The Host Unknown Podcast - Episode 131 - The Spousal Audit Episode
Episode Date: December 2, 2022

This week in InfoSec (06:17)

With content liberated from the "today in infosec" twitter account and further afield

27th November 1995: Microsoft shipped Internet Explorer 2.0
Microsoft Corp. shipped ... Internet Explorer 2.0, starting a browser war with the popular Netscape Navigator. Netscape Communications Corp. had had a virtual monopoly on World Wide Web browsers since the infancy of the web. The Netscape Navigator and Communicator browsers serve as a format for viewing and creating World Wide Web pages, as well as participating in newsgroups and sending e-mail. Microsoft promoted its Internet Explorer with specific mention of its privacy and encryption features (such as support for SSL).
Chrome browser has a New Year's resolution: HTTPS by default (2020)

24th November 2014: The Washington Post published an article which included a picture of TSA master keys. As a result, a short time later functional keys were 3D printed using the [unblurred] key patterns displayed in the picture.
The secret life of baggage: Where does your luggage go at the airport? (Image since changed)
https://twitter.com/todayininfosec/status/1198722561355337728

Rant of the Week (18:41)

Australia will now fine firms up to AU$50 million for data breaches
The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers who suffered large-scale data breaches.
The financial penalty introduced by the new bill is set to whichever is greater:
AU$50 million [Approximately $34m USD for context]
Three times the value of any benefit obtained through the misuse of information
30% of a company's adjusted turnover in the relevant period
Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms.
The new bill comes in response to a series of recent cyberattacks against Australian companies, including ransomware and network breaches, resulting in the exposure of highly sensitive data for millions of people in the country.
"The Albanese Labor government has wasted no time in responding to recent major data breaches. We have announced, introduced, and delivered legislation in just over a month," reads the media announcement.
"These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect."
The most notable incidents were the Optus telecommunication provider data breach that impacted 11 million people and the Medibank insurance firm ransomware attack that exposed the data of 9.7 million.
Apart from setting higher fines, the new bill also gives greater powers to the Office of the Australian Information Commissioner (OAIC) to get more involved in the privacy breach resolution and scope determination process.

Billy Big Balls of the Week (28:19)

San Francisco lawmakers approve lethal robots, but they can't carry guns
San Francisco police can deploy so-called "killer robots" following a Board of Supervisors' vote on Tuesday, clearing the cops to use robots equipped with explosives in extreme situations.
The robots primarily will be used to neutralize and dispose of bombs, and provide video reconnaissance, according to San Francisco Supervisor Rafael Mandelman. He added that none of the robots will carry guns, "and SFPD has no plans to attach firearms," in a Twitter thread after the vote. "However, in extreme circumstances it is conceivable that use of a robot might be the best and only way of dealing with a terrorist or mass shooter," Mandelman said.
Such a situation has happened before. In July 2016 a mass-shooting incident left five police officers dead and another 11 people wounded, and the suspect was cornered in a local building. Police strapped an explosive charge onto a bomb-disposal robot, which detonated near the suspect, killing him.
[One particular comment on this which made me chuckle was: "Considering American cops can't even go into an active shooter situation to save schoolchildren, I assume this will be the first course of action for anything above a parking ticket."] - *Shots fired* (but not by the Texas police)

Industry News (34:48)

Experts Find 16,000+ Scam FIFA World Cup Domains
Ireland's DPC Fines Meta €265m Following Large-Scale Data Leak
Let's Encrypt Issues Three Billionth Certificate
Australian Parliament Passes Privacy Penalty Bill
Majority of US Defense Contractors Not Meeting Basic Cybersecurity Requirements
Researchers Accidentally Crash Cryptomining Botnet
Eight Charged with $30m Unemployment Benefits Fraud
UK Extends NIS Regulations to IT Managed Service Providers
WhatsApp Files on Dark Web Show Millions of Records For Sale

Tweet of the Week (43:40)

https://twitter.com/hackinarticles/status/1597820497856643072

Come on! Like and bloody well subscribe!
Transcript
So Andy's not with us again?
No, apparently he said that some audit has been brought forward or something.
Oh, I heard it was just his missus demanding to look at his phone today.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
Welcome to episode 131.
Yeah, okay. I'll go along with that.
Yes, I knew I'd get away with it eventually. Of the Host Unknown podcast.
