The Host Unknown Podcast - Episode 127 - HU Lite the alcohol free edition
Episode Date: November 4, 2022

This Week in InfoSec

3rd November 2000: A Dutch hacker gained access to Microsoft's network by exploiting a vulnerability Microsoft issued a patch for 10 weeks earlier.
The Patch MS Forgot to Apply
https://twitter.com/todayininfosec/status/1323807889425895424

25th October 2013: Adobe revealed that a breach of 2.9 million customer accounts made public 3 weeks earlier actually affected 38 million users.
Adobe breach THIRTEEN times worse than thought, 38 million users affected
https://twitter.com/todayininfosec/status/1323807889425895424

Rant of the Week

Government by Gmail catches up with UK minister... who is reappointed anyway
The UK's Home Secretary – the minister in charge of policing and internal security – has been forced to apologize for breaching IT security protocols in government.
Suella Braverman, who had already resigned for the breach, was reinstated in the UK's merry-go-round approach to government. She has written to the chair of Parliament's Home Affairs Select Committee to explain her actions and how she planned to avoid repeating them.

Billy Big Balls of the Week

The Hunter Cat is a bodyguard for your credit card (not an advert)
See if this sounds familiar: You are in a weird part of town and get cash from a sketchy ATM. The next day, you pay for gas at a pump-side terminal that doesn't look quite right.
Against such a common problem, what are your options? For the particularly paranoid, enter the Hunter Cat.

Pranksters posing as laid-off Twitter employees trick media outlets: 'Rahul Ligma'
A pair of pranksters posing as laid-off Twitter employees tricked multiple media outlets Friday as the public anxiously awaited news on whether Elon Musk had begun axing staffers.
CNBC's Deirdre Bosa interviewed two people who identified themselves as Twitter employees and were seen near the company's San Francisco headquarters carrying cardboard boxes.
Skepticism immediately emerged on social media.
One of the pranksters said his name was "Rahul Ligma" — a reference to a popular internet meme — and held a copy of Michelle Obama's book "Becoming" aloft while speaking to reporters. The other said his name was "Daniel Johnson."

Industry News

Russia Suspected in Truss Phone Hacking Scandal
OpenSSL Security Advisory Downgraded to High Severity
Twitter Verified Status Users Flooded with Scams
Mobile Phishing Attacks on Government Staff Soar
Dropbox Suffers Breach, 130 GitHub Repositories Compromised
Android Apps With a Million Downloads Led Users to Phishing Sites
Threat Actor "OPERA1ER" Steals Millions from Banks and Telcos
UK Security Agency to Scan the Country for Bugs
Bot Warning for Retailers Ahead of Busy Shopping Season

Tweet of the Week

https://twitter.com/Joelmpetlin/status/1587417968664752129

Come on! Like and bloody well subscribe!
Transcript
Okay, so we are... Tom's doing a Lloyd's this week, Jav. It's just you and me.

Yes, he is doing a Lloyd's, which is probably a good thing. Yeah, euphemism for being incident adjacent to something. Yeah, yeah. Although he did say it was a minor incident today, but then he said he's up to his eyeballs, so yeah, I've no idea what a major incident would look like. And out of an abundance of caution they're just going to call in Mandiant to reconfirm that nothing serious, sinister has happened. Actually called Kevin himself, like, "Kevin Mandia, please come, just as a precaution, nothing else."
You're listening to the Host Unknown Podcast.

Hello, hello. Good evening, good afternoon, good morning, depending on wherever you are. And I do it that way around because, Jav, my friend, you are the other side of the pond.

I am indeed. I am in sunny Clearwater, Florida, and as I sit here and look out the window it is beautiful. It's about 27, 28 degrees, so, you see, outside I can see the bay. Life is good. I'm in an open plan office, so (a) I have to behave myself at times, but secondly, you might hear unwitting contributions from colleagues around me.

And when you say 27 degrees C, they were looking at you because you speak in a different language.

Yeah, exactly.

They had no idea what that conversion was.

No. I have tried to slip in some, to get some more, you know, Americanisms into my vocabulary. So the hotel I'm staying at is about, you know, 12 football pitches and three buses away.

Yeah. Absolutely. And you're measuring stuff in cheeseburgers per hour.

Exactly. Yeah.

Oh, speaking of cheeseburgers per hour, the food portions are just ridiculously huge, like 16 football pitches' worth on a plate.

