The Host Unknown Podcast - Episode 179 - The One Third Empty Show
Episode Date: January 12, 2024

This week in InfoSec (06:16)
With content liberated from the “today in infosec” twitter account and further afield

6th January 2014: Intel renamed its McAfee subsidiary Intel Security, distancing itself from the name of McAfee's founder, John McAfee. In 2017 Intel spun off McAfee as a separate company...then several months later John McAfee and Intel settled a lawsuit over Intel's use of the McAfee name.
https://twitter.com/todayininfosec/status/1743711096559554607

10th January 2000: The FBI was after the hacker Maxim after he posted credit card numbers online when CD Universe refused to pay $100,000 in extortion. 6 months later it was shared that he'd likely never be prosecuted b/c 1 or more of the firms which performed IR screwed up chain of custody.
Data thief threatens to strike again
https://twitter.com/todayininfosec/status/1745207259058081942

8th January 1986: "The Hacker Manifesto" was written by Loyd Blankenship (aka The Mentor) and originally titled "The Conscience of a Hacker". 8 months later it was published in issue 7 of the hacker zine Phrack.
Read it [again]. http://phrack.org/issues/7/3.html#article
https://twitter.com/todayininfosec/status/1744413963696161010

Rant of the Week (16:44)
Cybercrooks play dress-up as 'helpful' researchers in latest ransomware ruse
Posing as cyber samaritans, scumbags are kicking folks when they're down
Ransomware victims already reeling from potential biz disruption and the cost of resolving the matter are now being subjected to follow-on extortion attempts by criminals posing as helpful security researchers.
Researchers at Arctic Wolf Labs publicized two cases in which casualties of the Royal and Akira ransomware gangs were targeted by a third party, believed to be the same individual or group in both scenarios, and extorted by a fake cyber samaritan.
Victims were approached by a "security researcher" who offered post-exploitation services. In one case, the mark was told the ransomware gang's server could be hacked and their stolen data could be deleted.
Another victim was told the "researcher," who used different monikers in each attempt, gained access to the servers used to store victims' stolen data, offering the chance to either delete it or grant the victim access to the server themselves.
In return, the hacked customers were asked for a fee of approximately 5 Bitcoin ($225,823 at today's exchange rate).
"As far as Arctic Wolf Labs is aware, this is the first published instance of a threat actor posing as a legitimate security researcher offering to delete hacked data from a separate ransomware group," Stefan Hostetler and Steven Campbell, both senior threat intelligence researchers at Arctic Wolf, blogged.
"While the personalities involved in these secondary extortion attempts were presented as separate entities, we assess with moderate confidence that the extortion attempts were likely perpetrated by the same threat actor."

Billy Big Balls of the Week (21:34)
All India Pregnant Job service: Indian men conned by 'impregnating women' scam
As cyber scams go, this one is rather unique.
In early December Mangesh Kumar (name changed) was scrolling on Facebook when he came across a video from the "All India Pregnant Job Service" and decided to check it out.
The job sounded too good to be true: money - and lots of it - in return for getting a woman pregnant.
It was, of course, too good to be true.
So far, the 33-year-old, who earns 15,000 rupees ($180; £142) per month working for a wedding party decoration company, has already lost 16,000 rupees to fraudsters - and they are asking for more.
But Mangesh, from the northern Indian state of Bihar, is not the only person to fall for the scam.
Deputy superintendent of police Kalyan Anand, who heads the cyber cell in Bihar's Nawada district, told the BBC there were hundreds of victims of an elaborate con where gullible men were lured to part with their cash on the promise of a huge pay day, and a night in a hotel with a childless woman.
So far, his team have arrested eight men, seized nine mobile phones and a printer, and are still searching for 18 others.
But finding the victims has proved more tricky.

