The Host Unknown Podcast - Episode 116 - Thom Can't Work The Buttons
Episode Date: August 12, 2022This Week in InfoSecWith content liberated from the “today in infosec” twitter account and further afield10th August 1988: 34 years ago today, Dade Murphy aka Zero Cool crashed 1507 computers, cau...sing a 7 point drop in the NY stock exchange. He was 11 and his family was fined $45,000. He was banned from touching a computer until he turned 18.https://twitter.com/hakluke/status/15572420864238714886th August 2014: A hacker announced the theft of 40 GB of data from the maker of FinFisher spyware, then leaked the price list, client list, and more.A Hacker Claims to Have Leaked 40GB of Docs on Government Spy Tool FinFisherTop gov't spyware company hacked; Gamma's FinFisher leakedhttps://twitter.com/todayininfosec/status/115895644924810854411th August 2015: A day after Oracle CSO Mary Ann Davidson posted a blog titled "No, You Really Can’t", security community blowback caused Oracle to remove the post.No, you really can’t (Wayback Machine)Oracle has this Modest Proposal, via its CSOhttps://twitter.com/todayininfosec/status/1293374259637768194 Rant of the WeekMeta's chatbot says the company 'exploits people'Meta's new prototype chatbot has told the BBC that Mark Zuckerberg exploits its users for money.Meta says the chatbot uses artificial intelligence and can chat on "nearly any topic".Asked what the chatbot thought of the company's CEO and founder, it replied "our country is divided and he didn't help that at all".Meta said the chatbot was a prototype and might produce rude or offensive answers."Everyone who uses Blender Bot is required to acknowledge they understand it's for research and entertainment purposes only, that it can make untrue or offensive statements, and that they agree to not intentionally trigger the bot to make offensive statements," said a Meta spokesperson.The chatbot, called BlenderBot 3, was released to the public on Friday.The programme "learns" from large amounts of publicly available language data. Billy Big Balls of the WeekBackground: Twilio discloses data breach after SMS phishing attack on employees"On August 4, 2022, Twilio became aware of unauthorized access to information related to a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials," Twilio said over the weekend."The attackers then used the stolen credentials to gain access to some of our internal systems, where they were able to access certain customer data."The company also revealed the attackers gained access to its systems after tricking and stealing credentials from multiple employees targeted in the phishing incident.To do that, they impersonated Twilio's IT department, asking them to click URLs containing "Twilio," "Okta," and "SSO" keywords that would redirect them to a Twilio sign-in page clone.The SMS phishing messages baited Twilio's employees into clicking the embedded links by warning them that their passwords had expired or were scheduled to be changed.BBB: Cloudflare: Someone tried to pull the Twilio phishing tactic on us too. Cloudflare says it was subject to a similar attack to one made on comms company Twilio last week, but in this case it was thwarted by hardware security keys that are required to access applications and services.Twilio reported a breach after employees received phishing text messages claiming to be from the company's IT department. These fooled them into logging into a fake web page designed to look like Twilio's own sign-in page, using pretexts such as claiming they needed to change their passwords. The attackers were then able to use credentials supplied by the victims to log into the real site.According to Cloudflare, it recorded a very similar incident late last month, which could suggest the two attacks may have originated from the same attacker or group.Detailing the incident on its blog, the content delivery network claimed that no Cloudflare systems were compromised, but said it was "a sophisticated attack targeting employees and systems in such a way that we believe most organizations would be likely to be breached." Industry NewsMeta Takes Action Against Cyber Espionage Operations Targeting Facebook in South AsiaNumber of Firms Unable to Access Cyber-Insurance Set to DoubleSmishing Attack Led to Major Twilio BreachHealth Adviser Fined After Illegally Accessing Medical RecordsUS Treasury Sanctions Virtual Currency Mixer For Connections With Lazarus GroupPredator Pleads Guilty After Targeting Thousands of Girls OnlineCyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP ReportsDeathStalker's VileRAT Continues to Target Foreign and Crypto ExchangesSuspected $3m Romance Scammer Extradited to Japan Tweet of the Weekhttps://twitter.com/mttaggart/status/1557399523575508993 Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
I just think we should completely avoid the whole topic of the crying CEO.
I mean, it's quite a difficult thing to do, to stay away from the crying CEO, but I guess we can try.
You're listening to the Host Unknown Podcast.
You're listening to the Host Unknown Podcast. Dry your eyes, dear listener. We're sure you've had a tough week.
We're sure that letting go of those people was probably the most difficult thing you could say or do this week.
And it's probably put you in a very vulnerable position.
But Friday's here.
The Host Unknown podcast is here.
And Javad is here.
How are you, Jav? Oh, I'm very good, I'm very good.
I have next week off which is great. I'm not going anywhere which is even better so I'm not spending
any money. You know I did sit down and like shed a few tears in front of my kids. You know this is
very difficult. I can't take you on an overpriced holiday this year. So they were comforting me by the end of it.
