The Host Unknown Podcast - Episode 114 - BACK OFF THE MIC JAV!
Episode Date: July 29, 2022

This Week in InfoSec

With content liberated from the "today in infosec" twitter account and further afield

25th July 2007: The US Ninth Circuit Court of Appeals ruled that IP addresses and to/from... email fields can be monitored without probable cause.
Appeals Court Rules No Privacy Interest in IP Addresses, Email To/From Fields
https://twitter.com/todayininfosec/status/1154791990397042688

29th July 2009: The first Security BSides conference was held in Las Vegas in a 3,767 square foot house.
http://www.securitybsides.com/w/page/50746315/BSidesHistory
https://twitter.com/todayininfosec/status/1156078833277128704

Rant of the Week

Hackers scan for vulnerabilities within 15 minutes of disclosure

System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed.

According to Palo Alto's 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.

However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited.

"The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," reads a companion blog post.

Since scanning isn't particularly demanding, even low-skilled attackers can scan the internet for vulnerable endpoints and sell their findings on dark web markets where more capable hackers know how to exploit them.

Then, within hours, the first active exploitation attempts are observed, often hitting systems that never had the chance to patch.

Billy Big Balls of the Week

New 'Robin Banks' phishing service targets BofA, Citi, and Wells Fargo

A new phishing as a service (PhaaS) platform named 'Robin Banks' has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services.

The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander.

Additionally, Robin Banks offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts.

According to a report by IronNet, whose analysts discovered the new phishing platform, Robin Banks is already being deployed in large-scale campaigns that started in mid-June, targeting victims via SMS and email.

LockBit 3.0 introduces the first ransomware bug bounty program

With the release of LockBit 3.0, the operation has introduced the first bug bounty program offered by a ransomware gang, asking security researchers to submit bug reports in return for rewards ranging between $1,000 and $1 million.

"We invite all security researchers, ethical and unethical hackers on the planet to participate in our bug bounty program. The amount of remuneration varies from $1000 to $1 million," reads the LockBit 3.0 bug bounty page.

However, this bug bounty program is a bit different than those commonly used by legitimate companies, as helping the criminal enterprise would be illegal in many countries.

Furthermore, LockBit is not only offering bounties for rewards on vulnerabilities but is also paying bounties for "brilliant ideas" on improving the ransomware operation and for doxxing the affiliate program manager.

The following are the various bug bounty categories offered by the LockBit 3.0 operation:

Web Site Bugs: XSS vulnerabilities, mysql injections, getting a shell to the site and more, will be paid depending on the severity of the bug, the main direction is to get a decryptor through bugs web site, as well as access to the history of correspondence with encrypted companies.
Locker Bugs: Any errors during encryption by lockers that lead to corrupted files or to the possibility of decrypting files without getting a decryptor.
Brilliant ideas: We pay for ideas, please write us how to improve our site and our software, the best ideas will be paid. What is so interesting about our competitors that we don't have?
Doxing: We pay exactly one million dollars, no more and no less, for doxing the affiliate program boss. Whether you're an FBI agent or a very clever hacker who knows how to find anyone, you can write us a TOX messenger, give us your boss's name, and get $1 million in bitcoin or monero for it.
TOX messenger: Vulnerabilities of TOX messenger that allow you to intercept correspondence, run malware, determine the IP address of the interlocutor and other interesting vulnerabilities.
Tor network: Any vulnerabilities which help to get the IP address of the server where the site is installed on the onion domain, as well as getting root access to our servers, followed by a database dump and onion domains.

The $1,000,000 reward for identifying the affiliate manager, known as LockBitSupp, was previously offered on the XSS hacking forum in April.

Industry News

No More Ransom Has Helped Over 1.5m Victims
US Doubles Reward for Info on North Korean Hackers
Criminals Use Malware as Messaging Bots to Steal Data
Cyber-Criminal Offers 5.4m Twitter Users' Data
European Police Arrest 100 Suspects in BEC Crackdown
Social Media Accounts Hijacked to Post Indecent Images
Hackers Change Tactics for New Post-Macro Era
Ransomware Group Demands £500,000 From School
Spanish Police Arrest Alleged Radioactive Monitoring Hackers