Industry News (29:21)
23andMe Blames User “Negligence” for Data Breach
Merck Settles With Insurers Over $700m NotPetya Claim
North Korean Hackers Stole $600m in Crypto in 2023
Anti-Hezbollah Groups Hack Beirut Airport Screens
Ukrainian “Blackjack” Hackers Take Out Russian ISP
Cyber Insurance Market to be Worth Over $90bn by 2033
Only 4% of US States Fully Prepared for Cyber-Attacks Targeting Elections
NCSC Publishes Practical Security Guidance For SMBs
Mandiant's X Account Was Hacked in Brute-Force Password Attack

Tweet of the Week (38:11)
https://twitter.com/chris_walker_/status/1744805492273430886

Come on! Like and bloody well subscribe!
Transcript
nobody's gonna know
nobody's gonna know they're gonna know
how would they know
how would they know how would they know i can't i can't I just I can't oh my god
he's not coming is he
he's not
he's not
and it's going to be fine right
it's going to be easier
no one's going to know
no one's going to know
no one's going to know
but nobody will notice
even he won't notice
you're listening to the
host unknown podcast
You're listening to the Host Unknown Podcast, and welcome back. It has been 27 days since our last, uh, confession here on Host Unknown. 27. I think that's probably the longest break we've had, isn't it? It really is. Yeah, and why did...
Was it because, uh, someone pulled out at the last minute? Yeah, yeah. I can't think who. And twice as
well. Well, yeah, this being the second time, you know, month at least. Yeah. Yeah, ridiculous.
Yeah, that's right.
Well, it was last year.
It was a long time ago.
I can't remember.
And obviously with the age and the memory, that's funny.
No, there's no age in.
It's just my memory.
Do you know what I think has happened?
He's probably called in sick from work all week
and now realised that he can't go on a podcast.
Yes, exactly.
In case his colleagues hear it.
I've been signed off all week.
There's no way I can do anything.
So much sunshine in those photos he's been sending though, right?
There is, yeah.
Weird.
I got a postcard from him yesterday as well.
Yeah, Florida was it?
I think so, yeah.
Or was it Costa Rica?
I can't remember one of the...
Yeah, I got it when he was in LA.
Yeah.
He posted mine from LA, so...
Yeah.
He's enjoying himself a lot, mate.
He is.
Working from home.
Yeah.
Sorry, guys.
I may not be on regularly as I'm not feeling too good.
Yeah.
May not be on regularly.
Oh, back to normal then, mate.
Yeah. Anyway, how was your break? It's been a while. It was very good. I had, uh, two and a half weeks off, something
like that. So, uh, present me is cursing past me for putting all that work off to, uh, this year,
um, because I came back on Monday and holy moly, um, you know, lots to do on Monday, lots of emails and stuff.
Well, well, well, the consequences of your own actions.
Exactly, that's exactly it.
Exactly what's happened.
But I've kept the Christmas beard for the time being.
I know you can't see this on screen, dear listener,
but it's becoming a fine mountain of hair, I think.
I like the way you dye it white as well to give it that old Father Christmas.
Do you know what? I have to do that most mornings.
Because being so manly, it just sort of goes back to the main colour,
the main colour of the hair on my head, basically,
but the main colour just overnight.
But it does tell me where the nearest mountain is,
and it does protect me from
bear attacks. So, absolutely. Yeah, yeah. So as you can see, I'm clean shaven. You are, always, all round,
I think, including your eyebrows. All over, yeah. I got carried away this morning. I just
wasn't quite with it. So what about you? How was your break? Any New Year's resolutions?
New Year's resolutions are sort of loose promises that you don't have to, you know.
That are not legally binding.
Non-legally binding commitments, yeah.
No, I actually worked through Christmas and New Year.
I was available.
Really?
Yeah, I just didn't take any time off.
I've still got some time to take off.
I was saving my holiday for the February half term.
Oh, and for the legal problems abroad.
Absolutely.
But I also have, I had that cough as well.
You know that sort of 30-day cough,
nicknamed the 30-day cough?