But some more excitement in my neighbourhood.
Ooh!
A few days ago, one of my neighbours,
who's two houses down on the left,
so there's my immediate neighbour,
there's the service alleyway,
and then they live on the other side.
Now, they're builders and they've got a couple of vans
and one of them got nicked overnight no but surely no tools were left in the van overnight well unfortunately he had
several tools in the van um but the van but the van itself was his major tool because you know
he's lugging around stuff and what have you so he came to me he was really
distraught he was like i see you've got some cameras up can you catch anything there and i was
like mate gdpr and all this stuff i can only cover my own driveway you know like i'm not
yeah i can't cover the road and the alleyway in your house and he goes like brother i give you permission if you want to face the camera
this way so um so you went through the satellite footage that you had for the uh
so i'm in the process of upgrading my camera system gonna add four more cameras what yes is this a wired system or an ip system this is all a wired system
okay so the guy comes and he'll install it for me i'm not installing it myself yet
because as soon as it's wires and stuff and electricity i don't know how to do it
that's outsourcing you can't do the buttons outsourcing you're written all over it exactly
exactly who do you think i am like a sock analyst or something i can't do the buttons. Outsourcing, you're written all over it. Exactly, exactly.
Who do you think I am, like a sock analyst or something?
I don't do anything myself.
Going to outsource it to some East End barra boy done good.
Yeah, yeah.
No, there's a really good guy not too far from here.
He's got a shop that he installs.
He's the one that got my current setup going, and it's really good.
He also, like, every time he comes around to look at the cameras or fit or whatever he goes hey i can also get you one of those chipped like sky boxes if you're like you know those dream boxes that give you
every year i said no no no oh you know these neighbors and these neighbors they've all got
it you can ask them it works i said no i don't want them thank you very much it gets you all the blueys and everything yeah i know i know
so yeah basically neighborhood watch control center i am i am i'm just picturing like where
in my office i can set up a whole bank of monitors and like you know i'm gonna set up
like walkie-talkies with the neighbors and everything it's gonna be like you know, I'm going to set up like walkie talkies with the neighbors and everything. It's going to be like,
you know,
Oh,
what's your cool sign going to be?
Yeah.
Eagle.
Eagle.
Eagle.
There we go.
And then your neighbor,
Bob,
the builder.
Yeah.
Yeah.
Oh,
fantastic.
Do you know what?
The, the, the, Yeah. Yeah. Oh, fantastic. Do you know what? The ongoing saga of your back passage must have every listener
hanging on every word in every episode.
So, you know, if nothing else,
it gets everybody back to listening to next week's episode.
I know.
I know.
So stay tuned, folks.
Indeed.
Stay tuned for the further sagas of jav's back
passage andy how are you uh good i'm literally as jav was talking i was just scrolling through my
neighborhood watch whatsapp group um because there's actually a white van that was going
around our area and someone said hey keep an eye out for these scumbags and he's posted um you know screenshots from his cctv uh i chased them off and they're trying to steal
materials from my house um and basically it's a white van that's been stolen so it's a legit van
from a building oh it's not like a mr whippy then no but it's uh no it's a building company van so
you know quite likely to be in the area and stuff.
But, yeah, the van was stolen.
They've put some false plates on it as well.
Now, you know, far be it from me to be the detective of the group,
but Jav's neighbour has just had a building van stolen.
You have just had a stolen building works van driving around
nicking stuff i reckon you two should be talking so the only missing piece here
the only missing piece here last wednesday and thursday night where were you tom
i'm gonna plead the fifth on that
uh so how was your week anyway, other than a productive trip to Lidl?
Yes, indeed.
It's always a productive trip to Lidl.
The stuff you can find there is surprising, surprising.
I have a cupboard full of it now.
It's almost a cliché, but everyone does it, right?
Well, whenever I need a trombone, a TIG welder and a wetsuit,
where else would you go?
Exactly.
Do you know what?
I was walking through there the other day and they had some,
you know when you do welding, you have to wear a helmet,
you know, that blanks out the vision so you don't go blind.
And they had some automatic welding helmets.
So basically you can see through them and then as soon as it detects light,
boom, it changes and, you know, it goes dark, et cetera.
They looked so cool.
Are you going to convert it into like a Star Wars thing?
Do you know, I was so close to buying one.
So when a lightsaber lights up,
the mask automatically drops down sort of thing.
Yeah, exactly.
So I then have to use the force.
Exactly.
Oh, it's so close to buying one.
I was like, for goodness sake.
You know, it was like I had a paint job down the side,
you know, like, you know, red and yellow flames and stuff.
It looked really cool.
It looked really cool.
But yeah, aside from that, been in the office,
making the most of their air conditioning, obviously,
just like everybody else.
So yes, yeah.
And I'm picking up another or not,
picking up on a project and completing another.
So I had the glass delivered for my TV mirror in the bedroom.
So that's being fitted this weekend.
And, yeah, going to kick off and do another magic mirror as well.
