The Host Unknown Podcast - Episode 168 - The Purple Pineapple Episode
Episode Date: September 22, 2023This week in InfoSec (09:32)With content liberated from the “today in infosec” twitter account and further afield18th September 2001: The Nimda worm was released. Utilising 5 different infection v...ectors, it became the most widespread virus/worm after only 22 minutes. $ echo "admin" | rev nimda https://twitter.com/todayininfosec/status/170376036668821104116th September 2008: 20-year-old David Kernell compromised the Yahoo! email account of US vice presidential candidate Sarah Palin, then posted her emails to 4chan. 2 years later he was found guilty and sentenced to a year in prison. At age 30 he died of complications related to MS.https://twitter.com/todayininfosec/status/1703169477548884296 Rant of the Week (14:55)[We’re sympathetic of companies who get hacked and what they have to deal with, but there comes a time when they’re repeatedly hacked and you have to ask questions]:T-Mobile app glitch let users see other people's account infoT-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application.According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.As first reported by The Verge, some of the customers affected by this issue could see the sensitive information of multiple other people while logged into their own accounts.While a massive number of reports started surfacing earlier today on Reddit and Twitter, some T-Mobile customers also claimed that they've been experiencing this throughout the last two weeks."Reported this issue when it first popped up here on Reddit over 2 weeks ago and sent pics of the other person's info to their security team. No response, but wow, just wow," one customer said.Nine data breaches since 2018In May, T-Mobile disclosed the second data breach since the start of 2023 after hundreds of customers had their personal information exposed between late February and March after attackers hacked into the carrier's systems.In January, the mobile carrier revealed another data breach after the sensitive info of 37 million customers was stolen using one of its Application Programming Interfaces (APIs).Since 2018, T-Mobile has been hit by seven other data breaches:In August 2018, attackers accessed the data of around 3% of all T-Mobile customers.In 2019, T-Mobile exposed the account info of an undisclosed number of prepaid customers.In March 2020, T-Mobile employees were affected by a breach exposing their personal and financial information.In December 2020, threat actors accessed customer proprietary network info (phone numbers, call records).In February 2021, an internal T-Mobile app was accessed by unknown attackers without authorization.In August 2021, hackers brute-forced their way through T-Mobile's network following a breach of one of its testing environments.In April 2022, the notorious Lapsus$ extortion gang breached T-Mobile's network using stolen credentials. Billy Big Balls of the Week (23:31)Singapore may split liability for phishing losses between banks and victimsSingapore officials announced on Monday that next month they will deliver a consultation paper detailing a split liability scheme that will mean both consumers and banks are on the hook for financial losses flowing from scams.It is an answer to a common question these days: in a world of rampant payment and transfer scams, who is responsible?Countries like Australia have also considered shared loss schemes. Meanwhile, the European Commission has proposed a "refund" to victims of certain types of fraud, including authorised push payment scams.Starting next year, the UK will enforce mandatory reimbursement by banks to scam victims up to one million pounds – with the sending and receiving banks sharing the bill.Singapore's minister of state Alvin Tan has a different view."There are some views that banks can easily absorb losses arising from individual scam cases. However, full restitution without due consideration of culpability is neither fair nor desirable," he told Parliament on Monday. Industry News (33:01)Caesars Entertainment Reveals Major Ransomware BreachPirated Software Likely Cause of Airbus BreachTikTok Fined $368m For Child Data Privacy OffensesIllegal Betting Ring Used Satellite Tech to Get Scoop on ResultsMicrosoft AI Researchers Leak 38TB of Private DataClorox Struggling to Recover From August Cyber-AttackThreat Actor Claims Major TransUnion Data BreachFinnish Authorities Shutter Dark Web Drugs MarketplaceInternational Criminal Court Reveals Security Breach Tweet of the Week (41:32) https://x.com/gabsmashh/status/1704875732282077244?s=20 Come on! Like and bloody well subscribe!
Transcript
Discussion (0)
any of this chat or they just it is so dry it's like oh i know getting surprised with no loop
that's what i heard about graham he's he's a he's a little bit a little bit quick off the mark
yeah doesn't even say are you ready to record it's just like there's no precursor no no preamble
there's there's no foreplay with graham is there no but you know as I was as I was just downstairs making a coffee it did make me chuckle because he did mention that when he comes on here everyone just
disappears and does their own thing for like half an hour before we start recording
and I'm making my coffee downstairs whilst you know you're off in the kitchen
yeah well I think yes well I walked in you out. I waited until you got back.