Yeah, yeah.
That persistent cough.
I had that, and the only thing getting me through it was
sherry. Oh, so New Year's resolution is buy more sherry. Well, I don't, I felt, we've actually got
another bottle in the cupboard, so I'm all right with that. But, uh, yeah, I mean between that in the
hallway in Amazon boxes. Yeah, that, that festive period I almost got through a whole bottle on
my own. Wow. Um, and I was, I was sort of sipping it, you know, during the day,
working from home, and it was festive time.
And it was medicinal.
Exactly.
It was medicinal purposes only.
Put a little touch here.
Yeah, have a little sherry, darling.
Exactly.
And it really did help the throat.
So I'll just put that out there as a little helper if you need it.
Just don't be afraid to go a bit old school with the methods.
That and the whiskey in the kids' milk bottle.
Whiskey in the gums.
Yeah, exactly.
For bedtime.
Yeah.
Exactly.
And talking about getting inappropriately drunk,
shall we see what we have got coming up for you this week?
This week in InfoSec is an industry giant addressing the question, what's in a name?
Rant of the Week is a story about scammers double dipping.
Billy Big Balls is a story about victims getting screwed when they were just trying to screw.
Industry News is the latest and greatest security news stories from around the world.
And tweet of the week was going to be a washing machine pun,
but we didn't want to rinse and repeat.
It's a strong start.
Oh, look at that.
Someone's been working overtime on this.
Someone's on fire on these notes.
It wasn't me and it obviously wasn't Jav.
So let's, uh, let's move on, shall we, to our favourite part of the show, the part of the show that
we like to call This Week in InfoSec. That seamless clicking of buttons just before that jingle played, eh?
It's a strong start.
It is that part of the show where we take a trip down InfoSec memory lane
with content liberated from the Today in InfoSec Twitter account and further afield.
So what's in a name?
Our first story takes us back a mere 10 years to the 6th of January 2014, when industry giant Intel renamed its McAfee subsidiary
to Intel Security, distancing itself from the name of McAfee's founder, John McAfee.
And so there's a big history actually with this.
I didn't realise what they did over time.
So obviously McAfee founded in 1987 by John McAfee,
became very well known for its antivirus software,
and then John McAfee left.
And in 1994, Intel acquired the...
Sorry, McAfee left in 1994,
but then Intel acquired the company in 2010
for $7.68 billion.
Yeah, and so it was just four years later. I think this is the era where, you know, John McAfee was
doing his YouTube videos, snorting coke off his backside, and he was just, yeah, he, I mean, that, that
man was on a trajectory.
All right.
And he had the money to enable it as well.
So it was four years after it was acquired by Intel,
they announced they were phasing out the McAfee brand,
you know, which is the security software,
and they renamed it Intel Security.
But then I did some research to see where it was these days.
Obviously, I'm still familiar with the name McAfee.
I think everyone is.
It's Trellix, isn't it?
Well, so they did spin off, you know, again,
the following years before going private in November 2021
via a buyout from an investor group.
And that deal was worth $14 billion.
What?
Yeah.
So even though, yeah, it's had some rebranding, renames.
I think if anyone says McAfee,
you would still know that it was antivirus.
Yeah.
That was likely to slow your machine down.
So hang on.
So Intel renamed from McAfee to Intel,
whatever it was, security.
Intel security, yeah.
And then it got renamed again to McAfee
or it got sold off? I can't quite see
where that McAfee name came back into it, but it's definitely still out there. It's, well, do you know
what, it's like an STI, right? It just, it keeps coming, it's just not going away. It doesn't matter
how much you spend on it. Yeah, it's Trellix now, I think, is that, is the name. I don't, you know what,
if we had someone who was like a, an expert in the field, a subject matter
expert who could talk about viruses and malware, and, and, and if we had enough notice that we were
going to be one person shy today, we may have been able to get that, may have been able to phone a
friend. Yeah, exactly, exactly. And, and if that friend didn't pick up, we could have got hold of Graham Cluley.