So, yeah, busy.
It's going to be a busy weekend.
So I'm hearing a lot of stuff that you are doing yourself
and I'm hearing a lot of stuff that Jav's outsourcing.
Yes.
How the turns of table do it.
Exactly.
And yet you're the CISO.
Oh, and that's right.
And there's some fella in North London
I've got to install some cameras for as well.
It's a pain in the arse if he's trying to sell me dodgy software.
Try and upsell.
Yeah, Office 95, he said it's the latest version.
Anyway, shall we see what we've got coming up for you today?
This week in InfoSec talks about repressive government's
weapon of choice long before Pegasus.
Rant of the week is another big tech chatbot in the wild.
Billy Big Balls demonstrates why defence in depth
really can save you some pain.
Industry News brings us the latest and greatest security news stories
from around the world as usual.
And Tweet of the Week is an InfoSec dad joke.
My favourite kind.
So let's move on to our favourite part of the show,
the part of the show that we like to call...
This Week in InfoSec.
It is that part of the show which for more than nine months in the year
takes a stroll down InfoSec memory lane with content liberated from the
Today in InfoSec Twitter account and further afield.
So a quick first story which takes us back this week 34 years in 1988
when Dade Murphy, a.k.a. Zero Cool, crashed 1,507 computers, causing a seven point drop in the New York Stock Exchange.
He was 11 years old at the time and his family was fined forty five thousand dollars.
He was then banned from touching the computer until he turned 18.
And that story made the front page of The New York Times on 10th of August 1988.
It's true.
I saw it.
I saw it.
I was there.
Yeah.
I definitely saw it.
Yeah.
So we won't dwell too much on it because everyone knows all about Dave Murphy,
aka Zero Cool.
Well, everyone except my mum, in fairness.
Okay.
Well, we'll stick a link in the show notes.
I think there's a screen uh you know screenshot
so our uh second story takes us back eight years to the 6th of august 2014 and it may sound familiar
because a hacker announced the theft of 40 gigabytes of data from the maker of fin fisher
spyware uh hacker then leaked the price list, client list, and more.
So NSO Group's Pegasus was not the first spyware vendor
to be used by oppressive governments to spy on anyone they wanted.
And this week in 2014, an Anglo-German company,
Gamma International UK Limited,
the maker of the secretive Finn Fisher spyware,
which sold exclusively to governments and police agencies, was hacked. So during the hack, it revealed its
clients, prices and its effectiveness across an unbelievable span of applications, operating
systems and more. And this parody sort of Twitter account by the hacker claiming credit for the
leak was set up in tandem with the data
being released. And it really sort of spilled the tea on what many people already suspected
about these sort of dodgy selling practices that were going on. So in 2012, the FinFisher
software was found sort of being widely used by governments in the Middle East, particularly
Bahrain to hack and spy on computers
and phones of journalists and dissidents.
And Gamma Group, the company that makes FinFish,
are denied having anything to do with it,
saying that they only sell their hacking tools
to good governments.
Oh, come on.
Those authoritarian regimes must have stolen a copy.
But unfortunately, those files stolen from Gamma's networks
provided hard proof that they knew exactly what they were selling,
who they were selling, even during the accusations at the time in 2012.
And they knew that the software was being used to attack Bahraini activists.
But yeah, that stolen data contained client list, priceless source code,
details about the effectiveness of the FinFisher malware, user support documentation, tutorials, you know, and more.
And an invoice to the Baronian government as well, presumably. had a list like how finchfish have performed against the 35 top antivirus products um
literally showing how easy it was to defeat um you know detection jesus but yeah it's uh the
documents did reveal some like good uses statistics by country i mean imagine you know like other
customers include um you know which sort of prompted the parody Twitter account to tweet,
we have some integrity.
We do not sell to Israel.
So I'm sure this is probably the origin story of Pegasus anyway, right?
They're like, well, we'll make our own.
Yeah.
You have to question the morals of any company that would just,
you know, when faced with simple facts,
just deny everything and say, no, it's not true.
You know that that's going to come out at some point in the future.
They stopped the copy and then they planted a fake invoice
on our systems as well.
And then they made a bank transfer to make it look like we sold it to them.
It's so good they used it on us and we didn't detect it.
Yeah.
But, you know, like, so prior to the leak, so in 2013,
like human rights advocates and virus hunters,
basically they scrutinized this FinF software to like uncover potential abuses because they first got a glimpse
of it um when the egyptian state security uncovered um you know during that revolution
that this software was actually being used and up until that point in 2011 people had never seen
like researchers had only ever suspected it um to the point where even like you
know friend of the show miko hipponen um the chief research officer at helsinki based f secure
actually told bloomberg that we know it exists but we've never seen it so you think of it like
a rare diamond um but yeah it's quite the rarity and the story obviously was repeated again with
pegasus you just need to rotate the names of spyware and the names of governments caught using it.
And the story is good to go.