I know, I know. It's like the plate of food is like the size of a standard shield used by the Romans in battle.

I went to this place yesterday, like the team went, and it was a Thai place, and I got this pad thai, and I swear I was eating it for like half an hour, and at the end it was like there's not a dent made in it. It was just still there, and my stomach was like, I had to undo my top button on my jeans. It was ridiculous.

Oh, they put it in a doggy bag for you as well, so you can take it back with you.

Well, it was more like, a doggy bag was more like a black bin bag. It was so big, like, here, take all the rest of it away.

So what we'd call a food bank in the UK.

Exactly.
Oh dear. So I think, owing to time pressures and the fact that, you know, Tom left it very late to tell us that he wouldn't be joining, we're going to skip This Week in InfoSec.

I know, I know. Favourite part of the show. It's the only reason people tune in, to hear me talk about what happened this time, you know, in history.

Yeah. However, I just don't think we've got time for it.

No, no, it's a shame. This is the light version, the, what is it, the alcohol-free beer episode today.

Yeah, yeah, exactly. So, you know, I won't do any analogies there because, yeah, no, we're going to keep it professional. We don't want to do any editing.
So I am going to lead us into Tom's favourite part of the show, which is... So I completely skipped over what you've got coming up this week, and that's okay because we're saving time. So this week I'm going to talk about government by Gmail. And this is a story that the UK's Home Secretary, so for everyone else watching the shit show that's going on in the UK in terms of government, the minister in charge of policing and internal security, you know, the UK's Home Secretary, she was forced to apologize for breaching IT security protocols whilst in government. So this is Suella Braverman, who'd already resigned for the breach, got reinstated sort of six days later, you know, as part of this whole merry-go-round approach to government. And she wrote to the Chair of Parliament's Home Affairs Select Committee to explain, you know, what she did and how she intended to avoid repeating, you know, making that same mistake in the future. And it turns out that, you know, she had detailed that on six previous occasions she had forwarded ministerial documents to her personal Gmail account. And obviously the reason she gave for this is that, you know, she needed to do so in order to view documents on her private phone whilst conducting Microsoft Teams calls on her official phone, you know, which is obviously, you know, you need to be able to look at that camera, you can't have that distraction of reading a document at the same time. Yeah, so there's that. And obviously on another occasion she accidentally forwarded, you know, some official documents to a member of parliament from her Gmail account because she didn't have a work phone with her.

So it was lucky she had an off-site backup, right, on her personal device.

Oh my gosh. Yeah, so this whole, I mean, as I think I said, I don't swear often, but, you know, it's a complete shitshow of a government. And this is a person that has access to extremely sensitive information on national security.
What are you going to learn?
Unbelievable, isn't it?
I mean, it was bad enough when you caught ministers all using WhatsApp to discuss their coups and which way they're voting.
And now you have something like this.
It's absolutely shocking. But it's not. Yeah, I mean, it's not. Do you think people at work do this, like in corporate environments? Do people forward stuff to their personal accounts all the time?

Yeah, exactly. Unless your DLP prevents you from doing so, right?

Yeah, yeah. No, it's a weird one. So I think, on one hand, we're looking at this with the security hats on and we're saying this is shocking, unbelievable, terrible behavior.
But you're right. This happens in every organization, and people are always like, and, you know, to somewhat her defense, these are plausible arguments for someone who just wants to get their job done and the tools they've been given are not up to scratch to help them do it. So I'm not excusing the behavior, especially given that she should know better and she's in government and she has access to, like you said, extremely sensitive information. But if we look at the principle for why many people end up doing this kind of thing, like shadow IT, forwarding stuff to non-corporate devices or emails, a lot of the time it's just because they want to get their jobs done.
There is absolutely no excuse for doing this.
But broadly speaking, I think there's also something to be said about the lack of flexibility or the lack of ability for tools to provide what users are actually looking for.
That's a very diplomatic answer.
Yeah, but I mean, someone said, you know, this is in the scheme of UK government shit shows so far in 2022.
This is a non-issue.
Just retrain her and put her back to work, which is exactly what's happened.
But, you know, I think this is just the tip of the iceberg in terms of the type of stuff that is actually going on.
And to her credit, she has said, I have requested briefing and guidance by security experts on what constitutes appropriate use of government and personal IT.
Wow.
Yeah.
So at least she has admitted that she has now proactively requested InfoSec awareness training rather than, you know, just waiting for the mandatory once a year PowerPoint that goes around, right?
I know.
You know, if only one of us knew of an organization that could provide excellent security awareness training, timely, on relevant topics.