Welcome one and all.
Welcome, dear listener.
We hope you've had a lovely week.
I hope you've had a better week than I have anyway.
It's been a bit of a crush for me.
But we don't have Andy today, but he did send us the show notes last night.
So I think the training he's gone through is actually working
It's, he's just producing these things automatically now. It is, it's very good.
Either that or he just outsourced it to someone on Fiverr like most of his other tasks, and hence the audit.
Yes, hence the audit.
Oh yeah, I mean, no, no, no wonder, no wonder he asked for the lights to be turned off when it's that time of the evening with his missus.
So, Jav, how are you?
I'm good, I'm good.
It's hard to believe that we are in December already.
What the bloody hell happened to this year?
I know, I know.
What's happened to life?
Honestly, I feel like a real old man now.
It's like I look in the mirror and think, what?
I mean, I used to look at people who were my age when I was young
and I thought, oh, those people have their shit together.
They know what they're doing in life.
They're like, you reached this stage.
You're like, no, I'm still making out as I go along.
Yep.
Yep, totally concur with that, totally concur with that. But yeah, it's, wow, this has turned a corner, isn't it, this episode? We don't have Andy to add his levity and juvenile, exactly, frequency to this episode.
But exactly. So you young folks listening to this here,
don't waste it.
Go out, have fun.
Don't become sad and just cynical people like Jav.
I'm not sad.
I'm just cynical.
Oh, dear. Yeah, it's been a busy week, busy week. It's been sort of pushing through a bit of rubbish. I'm supposed to have a day off today, but I've still got some calls. I've already had a bunch of requests come through this morning. I don't know, what is this working life malarkey about?
Did you not apply for PTO or something like that?
Is it not on your calendar?
Do your colleagues not respect the calendar?
That's when it's blocked off.
Oh, well, I'm booked out on the calendar all day.
There's no doubt about that.
But yeah, who knows? Who knows? I thought it was...
Do you know what? I thought I had the strength of character to just ignore all these these requests for help.
But it turns out I don't. See, I think this is where Microsoft or Google,
they need to embed this feature into email where, when you send an email to someone, it should say, oh, this person's calendar's blocked out for the day, would you like me to delay the email so it gets sent to them when they return?
We called the "fuck off, he's on holiday" feature.
Exactly, exactly.
Yeah, F-O-H-O-H-O-T
F-O-H-O-H F-O-H-O-H F-O-T F-O-H
F-O-H
F-O-T-O-H
F-O-T-O-H
So yes, Google
Microsoft
Fuck off there on holiday
Oh, okay, that's version 2
When they realise they need to do that sort of thing
Yeah, yeah, yeah
But yeah, yeah, yeah, it's right, that's right, I think. But then again, you know, we know how much we all slack off generally, so maybe this is us just making up time. I don't know, I don't know.
So you say that, and now I just remembered that Slack has this feature where you can pause notifications.
And then when you send someone a message, a DM on it,
it says they've paused notifications.
Would you like to notify them anyway?
Or something like that.
Oh, that's right.
Yes.
Yeah.
I guess I could pause notifications by just not looking at my email.
We know that you don't have that kind of willpower.
I have got the breaking strain of a warm Mars bar.
That's not a lot, by the way.
Anyway, talking of warm Mars bars, let's see what we've got coming up for you today.
This week in InfoSec talks about Microsoft's introduction of a security feature
which wasn't forced by others for another 25 years.
Rant of the week is either penalising the victim or shaming other regulators for their inactivity.
And we'll decide that when we get round to reading the story.
Billy Big Balls demonstrates we learn nothing from RoboCop
as ED-209 is unleashed on the American people.
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week shows us that even InfoSec
is not immune to automation replacing skilled people.
Right, let's move on to our favourite part of the show. The part of the show that we like to call...
This week in InfoSec.
It is that part of the show with content liberated from the Today in InfoSec Twitter account and further afield. Yeah, easy. I don't know why he makes such a big deal of it. So I will
take the first one.
Is that right?
Am I doing the first one?
Yeah, yeah, yeah.
Okay, I will take the first one.
So 27th of November, 1995,
Microsoft shipped Internet Explorer 2.0.
So they shipped 2.0,
starting a browser war with the popular Netscape Navigator. Now, if you're effectively 35 or younger, you'll have no idea what the hell Netscape Navigator was, but Netscape Communications Corp. had a virtual monopoly on worldwide web browsers since the infancy of the web.