Oh, that's a good idea.
I'll get a coffee.
In my mind as well now.
Classic English farce.
Next minute there'll be a vicar popping out from under the stairs.
Actually, I think I should have gotten a coffee now.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all.
Welcome, dear listener, to episode 172 68 of the host unknown podcast we've over time we've
drifted where actually now we're swapping time sync yeah exactly exactly uh i'll fix it in post
uh yes 168 of the hosts unknown podcast i don't know what we'll call this uh this episode probably
the the way we've already done the Late Late Show.
I've been sat here waiting for an hour
for you two to arrive.
I was here on time.
You were not.
You were here at 8.45.
Almost on time.
You were here at 7.45.
6.45.
on time. You were here at 7.45. And here it is now, a quarter to eight. Anyway, yeah,
so it's a bit of a slow start this morning. Anyway, Jav, how are you? How's your week been? Good, good. I saw live karma in action this week.
So I took a drive up to Leicester on Wednesday.
There was a little event there.
And as I was driving back, the heavens opened up and it was like absolutely chucking it down with rain.
And I was coming down the M1 and everyone's doing like 50 to 60 miles per hour.
That's about it.
And there's this white souped up hot hatch that goes on the outside lane doing about 80 or 90.
In the pouring rain.
And in the pouring rain where visibility is like literally like you know
a few you know 20 meters or something like that you can't see further than that you just see make
out like the lights are there do you know what add blue neon lights underneath that car and that
was me 20 years ago yeah 20 30 yeah and uh lo and behold, five minutes up the road,
traffic's all slowing down, crawling to a halt,
and then people changing lanes.
And see homeboy spun his car out, front bumper in the Central Reservation,
car facing the wrong way.
And him sitting on the, you the you know well there's some cars
that had pulled over us i think he was he was like behind one of those on the side over there
basically pulled over to tell him he's a bit of a twat yeah yeah so uh so you know i i chuckled a
bit at thinking that that was andy 20 years ago aquaplaning on the motorway so so basically your your the highlight of your week
was a huge dose of schadenfreude
something like that yeah
if you can hear some clicking in the background that's google now
that's jav now googling schadenfreude
no i just like i'm trying to work out how you spell it first before i can actually google it
it's going on mute elenca what is sheldon it's uh it's taking the delight in in the
pleasure from other people's misfortune yeah well that that's the title of my life autobiography then, isn't it?
We should probably call this podcast that.
Oh, dear. Anyway, talking about pleasure and misfortune.
Andy, how are you doing? How's your week been?
Not too bad. It's been an all right week, actually. Can't complain. I met with some old friends in fact not even friends
just old colleagues really you know what i barely know them yeah it's you know every now and then
you've got to keep in contact with people that you know you've kind of known for 10 years just
in case you need a reference for anything it's uh you know i just remember when i left my job at pwc
and uh we had a big big night out and out and I stood up and went to the pub,
et cetera, put a whole bunch of money behind the bar. And at one point, you know, people said
speech, speech, this is back in sort of like 2002 when that sort of thing happened. And,
and so basically I stood up and said, I will think of all of you as people I once knew.
It's true.
We move on, right right we move on right we move on no it is uh it is still good to uh stay in contact every now and then just sort of see
what's going on and then just kind of sad miserable lives well i just kind of think
actually did i make the right move did i not did i and yeah on balance i think you did absolutely
yeah absolutely that's good but uh
talking to people moving on yeah yes very good uh i i was actually up in london on monday night
to meet my 74 year old cousin which is lovely your 74th wife yeah 74 so did you two um uh go to schools together no no no no no
she used to babysit uh used to babysit her when she was younger right
him but but no he was uh he was over from australia because that side of the family
moved over many many years ago it's my father's sister's son um but it was really nice you know
i think i'd met him when i was very very young so i have no recollection of it um um but he was
remember what you did last year yeah exactly let alone anything else but uh he's got a cracking
sense of humor so he's he's only got one leg, which I think, you know, well, for a start,
you know, we were off.