Tweet of the Week

https://twitter.com/danielmakelley/status/1550884696355225601

Come on! Like and bloody well subscribe!
Transcript
Well, it was lovely to see you both a few days ago for dinner.
It was the first time in a long time, wasn't it?
Long, long time.
I can't even think the last time the three of us were all together.
Well, it was B-Sides last year, wasn't it?
Because we've got that photo.
Oh, yeah.
Yeah, of course.
Shut up.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining us,
and welcome to episode 114-ish, I think it is, of the Host Unknown Podcast.
No, it can't be. It must be 118.
Whatever, whatever. We lose count. We lose count. But we know, dear listener, that you don't. That you don't.
Trust we all had a good week. I mean, obviously, apart from, you know, having to go out and meet some, you know, vague friends, people that we will soon consider to be people we once knew.
But I hope everybody had a good week.
Jav, how about you?
I am still in astonishment as to how young Andy looked.
He has really turned back the clock.
He really lost so much weight.
He's now no longer looking like a thumb and more like a little finger.
Yeah, exactly. And, like, we kept asking him throughout the night, like, what have you done? Have you joined a gym? Have you started cycling or something? And all he would say was,
well, I swapped out Haribos for this other vegan plant-based sweet, and that's the only change I've made, honestly.
Yeah, right, right.
When you stop consuming 250 grams of Haribo on a daily basis,
it is amazing how your taste buds change.
Well, 250 grams, that's got to be about 4,000 calories, right?
That's a bag.
It's only a few, you know, 600 calories.
It's not that much.
But when you're cutting that down by half,
I mean, you are reducing your calorific intake quite significantly.
Yeah.
No, but to be fair, obviously during the pandemic I did pile on a bit more than I had before.
Anyway, we all had a little bit of lockdown weight, right?
Yeah, yeah. Mine was more of a Lockheed Martin. It was quite industrial.
That was tenuous at best.
That was fantastic. Come on.
But, you know, the thing that really annoyed me is, obviously, we're trying to find a place. Oh, where are we going to meet? Tom's going to be here. Jav, you know, he doesn't like going places he doesn't know where he can park his bike. And, you know, Jav's only requirement: make sure it's halal.
Okay, okay, cool. So we find a halal place. It's in the middle of nowhere.
We get there.
What does Jav order?
Vegetarian food.
Exactly.
That's right.
Oh, well, I don't trust all the halal places.
Like, what?
This is a power play.
It's a display of toxic masculinity at its finest.
Next time, Angus Steakhouse.
Hawksmoor.
In fact, let's do Hawksmoor.
Yeah.
You can get the creamed spinach there, Jav.
Yeah, exactly.
I mean, it's basically
what you had this time.
Yeah.
Oh, dear.
Andy, how about you? Apart from being, you know, insufferable at Slimmer's World on Thursday night.
Yeah, well, there's obviously all of that calorie counting going on that I've been doing. Well, do you know, it's weird, because I think we've already caught up. We're kind of... I think that was actually really good food that we had during the week.
And then, obviously, we went out and thought we were heading for a gelato place,
and we got kind of stiffed.
It's basically a tourist place.
Bad service.
Nice environment, bad service, and average food.
Yeah.
So, obviously, we had a full meal, then we had dessert,
and then we went for, like, second dessert afterwards.
Yeah, yeah. Well, kulfi doesn't count as dessert really, does it? I mean, it's ethnic, innit?
I had to go for something British, like the millefeuille I had. Yeah, none of this foreign muck.
No. And how about yourself? So you've just literally travelled back in from London. You had a very early start today.
Yes, yes. I got an early start. I was intending to stay in London today and plans changed, so I got back bright and early because Jav wanted to start early, because, well, I'm not sure what he's on, but he's on something, needing to leave early. So we had to start half an hour early. And surprise, surprise, Jav was here. So, you know, unlike the other night, right, when he was like 45 minutes late.
Oh my days, God.
But yeah, it's good. I've been running a workshop for three days this week. So, you know,
they're quite intensive and, you know, a lot of concentration.
And now I'm faced with all of these notes I've got to do something with.
So I'm not looking forward to that.
Sorry, what?
What kind of workshop were you running?
Like an infosec, you know, work workshop?
Oh, yeah, work workshop. Yeah, yeah. You know, I'm a CISO and everything. I've got to do this sort of thing.
The workshop entitled...
Yeah, I've got to do a workshop or something to show that I'm doing some work.
You should write a book on your learnings, you know. It's like, yeah, I think it's like Failing Up as a CISO. Chapter one: be white. Chapter two: be a man. Chapter three: be old.
Well, you know what, I did share the manuscript with you both a couple of months ago and you both failed to read it. So, you know, who knows.
I had a skim through it, to be honest.
I had a skim through. I wasn't overly impressed.