It was the first one I ever saw when I was working in the city for a financial services company that ran VAX/VMS.
And then, you know, we were all, everybody was on terminals.
And then suddenly a few people got PCs, and I think Vax bought out an NT machine. And you had this thing called Netscape Navigator that allowed you to search for stuff that, you know, stuff that you didn't have to go to a bulletin board for. It was really weird. And, you know, images loaded very slowly from the top to the bottom, which was quite frustrating as a 21-year-old on a night shift exposed to what you could actually find on the Internet.
But, yeah, it was a revelation.
And Communicator browsers, they served as, effectively, they were the window, as I just said, into viewing and creating worldwide web pages, as well as participating in newsgroups and sending emails.
So it was a bit of an all-in-one, really.
Microsoft promoted its Internet Explorer at the time with specific mention of its privacy and encryption features, such as support for SSL.
Reminds me a little bit of Apple today, really.
But as I recall, it didn't make much of a splash, Internet Explorer 2.0.
It was 3, Internet Explorer 3, that I thought was the big deal because it had support for, well, GIFs and stuff like that.
So it was a much more sort of dynamic experience.
And I remember getting absurdly excited about Internet Explorer 3 being available.
And I had some friends over, other sort of techie friends, or semi-techie friends, and they couldn't work out why I was excited about 3.0. And I did a particularly bad job of trying to explain it because I didn't really know why either. So yeah, it was, oh, great days, great days.
This is not very different from your current CISO-level presentations that you do to the board.
We're really excited about this security technology.
Why? I don't know why, but, you know, it's really good.
TLS and privacy and stuff.
And Magic Quadrant, look, top right.
We need to get this.
Not a fan of the Magic Quadrant myself, but there you go.
Yeah, overrated.
Well, that or the wave, the Forrester wave.
Oh, dear.
But, yeah, it was a good time.
It was a fascinating time on the internet.
I remember shortly after I got onto the MSN network,
which was Microsoft's foray into getting people online.
A bit like the AOL CDs, but I was a beta tester for the MSN network
and getting you online and having your email and all that sort of stuff.
It was brilliant, absolutely brilliant.
And rather than having network cables spread around the house,
it was literally just a telephone extension that made sure
that I could access the telephone line from the other room.
Very good, very good.
Do you remember those days?
Do you remember the dial-up days?
I saw some of that in a museum once, but, yeah.
No, I do, actually.
I did have a dial-up modem at home, and it was a good time
because at the time, we were on a BT phone package,
which gave us free landline phone calls from between 6 p.m. to 6 a.m. or something like that, I don't know. It's just, yeah, late in the evening, it was like free landline calls. So that was a time when I used to dial up and start downloading stuff, much to my parents' annoyance, because no one could use the phone then.
Yeah, yeah. And your insomnia has stuck with you ever since.
Yeah, yeah, pretty much.
Very good, very good.
So the next story takes us back a mere eight years to 24th November 2014, where the Washington Post published an article which included a picture of the TSA master keys. So the TSA have a whole bunch of master keys for their
locks. So you can get these TSA approved locks. So if you don't want the TSA to physically break
your locks, you can have these pre-approved locks where they have master keys and, you know, they
can then unlock your bag and have a look at your stuff
to make sure nothing's illegal in it or what have you,
such as like 50 liters of water or what have you.
But anyway, as a result of that nice picture
of the master keys,
functioning 3D printed keys were available.
So using the key patterns displayed in the picture.
So people were able to take the pictures, mark them up and, you know,
create the templates where anyone with a 3D printer could download it and say,
oh, print me off one of these keys.
And it was all just very, very good.
But, you know, this was OK.
I mean, I think it was a bit of a boo-boo.
It's a good highlight of where it could go.
I don't think, you know, the threat is all that much.
It's not like you could break into people's houses or what have you.
But this reminded me of another story, which happened a year later in 2015.
Oh, yeah.
Where for about eight dollars anyone could go on eBay and buy a New York City 1620 fire service key.
Oh, that's right. Yeah.
and what that allowed is that basically gives you access to pretty much all of New York. You can get into any lift, any roof,
any high-rise buildings and what have you.
And even though there should have been,
well, there is a lot of restrictions
around who can own or handle those keys.
The reporters, I think it was the New York Times
or New York Post,
they were able to just go on eBay
and buy a couple of these keys.