And the names of companies denying that they had anything to do with it.
It all just gets brushed under the carpet.
Yeah, there's something interesting, though.
Just a few days ago, and I had a quick scan through and I don't think we cover it later on the show,
but there's a former Twitter employee um who who worked from 2013 2015
who's been convicted for spying for saudi arabia so ahmed abu amu was charged with sending saudi
officials private information of users uh who were critical of the kingdom um in exchange for
hundreds of thousands of dollars so when you talk about
insider threats and uh when you talk about like you don't really need pegasus you just need to
pay someone who's working for one of the companies to give you all the information um and uh yeah i
think it just and and then the second point is you mentioned miko and i've just got to give a
cheap plug uh miko's new book if it's's Smart, It's Vulnerable, is out.
Widely publishing.
I've started reading it.
It is a very good read so far.
It's not on Amazon, though, is it?
Oh, no, I've got to send a pre-copy, I think.
Oh, God.
Everybody I know has been sent a pre-read.
Mikko, I know you're listening.
I know you're a fan of the show.
Do a man a favour. Send me a couple of copies i'll give one to andy and everything i'll be honest i'll wait until it comes out on blinkist so i can listen to it in sort of 15
minutes i always set it to like 1.25 speed. Yeah. So anyway,
right, our final story
is from a mere seven years ago
when on the 11th of August
2015, a day
after Oracle's CSO
Mary Ann Davidson posted a
blog titled, No,
You Really Can't. The blowback
from the security community caused
Oracle to remove the post.
So what was so controversial about this, I hear you ask?
Well, Oracle's chief security officer, Marianne Davidson,
would like to get rid of all the reverse engineering security weenies,
as she put it.
And she wanted you to know that static analysis is Oracle's job,
not yours, and that looking for security vulnerabilities in this way
breaks the license agreement that you signed up to.
So obviously at which point the internet exploded.
The blog post in which she gave Oracle's position on this point
got called various things, arrogant, holier-than-thou, petty,
condescending, idiotic scolding patronizing yeah whining
and it was basically you know within 24 hours it's deleted um and with the benefit of obviously
unemotional hindsight and you know the pitchfork mob mentality of the angry twitter um there were
actually some interesting points made in a blog post um but it was unfortunately buried inside paragraphs
of uh as you say sort of you know condescending um vitriol really um so she like literally quoting
you know from the blog um she goes on say recently i have seen the largest uptick in customers reverse
engineering our code to attempt to find security vulnerabilities in it insert big sigh here this
is why i've been writing a lot of letters to customers that start with hi how's it aloha
but end with please comply with your license agreement and stop reverse engineering our code
already um and so yeah it's quite a tough one you, she goes on to say that, you know, we're really good at, you know, scanning for vulnerabilities.
You know, we write half of these software, you know, these analysis tools ourselves.
So, you know, we actually understand what's happening.
So all these tools you use have a close to 100% false positive rate.
So, you know, stop wasting our time by reporting them.
You know, we're just trying to save time
in this mutually time wasting exercise um but the problem is because she goes on such a rant and
it's a rant that you'd have been proud of tom um she literally i mean the links in the show notes
because the way back machine doesn't forget right um so you know she actually starts going off track
on some of these other frustrations she's facing she does this q a and it's just like question hey i've got an idea why not do a bug bounty pay third parties to find this stuff
answer bigger sigh bug bounties for the new boy band many companies are screaming fainting and
throwing their underwear at security researchers to find problems in their code and insisting this is the way walk in it if you're not doing bug bounties your code isn't secure oh well we find 87 percent of
security vulnerabilities ourselves security researchers find about three percent and the
rest are found by customers and it's you know that whole sort of i don't know there's just a
lot of arrogance about this you know it was uh yeah just
the way it didn't come across well uh and i do sort of remember in 2015 this kind of kicking off
on twitter but you know i was drinking a lot at the time so i don't think i got involved i know
the feeling i remember it well actually no i don't but uh yeah i think that you know there's a way of
getting your point across,
but sort of hiding behind the, you know,
any of this reverse engineering you're trying to do is a violation
of your license agreement.
Stop trying to tell us about vulnerabilities.
I think universally recognized is the wrong way about doing it.
I mean, I think the point of trying to stop people from just, you know,
basically script kiddies just from running tools against the product and saying,
oh, we found something.
When those tools are freely available and are used by Oracle,
it just wastes everybody's time.
There's a way of saying that that doesn't involve putting things
in brackets like even bigger sigh and all that sort of crap.
I mean, and this is the problem with a lot of these stuff.
And I think Oracle as well suffers probably because of Larry Ellison
more than anything, but suffers from an arrogance anyway,
you know, as a corporate culture.
And I think if you don't message things correctly,
if you don't think about your audience and who you're talking to
and what you want them to take away from it,
it's just going to get, you to get drowned out in all the noise and tears
and vulnerable LinkedIn posts.