"I've had a skim through" is exactly what everybody says when they've not read it.
No, I did read it. It was... Oh, I do read it. Okay.
do you want brutal feedback on a live podcast?
That's the answer.
Well, whatever.
Anyway, talking of brutal,
shall we see what's coming up for us today?
This week in InfoSec pays homage
to the best conference for hackers by hackers.
Rant of the week laughs.
Laughs, I tell you, at your 14-day patching cycle.
Billy Big Balls is the opposite end of the scale to a 419 scam with bad spelling.
Industry News brings the latest and greatest security news stories from around the world,
and Tweet of the Week could probably be found in the Shower Thoughts subreddit.
So before we move on, do you know what?
One of the things we discussed on, was it Tuesday night?
Yeah, it was Tuesday night, wasn't it?
Was we never ask our audience how they are.
We always ask ourselves, but we never ask our audience.
So audience, how are you doing?
Are you well?
Are you looking after yourself? How did you suffer in the heat, or did you not? Indeed, just give us a shout on our Twitter feeds, on our email address, anything. Just let us know how you feel. And, you know, rest assured we are thinking of you, aren't we, gents?
Yeah, I think of the little people all the time.
Yeah, you can give Tom a direct call on plus four four seven eight seven nine...
Look, with both our listeners calling me at once, it's not going to be a problem, is it? Anyway, let's move on, shall we, to our favourite, I say favourite, part of the show, the part of the show that we like to call...
This Week in InfoSec.
it is that part of the show where we take a stroll down InfoSec memory lane with content
liberated from the Today in InfoSec Twitter account and further afield.
So today our first story takes us back a mere 15 years to the 25th of July 2007, when the US Ninth Circuit Court of Appeals ruled that IP addresses and to/from email fields can be monitored without probable cause.
So the Ninth Circuit Court of Appeals ruled that IP addresses and to and from fields in emails are basically the legal equivalent of dialled phone numbers, and the government can get a court order to obtain them without showing any form of probable cause, as would normally be needed if you were to want to look at someone's house, for example.
But this is obviously very different to what Europeans know about GDPR, which rules that IP addresses and email addresses are personally identifiable information and should be protected at all costs.
Another thing where our colonial cousins are just not quite in the same place as the rest of the world.
They didn't get the memo, did they?
We really took down the notes differently
on how we should interpret personal data
and how we should protect it as well.
Indeed, because just because it's not illegal today
doesn't mean it won't be illegal tomorrow.
I always get confused. I don't know the different circuits. I don't know whether the 9th Circuit means that they've gone through 8 other circuits in order to get there. Is it like the Radio 1 top 10, where they go from 10, 9, 8 and down, and the first circuit is the real one?
That's the one that really counts.
Is the first circuit like the Supreme Court? Or is that like the 27th Circuit?
Is it like an OSI model?
It could just be a cool name.
Yeah.
Yeah, exactly.
I keep thinking of like a five-ring circus or something.
It's like, you know, you jump through the loops.
That's probably a more accurate term.
When it comes to US law circuits, circus is definitely a good...
Yeah. Oh, the ballet.
Anyway, our second story takes us back a mere 13 years to the 29th of July 2009. This is when the first Security B-Sides conference was held in Las Vegas in a 3,767 square foot house.
Wow.
So if you think, happy 13th anniversary, B-Sides.
That is literally 13 years ago today.
Why do the show notes say happy 10th anniversary?
Because I cut and pasted it directly from the Today in InfoSec Twitter feed three years ago.
Three years ago, yes, exactly.
So I shall delete that now, but I did add my own links to it as... But do you, I think, Jav, you were probably on Twitter at the time, weren't you? Do you remember when people were talking about this, and it was literally someone's house, and they were talking about, oh, you know, we'll just get everyone there, people can sit down and, you know, sit on the floor, and, you know, different people just stand up and talk?
Yes. And it just sounded like a really cool event that was going on.
It was going on the same time as DEF CON was going on as well, right?
Yeah.
Black Hat and DEF CON, yeah.
Yeah, and then obviously it was replicated, you know,
around the world.
You know, all kinds of places have gotten them out.
I think London's probably my favourite one, of course.
Delhi's my favourite.
Oh, it would be, wouldn't it?
I was about to go on about how cool it was that we got a good history
with B-Sides, the three of us, and we really sort of cemented
our friendship there.
But no, screw you.
Yeah, you go to Delhi, Tom.
London's my second favourite.
I don't know.