And they worked, they could, you know, they could do anything with that. In fact, what you could do
is like, you could also use them to send all the lifts to the ground floor and lock them there.
So if you're on floor number whatever, 72, good luck getting down.
Yes.
Or if you're on floor 72 and it's breakfast time in your hotel and you know you're going to be stopping at every single floor, huh, let's just go straight down.
But I think there's a small but important distinction between these two. So I think in the case of the fire keys,
that was ostensibly stolen and reproduced,
whereas the TSA willingly handed over their keys.
And I think that underscores,
oh, I'm going to say it, the incompetence of the TSA.
The TSA as a whole is a joke of a federal agency.
No, no.
Absolute joke. And, you know, for a variety of reasons, but they had a vast amount of funding and the net result was a significantly under-trained and unmotivated workforce
who were lambasted as a result because they were so badly trained,
badly motivated, badly incentivized.
And it just became a constant rush by their marketing
and social media managers to,
to adjust to the point where, you know, they're posting pictures of, Hey,
look what we, um, uh,
look what we confiscated from our passengers in just one weekend at,
you know, at this airport. And it's, you know,
a table full of water bottles and it's kind of like, great.
You're just underscoring the utter failure of your system here, you know.
Totally. It was, yeah, every time I used to fly to the USA, the TSA was the worst part of it. Every other country, the security folks were, on the whole, very, very efficient, polite, et cetera, et cetera.
Yeah, not the TSA.
Especially if you put $50 into your passport when handing it over,
then they're very helpful.
Yeah.
Do you know what?
You'd get arrested for that in every airport outside of America.
Really?
Yeah.
Yeah, they wouldn't take bribes, but it would not surprise me if the TSA did. That is not a legal opinion. That is purely conjecture.
Why don't you try it for the YouTube
like thing?
Yeah, but that means going to
America
I don't want to go to America right now
Who wants to go to America?
It's a nice place
I like America
I like America.
I like Americans,
let's put it that way.
Yes, yes, that's a very different thing entirely.
But then we can choose
the Americans we like.
We can't choose
the America we like.
Right, sorry,
for our international listeners
over the pond,
we do love you.
We really do.
Just sort a few things out first.
That was this week's...
This week in InfoSec.
In 2021, you voted us the most entertaining
cybersecurity content amongst our peers.
In 2022, you crowned us the best cyber security podcast in Europe.
You are listening to the double award-winning Host Unknown podcast.
How do you like them apples?
Do you know, it occurred to me, when I listened, when you did your bit,
you said, takes us back, takes us back a mere 8 years
I forgot to do that on mine
I know, I know there's a lot
of years in your one so I thought maybe you
couldn't work it out
37 years, come on
it's easy
27
27?
27?
Okay, good thing you skipped that one.
Yeah, yeah.
Good thing I raised that, right?
Good thing I made a point of raising that one.
Oh, man.
That's going to put me right in the right mood for this week's...
Listen up!
Rant of the week.
It's time to mother rage. Now, if you've listened to any of our industry news stories over the last few months, you will recall that there's quite a, there have been quite a few stories about a certain number of Australian companies being attacked.
Was it Medicaid, I think, was one of them.
And I don't know, something, you know, corkhats.com or something.
I can't remember.
But there's been a number of high-level, high-profile
and potentially significantly damaging attacks going on in Australia.
But Australia has now said that they will fine firms up to 50 million dollars for data breaches,
which is this victim blaming or is this actually a significant incentive for companies to stop being incompetent and to invest?
But the Australian Parliament has approved a bill to amend the country's privacy legislation,
significantly increasing these penalties to $50 million for companies and data controllers who suffered large-scale data breaches.
So the details are: the financial penalties introduced by this bill are set to whichever is greater of 50 million US dollars, which is about 34 million US dollars, about four pounds, 15 pounds sterling.
Three times the value of any benefit obtained through the misuse of information and 30 percent of a company's adjusted turnover in the relevant period.
That's potentially vast. That's really good.
So previously, the penalties were 2.22 million Australian dollars, which was considered wholly inadequate to
incentivize these companies. So the Albanese Labor government, and this is a quote,
has wasted no time in responding to recent major data breaches.
We've announced, introduced and delivered legislation in just over a month, which sounds like a very party political statement to make.
These new larger penalties send a clear message to large companies that they must do better to protect the data they collect.