Always good material to start with.
Always good material.
But he's ex-Australian SAS.
He, you know, he lost his leg in Rhodesia, blah, blah, blah.
And he was talking about his missus.
Rhodesia?
We still say that.
Oh, sorry.
Well, that's what he calls it.
Sorry.
What is it now?
What's the modern, what's the real name for Rhodesia?
Isn't it Zimb?
Is it Zimbabwe?
Zimbabwe, yeah.
Okay, okay. Yeah, it's funny. Do you know what? I just took it on face value. It's funny how you forget, you know, like Bengaluru instead of Bangalore and Chennai instead of...
Look at Tom trying to like cover up how he just slips into casual racism with his friends
damn straight I am genuine mistake um just took it on face value uh we was talking about how his
how his wife and daughter are in Spain there's some long walk thing um which yeah some black
Spain is a long walk from Australia you've got to give them that well. Well, yeah, true. But it's like a pilgrimage thing.
Anyway, so they're doing that.
And I said, well, it's just as...
Because he had an Apple Watch on as well.
I said, just as well, you're not going
because you'd only get half the steps in.
Yeah, it was a nice time anyway.
It was really good.
And then with my mother, the Duchess as well, stayed overnight. So it was really good uh and then with uh with my mother the duchess as well stayed
overnight so it was really nice to see her did a bit of uh network troubleshooting which most
people would have fixed in about 20 minutes and took me about two hours uh you managed to stretch
it out good well i managed to be very very confused all it all it came down to was the
access point needed rebooting.
Literally the first thing that people would do.
Yeah, but it was coming up with certificate errors.
That was the thing.
Like, what?
Anyway, talking of errors, certificate or otherwise,
shall we see what we've got coming up for you this week?
This week in InfoSec is a story about vice presidential candidates
using Yahoo Mail.
Rant of the Week asks
where we should draw the line on
victims. Billy Big Balls
asks won't somebody think
of the poor banks?
Industry News brings the latest and greatest security news stories
from around the world and Tweet of the Week
queries a recent
acquisition.
So, let's move on to our favourite part of the show,
the part of the show that we love to call...
This Week in InfoSec.
It is that part of the show where we take a trip down infosec memory lane with content
liberated from the today in infosec twitter account and further afield and our first story
shall take us back a mere 22 years ago to the 18th of september 2001 when the ninder worm was released utilizing five different
infection vectors it became the most widespread virus after only 22 minutes wow i did not know
that yeah it's huge and obviously it was um there's a huge panic at the time it was a week
after 9 1111 had occurred.
And so, you know, the US didn't know if they were getting attacked on sort of multiple fronts.
It was like, you know, that was a physical, now comes a cyber.
But yeah, NIMDA was also known as the concept virus, obviously a worm.
It could spread, as we mentioned, through multiple methods.
So email, web servers, network shares, the email propagation, it could spread via we mentioned through multiple methods. So email web servers, network shares,
the email propagation,
it could spread via email attachments and email messages,
exploited web server vulnerabilities,
network shares, multiple payloads for this virus,
absolutely fantastic.
So it could overwrite files, it slowed down machines,
it could modify web pages.
But yeah, like I say, it was known for its widespread disruption,
but most notably the speed that it could spread at.
Kind of drifted off there.
Did you lose your thread a bit?
I did. I heard some typing in the background.
More keyboard noises from Jav.
I've got my quiet Apple
keyboard and I wasn't even touching it.
Yeah.
It wasn't...
Do you know what? I reckon Andy's
just hearing it in his head now.
Yeah, yeah, yeah. Even last week he was like
oh, I can hear something, I can hear something.
He's such a keyboard Nazi.
He is.
Nazi? Nazi. He is. Nazi?
Nazi.
You did not see that coming.
He's going to tell us that the keyboard clicks don't track now.
I love it.
Jav's sitting there saying,
it's not me while he's looking at his other screen,
his arm going up and down like that.
It's not me. It wasn't me at all. It his arm going up and down like that. And he's like, it's not me.
It wasn't me at all.
It wasn't me.
I don't know how I came off mute, but it wasn't me at all.
Accidentally hit the space bar.