I know, but unfortunately, we're just stuck with Google and Googling what we can and can't do.
Yep.
Yeah.
You know, it's a shame because October was Cyber Security Awareness Month. We just missed the boat because we could have pushed the messaging to it from there.

We'll get her next year.

Yeah, next year. Next October we'll make sure all the government is aware.
Superb.
Rant of the Week.
You're listening to the Host Unknown Podcast. Bubblegum for the brain.

Indeed. So I think this is the part of the show where we need to head rapidly over to...

Rant of the Week.

Okay, so that heads over to me, and apparently I've got two big balls to cover this week. Now my colleagues are now giving me weird looks because they obviously can't hear the jingles that are being played. But the first story is "The Hunter Cat is a bodyguard for your credit card".
Now, see if this sounds familiar.
You are in a weird part of town and you get cash from a sketchy ATM.
The next day, you pay for gas at a pumpside terminal that doesn't look quite right.
A few days later you get a call from your bank saying someone's using your card in a nightclub across town. It's not a disaster, but you have to spend some time going through your recent charges, and you have to wait a few days for the replacement card to come through while you're wondering which ATM was the one that skimmed your credit card.

Indeed. What are your options against this problem, Andy?

Well, for the particularly paranoid, enter the Hunter Cat. The Hunter Cat is a small device powered by a coin battery, roughly the size and dimensions of a credit card. It's simple: you swipe it into the vape shop or gas station ATM in question and check for one of the three lights, and if you get a warning or dangerous light, then consider another location. When you want to try again, just click the reset button. The card even has a sleep function that shuts the device off after 15 seconds to save on battery life. Isn't that amazing?

That does sound amazing. And this is not a sponsored advert either.
This is actually a joke, because, I mean, I was just mentioning earlier about, you know, last time I was in LA, and there was the receptionist tried to skim my card, and it was the bank that caught it. You know, they actually blocked the card and said that it was run through a suspicious device. And, you know, it's like, in the US especially, they take your card away from you, don't they? Like, we don't allow that to happen in the UK, or, you know, they bring the terminal to you, whereas in the US they happily take your card and walk off with it.

Yeah. So, yeah, I guess this is a problem, right, in the US. That still wouldn't save you, you know, when the waiter walks off with your card. It still doesn't save you handing over the Hunter Cat. But, you know, skimming devices, stuff like that on ATM machines, I would love to know how it works. But I am intrigued. If this was a LinkedIn post I would hit the "interested" button.

Yes, yes, it is. I think it's right, and I think obviously, like, given by the examples that I quoted, it is very much a US-centric thing, because, like you said, contactless is here but it's not really here. There's a lot of still chip and signature, not really chip and PIN. It's a bit weird. It feels very, like, backwards. I was going to say third world country-ish, but then actually third world countries have some really, really cool wireless technologies in place these days, so it's not even that. But yeah, you know, it's an issue. But then again, personally, when I look at it, it's not so much of an issue because I don't actually use my card much. Everything's like a virtual card on my phone or something, and I just do the old, like, you know, I'm doing the little motion, like, almost like Harry Potter tapping something with his wand.

Yeah. Not a euphemism.
Anyway, moving swiftly on to the second Billy Big Balls story of the week.
And these really, really made me laugh. And if Tom was here, he would be saying, which criminals are you applauding this time?
And they're not criminals. These are pranksters. And we have a soft spot for pranksters.
We have a soft spot for pranksters. So these pranksters posed as laid-off Twitter employees.
So they stood outside Twitter's building with boxes and what have you,
and they were like, oh, we've been axed by Elon Musk.
And they tricked a whole bunch of reporters into believing them. So the reporters interviewed them and they started publishing stories. Some people were skeptical because one of the pranksters said his name was Rahul Ligma. And if you're not familiar with that, Google the meme. He also held a copy of Michelle Obama's book, Becoming. He was holding that aloft while speaking to the reporters.
The other name, the other person said his name was Daniel Johnson.
So as you can imagine, lots of media outlets were reporting Twitter employees fired Ligma Johnson.
Oh, man, this is it just goes to show how desperate we are for news that, you know, you've got people on the pavement outside waiting for people to come out.
I mean, there's pictures in the article that's linked to it.
You've got all the reporters with the cameras, their microphones up, and these guys are generally holding, like, cardboard boxes as if they've just been turned out, turfed out. And it's, oh, it's just brilliant. They're so desperate to report on the story that they just didn't even consider it could be a hoax.