So, and two of these most recent ones,
Optus Telecommunications had a data breach that impacted 11 million people and the Medibank insurance firm ransomware attack that exposed the data of 9.7 million. So it's great. We need to,
you know, we often talk about ensuring that any legislation has teeth here.
So, for instance, when we notify the regulators here of breaches, it's often said that the effect of being regulated and having a fine put upon you is a bit like being savaged by a dead sheep
because the fines are often negligible when it comes to showing incompetence and general
lack of regard for the protection of people's data. But conversely, kicking a company when it's down may not be the right approach. So I'd be really interested to see how this is going to be applied, whether it's just carte blanche, you know, you lose your data, this is what you get fined, and it's, you know, whichever is the greater as well. These are not sort of like lower-end figures either,
because much as Jav likes to do in his Billy Big Balls,
which is blame victims and hurrah for the cyber criminals,
I think kicking people when they're down like this
is going to be damaging for potentially the economy,
is going to cause companies to perhaps not offer certain services to the public because of a risk
of being fined if something goes wrong. And how much of this is actually going to be investigated
by the equivalent of the Australian ICO, which I think is actually called the ICO in Australia.
So, you know, how much of this is going to be looking into
were there adequate controls, blah, blah, blah, blah, blah,
or is it just going to be carte blanche?
I mean, I'm hoping it's the former rather than the latter,
but is just kicking people and getting more and more money out of them
the best way to go?
Or is it about ensuring at a legal level or at a legislative level
that companies of a certain size have to demonstrate
a greater degree of cybersecurity competence.
I'm not sure, but yeah, seems a bit harsh.
Seems a bit harsh.
So I hate to say this, but you know where I'm going with this.
I'm not even going to say it yet,
unless you record it and play it back to me later.
But the penalty of any fine shouldn't be for getting breached.
It should be for lack of due care or incompetence or not having the right controls in place.
That's where the fine should come into place. Because you can do all the right things and still get breached.
Yeah.
In which case, if you can demonstrate, look, we had this in place.
We took due care and this, that, the other.
But the attacker was very determined.
Or there was an insider, whatever it might be, then it's like, OK, does really penalising you solve anything? No, I don't think so.
The second thing that I think with all these penalties and fines and what have you is that the actual real victim normally is the customer of one of these organizations. What do they get? Diddly squat. So rather than saying pay 50 million to the regulator, say like, well, you just lost data on like you,000 people, give them all, you know, $500 each or something as an apology,
along with the credit checking for a year.
And or, you know, in the case of the recent ones, like pay for them to get a new passport issued or a new driving license or whatever it might be.
I think that would be more beneficial to the actual victims there rather than just like taking out of one big company's pockets
as almost like a stealth tax
and it doesn't really do anything to move the needle
and it doesn't incentivize.
If you're going to penalize that money
regardless of what security controls you have in place,
well, let's not spend any money on security
because why spend 10 million on building a whole security operation center and all these, you know, controls when we're going to get fined anyway? So might as well save that money and put that towards the fine.
Or why invest 10 million a year when we could get away with being fined 50 million every 10 years?
Exactly, exactly. It's a little bit like when you used to get caught speeding by the police, you'd be issued a fine, you know, points on your license, blah blah blah, and it was just, you know, the penalizing of that behavior. Okay, fair enough, you know. But now if you're caught speeding, it's like, well, actually, you could go on a speed awareness course and not have the points, but be put on notice.
Actually, maybe something like that, making these companies pay a fine, but the fine actually pays for consultancy support and engagement from the regulator to see how their internal controls can be improved, and then be put on a, you know, a watch list for the next two to three years to ensure that it's actually in place. That would be a better use of that money, wouldn't it?
Yeah, yeah, as long as that process isn't outsourced to the Big Four. They're like, oh, you've been fined, but here's the alternative, Deloitte, KPMG, you know, they're here to help you sort it all out.
Oh my God, if the Big Four are listening, just send me 10 of everything you make off this scheme. That's all I'm saying. It's not much, it's not much.
Oh dear. Right, that was this week's Rant of the Week.
Feeling overloaded with actionable information? Fed up receiving well-researched, factual security content? Ask your doctor if the Host Unknown Podcast is right for you. Always read the label. Never double dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in anger.
Dead or alive, you're coming with me.
I was going to say that.
That was my line.
I'm sorry, mate.