No, no. It's like, I'm just like, I'm gonna click on the notes that you've put in there, and it's like BSides history, and there's so many names in there. Like, you know, I just remember it all. Like, I remember seeing the pictures of it and I was like, this is just like the coolest thing ever. Because, I mean, bear in mind, like, nowadays, well, you know, people like Jack Daniel are, like, you know, legendary status in the industry. But back then it was like a smaller pocket of people on Twitter, and especially being on this side of the pond, I'd never been to the US, so I didn't know any of these people as, like, big stars. It was, well, like, these are such cool people, they're putting on these things, and look at them, and oh, I know that person on Twitter and now I can see their pictures there in that thing. And I think the genesis of this was so pure and so good. And I was just talking to someone the other day that I kind of like BSides London, I go there, and on one hand it's like really good that you see it's so big now, but then I really do miss the earlier ones where it was, yeah, everyone knew everyone.
Everyone knew everyone. Everyone was just trying to work things out as they went along.
You sound like somebody gatekeeping a band, you know. I only like the first two albums.
I'm not saying that I like the first two albums.
I mean, I do get a bit nostalgic.
He's saying you dislike them.
Wow.
We have cross-examined Langford in the office today.
I'm just holding a mirror up to what you normally do to me.
Ninth Circuit of Appeal.
Ninth Circuit of Appeal, Langford.
Objection, hearsay.
But I do see some of the names on here.
Obviously, lots of respected people and one particular dick
who I won't call attention to in terms of these names.
But let's just say, right, you know, there's no smoke without fire. That's all I'm saying.
I thought, wasn't it... Isn't this the guy who's your best mate? Yeah, yeah, like pictures of both of you getting hammered and everything. It was just like one of those bromance-like montages that we saw on Twitter, Jav.
I remember Jav introducing you to him.
Yeah.
Oh, well.
Yeah, B-Sides, very good conference.
Definitely grown beyond all recognition, to be honest with you.
Very, very professional. The London one is indistinguishable from some of the, you know, some of the other larger conferences that go on.
Yeah, and just on that note,
obviously the call for papers for B-Sides London is now open.
And Ticket News will be coming out very soon.
And mentoring as well.
So options.
We can either mentor, like you said, Tom.
Host Unknown could potentially be a sponsor if we weren't broke.
We could put in a Host Unknown talk to talk about how to do a podcast for two years and lose money in infosec.
I think that's a good one.
It's also six years.
Yeah.
I thought it was ten.
I don't know.
I lost track.
Whatever.
It's a bit beer farmer-y, though, isn't it?
This is true.
Just without the alcohol.
Yeah, it's right.
Yeah, yeah.
We call it the sparkling water farmers.
Or the Halal Brothers.
Zero percent.
There's options. That's all we're saying.
There are options.
If you're reviewing the CFPs at B-Sides London this year, sorry, but you're going to get a lot of submissions of varying degrees of quality.
Brilliant.
Nice trip down memory lane there, Andy.
Thank you for this week's... This Week in InfoSec.
Feeling overloaded with actionable information?
Fed up receiving well-researched, factual security content?
Ask your doctor if the Host Unknown Podcast is right for you. Always read the label. Never double dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in anger.
And on such a note, let's move on to the natural successor to This Week in InfoSec, the part of the show that we call...
Listen up!
Rant of the Week.
It's time for Mother F***ing Rage!
And Rant of the Week this week.
So we know how, in fact, I was talking about it just this week in my special CISO security, make-sure-everybody-knows-that-Tom's-doing-some-work workshops. And it was about how promptly we need to be addressing vulnerabilities. And I think the standard thing is, I think critical is within, what, two weeks, is it?
Very often. Let's say 14 days, I think.
Yeah, 14 days exactly. Yeah, 14 days exactly. It is an industry accepted norm, and, you know, all the way down to, like, never for low. When you get around to it, when you have a quiet day, you know. So, and that's pretty standard across the board. However, what we have seen now, according to Palo Alto's 2022 Unit 42 Incident Response Report, sounds a bit contrived, that name, doesn't it? The time from when a CVE, you know, a vulnerability, is reported and the time to when hackers are scanning and monitoring for said vulnerability is how long, do you reckon?
Well, it's going to be, obviously, if we're saying that 14 days is, you know, industry standard, it's going to be 14 days and four hours.
Yeah, exactly.
You'd like to think, wouldn't you?
Yeah, you'd like to think.
And, you know, perhaps if I said 14 days and 15 minutes, you'd think, wow, that's pretty tight. Actually, you wouldn't be far wrong, but you'd only be about 14 days wrong. It's actually 15 minutes from the point when a CVE is first disclosed. When it first comes out of the gate, 15 minutes later that CVE is being monitored and scanned for by hackers.
