The Host Unknown Podcast - Episode 138 - The Good Furniture Guide Episode
Episode Date: February 3, 2023

This week in InfoSec (11:52)

With content liberated from the “today in infosec” twitter account and further afield

31st January 1995: AT&T and VLSI Protect Against Eavesdropping
AT&T Bell Laboratories and VLSI Technology announce plans to develop strategies for protecting communications devices from eavesdroppers. The goal would be to prevent problems such as insecure cellular phone lines and Internet transmissions by including security chips in devices.

30th January 1982: First Computer Virus Written
Richard Skrenta writes the first PC virus code, which is 400 lines long and disguised as an Apple II boot program called “Elk Cloner“.

Rant of the Week (18:22)

Anker finally comes clean about its Eufy security cameras
First, Anker told us it was impossible. Then, it covered its tracks. It repeatedly deflected while utterly ignoring our emails. So shortly before Christmas, we gave the company an ultimatum: if Anker wouldn’t answer why its supposedly always-encrypted Eufy cameras were producing unencrypted streams — among other questions — we would publish a story about the company’s lack of answers.
It worked.
In a series of emails to The Verge, Anker has finally admitted its Eufy security cameras are not natively end-to-end encrypted — they can and did produce unencrypted video streams for Eufy’s web portal, like the ones we accessed from across the United States using an ordinary media player.
But Anker says that’s now largely fixed. Every video stream request originating from Eufy’s web portal will now be end-to-end encrypted — like they are with Eufy’s app — and the company says it’s updating every single Eufy camera to use WebRTC, which is encrypted by default. Reading between the lines, though, it seems that these cameras could still produce unencrypted footage upon request.
That’s not all Anker is disclosing today. The company has apologized for the lack of communication and promised to do better, confirming it’s bringing in outside security and penetration testing companies to audit Eufy’s practices, is in talks with a “leading and well-known security expert” to produce an independent report, is promising to create an official bug bounty program, and will launch a microsite in February to explain how its security works in more detail.
Those independent audits and reports may be critical for Eufy to regain trust because of how the company has handled the findings of security researchers and journalists. It’s a little hard to take the company at its word!

Billy Big Balls of the Week (31:34)

FBI says it ‘hacked the hackers’ of a ransomware service, saving victims $130 million
The Department of Justice announced this week that FBI agents successfully disrupted Hive, a notorious ransomware group, and prevented $130 million worth of ransom campaigns that targets no longer need to consider paying. While claiming the Hive group has been responsible for targeting over 1,500 victims in over 80 countries worldwide, the department now reveals it had infiltrated the group’s network for months before working with German and Netherlands officials to shut down Hive servers and websites this week.
“Simply put, using lawful means, we hacked the hackers,” Deputy Attorney General Lisa Monaco remarked during a press conference.
The FBI claims that by covertly hacking into Hive servers, it was able to quietly snatch up over 300 decryption keys and pass them back to victims whose data was locked up by the group. US Attorney General Merrick Garland said in his statement that in the last few months, the FBI used those decryption keys to unlock a Texas school district facing a $5 million ransom, a Louisiana hospital that had been asked for $3 million, and an unnamed food services company that faced a $10 million ransom.

Industry News (37:32)

Thriving Dark Web Trade in Fake Security Certifications
Almost all Organizations are Working with Recently Breached Vendors
Google Fi Confirms Data Breach, Hints At Link to T-Mobile Hack
City of London on High Alert After Ransomware Attack
Researchers Warn of Crypto Scam Apps on Apple App Store
Lazarus Group Attack Identified After Operational Security Fail
Women in CyberSecurity Calls for Participants for New Measuring Inclusion Workshops
Arnold Clark Confirms Customer Data Compromised in Breach
Threat Actors Use ClickFunnels to Bypass Security Services

Tweet of the Week (45:41)

https://twitter.com/StateOfLinkedIn/status/1621258534062006276

Come on! Like and bloody well subscribe!
Transcript
Wow, we've really got the energy up this week,
haven't we?
Yeah, exactly.
Try harder.
You guys are sort of complaining
that I wasn't here on time.
Oh, you're ready to go.
You came in and just...
You burned all the energy in my absence.
No, we were all up and pumped and ready
and then you came in and it was like,
where were you?
I was,
I was here at 25 past.
Nobody else.
I was the first person here.
I was literally the first.
No one else was here.
I sent a message.
Are you guys going to be on time for a change?
No response.
Therefore,
I just,
Oh my God.
The,
the,
the sheer audacity of this man.
It's unbelievable.
He walks in like someone leaving the airlock open sucked out the whole atmosphere and now trying to blame us for it.
You guys need to go and get a coffee. I'm, I'm ready to go.
The spaceship Host Unknown is now a vacuum. Thanks, Andy.
you're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all to episode 138.
142.