I'm sorry.
Murphy, it's you.
Anyway.
San Francisco has been stepping up some of their automation.
And I call this the IoT of police.
They have approved lethal robots.
So San Francisco police can now deploy so-called killer robots,
robots following a board of supervisors
vote on Tuesday.
Clear the cops to use these killer robots.
And it was funny.
Someone said, like, what, you're going to equip these robots with guns?
And one of the spokesmen says, no, no, no, we've got no plans to attach firearms.
We're just going to give them bombs that could detonate when they're near us.
What?
That's even worse.
That's not a really big move, I don't know what is. It's like, guns are for pussies, we're just going to give them a bomb, blow them up.
Yeah, blow them up.
In fact, why not just put a pair of articulated hands on it and get the robot to strangle them?
Yeah.
I mean, this is like proper, you know,
you must have seen Team America World Police.
Yeah.
And there's a beginning scene, there's a bunch of terrorists, they're about to blow up the Eiffel Tower.
So Team America swoop in and they shoot everything up.
They kill all the terrorists, but in the process,
they also destroy the Eiffel Tower, the Arc tower, the armory and everything like that around it. And they're like, yeah, freedom of America. This is that come to life. Honestly, I read this and I could not believe, you know, it's like they're saying, oh, this is for extreme circumstances that, you know, the robot might be used in the day in the way of dealing with a terrorist or a mass shooter.
Now, the problem is that when you're dealing with someone like that in that situation, they're normally surrounded by hostages.
They're normally in a in a in an office building, in a shopping mall
or something like that.
It's not the place you want to blow something up.
If that was the way, then police would just go in
and chuck a few grenades in there.
Exactly.
All I can imagine is C-3PO with an explosive vest being pushed
into a building by the police going,
excuse me, no, actually, I don't want to.
So apparently the situation has happened before.
So in July 2016.
There's precedent.
Oh, my God.
Yeah.
So this is a bit sad.
There was a mass shooting incident that left five police
officers dead and another 11 people wounded. The suspect was cornered in a local building, and so police strapped an explosive charge onto a bomb disposal robot, which detonated near the suspect, killing him. So that robot is like, you know, live by the bomb, die by the bomb. It was, like, you know, it's quite an extreme thing, and you're like, wow, what kind, this is like, this is a first world country. I mean, I don't want to get into the whole debate, so I'm going to stop it right there. But there was one comment on this story,
which Andy's put in there.
He's highlighted it.
So I don't know whether he's highlighted it to say,
you must say this, or he's highlighted it to say,
like, this is completely, avoid saying this.
But we're going to say it.
We're going to say it.
One particular comment in this which made me chuckle was,
considering American cops can't even go into an active shooter situation to save
school children, I assume this will be the first course of action for anything above a parking
ticket. Shots fired, but not by the Texas police.
Well, if the answer to gun crime is more guns, and the answer to more gun crime, therefore, is more bombs, where are we going with this? I find this, this is, wow. I mean, this sounds like a little bit of an anti-American episode, for which I apologise. I think we should blame Andy for that. But yeah, you've got to start looking at yourselves and wondering if this is the right way to go.
Wow, that's scary.
It is, it is, it is. It's like, and the thing with robots now, it's a bit like now where you have the chatbots on websites or what have you. You've basically realized that you cannot negotiate with these things, you cannot give them reason, you cannot what have you. It literally is like ED-209. If it misinterprets who you are or it doesn't see that you've dropped the gun, it will still say you have 30 seconds to comply and you're going to get shot to shit.
Wow
It does make RoboCop feel not quite so science fiction-like.
No, and it also seems a lot tamer by comparing my real room.
Wow.
I'm kind of somewhat speechless.
And that was, well, I know, especially it's not very good when you're trying to host a show as well.
So thank you.
That was Billy Big Balls of the week.
Are you outraged that Host Unknown was voted the most entertaining content coming out of Europe?
We read all complaints sent to our Reddit channel on r/SmashingSecurity.
So, Tom, I hope you've gathered your voice back again
because I wanted to ask you, do you know what time it is?
I do. It is that time of the show where we head to our news sources
over at the InfoSec PA Newswire who have been very busy
bringing us the latest and greatest security news from around the globe.
Experts find 16,000-plus scam FIFA World Cup domains.
Ireland's DPC fines Meta €265 million following large-scale data leak.
Industry News.