Well, you say hackers. You say hackers. How many of them are, like, researchers thinking, I need to submit a talk for Black Hat this year, what can I do? Here's a CVE, quickly scan, get the screenshots, throw into a slide deck. Well, job done.
You're absolutely right.
But if you're in India and you have to adhere to these new guidelines there,
a port scan means that you've got to report it, right?
Yes, it's true.
But nonetheless, whether it's security researchers, in inverted commas,
or bad actors, 15 minutes.
And also, frankly, a security researcher who, let's face it,
is self-employed and probably doesn't get out of bed
until about midday anyway, right?
Motivated.
In fact, they probably don't get out of bed until midday
because they've been working until like 6 o'clock in the morning anyway.
Criminals, who we know are set up like regular businesses and have HR directors and, you know, all that sort of thing, probably keep pretty consistent hours. No doubt even have a 24 by 7 shift system including follow-the-sun capabilities, right? They're gonna be all over this. All over this. So 15 minutes. Now, my rant here, yeah, I guess it's less of a rant and more of a, like, oh, fuck my life, you know, how are we supposed to keep on top of this? You can't even get most IT teams to respond to a phone call in 15 minutes.
You know, the closest you get to it.
It takes 15 minutes to raise a ServiceNow request.
Well, to type the damn thing in, yeah, exactly.
I mean, even with the promise of donuts and stuff, you know,
you might get that cut down to a day.
And nowadays with remote working, you can't even get people into the office.
So, geez, 15 minutes. And that's if you are monitoring these announcements really closely, you know.
Well, you've got no chance, effectively, right?
So, yeah. So what can people do about this, Tom? Should we all give up and go home?
Oh my God, it's tempting to say that, you know. It's like, what's the point? You know, we're good, we're patching stuff that's actually been actively scanned for and actively exploited for two weeks, you know, and that's if we're on our A game, right? So, yeah, it's, geez, we really don't have... We're not going to have much joy in this at all, are we?
It does sort of highlight why you need that defence in depth approach to layered security, every layer, because ultimately if that vulnerability is on an internal system, you've got two weeks as long as your external perimeter controls are good.
Yeah, exactly.
But if that vulnerability is on your perimeter controls...
Oh, yeah, it's done for.
So then you have to make sure the inside's not...
What's the analogy?
The egg that's hard on the outside.
Yeah, exactly.
The what, sorry?
The armadillo.
Yeah, it's crunchy on the outside and soft in the middle.
Oh, like an armadillo.
Yeah, exactly.
That's right.
Yeah, absolutely.
Absolutely.
But even the game of cat and mouse, you know, the mouse has just got much, much smaller.
And the cat is now a freaking tiger, it feels like.
Yeah, well, you know, it's still an interesting report and it's not terrible. I mean, in a lot of things, when you start breaking it down and whatever you said. So they have, like, an initial access table in the report. And number one is phishing.
So it's not even software vulnerabilities is number one.
That's a far distant number two.
But then there's like, you know, compromised credentials or social engineering.
I mean, it's like, you know, these sorts of things that we all know about are making up the bulk of it.
So, you know, it's true. Like, while criminals start scanning and start trying to actively exploit stuff really quickly, there's, like, to Andy's point, there's a whole, you know, layered approach there. And, you know, you can reduce the risk significantly if you just take a few simple steps, as I would say.
I totally agree with you, but I think, you know, shock value alone, you know, when most people can't even, you know, read an email in 15 minutes, let alone answer a call or whatever, it does feel like we're very much on the back foot. And you're right, we have to take it in context and all that sort of thing, but, you know, it shouldn't surprise us that it only takes 15 minutes. But it is still a bit of a shock, right?
Yeah, yeah. And a lot of this is just doing your homework up front, like understanding what your attack surface is, what your assets are, what's, you know. So, you know, when you're told that there's a new vulnerability affecting X product, your first question shouldn't be, do we even have that? Or how many of those boxes do we have lying around, or how many are publicly facing or exploitable? You should have that information to hand, and then it becomes a lot easier. But, yeah, it's easier said than done.
Easy for me to sit here and say that.
Well, yeah, yeah, exactly.
Mr. CISO.
Yeah, exactly.
CISSP, I'll have you know.
Yeah, exactly.
Yeah.
You know, here's someone who's paid to talk about it, not actually do it.
Which, frankly, is actually quite a good gig, I have to say. Anyway, that was this week's Rant of the Week.
This is the podcast the Queen listens to, although she won't admit it.
And Jav, we're now moving over to you for your favourite part of the show, the part of the show that you call...