Exactly. Yeah. Look at that. Here we are.
So, yeah, we will leave you wondering on how that McAfee name just doesn't die.
So our second story takes us back a mere 24 years to the... I did this wrong because I could easily work out the date.
I did this one because I could easily work out the date.
10th of January 2000, when the FBI was after the hacker Maxim,
after he posted credit card numbers online,
when CD Universe refused to pay $100,000 in extortion.
And then six months later, it was actually shared that he would probably never be prosecuted
because one or more firms which performed the incident response
actually screwed up the chain of custody in that. But what I love about this story, so this, uh, hacker, you know,
is known as Maxim. He claimed responsibility. He said he stole like 25,000 credit card numbers from
them. I don't even remember CD Universe, um, but you could buy, well, obviously CDs were big back then,
but, you know, they're an online music retailer, because obviously online was a big thing
in the year 2000.
So you didn't just go to Our Price or HMV or, you know,
the equivalent in the US.
Our Price.
Yeah, you just went to CD Universe.
And, you know, it's supposed to be cheaper, right?
Because it was all VCs that were funding these companies
because it had a dot com at the end.
So anyway, he attempted to extort the company.
He said, like, give me $100,000 or else I'm going to release
all these credit card numbers that I stole from you.
So CD Universe said, no, we're not going to pay,
and probably because they didn't have the money.
And so Maxim, being true to his word,
he then published thousands of these credit card numbers on a website.
So the website was shut down.
And obviously, big big news so NBC news
interviewed him and he told them that all anonymous they didn't know who he was but he said
or not interview like email you know not email he said I'm going to set up a new site and I'm going
to distribute more information. So then they said like the FBI is investigating you know and it's
going to be theft extortion all this kind of stuff.
And bear in mind, this was like at least, I can't remember when PCI DSS came out.
This was at least seven years prior to that, right?
Because that was, you know, more towards after the Heartland and TJX and those sort of breaches.
But anyway, Maxim said he had like over 300,000 credit card files from CD Universe
and he criticized all e-commerce companies for insufficient security measures.
Can you believe that? A hacker stealing data and then blaming companies for having inadequate security.
It is a story as old as time. I'm doing this for your own good.
Exactly. But yeah, so CD Universe did actually advise their customers that their
credit card data, uh, was compromised, um, and they were still determining how the breach occurred
at the time of the article, um, and security experts at the time, uh, had concerns other
online retailers may also be vulnerable, believe it or not.
But yeah, despite media attention, the companies actually tried to downplay the significance of the event, citing historic low in credit card fraud rates.
And also, to a certain extent, if you can communicate to your customers quickly enough and say, just cancel your credit card.
Yeah, I doubt they would have done.
I mean, this is, do you know what I mean?
Let's say 24 years ago.
Yeah, it's just the wild, wild west, wasn't it?
And we still don't have the proper playbook for it.
Do you know what I mean?
People don't follow the actual what should happen.
It's all about get legal involved first,
figure out what our exposure is,
and then come up with the story.
Figure out how little we can do.
Yeah, but I mean, the end part where it says that, you know,
it was like he was never found, uh, ultimately. Um, you know, 24 years later I couldn't find anything
he was ever found. Um, but they also knew that they'd be unable to successfully prosecute him for
that part of it. Um, and there's no details of exactly how it was compromised, but they did
speculate that, um, the way the incident response firms turned up,
they all sort of like logged in.
There's like three companies all logging in at the same time,
all accessing the same files, changing the last access time
and all that kind of stuff.
So it was pretty, like I say, early days of the internet.
I don't think today's well-defined, well-qualified, SANS-certified incident responders...
Keystone Cops rocking up as, you know, incident response team.
And it probably was like that as well. Yeah. Uh, and you know, when you say the incident response,
it's, uh, it's like Dave from accounts because he knows a bit about computers.
he's read a couple of books.