Yeah, but I guess this is a good reminder not to write with such emotion
without sitting on it for a while, and also why big companies
have such rigorous controlled media channels.
Yeah, well, especially as it was removed and said something like,
this post did not reflect our corporate values or something like that.
That's normally something that you say when somebody goes on
some kind of Nazi-based profanity-laden rant
rather than just talking about weenies uh excellent andy thank
you for that lovely trip down memory lane in this week in infrasur
if you work hard research stories with diligence and deliver well-edited, award-winning, studio-quality content for high-paying sponsors,
then you too can be usurped by three idiots who know how to think on their feet.
You're listening to the award-winning Host Unknown podcast.
Ratchet and Tom, if it's smart, it's vulnerable, is now available on Amazon.
So you can go on there and get yourself a hard copy or the Kindle version.
Oh, fantastic.
I will do that straight after the show.
As long as he can get a voucher.
Mikko, if you're listening, text us a voucher, mate.
Okay, on to my favourite part of the show,
the part of the show that I like to call...
Listen up! R part of the show, the part of the show that I like to call... Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So this might sound a little bit wrong at first,
that I'm ranting about this, given the subject.
So Meta, i.e. Facebook, have released a chatbot,
and people can chat to this chatbot, clues in the name, on Facebook
and ask it questions on nearly any topic and we'll get a sensible answer back.
The thing is, though, this prototype chatbot has told the BBC journalist that Mark Zuckerberg exploits its users for money, which I think is hilarious.
So it's an honest chatbot.
It's an honest chatbot.
Well, also, the chatbot uses artificial intelligence, and effectively, it has access to everything on the internet, so it can make up its
own mind. So when presented with all of humankind's universal knowledge, it came to the conclusion
that Mark Zuckerberg exploits its users for money, that our country, either US, is divided and he didn't help at all.
So these are fairly interesting claims from something that has the sum of all humankind's
knowledge. You'd think Meta and Zuckerberg might be in a little bit of a spin about this.
And I know there's a lot of people out there who are probably sort of punching the air and saying, yes, here's one in the eye for you, Zuckerberg, you human-skinned lizard, reptile person, you.
But what people forget, and I used the phrase slightly earlier, is that there's no such thing as bad publicity in the sense that Zuckerberg knows
exactly what's going on here because what Facebook, and let's call it by its original name
because meta's ridiculous, what Facebook does is gather as much data about everybody that it possibly can. And the use of this chatbot is doing just that.
It is gathering vast amounts of data from what people are asking it,
what it's no doubt siphoning off huge amounts of data
from people's computers while it's doing it.
It wouldn't surprise me in the slightest.
It shouldn't surprise anybody there.
And it's doing exactly what Zuckerberg says.
And the fact that it's getting this kind of coverage makes me think
that we shouldn't have covered it at all because we know that our many,
many dozens of listeners will have such an influence on this.
But the fact is the coverage it's getting is getting more people to use it and
therefore facebook is getting more access to more data for it to use process and sell
so blender working is what you're saying his plan's yeah exactly his evil genius plan is working and the fact that you know
blender bot 3 um which i i don't know perhaps they misspelt brenda i don't know but it was it was
released on friday so just a week ago and it's already garnered international coverage which is
very very concerning so yeah if you're if you're sort of listening concerning. So yeah, if you're, if you're sort
of listening to this, if you're, if you're reading about this and you're thinking, ha,
you know, Zuckerberg's been sort of hung by his own petard, unfortunately, I think you're wrong.
And unfortunately, you know, if you've interacted with, uh, with Brenda, then chances are she knows a whole lot more about you than you probably know about yourself now.
Wow.
Your microphone was on.
Your camera was on.
Yeah.
Yeah, exactly.
We saw what you were doing with that industrial power tool.
I love how – and, folks, listeners, I have to apologize for Tom.
He's a bit old.
Well, and folks, listeners, I have to apologize for Tom.
He's a bit old.
But Facebook, one of the most popular used services,
internationally releases a new service.
And Tom is surprised it's garnered coverage internationally.
But it's gone viral.
You know, it's gone so viral,
everyone's like talking about it around the world. I mean, it's not like Facebook is a small product that no one uses.
And I mean, like, just think about Apple releases a new phone and it's just got like, you know,
0.2 millimeters shaved off the corner and one extra pixel on this camera.
And that gets international coverage all the time.
So I think that's just part and parcel of these large companies.
Whenever they release anything, there's always going to be coverage um but i what i did hear
though was that if if this hadn't of garnered them the coverage they wanted zuckerberg did
have a crying picture on hand he was about to release it to say about how how bad he felt. How vulnerable he felt.
Yes.
With your analogy there about Apple, Jav,
the one thing I would say is that the latest iPhone
doesn't call Tim Cook a knob.
No, because they've got Siri under their nose.
There's no way that Zuckerberg could show emotion at all.
He just hasn't learned that.
No.
I mean, he would send a command to his central processing unit
to release some saline-based liquid to exit from one of his eye socket holes.