Of the Host Unknown podcast. Hello everybody, thank you for joining us. We trust you, dear listener, are well. We hope you had a good week. We hope you made it through.
It's now Friday as we record. It's Friday noon. God knows what day of the week it is for you. Who knows?
But nonetheless, it's Friday.
Jav, how are you?
I'm good.
I'm good.
And you'll be pleased to know I think my home renovation project has come to a closure finally.
Yesterday, a new bed was delivered.
And it's a great bed.
It's one of those beds which is quite smart in that it's got speakers built into here, and it's got, like, uh, phone charging ports, and it's got, like, a light in the headboard so you don't... and it's got storage. And, uh, my wife...
This is like theot wildebeest style.
Yeah, exactly.
Does it rotate?
It doesn't.
And when you say storage, how many terabytes?
Well, yes, exactly. But my wife was adamant she wanted one of those ottoman beds, so you could lift it up and then chuck, like, all your blankets and dead bodies underneath it and what have you.
And there's only one dead body I think she wants under there.
Yeah, well, okay. Um, and then I was like, you know, why aren't you just more smarter with how many things you have in the house, and maybe you won't need more storage? Of course, that went down about as well as one of Tom's jokes on stage.
So, um, so you're using, uh, the old bed in your office?
No, no. So, so we, so we ended up buying the bed and having it delivered, and it was assembled yesterday. And then once it was all assembled and we put the mattress on top, you literally need a step ladder to get onto it now.
Well, you do. Most normal people don't.
I don't, I don't. I can tiptoe and crawl onto it.
My missus, on the other hand, she is really struggling.
So last night I was calculating, if I just kick her off,
there'll be like one Mississippi, two Mississippi, three Mississippi
before she hits the bottom.
It'll be quite funny.
Yeah.
So that's the excitement I've had in my...
Out of interest, what do the speakers connect to?
A phone. So there's a USB port in the, in the headboard.
They're not even Bluetooth?
Oh, no, there... I think there is a Bluetooth function as well. I haven't really tested it all out yet.
Is it Bluetooth 5? Now you're really pushing.
I don't even know if it has Bluetooth, let alone what version it is.
But don't worry.
You bought a bed and you don't know what specs it is.
I will do a thorough pen test on it in due course and report back the phone.
Just change the default password, Jav.
That's all we're saying.
Yeah.
So, Andy, have you had any, um, you know, bed action this week as well, like, like Jav?
Uh, sadly not, no. But I mean, I bought a new bed, uh, last year which already has USB sockets. It has ottoman storage under the bed, uh, but it doesn't have speakers. So I'm curious as to, uh, you know, the type of bed that Jav's got. But you know where they stiff you on these beds is not just the bed, like the mattress makes all the difference, and you pretty much need to spend the same amount on the mattress as you do on the bed.
It's, uh, it's a farce. It's a complete racket.
I'm pretty sure that the first bed I ever bought cost me about 300 quid from Argos as a double bed, and, um, yeah, my last one cost me significantly more.
And if you're just joining us, this is the Host Unknown podcast, where we discuss, uh, home improvements. The old man edition.
The old man edition, yeah.
Oh, man. But yeah, no, I won't, uh, drag you down with that too much.
And don't get me started on the, uh, on the bedside tables.
Actually, they're built in on my bed, so it's, um...
What? Yeah, what? I mean, what is this, like the 70s G Plan or something? What's going on?
Hey, what's wrong with G Plan? I actually bought some G Plan sofas last year.
Okay, how much? How many G's did they set you back?
A lot. I'm still paying them off. In fact, I purchased them this time, February half term last year, and then quit my job. Um, yeah, and so I've probably got, what, another 18 months left on that payment. But when it came up, they were literally the most comfortable sofas in the store. And I was... I thought she was joking when she said how much they were. The problem was he was in the newsagents. But, uh, yeah, no, they did cost, um, yeah, more than I care to admit.
Wow.
So what I'm thinking is, like, which one of us is going to go full Dan Tanner and have, like, you open up the garage shutter
and drive your car straight into the living room?
Oh, yes, I remember that.
I always thought, doesn't that really smell, though?
Yes.
But with the amount that I spent on practical things that my family benefits from.
Tom, how much have you spent on Lego in just the last month?
Because I saw that pretty fancy Nintendo Entertainment System.
Ah, you see, complete with music.
Christmas presents to yourself? Because I didn't realise we could do that and justify it as a write-off.
No, no, from other people, from other people. So, like, the Rolling Stones, um, uh, tongue icon, um, you know, which is about, what, 80 centimetres tall, something like that.
It was 2,000 pieces.
That was from the Duchess of Ladywell for Christmas.
Damn.
Yeah.
It's looking good on my bedroom wall, I can tell you.
And the Nintendo?
That was from a friend of mine.
Must be a very good friend.
So in answer to your question, only a couple of hundred quid.