Billy Big Balls of the Week!
Well, thank you very much for that introduction.
So, I have a pair of Billy Big Ball stories today, and they go together quite nicely because they're both relating to ransomware.
The first one is there's a new phishing as a service, or PhaaS, on the block.
It's a new Robin Banks phishing service that targets common popular banks like Bank of America, Citi and Wells Fargo.
So they offer ready-made phishing kits targeting the customers of these well-known banks.
And it offers templates to steal Microsoft, Google, Netflix and T-Mobile accounts.
So this is all uncovered in a report by a company called IronNet. And, you know, it just goes to show, like, I think, Tom, I hate to say that you said it already, but I agree that these outfits are getting very professional and they operate like legit businesses. And there's a lot of this help built in and support. If you're like, you know, what level of criminal are you? Budding criminal, street mugger, you know, or the most popular option, which is, like, hardened nut. They genuinely do have, like, price tiering plans.
They do.
They do.
But each plan comes with 24-7 support.
And it's like you can have like single templates for $50 a month
or you can get unlimited access, like, you know,
most popular for $200 a month.
Yeah.
24-7. That's more than most software companies or, you know, legit ones.
Most banks.
Yeah, it's definitely more than most banks, let alone the...
Yeah, it's just fantastic.
It is. But they have captchas as well. Like, you can insert all kinds of things on this. Honestly, if these people just switched it around, made it legit, they would, like, be so successful.
Yeah, they're probably making more money because they're not paying tax, right?
But that's the thing. Well, then again, most big corporations are... Well, they're always around. I don't know. I don't want to say too much, but...
Yeah.
And also, they've got a good name, Robin Banks,
as in the name Robin.
Robin Banks.
That sounds like the name they came up with after a session on the beer in the pub.
Anyway, the second story, Lockbit took a bit of a break
and they revamped the software and they're now out with Lockbit 3.0.
The interesting part in this, I talk about professionalism,
is that they have now introduced the first bug bounty program offered by a ransomware gang, asking security researchers to submit bug reports in return for rewards ranging from one thousand dollars and up to one million dollars.
I wonder if Katie Moussouris consulted on this with them. It sounds like a pretty solid bug bounty program.
It might be like, you see, it's just a white label HackerOne. It goes through the same people, just like on a different channel.
We invite all security researchers, ethical and unethical hackers on the planet to...
Non-discrimination, yeah, in our bounty breaker.
Yeah, exactly. You know, the story says that, you know, it's different from legitimate companies, as helping criminal enterprises would be illegal in many countries. But also the interesting thing is they're not only offering a bounty for reward, but it is also paying bounties on, quote-unquote, brilliant ideas on improving the ransomware operation, and for doxing the affiliate program manager.
Wow. I have a question.
If I'm running Lockbit 2.3, is this a free upgrade?
Do I get a discount?
Or do I have to pay full price?
Give it 15 minutes.
You'll get version 3 automatically, Tom.
Yeah.
Good one.
So it depends.
Did you buy direct or did you go through a channel partner?
Well, I'm on like a monthly subscription.
Okay.
The secure backup way, even you don't know the encryption key,
the decryption key, right?
Yeah.
But yeah, I think this is absolutely just, like, the sheer balls on this move. It's just to say, not only you're saying we are criminals, we are criminal enterprises, we are offering software, but help us improve and we will give you a reward. It's just beyond belief.
That's fantastic.
Billy Big Balls of the Week.
This is the Host Unknown podcast, home of Billy Big Ball Energy.
Indeed it is.
Now, Andy, you've got no time for any clever time-based puns here.
So what time is it?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry news. who have been very busy bringing us the latest and greatest security news from around the globe. Industry News
No more ransom has helped over 1.5 million victims.
Industry News
US doubles reward for info on North Korean hackers.
Industry News.
Criminals use malware as messaging bots to steal data.
Industry news.
Cybercriminal offers 5.4 million Twitter users data.
Industry news.
European police arrest 100 suspects in business email compromise crackdown.
Industry news.
Social media accounts hijacked to post indecent images.
Industry news.
Hackers change tactics for new post-macro era.
Industry news.
Ransomware group demands £500,000 from school.
Spanish police arrest alleged radioactive monitoring hackers.
And that was this week's
Huge if true. Huge if true. Huge if true.
I'm sorry.
A ransomware gang that demands half a million pounds from a school.
Do they not know how much money schools have?
I know.
I didn't even click on that.
They might as well ask me.
Ransom all my stuff and say, right, we'll give you, you know, give us half a million