He was telling me about that film War Games.
Was Hackers out at this point?
No, Hackers was slightly later, wasn't it?
Yeah, Hackers was later.
War Games was...
War Games was 89?
No.
No, it was 83.
86, 87.
Oh, I don't know.
I'm going to say, yeah, I think earlier.
But you could be right.
But I know we normally leave on two,
but I am just going to chuck in a third one
because it is so historic.
And it's the third story.
It takes us back a mere 37 years
to a time before I was born,
when on the 8th of January, 1986, I know you always laugh when I
say that, but yeah. I think 2001 was the most recent one we've had. Right, so 8th of January 1986,
The Hacker Manifesto, written by Loyd Blankenship, aka The Mentor, originally titled The Conscience of a Hacker. And it is timeless, the way he's written,
it's absolutely timeless. It was published eight months later in issue seven of the hacker zine Phrack,
but it still survived the test of time. So yeah, penned in 1986. The Mentor wrote it as a reflection
on the hacker culture and mindset, and bear in mind this is '86,
right? So, you know, one of the things he says: "This is our world now, the world of the electron and
the switch, the beauty of the baud. We make use of a service already existing without paying for what
could be dirt cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore, and
you call us criminals. We seek after knowledge, and you call
us criminals. We exist without skin color, without nationality, without religious bias, and you call
us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us
believe it's for our own good, and yet we're the criminals." It's just timeless. Like, so, you know,
go out and read it.
I'd bring some show notes for that one.
Yeah, you're going to have to take a look at that one.
Excellent.
Thank you, Andy, for...
This week in InfoSec.
People who prefer other security podcasts
are statistically more likely to eject USB devices safely.
For those who live life dangerously, you're in good company with the award-winning Host Unknown podcast.
Well, you're in good two-thirds of the company anyway.
Okay, time for...
Listen up! Rant of the Week. It's time for mother f***ing
rage. So this is a classic double dip exercise carried out by hackers, but blimey, this is
a tough one to read. So a company was attacked.
There were ransomware reeling from the business disruption,
the cost of resolving it.
And then this company was offered help, which sounds great.
You know, we've got, what do we call them, cyber Samaritans,
which, I mean, put cyber in front of anything, right?
It's an interesting use of the word.
But two, sorry, researchers at Arctic Wolf Labs published these two cases
in which casualties of the Royal and Akira ransomware gangs
were targeted by a third party believed to
be the same people in both scenarios. So here's the situation. As I said, you're attacked, you're
ransomwared, you're reeling from it. And suddenly a company crops up and says, we can help you here.
What you don't know, however, is that it's the same attacker posing as legitimate, um, security
researchers and incident response people, saying that they're going to help you, um, to, uh, you know,
help you to, to recover from this. And of course, these, it's the same people, they know exactly what
happened. They can dig even deeper because they're given carte blanche access to the, uh, to the company's systems
in the hope that they might be able to recover data, etc. Uh, absolutely. I mean, this is, this is
actually quite a straightforward rant. You bastards. I don't know, I don't know what else to say here. It's kind of like being mugged and then the mugger runs off,
changes his jacket, runs back, helps you to your feet,
punches you in the stomach and robs you again.
I mean, it's just shocking, this one.
But you know what I love?
You know how, like, these crime
gangs are quite well organised? Yeah. You can just imagine this came out, like, a sales conference,
you know, where they had their strategy away week or whatever. Yeah. Someone wrote a Post-it note and
put it on a bookshelf. They did, yeah. They worked out all the, uh, yeah, the pros and cons, and they
say, look, you know, we can diversify. How
can we diversify with the same equipment without increasing cost? No bad ideas, guys. No bad ideas.
Yeah, exactly. Dimitri, what you got for us? Yeah. Vladimir, no, Vladimir, that really is a dumb idea.
Dimitri's got the art, got, you know, knows what we're trying to do here.