And obviously the time and investment you put into the friendship
that we don't spend time with.
No, I've got something else that I've got to build next,
which is the Atari video console system.
Nice. So, so just to go back a bit, and I nearly fell off my seat, I'm looking at... there's a G Plan vintage leather sofa I just looked up, and it's like three and a half grand, just for one sofa.
Uh, yeah, that's how much proper sofas cost, Jav.
No, this is like, what?
Yeah, no, what? You mean IKEA don't do proper sofas? You mean... what, what I mean is, when you spend that amount of money, you can actually take the plastic off the sofa rather than leaving it on.
No, no, the kids ruin it.
You need to leave the plastic on.
It's like, what next?
You're going to tell me you don't wrap your remotes in cling film.
Or you don't have one of those plastic runners in the hallway as you enter the house.
Yeah, like you have under your office chair.
Yeah, exactly.
But anyway, how's your week anyway, Tom? Anything?
Yeah, very good. No, very good. Mostly, um, mostly in my hotel bed, for that matter. So, uh, yeah, still in the hotel now. Uh, we'll be going into the office, uh, obviously once the office opens, after we've finished recording. So, uh, yeah, uh, I was just saying to Jav, it's one of those weeks where you think, I am never going to get to the end of this week alive. It's just there's so much going on that's gonna, you know, it's gonna scupper me. But I seem to have made it so far. So I've just got a couple of presentations to write. You know, as, as we all know, a, a CISO's job is PowerPoint of politics.
PowerPoint of politics.
Regurgitating is, you know, is when I eat too much chocolate over the weekend.
But yeah, it's been good.
It's been busy.
I think I say that every week, but it's been very constructive.
You know what's funny about you?
Talk about regurgitating.
And I thought about you, Tom, the other day because I was talking to someone.
And it was a document we're going through about risk.
And then I said, like, you need to give some examples.
And I said, like, because did you know that falling coconuts kill more people than sharks every year?
Yeah.
Babies kill more people than bears every year.
Yeah, yeah, yeah.
Hey, it's worked.
Yeah, toothbrushes in toilets or something.
I think I'm going to bring that talk back, actually.
Oh, thank you.
So, talking about blatant theft,
shall we see what we've got coming up for you this week?
This week in InfoSec reveals the date
the first PC virus code was written.
It sounds like we've got an exclusive scoop, but I don't.
Rant of the Week observes Anker go through the seven stages of grief.
Billy Big Balls is a story of the hunters becoming the hunted.
Industry News brings us the latest and greatest security news stories
from around the world.
And Tweet of the Week is a eulogy for all those dedicated employers.
So let's move on to our favourite part of the show, shall we?
It's the part of the show that we like to call... pretend it played... this stroll down InfoSec memory lane, with content liberated from the Today in InfoSec Twitter account and further afield.
And do you know what, that's actually throwing me, Tom, I'll be honest. This feels like we're on Smashing Security. I didn't hear any jingles. It's like I'm completely...
Shush, shush. We clean this up in the edit.
Come on, we're supposed to be professionals
I'm not used to this
I realise we're actually blowing through time
So I'm going to run through this quickly
And I did not prepare
So our first story
You've been here
Since 25 past
And you didn't prepare? What's going on?
As in I haven't worked out my maths yet.
Our first story takes us back a mere 28 years to the 31st of January 1995
when VLSI protect against eavesdropping.
And so this is a story of AT&T Bell Laboratories and VLSI Technology
announcing plans to develop strategies for protecting communications devices from eavesdroppers
and the goal would be to prevent problems such as insecure cellular phone lines and internet transmissions by including security chips in devices.
So I don't know if you remember, like, back in the 90s
when mobile phones were sort of becoming common,
you could actually just use a radio sort of frequency scanner
and listen to at least one side of a phone conversation.
And, you know, you could quite frequently pick up chatter
between people having conversations.
Because obviously back then, people used to use phones a lot more for talking.
For talking?
Yeah.
I see my phone ringing.
I'm like, dude, seriously, what are you doing?
You have to sit and wait for it to finish before you can message back.
And then you've got to add, like, 10 minutes and say, sorry, was in the shower, or whatever.
Um, but yeah, this stuff wasn't built in by default. And, um, you know, the whole Clipper chip and things like that, where, you know, it became common that, um, you know, law enforcement was regularly listening to phone communications. Um, didn't even need a warrant either. Um, so yeah.
But did the... was the Clipper chip fully rolled out, though? I thought it was kind of abandoned.
Uh, well, we'll never know, right? It's, um... well, yeah, you know, by the time it's caught, it's already been in use for a while. Do you know what I mean? It's like, it's where, uh, you know, someone has something good and they don't tell anyone about it, and then all of a sudden word gets out and everyone starts using it and it leaks, and, you know, people start looking at it with more scrutiny. Um, yeah, so it wouldn't surprise me if this was like... I mean, you know, as a kid walking down the street with a, um, you know, radio frequency scanner, I could regularly listen to conversations.