I know, I know. That's the thing. It's like, you want something to be true, so your brain just filters out any evidence to the contrary.
Yeah.
So you just end up, and this is like, this is classic social engineering.
This is, you frame something in a way, you know, reporters are there and what have you.
And then you turn up looking like you've been fired, and that's the natural, logical conclusion people jump to. So it's, but, you know, as reporters, we expect better. We expect them to do some basic fact checking, you know, that kind of stuff that, you know, journalism used to be, wants to be known for. But since the internet has taken over, sort of like anyone can really do it, isn't it? Anyone can provide an unofficial source.
Yeah.
Brilliant. Thank you, Jav, for this week's... Billy Big Balls of the Week.

If you work hard, research stories with diligence and deliver well-edited, award-winning, studio-quality content for high-paying sponsors, then you too can be usurped by three idiots who know how to think on their feet. You're listening to the award-winning Host Unknown Podcast.

Indeed. Jav, what time is it?

Oh, I don't know. Why don't you tell me what time it is?
It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
And I said that part slowly because I realised I'm also controlling the media board this week,
so I need to find the sounds to go along with it.
Whatever.
Yeah, this week's...

Industry News.

Russia suspected in Truss phone hacking scandal.

Industry News.

OpenSSL security advisory downgraded to high severity.

Industry News.

Twitter verified status users flooded with scams.

Industry News.

Mobile phishing attacks on government staff soar.

Industry News.

Dropbox suffers breach, 130 GitHub repositories compromised.

Industry News.

Android apps with a million downloads led users to phishing sites.

Industry News.

Threat actor Operator steals millions from banks and telcos.

Industry News.

UK security agency to scan the country for bugs.

Industry News.

Bot warning for retailers ahead of busy shopping season.

Industry News.

And that was this week's Industry News.

Huge if true. Huge, huge if true. I see that threat actor Operator, but it's spelt like capital letters and an I instead of a T.
Yeah, I wasn't going to spell that out.
Is that Operator or Operator?
I don't know.
Operator?
Yeah, it's, I mean, only sort of, you know,
sad people substitute letters and numbers, right, in their handle.
Okay, sir, Jester. It's not the dumb thing. So, interesting story: the UK security agency to scan the country for bugs. And this is a story that the NCSC is going to vulnerability scan any internet accessible system in the country.

Wow, that's a lot.

Yeah, I mean, I don't know if they will then share the report with you, or, you know, because you could actually save some money on, you know, your own Qualys subscription or similar by saying, hey, look, NCSC are doing this for us.

All these, like, IP cameras from China and your smart fridges and everything's going to show up on the report.

Exactly. Oh, see, there's another story about the Russians hacking a Home Secretary.

Yes. So obviously this is the story about our former UK Prime Minister Liz Truss, and her phone was hacked earlier in the year when she was Home Secretary, and it was then kind of covered up, or just, was it covered up? No, they did cover it up. They imposed a news blackout on the incident, so people did know about it. Sorry, she wasn't Home Secretary, Foreign Secretary. But yeah, they're saying that they stole a year's worth of data off that phone, messages and emails. And now, if Liz Truss had been forwarding the messages to her personal Gmail account, the Russians wouldn't have got hold of it. So maybe, yeah, maybe Suella Braverman's ahead of her time.

Exactly. She's, like, you know, ducking and diving. Who would ever decide to look there for it?
What I find funny is that there's another story,
which is like mobile phishing attacks on government staff saw,
according to a report by Lookout.
And it's not really UK specific, but it's interesting.
So again, like, you know, government people getting targeted more and more.
You know, the cyber war that everyone was talking about, or cyber espionage, it's not a big bang approach, but it's, the frog is getting boiled. It's been going on for a while.

Yeah, yeah. And this is when you find out your cyber insurance doesn't cover you for it.

Yeah, I know. I mean, our cyber insurance expert Tom Langford isn't on the call today, otherwise he would tell us whether, you know, Lloyd's of London would cover this policy or not.