Yeah.
Oh, wow.
No, but I think, like, you know, you say all this,
and, you know, you're not wrong in that you
know facebook has been known for collecting data but how's that different from alexa or siri or
google like you know it's they they all could they're all always listening they're all collecting
information that's how they they're all wired recommendations on what to buy and what to do and hey it looks like you're heading towards you know this shop again or or like andy
you're running low on haribos would you like me to order some more for you you know it's that's
the name sugar-free haribo replacements thank you very much they're called jello sweets
is it really is that the name?
Yeah.
It's your favourite kind, isn't it, Jab?
Yeah.
So you're absolutely right.
All this is about gathering data, and many, many other companies gather data,
and we talk about those companies and we rant about them without a shadow of a doubt.
I think the interesting angle here is that people think that it's backfired when actually it's doing exactly, exactly what Zuckerberg wanted it to do.
You're right. You're right.
So there was I was reading some tweet by a popular YouTuber, tech YouTuber, and they said that whenever they read in a tweet by a popular tech YouTuber and they said that whenever they release a video
Reading a tweet by a popular tech
YouTuber
and they said
you know what, I don't like giving
other YouTubers any props
because I don't want people going to anyone else
and they said that
when they make a video
they deliberately get a small
fact wrong.
So they'll call, you know, something, you know, by the wrong name or they'll they'll miss, you know, call it AC current, the DC current, whatever.
And it goes, the reason for that is that people love to jump into the comment section and just correct him.
Oh, you're such an idiot idiot how could you make this mistake clearly
that's that that's the red wire and you called it the blue wire and you know what i did because
it's normally a small engagement but that's what boosts the engagement and that's what the algorithm
likes and that's what bumps it all the way to the top and that's how i get like you know hundreds
of thousands of views per video and this is exact same strategy here isn't it this is it like let's get the chat
what to say something mean about zuckerberg and the whole world will you know love it i'm i'm
you know i'm quite impressed that you've taken it to such levels that the entire contents of
all your youtube videos are entirely wrong jav and no i know i'm just like i've gone extreme
i'm like that let's just i that you know if it works for Alex Jones
I mean
yeah that's very true
very true on which
well on which note
we shall say
rant of the week
you're listening to the award winning
host unknown podcast
the show which smashing security sets their out-of-office team.
Okay, Jav, over to you now.
I think you've got a couple of Billy Big Balls.
You have an entire sack full, let's say, of Billy Big Balls for us.
Billy Big Balls of the Week. sack full let's say of billy big balls for us yes i do have an entire sack full today for you dear listeners so prepare yourselves twilio
discloses a data breach and so twilio the big internet company they got breached after an SMS phishing attack on employees,
or as we like to say, a smishing attack on employees.
So they were sent text messages to their phone,
which they impersonated Twilio's IT department,
asking them to click URLs containing the words Twilio, Okta and SSO.
So it all looked very legitimate.
And that's the problem with the phones.
It's like, you know, you just see the words.
It's really hard to inspect where the URL is actually taking you or, you know, people can't be bothered.
And also the phone, you're checking them at all odd hours of the day and night, even when you're bleary eyed first thing in the morning.
What? Oh, IT needs me to change to change it okay let me click on this so they clicked through and it took them to uh surprise surprise a a landing page created by
the baddies and um they then um entered in their id and password after which they were, what's the term, 2FA spammed or what have you.
So basically, the criminals started to log in with those credentials.
And every time they logged in, the employee would get pushed a 2FA code, not a 2FA code, like one of those approvals.
And they kept doing it. And they started phoning them up saying,
hello, we're calling from the IT department and you've got a push notification.
Please click yes, because that is all part of the security of your account.
So eventually they wore them down and one of them clicked or a couple of them clicked yes
on those MFA notifications and gave the criminals access to their accounts.
And this may be a successful attack.
Yes, a successful attack.
Why did somebody's misfortune make you laugh, Jack?
I see what you're doing there.
I see what you're doing there it made me laugh because
I was sort of like hung my head a bit
when at RSA a few months ago
no less than three keynote speakers
trotted out the erroneous stats
that MFA protects against 99% of all attacks, which is, and actually, if you look
into that stat, it's not even the accurate attribution. I think it's originally a Microsoft
quote, but it was account takeover. So it protects against 99% of account takeover so so it's it's it's used really
erroneously and and uh out of context in many things and and then I was like haha where's your
MFA now um so the question is then like well I'm not hating on MFA I I think it's as a technical
control it's one of the best controls out there that gives you the most fundamental and it addresses a huge amount it gives you the yeah it's real return on investment
for it yeah you need to be realistic about the limitations of what it is and how you implement it
and especially you need to look at whether they what you have implemented is phishing resistant because
if you can still like bombard people with all these notifications and we've heard stories in
the past a lot people just saying i just say yes to everything because that's what i've been told
to um yeah you know you desensitize them to it so how can you do it correctly and for that we turn
to cloud flare uh cloud flare said someone tried to pull the twilio phishing tactic on us too can you do it correctly? And for that we turned to Cloudflare. Cloudflare said
someone tried to pull the Twilio phishing tactic on us too. So what
happened is that their employees also received text messages claiming to be
from the company's IT department and they fooled them into logging onto a fake web page designed to look like Twilio's
own sign-in page and surprisingly these domains were registered literally within the hour prior
to those text messages going out so it was a well thought out and coordinated campaign but they failed because they used those hardware keys like a YubiKey or something like that that
you have to pop into your machine and that's your second factor it doesn't text you a code
it doesn't have a pop-up notification so there was nothing that they could give to the criminals to
to get them to log on so a good example of a phishing-resistant form of MFA.