The fact that you had a radio frequency scanner as a kid kind of concerns me.
Yeah. Uh, no, so 95, I'll be honest, I wasn't, um, you know, I wasn't... I was able to afford, uh, you know, things myself. So, um, yeah, it, it, uh... we had... it's gonna go away... we had these things called iComs
which were used for like
they were like secure
like walkie talkies
but they also had built in radio frequency scanners
and yeah using that
you see my walkie talkies
were like
noddy walkie talkies
like quite literally
noddy and biggies
I know these things had, like, a four mile range.
Yeah, mine had, like, a, you know, a bedroom range.
Yeah, that's, uh, that was like a plastic cup, wasn't it, with a bit of string from WH Smith. Walkie talkie.
Oh, dear. Anyway, that's our second story.
It takes us back a mere 41 years,
long before I was born, to the 30th of January, 1982,
when the first computer virus was written.
And this is the story of Richard Skrenta
writing the first PC virus code, as they called it,
which is 400 lines long.
And it was disguised as an Apple II boot program called Elk Cloner.
And when it came up, it said,
Elk Cloner, the program with a personality.
It will get on all your disks.
It will infiltrate your chips.
Yes, it's Cloner.
It will stick to you like glue.
It will modify RAM too. Send in the Cloner.
And, um, dear me, somebody needed to get laid.
Geez, that was dreadful.
15-year-old high school student, originally written as a joke. Um, put it on a disc and it got... one of these things got out of hand, right?
Yeah, as all these things do.
Best laid plans.
Well, and they say Macs don't get viruses, right?
But the very first one?
Well, it didn't actually harm him, I don't think it harmed Macs.
I think it harmed PCs.
Oh, no, it did.
No, no, my bad.
It did attach itself to the Apple II operating system.
And as I read this, I realise we covered this story about this time last year
in a lot more detail.
Well, obviously, there's only so much stuff that happens, you know,
in the same week.
So, Tom, for convenience, we could have just copied and pasted
last year's segment into this one.
In fact, just the entire show, nobody would have noticed.
Nobody, I'm telling you.
Apart from the sofas were a lot cheaper.
Well, yeah, exactly.
Yeah.
Exactly, yeah.
Bloody Brexit.
Excellent.
Thank you very much.
This week in InfoSwerve.
Way.
People who prefer the Smashing Security podcast
over the Host Unknown podcast
are statistically more likely to enjoy
the Harry and Meghan documentaries.
Read into that what you will.
True story.
True story.
Right, let's get to the angry parts of the show.
It is time for...
Listen up!
Rant of the Week.
It's time to mother rage.
All right, so we've, we've all heard of the brand Anker, right? We, um, in fact, we've probably... the three of us have probably got devices. I know I've got a, an Anker Eufy vacuum cleaner.
Little handheld one?
Little... no. No, mine's a little
sort of massive hockey puck one
that goes around and does itself.
I'm not doing that.
That's why I've got robots.
Anyway, yeah, exactly.
Exactly, even if it is robotic stuff.
So
we've all heard of these. In fact, I think
they made their name originally with batteries,
didn't they?
That was their... I did.
I used to have one of their mobile phone chargers.
You know, the portable mobile phone charger things, battery power packs.
Yeah.
Yeah.
So big brand, big brand, American.
I'm not sure if all their products are made in America,
but it's an American company, which is quite rare in the security space as well.
And the story broke a few months ago.
In fact, I spoke about it on the, uh, Trash Insecurity podcast a few, uh, a few months ago.
Traitor.
I know. About how, um, uh, about how their security cameras, which are supposed to, uh, contain all of their, um... all of the footage remains on the device, it doesn't go up to cloud... were actually accessible through the internet, and how they had denied this, and blah blah blah. And this has become a big story. So The Verge has covered this, um, and, uh, in, in their words, they're saying: first, you know, Anker told The Verge that it was impossible that that could happen. Then it said... then it was covering its tracks, and then it just deflected everything whilst ignoring all journalistic inquiries about this problem, whereby with a simple media player you could connect to Eufy cameras across the world and stream the video that was contained on it. So not exactly a security feature when they're, uh, proclaiming that it is, you know, that it's, you know, not cloud, it's not accessible from the internet, et cetera. So the bottom line is they finally fessed up. They have finally fessed up.
About time.