Yeah. Also, I've just received a message. Tom's asked me to move on from this particular topic of conversation, and he disavows all knowledge of any incident which may or may not have occurred at any large insurance institution within the City of London.
That's brilliant.
So other than that, I think relatively quiet week, which is good for us because it allows us to move swiftly on.
Thank you, Jav, for this week's...
Industry News.
You're listening to the Host Unknown Podcast with your award-winning hosts Javvad and Andy and, insert name here, usually Mr Tom Langford. How do you like them apples?

How do you like, do you know what, I said, I've literally just seen the button which says "Hate you apples".

In 2021 you voted us the most entertaining cyber security content amongst our peers. In 2022 you crowned us the best cyber security podcast in Europe. You are listening to the double award-winning Host Unknown Podcast. How'd you like them apples?

And I had to play that so I could give myself time to find the button for our last part of the show. And that is the part that we call Tweet of the Week. And we always play this one twice.

Tweet of the Week.

And Jav, as you're on holiday, do you want to take us home with this one?
This is excellent.
This is a great tweet exchange. So Elon Musk, the new Twitter overlord, said that, you know, blue-check verified accounts will be $20 a month. So, man of the people Stephen King, published author, said: $20 a month to keep my blue check.
Fuck that.
They should pay me.
If that gets instituted, I'm gone like Enron.
And Elon Musk replies saying, we need to pay the bills somehow.
Twitter cannot rely entirely on advertisers.
How about $8?
And then the actual tweet is from Joel M. Petlin.
Joel M. Petlin is his Twitter ID. And he goes, "Only on Twitter can we watch a man worth $200 billion negotiate with a man worth $500 million about saving a month."

It's so true. I mean, this is just one of those things where it's, how, it's third world problems, right? Or first world problems. How the other half live.

No, the question is, like, maybe this is how Stephen King has $500 million in his account. He didn't waste it willy-nilly on $10 here, $12 there a month.
Yeah, no, it's true.
And you always find it's the richest people that don't share the wealth, right?
It's a bit like yourself, Jav.
I mean, when's the last time you brought dinner?
Hey, all I'm going to say is buy my book that is now available on Amazon,
50 Ways to Survive and Thrive in Cybersecurity.
Buy it, leave a five-star review, leave a glowing review on Amazon,
and McDonald's kids' meal is yours.
Okay, done.
I am cheap, so I will spend, how much is the book?
$20.
I'll spend $20 on the book for a three dollar Happy Meal.

It's something like nine quid or something. It's very cheap.

Okay, it's reasonable.

Yeah, it might not be, that might be the author price, I don't know. That might be, maybe I've given up what my markup is now. I'm making about 25 pence per book, let's put it that way.
So I'm definitely not in it for the money.
You're an educator with passion for the industry.
I am. I just want to spread the wealth, the knowledge.
I've achieved everything I wanted to do in life,
so now I just want others to be somewhat successful.
And give yourself some time to manage your property portfolio.

Well, yeah, I mean, like...

Go on, now the truth has come out. I shall thank you for this week's...

So we rapidly burnt through this week, which is what we intended to do. We actually debated whether or not we would do anything. But as we had written out which stories were current news, we said that we would do it anyway.
Yes, yes, I know.
And you know what?
You keep entrapping me on these things.
And like, I think I'm going to have my attorney present on all future recordings.
Just like, I'm going to look and say, like, that my attorney is saying I shouldn't engage with that. Objection here.

So you've been in the US one week, you're already lawyering up, man.

I know, right? It's how we roll here.

Oh dear. Brilliant. Well, I shall thank you for your time. It's very rare that you turn up on time and Mr Langford doesn't.
So I shall thank you.

Well, you're welcome, and, you know, I do what I can. Stay secure, my friend.

Stay secure.

You've been listening to the Host Unknown Podcast.
If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel.
Worst episode ever.
R slash Smashing Security.
Have you heard from Tom yet?
No, other than that thing he said, that he was dealing with that incident, minor incident, but he can't make it, but he's up through his eyes.

Yeah, he obviously hasn't been through corporate comms yet before he can...

No, before, yeah, he hasn't pre-prepared the message of how they address what's going on.

Yeah, I mean, he should have just said, look, I take security seriously.
No credit cards have been breached.
Yeah, all credit card data is encrypted.
There's nothing, yeah.
Comical Ali.
Brilliant.
There's nothing to see here.
We maintain control of all our databases.
In the back end, someone's leaking it all on Twitter.
Yeah.