Anyway, our second story takes us back a mere 15 years to the 16th of september 2008 when 20 year old david cornell compromised the yahoo email account of
u.s vice presidential candidate sarah palin and then he posted her emails to 4chan
and yeah two years later was found guilty and sentenced to a year and a day in prison
which i mean if you think back then,
we thought Sarah Palin would be a bad idea as a vice president, right?
And then we saw her emails.
Yeah.
And then, yeah, along comes, you know,
the alternative candidates and one actually became president.
But yeah, no, it's a huge cyber security incident back in 2008 um she was the
then governor of alaska uh and obviously republican vice presidential nominee she she was um she was
very qualified because she had lots of um uh foreign country experience because she could
see russia from alaska exactly yeah i mean they practically, yeah, it's the same thing, right?
So the guy, David Cornell,
he actually operates under the pseudonym Rubico.
He managed to gain entry into her account
by using publicly available information
to reset her password.
And then, obviously, once he downloaded her emails,
he then shared that with um
the uh you know the the well-known uh group of people with high moral values down at 4chan
but yeah no you know the incident did prompt sort of concerns about online privacy security and
you know potential vulnerability of public figures to cyber attacks um but yeah it while it did have obviously humorous aspects of the uh the attack it is
a reminder of the importance of cyber security and the need for individuals and public figures
to take steps to protect their online laughs, you stay for the sage advice.
Exactly.
This week in InfoServe.
You're listening to the Host Unknown podcast. Bubblegum for the brain.
the host unknown podcast bubble gum for the brain right let's move on shall we to uh well my favorite part of the show because i'm doing
all the talking it's called listen up rent of the week it's time to mother rage
right if jab finds fault in this, I'm sorry.
I think I'm just going to pack it all in.
I don't attack the story, I attack the man.
Very good.
As a man of moral turpitude, I can see there, Jav.
So obviously, and we've said this on the
show a number of times we're we're always sympathetic to companies who get hacked and
what they have to deal with you know we're not into victim blaming or supporting the the criminals or
anything like that you know but um but there has to be a line drawn right there has to be a line drawn, right?
There has to be a point where you question a company's ability to run business.
So we're talking about T-Mobile.
So T-Mobile has recently had another glitch, security breach, where it lets users see other people's account information.
Customers were talking on Reddit and other social media accounts platforms about how when they log in, they're able to see other people's personal and sensitive information after logging into the company's official mobile app.
The exposed information included customers' names, phone numbers, addresses, account balance,
credit card details, like the expiration dates and the last four digits.
I mean, I guess at least they covered that, right?
So it was first reported on The Verge.
Some of the customers affected by the issue could see the sensitive information after they logged into their accounts.
And although this surfaced in the last few days, it's actually been going on apparently for up to two weeks.
on apparently for up to two weeks. One user said on Reddit, reported this issue when it first popped up here on Reddit over two weeks ago and sent pics of this other person's info to their security team.
No response. Wow. Just wow. One customer said. Now let's put this in context. You know, things go wrong with your technology, right?
You know, it's coded by humans. It's just, you know, stuff happens.
I've got to say two weeks is a long time, right? It should have been addressed the moment they saw it.
But OK, it's given the benefit of doubt. Until you look at the history.
you look at the history. So since 2018, how many times do you think T-Mobile has had a data breach?
Three, four, nine, nine, nine times. That's nearly once every six months. That's probably something like once every 7.5 months on average. Are we talking about like proper breach or are we just like a little noddy?
August 2018, attackers accessed the data of around 3% of T-Mobile users.
That's tens of thousands of people.
In 2019, T-Mobile exposed the account info of an undisclosed number of prepaid customers.
In March 2020, T-Mobile employees were affected by a breach exposing their personal and financial information.
December 2020, threat actors accessed customer proprietary network info, such as phone numbers and call records.
February 2021, an internal T-Mobile app was accessed by unknown attackers without authorization.
August 21, hackers brute-forced their way through T-Mobile's network following a breach of one of its testing environments.
April 22, the notorious Lapsus extortion gang breached T-Mobile's network using stolen credentials.
Wow. And now this one.
So it's just, you have to question, you have to question what is going on there.
To be fair, they're not just exposing customers.
They are at least the employees are also in on this.