Yeah. So what the summary of the story is, is that you would access the recordings... the broader internet. The problem was that they then enabled a feature that allowed you to connect to the device over the internet through a web browser, and they forgot to encrypt it. They forgot to encrypt this. Now, in, in some of this, and do click on the link, it makes for some painful, painful reading, but in some of their defence of themselves, when said, you know, you enabled an app that connected to your supposedly secure cameras and allowed people to stream from there using, you know, unencrypted data streams. And their defence was, well, the app was originally just to maintain, you know, accounts and stuff like that. And then people said they wanted to access their recordings. So we enabled it. We neglected to encrypt it. But it's okay. I'm paraphrasing slightly, but it's okay, because only 0.1% of our user base actually use the web functionality to stream, uh, videos from there. And I'm like, yeah, 0.1% of your user base do that. A hundred percent of anybody hacking or wanting to look at, you know, video feeds are going to use that, because it's unencrypted. Why would they go for the encrypted stream when there's an unencrypted one? Absolute double talk written by a lawyer who doesn't know what they're talking about. So I find this shocking. I mean...
Or a lawyer who does know what they're talking about and is being very careful to not incriminate the company for the subsequent lawsuits which may be coming their way.
Well, exactly, but it's... he knows it's... yeah, exactly, because he's surrounded by lawyers, apparently.
Uh, are you sat on a couch?
What?
By yourself, while they're surrounding you from behind the couch? Is that, is that...
But it's a very... just asking.
Couch, I'll be honest, it is. Apparently it's good to lie down on. But, um, so, um, it's... so the thing here, the thing here that gets me is that when you deflect,
when something like this happens, and it's quite clear that in this instance
there is no end-to-end encryption on a certain medium, et cetera,
what Anker did was exactly the wrong thing.
They doubled down and said, no, it isn't.
Prove it.
No, it isn't.
Nothing to do with it.
And anyway, even if it was true, it doesn't matter.
They doubled down. They knew exactly what the problem was and they, they just claimed it didn't exist. And of course, you say... you do something like that to any kind of journalist with any kind of integrity, they're, they're going to just push and push and push, and finally they fessed up to it. But all it does is drag the, the brand's name through the mud. They sound, and they come across as, uh, just a company that is untrustworthy, that actually will do everything it can to deny something that is blatantly true.
Now they have gone on and said, you know, that we're the, um... we, the... we've updated every single Eufy camera.
Uh, really? I'm, I'm, I mean, one, I'd like to see the stats on that. Um, and don't just, you know, write down 100%, because that's not really a stat, is it?
But, you know, they've updated every single Eufy camera to use WebRTC,
which is an encrypted package,
so that any communication that comes in and out is now encrypted.
They've also invited a third-party security consultancy
to audit their security practices and to review them
and to help improve and all that sort of things.
He's in talks with a leading and well-known security expert,
please don't say it's Bruce Schneier,
to produce that independent report
and has launched or will launch a microsite in February
to explain how its security works in more detail.
I think it's probably just got the words, it doesn't, on it, nothing else.
It sounds like they are, you know, now they've realised
there's a huge fallout from this. It's, you know, they need
to bury it. They are taking steps.
Don't get me wrong, the horse has bolted, but
if you don't deal with it at the time, the second best time is now.
You know what this sounds like to me?
And it's quite clear.
It's like, once again, Tom Lankford blaming a victim.
A victim?
What are they a victim of, precisely?
Of their own incompetence?
You know what?
Everyone makes mistakes.
Who has not ever accidentally exposed something to the internet that they shouldn't have, or what have you?
Or shut down banking systems.
Mr. CISO over here is now throwing out words like untrustworthy and dragging through the mud as if like every internet enabled CCTV camera you buy from AliExpress is the bastion of security.
This sounds like from bitter experience, Jav.
And anyway, you're absolutely right.
You're absolutely right.
Everybody does make mistakes.
And the key is to own up to it and fix it and not deny that it even existed in the first place.
What if your mistake is not owning up straight away?
True.
Hang on, whose side are you on?
Andy just grabs his popcorn and loves this one.
Yeah, exactly.
So I think from a company perspective, I think what we sometimes underestimate is how much pressure organisations get from so-called ethical hackers and bloggers who refer to themselves as journalists, and all this kind of stuff, who just want to try and make a name for themselves or drag a brand through the mud. So sometimes, like, you know, you do need to be very legal aware and say, okay, let's see, and assess the situation yourself before you come out and say, oh, you got me, guv, hands up, I admit I made a mistake and what have you. Because you don't know how the people that are coming to you are going to react to that. Because we've seen it happen in the past where, you know, brands have been, like, just needlessly, you know, pitchforked to death, or not to death, uh, but, you know, the mob comes out really, really quickly. So there is that balancing act as well. I think not everyone that reports a, a vulnerability to an organisation does it with the best of intentions.
Yeah.
And, you know, I've been at a place where I remember someone contacted us saying, oh, you know, you've got this, uh, open S3 bucket. Um, and what it was, it basically had the company name on it. That's correct, because some dev decided to try something on AWS. Um, you know, there's no data in there or anything, but it did have, um, obviously the company name in it. And this guy was like, you know, this bucket's open, yada yada yada, you know, what are you going to do about it? And it's like, you know, thanks for letting us know. You know, it's not a production system, it's got no data in it, it's just, you know, you've got the company name on it. And it's like, you know, how much do I get from the bounty? Do you have a, an official bounty program? And it's like, um, no. And it's like, well, you know, I'm going to talk about this in a blog post and, you know, explain how I discovered it. And it's like, dude, there's nothing to discover. Do you know what I mean?
