my little moan.
Just one, a story that's near and dear to Andy and mine hearts.
The TikTok CEO addresses US security concerns.
And I fully agree with him there is absolutely just like a witch hunt going on here i don't know why they
think oh the the um the ccp is interested in finding out the u.s user data on their 14 year
old girls who are dancing to trends i mean it's just it's just farcical i think there's no
basis on this and because those 14 year old girls will be government employees in 10 years time
well this is uh what's that um cruz senator cruz this was his old thing wasn't it about how
tiktok china's trying to dumb down americans infiltrating with their algorithms.
Well, it certainly works with you two.
Up at 3 o'clock in the morning still on TikTok.
One more TikTok.
Oh, just one more.
One more set of jiggly boobs.
I pay attention.
When it tells me to go to sleep, I go to sleep.
I do everything that app tells me to do.
But, you know, I mean, so the whole argument was about whether or not
the data sits in china or not and so right basically if data sits in china then the chinese
government can read it okay and they have the resources to do that and they will do that and
they will profile it and they will do everything but i mean this is exactly what Facebook's doing to US data. Yeah, it is, absolutely.
This is exactly what they're doing with Instagram, Meta, Facebook,
all your Oculus Rift stuff.
You've got to use Facebook login to use Oculus Rift.
It's like if you think that companies are not doing this,
then you're pretty dumb.
But the difference is, though, is that Facebook is an American company
and they can control that.
They can change regulation, they can control,
and if it comes to it, they will send armed soldiers into data centres
to secure servers if they have to.
They can't do that with China.
No, all you do, you'd have a good old set of good old boys
who are told that the government's there to steal their guns
or take away their rights or give women the right to vote on their own bodies.
And those data centers will be manned by patriots to fight back.
I don't see why the US think they're any better than China.
They're going to take away our Minecraft crossbows if we don't see why the US think they're any better than China. They're going to take away our Minecraft crossbows
if we don't starve them.
Exactly, yeah.
They're not any better, not at all,
but they have more control over the US companies
than they do over the China ones.
That's what it comes down to.
This is like that Spider-Man meme,
where Spider-Man pointed to Spider-Man.
Yeah, yeah.
I mean, you know how much love I have for Facebook, let's face it.
And I think TikTok is the lesser evil here without a shadow of a doubt.
Exactly.
I happily submit my data to China.
Yeah, something win-win.
Yeah, exactly.
Oh, dear. Oh dear.
Excellent.
That was this week's...
Industry News.
If you work hard,
research stories with diligence
and deliver well-edited,
award-winning,
studio-quality content
for high-paying sponsors,
then you too
can be usurped by three idiots
who know how to think on their feet.
You're listening to the award-winning Host Unknown podcast.
Right, we come crashing to the end of the show,
and it's the part of the show that we call...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
So I shall take this one home with a tweet which Tom Hughes shared.
It just kind of put a smile on my face when I saw it.
And it is from Alex Bursan.
And he says, back in 2012,
Ubisoft accidentally added everyone a CC on a marketing email.
Long story short, someone hit reply all,
and 10 years later, the email thread is still going strong.
And I think that's beautiful.
And he includes a screenshot of the email.
I mean, we've all been there, right?
You know, where you get this email and it's like, you know,
someone replies unsubscribe and then someone else says,
please stop replying to all.
And then someone comes back five hours later and says please remove me from this list and then someone
else says please stop replying to all um just classics right you know those things and they
typically die off after a couple of days um but he's included a screenshot from uh you know when
he looked at it uh at the weekend and it's like one of the one of the replies in it uh actually
says since this thread started i've gotten married had a child gotten divorced gotten remarried
and become an executive at redacted company and um you know someone else says hey i had my first
child yesterday i hope everyone's been well over the last decade god i'm so tired and it's like
this 10 year thread of just, you know,
the only thing they have in common is being Ubisoft customers.
It's a forum, right?
Basically, yeah, with a lot of bounce backs, I'm guessing.
Yeah, exactly.
A lot of bounce backs and a really long thread.
Yeah, but 10 years.
I mean, this is up there with the Billy Big Bull.
I love the banality of it as well.
You know, the stuff that's sort of being mentioned in there I mean, this is up there with the Billy Big Bull. I love the banality of it as well.
You know, the stuff that's sort of being mentioned in there. Was it somebody said they had their gallbladder removed recently?
Oh, your gallbladder didn't deserve you or blah, blah, blah.
And it's just, it has just become, well, it's going to become the new Facebook.
Yeah.
So somebody said, it's nice to see this thread still going after all these years.
I hope you're all living your best lives.
That's right, yeah.
It's lovely.
It's lovely.
I want to be looped into it.
If anyone can add me to it, loop me in.
Yeah, that's right.
And you're going to get it, and the first thing you're going to reply is,
unsubscribe. Yeah. And you're going to get it, and the first thing you're going to reply is, unsubscribe.
Yeah.
Well, I wonder how many people sort of said, hey, I'm leaving my,
you know, over the years, I'm leaving my job.
Can you add my new email instead?
Yeah, that's right.
Or forwarding it on to their personal address.
Oh, dude, that's great.
This reminds me, Andy, you're one that that holds our archival records because
you don't delete anything unlike me but uh it reminds sometimes every now and then like you
haven't done it for a while but you find an old old emails chain that the three of us were
exchanging about something and like you say hey guys look what i found i'm like oh my god why
does that still even exist delete delete delete yeah I need like the equivalent of, you know, lockdown mode for when I die.
No, we need lockdown mode for you.
Enron protocol.
Yes.
Very much hard drive with me.
That's right.
You prize it out of your cold, dead fingers.
Yeah.
Excellent.
That was this week's...
Well, it was tough going.
It was an extra half hour than we intended to spend recording,
but we made it.
We made it.
I can't believe we did.
The technology issues aside, the thing is still recording,
which is always good.
So, yes, thank you very much, gentlemen.
Jav, thank you so much for your time today.
Yeah, whatever, whatever.
Thank you very much for your time today.
You're like Conor McGregor giving it all the loud in the beginning
and afterwards, like, you were just business, brother.
You were just business after getting knocked out by khabib and andy thank you so much for your uh contributions today
stay secure my friends stay secure you've been listening to the host unknown podcast
if you enjoyed what you heard comment and subscribe if you hated it please leave your
best insults on our Reddit channel.
The worst episode ever.
r slash Smashing Security.
That was a marathon,
not a sprint. It was.
It was, yeah. And hopefully, Jav,
your trip to the doctors this morning
was for your blood pressure.
No, no, just like, but I was for your blood pressure. No,
no,
just like,
but,
but I'm having my,
you're an angry,
bitter man is what's coming across.
What?
Come on.
I'm the most chilled out,
laid back person.
And I know,
and like,
you know,
really it's,
you don't know many people then.
No,
I don't.
Well, You don't know many people then, do you? No, I don't. Mate, you're not even the most chilled out, laid back person on this call.
No.
I mean, you're definitely in the top four, but you're not.
Just always missing out on that podium position.