So security over convenience.
Yes.
Yes, that's right.
And, yeah, don't ask me what happens with it.
Well, security and convenience.
Yeah.
Well, yeah.
It's not convenient to carry a hardware key around, honestly.
But we all know the push to authenticate is far easier
yeah yeah i don't know i'll leave mine in my laptop i'm just saying snap it off yeah
plug it in snap it off yeah okay as long as there's a bit you can press we're all right
in there yeah exactly so wasn't Twilio something else beforehand?
Didn't they rename themselves?
I don't remember.
I thought they were a certain...
Weren't they a malware company?
Is it McAfee?
Were they McAfee?
No.
No. No.
Founded in 2008.
Okay, I'm thinking of something else.
What did McAfee rebrand as?
I don't know.
They split into two different companies
and maybe one of them split into two different companies.
It's Mcfee's
all over the place yeah you're thinking of trellis that's who i'm thinking of began with t
stupid name means nothing aren't they that that like dance group or something
you think of the trello the um the mood? No, I'm thinking of Skrillex.
That's who I'm thinking of.
You mean the people who wrote our intro tune without realising it?
Oh, dear.
And on which copyright note we will end on,
and thank you, Jav, for this week's... Billy Big Balls of the Week.
We are officially the most entertaining content amongst our peers.
That's an old one.
All right, let's do something else then.
Let's do...
Attention.
This is a message for our friends over at Smashing Security.
We call you listening again. This is the Host Unknown podcast.
OK, with time rapidly running out, it is time.
And what time is it, Andy?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Meta takes action against cyber espionage operations targeting Facebook in South Asia.
Industry news.
Number of firms unable to access cyber insurance set to double.
Industry news.
Smishing attack led to major Twilio breach.
Industry news.
Health advisor fined after illegally accessing medical records.
Industry news.
US Treasury sanctions virtual currency mixer for connections with Lazarus Group.
Industry news.
Predator pleads guilty after targeting thousands of girls online.
Industry news.
Cybercriminals shift from macros to shortcut files to hack business PCs, HP reports.
Industry news.
Deathstalker's vile rat continues to target foreign and crypto exchanges.
Industry news.
Suspected $3 million romance scammer extradited to Japan.
Industry news.
And that was this week's... Industry news. And that was this week's...
Industry news.
Huge if true.
Huge.
Huge if true.
Huge.
So this predator that pled guilty after targeting thousands of girls online,
why didn't he just enable his self-destruct bomb on his wrist?
he just enable his self-destruct bomb on his wrist?
You know, there's a new, there's a
prequel to that out, I think, on Disney.
Yeah, Prey.
Supposed to be really, really
good.
I thought you were going to go the other way there.
No, it's supposed to be excellent.
You know,
the original with Arnie was such a good film.
It's among the top films ever made in history.
And everything else after that has been such a terrible disappointment.
It just hasn't been able to capture,
especially those Alien versus Predator movies.
And so I really don't know whether I can take another one,
another such disappointment by watching Prey.
I keep hearing that it's very, very good.
Who said this?
I did just then.
Didn't you hear me?
Yeah, okay.
I've heard it's very good.
Okay, cool.
I think we should also, we deliberately avoid any sort of Black Hat DEF CON stories
because we can't be arsed with that.
If we're not there, it's not happening.
Exactly.
We've also missed out on the NHS.
It's like when babies close their eyes and they think that nobody can see them.
If we don't talk about it, it's not going.
It's not happening.
And also the NHS hack with 1-1-1 going offline
and the Cisco hack as well.
You know, there's so many great stories
we've not referenced this week.
What was the Cisco hack?
Cisco was also similar to the Twilio one, wasn't it?
It was like their MFA got...
Oh.
And they actually posted a really good write-up
of what happened
and went public with it.
But I think it's because the gang that sort of hacked them
said that they were going to release everything anyway.
Yeah.
Cisco got ahead of it.
I don't think they were.
Including the invoice to Bahrain.
Yeah.
But, yeah, 2.8 gigs allegedly stolen from that one uh but yeah ransomware group uh tried
to extort them do you know what nowadays 2.8 gigs doesn't sound like a lot does it it really doesn't
no but then i don't know if you think about emails without attachments yeah i know i know but i just
yeah just 100 gig that's that's that's getting quite large, right?