Yeah.
It's just one of those things. And so some people are, you know... I think we've seen this with some bug bounty programs where they, um, completely agree. But in a case like this where they say, no, no, no, not true, no, no, no, no, no, no, no, no, not true, not true, not, not, not true, not true... oh, yeah, it is true, we've changed it. Well, you know, again, you're reading one side of the story, uh, which is, you know, published from the journalist's point of view. I'm not saying that that's incorrect or whatever.
How difficult is it to see? Journalist says your traffic through your website to your secure cameras
is unencrypted and available from across the internet.
How difficult is it for them to say, okay, let's check that out?
So we regret the initial communications which were sent back to the journalists
when they identified a serious vulnerability in our website.
The intern who fielded the initial message is no longer with the company and has been trained. Uh, you know, we have improved our customer interaction.
Please, please tell me you're not reading that. Please tell me you're not reading that.
I'm just saying there's more than, as Jav said, there's more than one side to a story, right?
Yeah, this is terrible.
Let's be honest, right?
You do not put your £100,000 vulnerability experts
on the front line dealing with customer queries, right?
Let's be blunt.
Like big companies like Anker would be paying, you know,
call centre agents by the hour to fill these questions.
And they're probably on call.
They've got to do a certain amount of support calls per day or answer a certain amount of emails.
So, yeah, it's not good stuff.
The ethics and morals of you two.
This is not good stuff.
I'm not trying to downplay it.
I'm just saying that, you know,
maybe they didn't get the right person first of all,
which is why it's taken so much time to get to a resolution.
Just a... Jeez, who am I dealing with?
What are you doing on my podcast?
You're dealing with people who live in the real world
and understand not everyone's black and white.
Yeah.
It's encrypted or it's not encrypted. That's pretty black
and white to me. It's hard to hear
you from the height of your ivory tower
sometimes.
Indeed. Do you know what? I've got
one last thing to say.
Rant of the Week.
You're listening to the award-winning Host Unknown podcast.
It's better than tinnitus.
Wish I had bloody tinnitus right now.
Dear me.
It's encrypted with SHA-1, yes?
Is that good enough for you?
I'm ashamed.
I'm ashamed to be associated with YouTube.
Dear me.
Oh, well, whatever.
Here's thingy with the next bit.
So, unlike Tom, I am not going to be shaming anyone.
And unlike what he normally...
You know the script says that I have to get angry?
You know that's part of it.
You know that's the rant of the week, clues in the words.
It's black and white.
It's either a rant or it's not a rant.
One or the other.
And unlike what Tim...
Tim?
Tim?
Bloody hell!
Can you go any lower?
Clearly you know a Tim who you're not familiar,
you're not friends with.
You can't even remember my bloody name.
You're so generic, Tom.
We could replace you for anything and anyone.
Just get on with it, Jojo.
Okay.
Right. So the FBI finally did something. The Department of Justice announced that they worked with some of their counterparts in Europol,
in Germany and Denmark, or sorry, Netherlands.
And they took down the Hive infrastructure, a notorious ransomware group.
Not to be confused with the central heating company.
Well, I know, I've just had one installed. I'm thinking, bloody hell, I didn't get much use out of that.
Give it up, that's the FBI. You have no idea, it could very well be. Yeah, it could well. Yeah.
Oh, that Hive. Yeah. From the government that brought you no-fly lists and Guantanamo Bay comes the takedown
of the no-heat list. Yeah.
So, so they apparently infiltrated their networks about six months ago. And they were observing their operations and what have you.
And apparently they were tipping off victims or potential victims
or slipping them the decryption key.
And apparently in the process of the last six months,
they prevented about $130 million worth of ransom campaigns
because the targets no longer needed to pay.
Over the years, they claim that Hive has targeted over 1,500 victims
in over 80 countries worldwide.
So, you know, they were covertly monitoring their servers, and they were able to snatch over 300 decryption keys.
And then they used those to unlock customers or companies that had been infected.
So they worked in unison.
They took down the whole infrastructure. So, you know,
that's bye-bye Hive group for this week, because there's been no actual mention of any arrests
occurring as part of this. You would have thought that, you know, the infrastructure is probably the
least important part of this, because if you're talking about this organisation that makes
hundreds of millions of dollars a year, if you just take down their infrastructure, they're just going to
take their money, invest in some new infrastructure and be up and running again. What you really
need to do is to be, like, identifying the people, taking them down, like, you know, arresting them,
throwing them behind bars for, like, you know, three life sentences or something. Or, as the
Americans like to do, just send a drone over their house and, you know,
sort them out that way. But still, I think it's a good move. I always like it when these big
groups get taken down by a bit of international law enforcement collaboration, and hopefully,
you know, more of these things happen and disrupt some operations.