Oh, dear. I love it.
Here's a quote from Arctic Wolf Labs.
As far as Arctic Wolf Labs is aware,
this is the first published instance of a threat actor posing as a legitimate security researcher
offering to delete hacked data from a separate ransomware group.
Um, so, and there's a link in the show notes to the, uh, to the blog that details this. "While the personalities involved in these
secondary extortion attempts were presented as separate entities, we assess with moderate
confidence the extortion attempts were likely perpetrated by the same threat actor." Um, which just goes to show, you know,
you can't even, you know, I, it's like that joke of the, the Nigerian prince in Nigeria going, I'm just
trying to give this money away. So if you're, you know, if, if you are truly a cyber Samaritan going
out trying to help people, start expecting to be just told to bugger off
because you won't be able to help them.
Yeah, I think that's it.
I think it's going to be a short and sweet one, this.
Gerard, this could have been a Billy Big Balls.
If Jav was here, this could have been a Billy Big Balls.
Yeah, but we know which side of the fence he'd have been on.
Rant of the Week.
If good security content were bottled like ketchup,
this podcast would be the watery juice
which comes out when you don't shake properly.
In a niche of our own,
you're listening to the award-winning
Host Unknown Podcast.
All right, let's move on to, uh, this week's surprisingly sultry and sexy... So, as cyber scams go, this one is rather unique. Um, so in early December, Mangesh Kumar, and his name has
been changed to protect the innocent, he was scrolling on Facebook when he came across a video, uh, from
the All India Pregnant Job Service, and so he decided to check it out, right? But it actually
sounded a bit too good to be true: money, and lots of it, in return for getting a woman pregnant. Um, is this a work from home job?
Is this, uh... well, yes, of course it's too good to be true. So, uh, Kumar typically earns, um, the equivalent,
like 15,000 rupees, which is $180, £142, per month, working for a wedding party decoration company.
And so he thought, hey, I'm going to make some money.
And I get to, you know, he's not thinking with the top head.
He's thinking with the, you know, with the other part.
And so he starts to, you know, he investigates, he goes into it.
I think I did a very good job there. I need to go again.
Yeah, there was that.
Yeah, it turns out he's been, you know, he had the snip four years earlier.
But no.
So after he clicked the video, he registered.
The man, he got a phone call, right?
And he was told he needed to pay 799 rupees if he wanted to register for
the job. So he's like, okay, this is great. Uh, and now even when he's thinking about it, he's like,
hmm, you know, is this, is this real? Is this a scam? Is it too good to be true? Uh, they, they said, like,
you know, it's a half million rupee job, right? So it's three years' worth of wages to this guy.
And even then he's like, hang on a second.
This just isn't, isn't like, it just doesn't add up.
And then it gets better.
The guy says there's an extra 800,000 rupees when she's successfully pregnant.
So he's like, hang on a second.
So I get to go at this.
Like this is,
you know, I'm not on a per hour basis here. This is like, this is ongoing. Three years worth of
salary. I get to go on it. So, you know, he's a poor guy. He's a poor young man. So you believe
them. So he paid his 799 rupees to register. And then over the next couple of weeks, you know,
they're keeping it hanging on, they're like,
just need another 2,550 rupees
for the court documents,
and it's like, okay,
and then there's the 4,500 rupees
as a safety deposit,
and then obviously for everything
that's paid so far,
there's like 8,000 rupees,
there's like goods and services tax,
you know, for the money
that you're going to receive,
so with all of these cases,
you know, he's actually receiving receipts, and, you know, it all looked legit, and he even received some
fake court papers to make it look like they genuinely got these court papers. Um, and then
he got something that was like a, um, you know, like a, uh, a birth certificate, like what it would look like, you know. So they're already
putting that picture in it, so like a pregnancy verification form, um, whatever, and they just kept
going. And so, when are you starting to have doubts? They started sending pictures of, like, pretty women,
so there's seven or eight women, you have to choose which one of these you're going to impregnate, and
it's like they'll book the hotel room. Uh, it'll be in the town where they live,
so you don't actually have to know them.