A terabyte, that's a lot.
2.8 gigs, I mean, you could fit that on, you know,
the smallest of USB sticks you can get now.
Yeah, but do you know how, I'll tell you what,
we should have actually covered it, because what was interesting
was the way they actually did it was they hacked um an employee's
personal google account yeah and that employee's personal google account was synced obviously with
the browser they used to work um and obviously all their credentials are stored in the browser as
well so then all they had to do was get the employee to accept the MFA push that went through to him,
which he did.
And I see it's actually, they're calling it MFA fatigue attack.
That's nice. Yeah, so send a constant stream of MFA requests to annoy them
in the hopes they'll finally accept one to stop them being generated.
And, yeah, finally convinced them to do them being generated and uh yeah finally uh convince
them to do it and they the attack has got access to the vpn um and then spread laterally through
citrix servers and domain controllers wow
yeah it seemed like a very hastily put together there's been lots of questions that people have been asking on um on twitter about it
uh what one of these like 2fa fatigue is one of the fakest things i've ever heard of
why are proper security professionals treating this as though it's not just a weak excuse
and then they they further up yes i wanted the car alarm to go off when a break-in was attempted
but i heard it nine times or ombs when I went outside and handed him my keys.
I seriously doubt this technically is still a theft.
It's true. It's true.
It's all about marketing, though, right?
This is clearly a comms that has gone through the marketing channels.
Yes.
You know, those highly paid people doing what they do best.
Yeah.
If you put a recognisable tag on something,
if you name it something that sort of kind of makes sense,
then people become more aware of it.
Yeah.
If you were to call it sending you 2FA requests
until you finally accept yes, it's not really quite so snappy, is it?
No, it's catchy.
No.
No.
Anything else in here?
I'm glad to see that
the host unknown cyber espionage
operations that have targeted Facebook
in South Asia are going well.
Yep.
Yeah, although I think we're going to have to
pull back. They're on to us.
Yeah, that's right.
We had to have that conversation with Brenda
unfortunately.
It's all very dull really at the moment. Yeah, that's right. I mean, we had to have that conversation with Brenda, unfortunately. Yeah.
It's all very dull, really, at the moment.
Yeah.
Everyone's in Vegas.
Yeah, shifting from macros to shortcut files.
OK.
The romance scammer story is quite interesting
because Interpol arrested 15 suspects
in connection with the romance scam conspiracy
and most of these were unwitting money mules so they were just told hey make money from home
and we'll transfer money and keep 10% and forward the rest on to us and so they
they like you know the group is thought to have made three million from it and yeah they've
is thought to have made three million from it and um yeah they they've um
yeah it's quite dull so well i think we we we covered or we we talked about that netflix show i can't remember what it's called now about the the romance scammer who um and it was in it was a
in a couple of three parts i think and and you're getting halfway through it and you're thinking, how is he able to afford all of this lifestyle to show off?
And, of course, what it's showing is that he's using one person
to fund the next person to fund the next person and so on.
And it's absolutely fascinating how they work
and how utterly convincing they are.
Yeah, never watched it.
The Tinder swindler. Tinder swindler, there we go. Yeah, that watched it. The Tinder swindler.
Tinder swindler, there we go.
Yeah, that was on.
Well, it's worth watching, actually.
It's worth watching.
I think they dragged it out a little bit,
but it was very well done.
There was that, and there was Inventing Anna.
I loved that.
Oh, I've got to see that.
Have you yet to see that?
Yeah, I'm looking forward to that one.
Right, on the note of um inventing a woman
called anna let's uh call it so that was this week's industry news
feeling overloaded with actionable information fed up receiving well-researched, factual security content?
Ask your doctor if the Host Unknown podcast
is right for you.
Always read the label. Never double
dose on episodes. Side effects may include
nausea, eye-rolling, and involuntary swearing
in anger.
Right. Andy,
let's have you close
the show this this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the Week is from Taggart.
And he said, it's a dad joke, so I'll warn you,
I'm going to have a conversation with myself.
I'm an offensive security professional.
Oh, like a pen tester.
No, I'm a sock analyst, but also I'm a offensive security professional oh like a pen tester no I'm a sock analyst but also I'm a huge jerk
hang on
I thought I had a
but I don't
alas
great one
very good Andy
a suitable note to
end the show on.
Tweet of the week.
Gentlemen, thank you so much for your time this week.
We've been running for many, many minutes.
Jav, thank you so much.
You're welcome.
And Andy, thank you.
Stay secure, my you. Stay secure, my friends.
Stay secure.
Tweet of the week.
Wait.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
The worst episode ever.
R slash Smashing Security.
Kurt is a bumpy one.
You had a bit of trouble with the buttons on this week's show, didn't you?
I'm always having trouble with the buttons.
His hands are shaking after using a power tool for like three hours.
That hole needed to be drilled.
Sure it did.