They've got skin in the game, right?
Exactly.
If they say we're in this together, they actually mean it.
They literally are in this together.
T-Mobile, we don't discriminate between your data or our data.
We lose all of our data.
Yeah, we treat your data exactly the same as ours.
But you have to ask.
I mean, maybe, and it would be good to see, you know,
get some insider information here.
Maybe, and it would be good to see, you know, get some insider information here.
Maybe there are some real fundamental flaws in the platform.
But I thought T-Mobile was one of the more modern operators, right?
I thought they were fairly recent.
They're not an AT&T or Verizon that were there from day one and therefore had, you know,
probably still got mainframes running stuff and, you know and very poor integration and all that sort of stuff.
I thought they were one of the more recent operators for a start.
So their tech stack should be fairly up to date.
But who knows?
You don't know also what their financials are like,
apart from what is disclosed.
And I assume they're still doing okay, but that might be because they're not investing money in tech.
But you have to question, really,
what is so fundamentally flawed in their environment
that it gets breached every seven or so months?
Really, what is going on?
What is going on?
I wonder what the lifespan of their cso is
do you know what that would be that that would be some good linkedin research wouldn't it
that would be brilliant they've probably stopped calling them cso's now they're probably you know
um master of the dark arts i don't know yeah i i love how on this story you started off by saying we do not
like to victim blame and then proceeded to victim blame for the next five minutes straight in this
case damn straight bringing out bringing out digging up ancient history uh in yeah i think
you'd find in 2018 you suffered a breach there in 2019 history you know to be fair it's constant there is something every year
like they've not even yeah yeah they're consistent it's actually consistent yeah we only know about
it from 2018 like maybe they didn't even have monitoring before 2018
wow i know but it's a bit like you you get house burgled, right? Because you, I don't know, you leave a latch open on one of your windows or something and your house is burgled.
That's still wrong, right?
But then you don't fix the latch and then you open the window and you get burgled again.
It's like, oh, that's really bad.
If that happens to you nine times, you know, because you haven't fixed your window latch.
Yes, you are being targeted, but you're being targeted because you're an idiot.
Wow. So we've gone from we don't victim blame to T-Mobile, you're an idiot.
Yes, they are.
Quote by Tom Langford.
Well, no, I'm talking about said homeowner who's leaving their window open.
But yeah.
Pulling no punches, wow.
So how would you take this story?
Poor T-Mobile, bullied by playground hackers.
By every hacker in there.
T-Mobile sets up bug bounty program to teach kids the value of skills in important hacking skills or playground.
To teach 16-year-olds living in mother's basement.
Yeah, sets up non-financial incentivated bug bounty program.
Yes, exactly.
Exactly.
Do you know what?
I like that.
We should have, maybe we should change
rant of the week to positive spin of the week you know oh dear anyway that was rant of the week
recording from the uk
you're listening to the Host Unknown podcast.
Right, Jav, let's see how we can clash on this one.
So this ties in quite nicely with stories that both of you have brought up
and the key messaging is like you know there's
responsibility on every side when it comes to a breach or fraud specifically so you know when
Andy was talking about Sarah Palin's email and it brought about that whole question about you know
people should be a bit more savvy people should should, you know, they should take some responsibility,
not use their real, you know.
Anyway, so the question is,
we are getting so much more payment transfer scams and fraud.
Who is responsible?
And Singapore has shown they've got a pair of kahunas on them by announcing
that they would deliver a consultation paper detailing a split liability scheme that will
mean both customers and banks are on the hook for financial losses flowing from scams.
for financial losses flowing from scams.
Countries like Australia have also considered share loss schemes.
Meanwhile, the European Commission has proposed
a refund to victims of certain types of fraud,
including authorized push payment scams.
The UK, not wanting to get left behind,
next year will enforce a mandatory reimbursement by banks to victims,
by banks to scam victims up to £1 million,
with the sending and receiving banks sharing the bill.
See, that's just going to make transactions harder.
It is.
Are you sure you want to make this transaction are you positive your customers or that know
your customer stuff is going to go through the roof right it's yeah come to the uh come to the
local branch which is now 52 miles away yeah unless you live in wales unless you live in wales
or scotland or Scotland or the Scottish Highlands
where your mobile bank will drive up to you on the 3rd October
or 3rd weekend of every month.