It's literally, you just turn up,
you donate your seed and you're gone.
So, you know, he...
Two minute job.
Two minute job, if you're lucky.
Yeah, so it's just all this time,
you know, the poor guy was like being strung along
and he was paying this in small increments, right?
They were just sort of draining him and not the way he was hoping to get drained in that instance.
So, yeah, it got to the point where, you know, they he said, where's this money?
Right. You know, when is it? And they said it's on hold at the moment.
And, you know, you get paid after you pay twelve thousand six hundred rupees is the income tax.
But obviously, obviously, by this
point he'd actually lost an entire month's salary, and he's like, I can't pay any more. Um, can you give
me a refund? Uh, and, you know, the person refused and then started, uh, showing credit of 500,000
rupees saying, look, you know, this is going in your bank. Income tax authorities are going to raid you,
they're going to raid your home, they're going to arrest you, you know, your family's going to find out, you're going to be disgraced for doing
this, and all this kind of stuff. So, you know, he lost all of this stuff, and he is actually so
scared that he, he switched off his phone and didn't switch it back on for, like, a couple of weeks.
Um, and yeah, it's, it's, I mean, it's a, it's a scam on multi-levels. One plays on a desperate young person
who's not thinking with the right...
The blood's in the wrong area.
Also something that's desirable to him.
Financially as well as...
Financially, exactly.
As a fellow.
And then there's the threat of the shame
and being exposed when it didn't come up.
We were talking just before the show about this,
and I said, I'm not convinced that this would work
in, say, UK, France, Germany, or whatever.
And I think maybe the reason for it, I think,
is there's plenty of scams that do work in the UK,
France, Germany, etc., etc. No doubt about it, right?
Often romance scams are, are, you know, one of them. But this one, this one, I think, hits back at,
if not a unique culture, but a culture where siring children was being seen as, you know, a man,
where having family and having, you know, or being able to have children. I think there are some
strong cultural elements to this. But that just, all that says is effectively the local gangs are
creating local scams that, that play to local cultural norms, at the end of the day, you know. And I think it's, it's incredibly sad. I mean, that the, this,
this guy's trying to not only, you know, fill his wallet, he's trying to sort of, you know, fulfil
other needs of his as a young single guy, presumably, and now he's, he's, he's probably
a nervous wreck. It's just, he's probably virtually destroyed his life. Yeah. Well, he said
it didn't strike him that it would be, you know, it could be a con, because he's saying that, you know,
the man he dealt with, uh, sent copies of his identity cards. Yeah. Um, you know, he had a display
photo on WhatsApp with a, you know, an attractive foreign woman holding a baby. So, you know, it all
sort of psychological. Yeah.
You know, all the branding was there to make it look genuine.
God, incredibly sad, incredibly sad.
Yeah.
But this was, obviously, Jav would have backed the guy.
He would.
He would have backed the attacker here.
Yeah, absolutely.
What a scam.
All right, that was this week's...
Nope.
Wrong one.
Sorry.
Where has it gone?
Here we go.
Billy Big Balls of the Week.
That was quite poor timing, wasn't it?
Yeah, it's unfortunate.
But speaking of timing, Andy, what time is it?
It's that time of the show
where we head over to our news sources over at the InfoSec PA Newswire
who have been very busy bringing us the latest and greatest security news
from around the globe.
Industry News
23andMe blames user negligence
for data breach.
Industry News
Merck settles with insurers
over $700 million
NotPetya claim. Industry
News. North Korean hackers
stole $600 million
in crypto in 2023.
Anti-Hezbollah groups hack Beirut airport screens.
Ukrainian blackjack hackers take out Russian ISP.