So do you know what I'm seeing here is that Hive Group
need to do better background screening when they hire people.
They do.
They do.
Because, you know, when you're hiring FBI agents,
there's got to be, you know, that should be pretty easy
to identify, you know, during your onboarding process.
Do they wear khaki slacks and a
polo shirt? Yeah. Does their windbreaker jacket have the initials FBI on the back?
No, my name's Frederick Bernard... What's that other one? Female Body Inspector. Oh, dear me. Dear me.
Well, good.
I mean, it's good to see law enforcement doing something
and something very positive as well.
So, you know, especially when one of them's including a Texas school district,
right, save the money so they can spend that money on banning books
and stuff like that.
Banning books and building curved corridors.
Curved corridors and putting up a,
in God we trust stickers on every wall.
Yeah.
Excellent.
Thank you,
Jav for this week's.
Billy Big Balls of the Week.
Balls of the Week.
This is the podcast the King listens to.
Although he won't admit it.
Well, we got that one right this time.
So, yeah, and talking of time, Andy, I think it is that time, isn't it?
It is. It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire,
who have been very busy bringing us the latest and greatest security news from around the globe.
Industry News.
Thriving dark web trading fake security certifications.
Industry news.
Almost all organisations are working with recently breached vendors.
Industry news.
Google Fire confirms data breach, hints that link to T-Mobile hack.
Industry news.
City of London on high alert after ransomware attack.
Industry News.
Researchers warn of crypto scam apps on Apple App Store.
Industry News.
Lazarus Group attack identified after operational security fail.
Industry News.
Women in cybersecurity calls for participants for new measuring inclusion workshops.
Industry News.
Arnold Clark confirms customer data compromised in breach.
Industry News.
Threat actors use click funnels to bypass security services.
Industry News.
Tom Langford finally shaves beard.
Industry News.
And that was this week's
Industry News.
Huge
if true. But we also
know that that last story
is not true. You didn't shave your beard.
I did shave the beard. I just left a little
beard behind.
So you trimmed it? I neatly trimmed it. So again with the lies. You trimmed it, just leave it at that.
Let's move on from there, these in-jokes, shall we, and let's get back to the news stories that
matter. I did shave my beard. It's absolutely true.
Oh, so I've clicked on this story.
This is really interesting about the thriving dark web
that trade in fake security certifications.
So there's a dark web operator called ISC Squared.
And they give out...
For $250 a year, you can subscribe to a certification which...
Which adds no value whatsoever.
Guaranteed to at least get you through the initial round of shortlisting for a job.
For an entry-level job.
So I'm confused, right?
So looking at this story,
so they're saying that the average price ranges
from $5 to $200 for course content.
So, I mean...
Just buy it from the original price.
I was going to say,
is this not the same price as the
original source? Yeah, pretty much, yeah. I don't know, that's just... It's a strange one to me,
seeing that, because a lot of these security certifications you can validate online, right?
You don't even need to... Yeah. Either the person has it or they don't. I don't know. What's Google Fi?
It's the US-only mobile cell phone network. Oh yes, that's right.
So I think there was an issue with this story, the hint of the T-Mobile hack was
they were vulnerable to SIM swapping. So I believe Google Fi uses the T-Mobile network for something, and so, yeah, people could just
swap the SIMs and then get access to MFA content. So they pretend to be someone, get access
to their, yeah, you know, account and receive MFA for all the accounts
and authenticate to whatever services have that MFA.
Again, it's all just much of the same.
It is.
I'm just wondering who Arnold Clark is because he's confirmed customer data.
And why has he got quite so much customer data?
Yeah, exactly.
Okay, so it's a UK car dealer.
I did not know that.
No, you'd never seen them?
Oh, okay.
I thought you were being funny.
No, I've never heard of them.
Car and van rental.
No, Andy only buys direct from the manufacturer.
No, I go to like Hertz or Rent-A-Car.
Yeah.
So Lazarus Group attack identified after OPSEC fail.
Any guesses on what their OPSEC fail was?
Did they hire FBI agents?
Well, close, close, close.
So there's lots of technobabble in the beginning of the article about how, like, you know, what
tools they were using and everything. But the opposite click on a link mistake mentioned,
the team said the attacker used one out of a thousand IP addresses belonging to North Korea.
So, yes, pretty much a fail. Oh, man.
They'll be like, Dave, are you not using the proxy?
Yeah.
I use ExpressVPN.
ExpressVPN for all your needs.
What probably happened was the hacker realised he'd made a mistake
was when he couldn't get to his Netflix content.
Yeah. Yeah.
Or they sent a bill saying
it looks like you're
using an account which is using another location.
The cost of this account is going up
by £3 per month.