If you're in Wales or Scotland, you just have to drive to another country
to get to your local bank.
Yes, pretty much.
But yes, Singapore's Minister of State, Al Van Tan, has their view.
There are some views that banks can easily absorb losses arising
from individual scam cases however full restitution without due consideration of culpability is neither
fair nor desirable so it is really interesting because like you know banks have always experienced
fraud like from from you fraud from the beginning.
And a lot of them will set aside a certain amount of money to just absorb this because it's easier to refund people.
Maybe there's like a £50 million budget a year.
And that's easier to do than to actually then get into the whole litigation
and who's to blame and who's not to
blame and having very expensive lawyers and what have you and uh and and the way of thinking of
this is it it's all risk management isn't it it's all like you know can is this risk tolerable or do
we transfer some of the risk and uh yeah it it reminds me of like my favorite explanation of this was from the movie Fight Club, where the main character, the narrator played by Edward Norton.
He's like he works for a car company and he assesses accidents.
He works for an insurance company.
Insurance company.
That's one.
So I'm a recall
coordinator. My job is to apply the formula. A new car built by my company leaves somewhere
traveling at 60 miles per hour. The rear differential locks up. The car crashes and
burns with everyone trapped inside. Now, do we initiate a recall? Take the number of vehicles
in the fuel, A. Multiply it by the probability of failure, B. Then multiply the number of vehicles in their fuel, A, multiply it by the probability of failure, B,
then multiply the result of the average out-of-court settlement, C.
A times B times C equals X.
If X is less than the cost of a recall, we don't do one.
And I think that's the very same formula that Mr Tan of Singapore is applying here.
Just with slightly less death attached to it, I guess.
I don't know.
The thing on this is it's taking such a binary view, isn't it?
It's just taking a, you know, well, we're not going to.
Yeah, you have to.
I actually think this is a good move.
Because the UK is making sure that the banks refund everyone, right?
But if you think, you see the amount of people that actually transfer money,
you know, that then say they got victimized.
You know, someone said that this.
And you have to go through so many steps.
Are you sure you want to transfer this money?
Do you know who this person is? Are they asking you to make payment quickly yeah and it's like there's only
so many times you can guide and you know people click through all of this stuff constantly and
then you know face i see we all click through stuff i mean i don't know i actually think yeah
because this way how many end user license agreements have you read?
Only about 692 as of last week.
But I haven't installed anything for it.
694th is probably the one that's going to get you, right?
Yeah, exactly.
But people click through stuff because they become blind to it.
And now they're going to learn.
Yeah.
It's going to learn today, boy.
It's too far the other way we need three strikes and you're out or uh or uh you know like the financial services compensation scheme they
did well no because then otherwise people just keep getting defrauded they don't pay any attention
they're not changing their behaviors yeah but you know they just know they've got a safety net of
the what a million pounds is the limit well yeah, that seems rather extreme, I must admit.
You know, I would have said something like 10 grand, five grand, you know.
But I don't know. I just I just think skin in the game.
Skin in the game is all well and good.
But we also talk about how convincing a lot of these attacks are nowadays,
how, you know, how efficient attack is really convincing. also talk about how convincing a lot of these attacks are nowadays how a phishing attack
is really convincing
and how we all sometimes
nearly get drawn in
and they're designed to trick you
and they're designed to do this
so you are being robbed
so we're not talking about financial
institutions where companies
should have additional
processes to to
not get fished and tricked by this type of we're talking about average house users so someone that
you know gets an email yes hey you know you've inherited all this money from an unknown relative
you didn't know you had in yeah you know so they're getting even more they're getting more of these attacks.
We've got 62 billion Zimbabwean
dollars that we need to transfer,
but there's an administration fee to get it
through customs.
Unfortunately, anyway, it's Rhodesian
dollars, I think you'll find,
which only comes out at about
£4.50 anyway, but nonetheless.
No, I think Andy's right.
I think this would be a two-step process.
I think one is it pushes more accountability to people
to think a bit more carefully, but also it should slow down
some of these transfers anyway.
So banks should put in better controls.