Let's Encrypt issues three billionth certificate.
Industry News.
Australian Parliament passes privacy penalty bill.
Industry News.
Majority of US defence contractors not meeting basic cyber security requirements.
Industry news.
Researchers accidentally crash crypto mining botnet.
Industry news.
Eight charged with $30 million unemployment benefits fraud.
Industry news.
UK extends NIS regulations to IT managed service providers.
Industry news.
WhatsApp files on dark web show millions of records for sale.
Industry news.
And that was this week's...
Industry news.
Huge, if true.
Huge.
Absolutely huge. There's a lot of big numbers in this week's.
Millions, three billionth,
265 million,
16,000 plus,
30 million, it's all about the numbers,
it seems.
It is, and I'm looking at the story about
Security researchers who accidentally
Killed a botnet
So they were
Analyzing a prolific botnet
and accidentally killed it
due to, according to the story,
the coding equivalent of a typing error.
So, yeah.
The bot is designed to conscript machines
via SSH and weak credentials
and has the functionality to launch DDoS and crypto mining campaigns targeting the gaming, technology and luxury car industries, amongst others.
Akamai decided to test some of the botnet's command and control functionality as part of its research.
So it set up a controlled environment by modifying a recent sample to talk to an IP address, and this allowed them to have a controlled environment
to play around with it. But interestingly, after one single improperly formatted command,
the bot stopped sending commands, and that was simply a missing space between the target website
and the port, but it was enough to bring down the entire botnet.
That's a good thing, though, right?
That is a good thing.
And I'm sure if Andy was there, he'd tell us loads of stories
about how he brought down his production environments
by running commands from his desk in production.
Oh, this is the latest version of Nessus out or something.
So I thought, let's do a scan.
And we could hear about how you did something similar as well.
I've never made such a stupid rookie mistake in my life.
I don't know what you're talking about.
Episodes 89 and 52, I think it was.
No, but this seems to me like, you know, I'm a researcher in bank robberies.
I'm going to observe this bank and see how robberies are carried out.
And then as the bank robber runs in with the shotgun,
saying nobody move, accidentally trips them up and knocks them out.
It's kind of like, shouldn't we be stopping this sort of thing anyway? I don't know. Well,
rather than just observing it, you know, observing criminals. I don't know, I don't know, I'm sure I'm
sure I'm missing something, and if Andy were here he would tell me. But no, I think one of the
things with a lot of these criminal gangs that you don't know is you can sometimes learn a
lot more about the actual root cause by observing them for long periods of time.
So you gather intel on who they are and actually go after the people,
not the technologies.
But also, I think a lot of these researchers are very careful
because they don't know if law enforcement is monitoring them
or if they're part of a sting operation or something like that.
Well, exactly, yeah.
I love this.
Let's Encrypt issues three billionth certificate.
Wowza.
That's just one organisation that issues certificates.
That's huge.
Imagine if they charged a dollar for each certificate.
Yeah, except it takes $1.50 to produce.
But, yeah, wow.
I mean, that's such a large number.
It really does put into perspective the size of, well, bluntly,
the internet, right, and the scale of it and what's required to run it.
It does.
It does indeed.
Always good to see Facebook and Meta being fined
€265 million. Hopefully
that money will be put to good use.
Yeah, where does that
money go?
Do you know what? It certainly doesn't
go to the
people of, well in this case
Ireland.
I don't know where, because that's a
fair chunk of change, isn't it? I mean,
you could probably build a, you know, a new wing on a hospital for that amount of money,
right? You could have, like, you know, 10,000 ventilators for that kind of money. So,
yeah, it's, yeah. Or some dodgy PPE for, you know, COVID wards.
Yeah, yeah, yeah, exactly.
Or something Matt Hancock's mates.
Yeah, exactly.
Down the pub.
Exactly, down the pub.
Can't believe he came third on I'm a Celebrity.
Not that I was following it.
So WhatsApp files on dark web show millions of records for sale.
That ain't good.
That's not good for WhatsApp because they're making this massive
push about, you know, we're end-to-end
encrypted. You can't do anything. You can't find
anything. You can have your conversations
in secret.
And now we've got files
that have been found on WhatsApp available on
the dark web. Is that right?
I don't know.
I'm just saying in a desperate attempt to try and read the story at the same time to act like I know what this is about.
But it's.