and we'll unlock anything.
It's like, well, it's yours.
I can't do anything about that.
So it's...
School budgets are as tight as a gnat's chuff.
It's Wootton Upper School in Bedfordshire,
which sounds like a private school, which is a feeder system to Eton,
so they might have money.
But the Academy Trust.
Oh, anyway, they believe Wootton has five hundred thousand pounds in cyber insurance, according to local newspaper Bedford Today.
And has threatened to release all the data unless the trust pays up.
So maybe it is a case of that, you know, going after the insurance companies first, figuring out how much cover everyone has and then targeting all of them for that much money.
The thing is, though, right, the fine for losing data on how many students, not even that many students and parents that use a school.
It's going to be cheaper than the
£500,000 insurance.
Although they've got to re-key
all that data again, though.
Yeah, do you know what?
Not the end of the world.
Home addresses, bank details
and student psychological reviews.
What?
Do you know what? It's not worth £500,000. Do you know, this company, the Hive ransomware
group, they need to get someone that actually can price things properly, because you've gone in too
high, guys. You've lost it. We've been up in their professionalism, and here they
quite blatantly haven't done their research. Yeah, this is the thing. You still get some of those
dodgy operations, you know.
For every proper company that's out there,
you still get the little chances.
Yeah.
And yeah, sadly.
Sorry, guys.
But I looked at this one about the US has doubled the reward.
They are increasing the reward for information on Korean state-linked hackers
to 10 million dollars. So they initially published a Rewards for Justice scheme of five million
dollars earlier in the year, in March 2022, which indicates that it hasn't been, you know,
particularly fruitful. So it's now gone to 10 million dollars. So at this point, that's the type
of number that, you know, someone in North Korea who's probably part of this group may be thinking
about switching, you know, switching sides. And, you know, potentially. But it's absolutely right,
and that's why they double these ransoms, because it also makes people feel
like, you know, their best mate could turn them in, right, because it's a life-changing amount of money.
But given they're in North Korea, how can they get them? Well, one, how do they find out about it?
How do they get the money? When they get the money, where do they put it? How do they access it? And,
more importantly, what are they going to spend it on?
Exactly. You hit the nail on the head, Tom. This is more a political move, a posture
to say, look, we're taking security seriously. This is the manifestation of that.
I mean, it feels like it. Otherwise, there's only so many potatoes you can buy. Exactly. Otherwise, we
could just phone up the US ambassador here
and say, we have a tip on these North Korean hackers.
OK, they're based in North Korea.
Like, what else can you offer them?
Yeah, I'm not sure that will qualify us for the 10 million.
No, but come on.
It might give us a sponsorship deal or something, you know.
Yeah, having a three-letter agency knock your door down
in the middle of the night is not what I would consider
a sponsorship deal.
It would make such a great Black Hat talk or DEF CON talk,
though, wouldn't it?
It would, or even a B-Sides London talk.
Yes, yes, yes.
How I ended up in Guantanamo Bay.
Yes, yes.
Come on.
Do it for the likes.
And the clout.
Yeah.
I was impressed by Andy actually spelling out B-E-C.
Well, I didn't know whether we say B-E-C or Beck,
so I just said business email compromises.
I couldn't remember what it was, to be honest. Too many TLAs. As long as you don't call it pens test, then they
were all good. Oh man, that's like fingers down a blackboard, that is. Oh, how anybody could call
a pen test a pens test.
Well, actually, you know, sometimes people get a bit quirky and, you know, do weird things. But how anybody else could agree with that, I think, is a weird thing for me.
Anyway, anyway, we digress.
We digress.
So what's, well, it says hackers change tactics for new post-macro era.
I thought Microsoft had rolled back
their decision to disable macros by default.
They did
I think that was
They did previously
But now they've put it back on again
They've put it back on again
So they've done two U-turns
Yes
Wow
It's like conservative government
Wow
Yeah, actually, we shouldn't be surprised by that.
It's like Apple Maps trying to take you down a one-way. No, losing that analogy. Well, Apple Maps
is terrible. It's always asking you to do a U-turn here, turn left here, and there's a no entry or
a one-way. You know what? When Apple Maps first came out, it was awful.
Awful.
I ended up walking for 45 minutes in the wrong direction.
See, you're so stubborn.
You're such a fanboy.
You still stuck with it, even though after like 20 minutes, you know.
No, you don't, because you think it's just up ahead,
and then you realize when you get there,
it's not where you're supposed to be.
It used to be awful.
It's now much better. I think, in fact, since they decided to put it in cars, with CarPlay, was when they realized they actually