I know that the whole thing is on faster payments
and everything but if it's a new account you're making a payment to and it's based in another
country or there's no agreement to recall funds and all that kind of stuff then yeah you should
slow it down i think you know slowing down payments is is a good good measure for that as
well especially if banks are 50 percent liable for even 100 percent whatever
it is that's not what you said when you needed that 100 quid off me the other day
what do it now do it now come on i did it i did it now yeah exactly and they just proved that you
fell for the scam and now you i'm only giving you 50 pounds back to prove the point.
Very good.
Very good.
It's an interesting one.
It's an interesting one.
I guess we will see, right?
I guess we will see.
But yes, thank you, Jav,
for that almost coherent Billy Big Balls. Billy Big Balls of the Week.
We don't research the story, but let us tell you what we think based on the headline.
You're listening to Insights from the award-winning Host Unknown podcast.
And talking about crap from headlines, let's see what time it is.
Andy, is it that time of the week?
It is that time of the week where we head over to our news sources over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
Industry News Caesar's Entertainment reveals major ransomware breach
Industry News
Pirated software likely cause of Airbus breach
Industry News
TikTok fined $368 million for child data privacy offences
Industry News $168 million for child data privacy offences. Industry news.
A legal betting ring used satellite tech to get scoop on results.
Industry news.
Microsoft AI researchers leak 38 terabytes of private data.
Industry news.
Clorox struggling to recover from August cyber attack. Industry news. And that was this week's... National Criminal Court reveals security breach. Industry News.
And that was this week's... Industry News.
Huge, if true.
Huge.
Huge, one might say.
So I'm looking at this pirated software.
Oh, my God.
Really?
So we were actually talking just before the uh show we were talking
about how you know industries that have health and safety yes of mine generally have a good
culture of compliance because they understand the seriousness of it and culture as well they
have a strong culture they yes yeah absolutely yeah so that's the whole point yeah so in this
situation it looks like,
obviously, they've got the standard,
Airbus takes cybersecurity seriously.
Threat actor known as USTOD claiming to work
as part of the ransomware group posted the data breach.
Okay, so they stole data, lots of personal information,
names, addresses, phone numbers, email addresses.
So an employee of turkish airlines um installed some pirate software a pirated version of the microsoft.net
framework oh man see that must be i mean that that's free right that's not even
you don't pay for.net framework these days do you
You don't pay for.NET framework these days, do you?
No, I don't think so.
So presumably they just got it from a download site.
Well, like I say, we don't research the stories.
We just make judgments.
But it should have done better.
Hey, from the headline alone, it's outrageous.
Yes, exactly.
TikTok fined 368 million for child
data privacy offences.
Witch hunt.
I'm glad I'm not on that platform.
Glad they kicked you out.
Weren't you too old to join?
Didn't they say that your account was banned
because you didn't speak Gen Z?
You're not fluent in the...
I'm down with the kids, innit?
Yeah, your basic millennial left a lot to be desired.
They couldn't validate you as a...
So this was purely about default set.
And this is, you know,
you don't see the other social media networks getting fined like this.
So any account for children was set to public by default
uh whereas the default behavior should be to ensure that any account um owned by children
is private by default is is that enshrined in law that that uh account details for children
should be set to i i assume that there is some sort of data protection um because it guidance which is very strongly
saying that persons under the age of yeah because the interesting thing here is if they're fined
368 million you'd think it was because they were told oh by the way you know your settings here
are wrong for children you need to change it and tiktok went nah fuck you we're not gonna we're
not gonna do that we don't care about kids' security.
In which case, fine, hit them with a big cash fine
and teach them a lesson.
If it's kind of like, oh, we found a little loophole
that you're not doing, then that's a different matter.
That's what it feels like.
It very much feels like that.
It's a proper witch hunt.
Yeah.
And to be fair, the Irish Data Protection Commission
is not shy at dishing out big fines.
No.
Well, they need the money for their economy, for a start.
Yeah.
Yeah.
So is this from Ireland, is it?
Yeah, it's the Irish DPC.
Interesting.
What else have we got? Oh, we covered last week actually caesar's entertainment reveals major ransomware breaches it's good to know that uh now they've come out and admitted it
well that our news sources are now using us as a source of news right of course
yeah caesar's realized they got breached. Yeah. So this TransUnion one,
so ThreatActor claims major TransUnion data breach.