There's no actual data, that's all samples that have been given. But I think what this is probably a lot like is someone
trying to register new phone numbers, and then you sometimes get a notification saying, you know, do
you want to add this, or do you want to add it to the web-based format and stuff. And if you can
trick someone into saying yes or accepting that, then someone then gets access to all of your WhatsApp data. So I think that the end-to-end stuff
is still legit, it's secure, but it's, you know, if you could trick someone into
opening the front door for you, then you don't need to be a lock pick master.
And finally, the last one here: the majority of US defence contractors not meeting basic cyber security requirements.
This one caught my eye as I was reading it, because it doesn't surprise me, because the supply chain of many of these government organisations is so big.
You've probably got some fairly small organisations here, probably two- or three-people-sized companies that are just doing
odds and sods here, and, you know, this is exactly what, certainly in the UK, Cyber Essentials
is designed to address. But I'm not sure there's a similar-sized thing for smaller
organisations out in the US or not.
Indeed.
We shall see.
Anyway, that was this week's...
Industry News.
It doesn't matter if the judges were drinking.
Host Unknown was still awarded Europe's most entertaining content status.
I think we're making a point about that this episode.
Yes.
Right, let's move on to the last part of the show.
It's time for...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
Would you like
to do this one?
Okay, so this is...
Thanks, Andy,
for putting in a picture that
now I have to explain
as Tweet of the Week.
So, it's a picture with
two parts to it.
The first part says, Hacking in the Past,
and it's got someone with that overly large brain,
a bit like Megamind.
And it says, I reverse engineered a binary stolen from an intelligence agency
server.
Here's a sign which shouts zero-day exploit code and the STDL of me
rooting the server for lulz.
OK?
I've spoken like a true cybersecurity expert there, Jav.
And then versus Hacking Now, where there's a picture of a drooling,
blithering idiot going Metasploit module go brrrr,
and he's putting a square block into a round hole.
I think he might have been,
I think Andy was clutching at straws this week,
but it is a good one, is a good one.
If nothing else,
HD Moore has commoditized the ability to hack nowadays.
Yes, yes.
You know, this is, after doing this,
I have the utmost respect of those people
who do the audio captions
for the visually impaired on movies.
Yeah.
A man walks quietly through the streets,
kicking leaves as he goes.
Yeah.
Exactly.
I think I'd be quite good at that.
Maybe you will be.
OK, so your task this weekend, Tom, because you've got nothing else to do,
it's not like you've got work calling you any days off,
is to go through the movie Swordfish and explain that as an audio guide for the visually impaired.
A woman performs fellatio on a man as he tries to hack into a computer
whilst having a gun held to his head.
I think that's the entire film, right?
Wow, that is, that is surprisingly good, Tom.
I have to give you that, that is really good.
And that was this week's...
Wow, we blew through that one.
We should do this with Andy more often.
I know, it's a fat-free, streamlined episode.
Do you know what?
I think we make that joke every time one of us is away.
I know, I know.
Although we can't say that about Andy anymore
because he's not fat anymore.
No, he's lost so much weight.
Ladies, he's looking fine.
Yeah, no wonder his Mrs. Watson will get his phone.
Yeah, it all falls into place.
Holy crap, my husband's looking attractive now.
I need to be sure he's not.
Oh, dear.
Andy, if you're listening, we hope the audit has gone well.
And, well, actually, come to think of it,
have you noticed that the host unknown WhatsApp group has just been deleted?
Oh, oh, oh.
Andy, Mrs. Agnes, if you're listening,
I've tried to talk him off the ledge so many times.
I told him he should be a good person, but, you know,
he just didn't listen.
You told him he should be a good person.
Wow, way to set a man up there.
Just think of your wife and child,
Andy.
Alright.
Jav, thank you very much
for this week,
lovely as always, and have a lovely
weekend.
Cool, thank you. You too.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast. If you
enjoyed what you heard, comment and
subscribe. If you hated it,
please leave your best insults on our Reddit channel.
Worst episode ever.
r slash Smashing
Security.
So how would you
audio narrate the bullet time sequence from The Matrix?
You know, the first one where Trinity jumps up in the air and the camera spins around.
A policeman nervously approaches a room.
He peers in. He spots a lady, the rather attractive Carrie-Anne Moss,
sitting at a computer.
As he barges in, she lifts into the air as if carried by wires.
Damn, second career already there, I think.
I know, that is so good.
Thank you.