had to make it work properly. So you're the type of person that would literally drive into a river
because the Apple sat nav told you to. He would, he would. I'm just waiting for, like, is that right? Yeah, Darwin Award. You know, I could just imagine this,
like, you know. Yeah, I mean, you're near the end anyway, Tom, so you might as well go out on a bang
and he'll give us something interesting to talk about. If Tim Apple tells me to go down a certain
road, I'm going to go down a certain road. Okay. He's got your best interests at heart. He has.
He has.
We all love Tim Apple.
Let's face it.
Right.
That was this week's Industry News.
In 2021, you voted us the most entertaining cybersecurity content amongst our peers. In 2022, you crowned us the best cybersecurity podcast in Europe. You are listening to the double award
winning Host Unknown podcast. How'd you like them apples? Damn, double award winning, two years in a row. There we go. Right, let's, well, let's close the show
in style, shall we, with this week's Tweet of the Week. And we always play that one twice.
Tweet of the Week. And it will be up to me to take us home without depressing anyone. So this one is
a tweet which came through the group chat.
I think, Tom, you sent this around, which was a good one.
And it is from Daniel Kelly.
And he says, people without cybersecurity degrees
created the content that is taught in cybersecurity degree classes.
Wow.
This is a very true statement, which I like, but it's true of any qualification, in theory, right?
It's, yeah. So I know it just has sparked quite a lot of debate on the chat. You know, you got
some people saying, you know, what's your point? Yeah, yeah. But, you know, there's someone
who replied, Jeremy, sort of, you know, in the
comments, says, you know, many employers require you to have a four-year or six-year degree to
apply for positions. He says, you know, how many jobs I've been rejected over the past six months
simply because I don't hold a degree, yet many universities want me to guest lecture.
Yeah, it's true. There's a lot of, you know, this also opens up the big debate about, you know, a
lot of the big companies requiring people to have degrees. Yeah, exactly. You automatically get
disqualified if you don't have a degree, regardless of what that degree is in as well. You know,
that person you just mentioned,
he's been turned down for jobs,
but then he's being offered a job and he's turning that down.
And I think there's just like a bit of matchmaking to be had here.
Like the job you want is right in front of you.
Become a lecturer at a university.
Yeah, but it doesn't get paid enough.
Ah, so, okay.
So I'm a money-hungry whore.
And also, if you're a guest lecturer,
I think you do it for free, don't you?
I don't know.
I'd be surprised.
I'm sure there's going to be plenty of people that charge for...
You might get your bus fare paid for.
Yeah.
And then there was someone else, Sherrod, says,
you can come and watch me speak and earn CPE credits
to apply to a certification I do not hold.
That's quality.
That's a bit like Jav talking about all the things a CISO should do.
I was about to say, Tom, it's a bit like you talking about,
you know, security recommendations.
Yeah, exactly.
Honestly. You know what? I'm going to start leaking screenshots of, like, every time Tom asks a question on our WhatsApp group. Say, oh, someone's asked me, like, what mitigations do we have for BEC? What's BEC? I can't remember.
I think I refer to that as consulting with my peer group.
Yes. Yeah, so I'm in a closed network of respected...
No, no, I never say the word respected about you two. Okay. Let's be clear.
Let's be clear.
Excellent.
Thank you, Andy, for this week's...
Just remember to be nice in the comments section.
No, it's not.
Tweet of the week.
Yeah, just remember to be nice.
That's always a good one to say.
Always remember to be nice.
Indeed.
Good advice to tell others, yeah.
Yeah, be nice, you fucking idiot.
Yeah.
So, gentlemen, thank you very much.
Much obliged.
Jav, thank you for your time this week.
Excellent.
We're done three minutes before the scheduled time,
so I'm happy that you two have managed to take your thumbs out,
turn up on time and deliver a mediocre show.
As always, love you both.
Thank you and thank you, Andy.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard,
comment and subscribe.
If you hated it, please leave your best insults
on our Reddit channel.
Worst episode ever.
r slash smashing security.
so I still can't believe that you haven't heard
of the four-hour work week
I shall send you a link now so you can, yeah. It's been around for so long. I think there's free PDFs.
Yeah, there must be. You mean it's been ripped off multiple times? Exactly, yeah.
But have you heard of Tim Ferriss, though? No, not heard of Tim Ferriss, ever.
He's not related to Tim at all. And maybe because he's in the self-help book section
and I never go to that section.
I don't know.
I mean, seeing your work ethic, I thought you'd, like, you know,
just read the title and just decided to work four hours a week.
I'm assuming it's, like, be effective in four hours a week.
I mean, I've never claimed to be that.
Never claimed to be that.