So TransUnion's one of the big credit providers.
And so three gigs of data were published,
sort of about 60,000 individuals of this data.
The problem is this data has now been breached so many times, you can't even tell where it
comes from. It's been rigged. And so this happens
with a lot, you know, between the credit agencies, you know, particularly post the Equifax
breach. Every time, like, you know, they sort of package up data,
say it's from a particular company and sort of then state
that, you know, we've got more but here's
enough of the data to validate all the data is real you just can't prove where it comes from
yeah and so it's uh yeah and when you say three gigs of data it sounds like an awful lot
until you get to microsoft levels of data. 38 terabytes. How many thousands of times larger is that?
10,000 times larger? I can't work it out. But yeah, that's a lot of
data. I mean, you've got to wonder, has anybody even got systems large enough to deal with that data so this included um
data including microsoft employees personal computer backups the backups contain sensitive
personal data including passwords to microsoft services secret keys and over 30 000 internal
microsoft teams messages from 359 microsoft employees you see you see
something like this what they should should do is make sure that all the data is in one big zip file
because then you have to download the entire thing before you can open it up and read it
you know which which of course nobody can do that's that's your security through obscurity
if it's kind of like oh we can stream data and we'll get live data down,
then, yeah, anybody can do it.
But, you know, you can't sit at home and go, ooh, I'll have that data
because you'll fill up your hard disk.
It won't open because it's not a proper zip file.
But done.
I mean, it's easy, right?
Fantastic.
That's Tom's security advice.
Tom, you know, if anyone's looking for a competency
so who thinks outside the box.
Well, T-Mobile.
Do you know what?
T-Mobile could do it.
Yeah, I need a job for six months.
Yeah, yeah, yeah.
Maybe you could join the Krebs Stamos group.
I mean, like, you know, you'd be in good company there.
Friends of the show.
Please come on the show, Krebs and Stamos.
We'd love to take the piss out of you in person.
Oh, dear.
I think that just about sums it up, really, doesn't it?
Industry News.
industry news people who prefer the smashing security podcast over the host unknown podcast
are statistically more likely to enjoy the harry and megan documentaries read into that what you will
that one's slowly going out of date as as har, as Harry and Megan are slowly falling in out of relevance.
Absolutely.
Right,
Andy,
take us home for this week's tweet of the week.
And we always play that one twice.
And this week's tweet of the week comes from Lady G who is at Gab smash on X.
And this is following the news of cisco's acquisition
of splunk at a cost of 28 billion dollars and so lady g asks is this 28 billion dollars that
cisco is giving splunk to buy them or just renew their license for the year it's so brilliant brilliant that is so true
it is um you'd like to think they get a free license for that
yeah spunk used to be great when they first launched they were like you know everyone
wanted to get to spunk then their prices just kept going up, kept going up, kept going up.
Yeah.
If you want to store anything beyond yesterday.
Well, that's it.
That's it then.
All right.
That was a short and sweet one.
That was.
Tweet of the week.
You can tell we've been on this since about half past five in the morning
because I think we just run out of energy.
Run out of coffee.
Yeah, run out of coffee.
Exactly.
Exactly.
Well, gentlemen, thank you so much for your input,
your radiant smiles that I can see on the cameras at the moment,
and staying in all morning just to get this done.
Much appreciated.
Jav, thank you very much.
You're welcome.
And Andy, thank you.
Stay secure, my friends.
Stay secure.
You've been listening to the Host Unknown podcast.
If you enjoyed what you heard comment and subscribe
if you hated it please leave your best insults on our reddit channel
worst episode ever r slash smashing security
what was that word again shade and fraud shard and freadenfreud. S-C-H-
A-D-E-N
F-R-A-U-D-E.
Yeah.
Autocomplete. You're obviously
typing it an awful lot.
When you
get hit by a bus, I will be very,
very happy. Is that
a good word? Boom!
There you go.
Slapstick is the perfect example
of schadenfreude.
As in slapstick comedy,
not slapping someone with a stick.
Oh.
That's assault.
Okay.
Unless there's like the...
Purple pineapple.
Purple pineapple.
Purple pineapple?
Wasn't that our safe word?
That is safe