That's the thing
with Netflix at the moment, isn't it?
They're going to start to play
hardball and say you can
only use the account in the same household,
like in the same IP address,
which means when you're travelling...
I know.
You've got to go through a process.
You can pay £3 extra per month for that.
Yeah, no, I think it...
What I read was the device needs to be connected
to your home network at least once a month
or something, or once in 30 days. Okay, that's slightly better. Okay, it's less of an issue. But, yeah, it's just, yeah, my in-laws' TV is never going to come to our house and connect to our network.
Exactly. I don't know what my mother's going to do. I mean, it's so funny, so funny. Now you can tell who the cheapskates are
Because they're all moaning about it online
And it's like, okay
Or the ones who are paying for their extended family
They're the ones that are moaning
Because they're the ones that are going to get it in the neck
Yeah, yeah, there is that
Oh my gosh, I'm going to
My bill's gonna be huge.
I need to just cancel it altogether. Changing my passwords today.
Do you know, on Reddit there's so many, you know, choosing beggars stories, you know, about people
demanding to have their, you know, their Netflix reinstated from their, you know, two girlfriends ago. Yeah, exactly. Are you listening to yourself?
I did see there's some guy who was using his ex's account. She paid for it, and he was using
it for two years because he created a profile and called it Settings. Oh, that's right, yes.
Brilliant. They never checked it, assuming it was just settings.
That is quality.
That is quality.
And on that real piece of consumer advice there,
I think we'll call an end to this week's... Industry News.
That threw me.
This is the EasyJet of security podcasts.
Let's be honest, your cheap ass couldn't tell
the difference between us and a premium security podcast anyway
Right, let's go to the last story that we're giving to our cheap-ass listeners. Andy, I
think it's time for you and this week's Tweet of the Week. And we always play that one twice.
Tweet of the Week.
I shall take us home.
This week's Tweet of the Week is courtesy of State of LinkedIn Twitter account.
And they have posted a cutout of obviously something from LinkedIn, a screenshot of someone's post, announcing the passing of a colleague.
And the message says, you know, regarding the passing of, name of, good, it is with the very deepest of sadness
that we announce and mourn the passing of our dear friend and colleague Phil. Phil died doing
what he loved: returning from a customer event in London, networking and promoting our brand.
Oh my god.
I think what the actual tweet, quoted tweet
is from State LinkedIn, sums
that up entirely. It does.
They say, fucking hell.
Wow.
I must, I'm really
good to find out who this was because
that is appalling, absolutely appalling.
But maybe Phil did, you know, love his job that much. Well, yeah, maybe Phil didn't love his
wife and kids that much either. Anyway, someone commented, well, we assume that that's what Phil
loved doing, he often gave up his weekends and spare time in the
course of promoting our brand, so we figure he must have loved doing that.
We're told that his dying words were how much he wanted to smash the sales target in Q2 this year.
His dying action was to push his EpiPen into my hand. Yeah.
Oh, he's pleading at me.
And I think he wanted me to have it. He really wanted me to have it, yeah.
Oh, man.
Phil's family, if you're listening,
but really, oh, my God,
I hope his death in service paid out massively for you
because this is awful. Awful.
What a horrible, horrible message.
Andy, you're depressing us.
Well, the good news is at the end of that post,
there is actually the message of a new vacancy for Phil's former brother.
Looking for a motivated person.
Good folks.
Travel to London.
We're like a family here.
Yeah, we're like a family.
Applicants will be prioritised if they don't die soon.
Yeah.
Wow.
Oh, my goodness.
Do you know what?
I'd love to find out who this actually was, but who knows?
Who knows?
Anyway, thank you, Andy, for this week's...
Tweet of the Week.
Well, we've come barrelling into the end of the show.
We ran quite long, actually, but that's fine.
I think we had fun, didn't we?
No.
We had a time.
That pause was way too long.
Way too long.
You know,
if,
if I die on air during this podcast,
I would not want it to be posted that I died doing what I loved.
That is literally what we are going to,
he died doing what he loved,
winding up Tom.
Yeah,
that's right.
Anyway, Jav, thank you very much, sir. Thank you for your time this week.
Yeah, and Andy, thank you for your time. Stay secure, my friends. Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe. If you hated it, please
leave your best insults on our Reddit channel, worst episode ever, r/smashingsecurity.
Pretend you heard it, fix it in post. Right, what is it? Why did we miss the intro and the outro?
What's going on today?
Well, we didn't miss the intro.
Basically, I'm travelling and for some reason they lost the connection to the files
and I thought I'd update them.
But we heard everything else.
Because I really quickly went through and dropped them in and made a real mess
but managed to work out where everything was.
Amateur hour, man.
I know.
It's like the first time you've put jingles in a podcast.
Well, it's the first time this week.
Yeah.
I'm just trying to desperately search
on LinkedIn if I can find who Phil
is.
I cannot.
I cannot.