Cyber insurance market to be worth over $90 billion by 2033. Industry News. Only 4% of US
states fully prepared for cyber attacks targeting elections. Industry News. NCSC publishes practical
security guidance for SMBs. Industry News. Mandiant's X account was hacked in brute force password attack.
Industry news.
And that was this week's...
Industry news.
Huge if true.
Huge if true.
Why didn't they just say only two US states are fully prepared for cyber attacks?
Why put a percentage on it? It's always better when you chuck in percentages though, right?
I was trying to do the maths in my head there. I was like, no, hang on, this is really easy.
But you know what? Some people probably don't know how many US states there are.
You know, like Americans. It's 50, right? Geography not being the strong point.
50 with the UK being the 51st.
Everyone knows there's 55.
Oh dear, what else?
There's the 23andMe one.
This keeps coming back.
Yeah, they were saying about it was because of password reuse, right?
Yes.
And they're also saying that, look, you know, it's your fault for reusing.
But you're negligently recycling passwords.
How do they know?
Well, they're saying it was password spraying attack,
that, you know, people were just pumping emails and passwords
and they were working.
But not only that, they're saying, like, you know,
you failed to update your passwords
after previous security incidents,
you know, which were unrelated to 23andMe.
And so it's not our fault.
But also, we made 2FA available on the site months ago.
Didn't enforce it, but we made it available.
And so, therefore, it is your fault.
So, you know, there is a lawsuit,
because if it was a password spraying attack, technically it was a legitimate authentication.
It had the correct username and the correct password,
which is exactly what 2FA is supposed to stop, right? You know, those sorts of attacks.
Yeah.
And if they have reused their password,
and we've all got accounts that have got reused passwords in,
not many, you know.
I've lost many accounts because I've used the same password.
I can't, I've lost count of the amount of accounts I've lost.
Convenience trumps security.
Exactly.
But it really is, if you're reusing the same password, it really is a user error.
That being said, 23andMe are on a hiding to nothing by blaming their users rather than giving more advice and then saying,
because of this, we are now enforcing two-factor authentication.
I think they took the wrong approach on this.
Yeah, well, they're saying, look, it's available.
It's still not used.
I've got a 23andMe account.
I've still not enabled MFA.
But then I don't even know what my password is, if I'm honest.
It's...
I do Face ID.
Try your Amazon.
Try that password.
It's probably that one.
That's definitely not...
No, that's a password I don't use anywhere else.
I've used it for like 25 years, but it's not one I've used anywhere else.
It's the same password as Orange One.
Yeah, that's right.
Oh, dear.
God, the amount of passwords
that used to start with that.
What else have we got?
North Korean hackers only stole $600 million.
See, it's like things are down
So this is down on the previous year, $850 million. Here we go again, hey, the old crypto jokes.
Oh, um, but yeah, it's interesting. You never know where this, uh, where this money's going or
what they're doing. Well, I heard that North Korea
are supplying Russia with weapons now
for Ukraine.
So maybe it's paying for that.
Oh, God.
And I saw a video of the mortar rounds
that they were using,
the North Korean mortar rounds
they were using in the Russian mortars.
Basically, they just weren't working.
I was going to say,
they sort of go a short distance,
fall out the end. You could hear it slide down,
and then they go, and then they literally shake the thing out.
They'd shake the round. Oh man, you know, you'd hear it slide, and you'd just gently back
away, wouldn't you? Well, they're all bent away with their hands over their ears, and then, like,
nothing happens. Like, oh, let's undo it again.
Oh man, good old quality. Uh, and I think the last one that caught my eye is, um,
Mandiant's Twitter account was hacked. Where's the 2FA on that? Surely, surely you can get...
Maybe it's because Musk has made it shockingly expensive
to be able to handle team accounts and stuff like that.
Oh, there you go.
Look what you did in the actual article.
I'm just clicking into it.
Yeah.
So, okay.
So they started to...
So it got taken over on 3rd of January
and then they began sending its 123 million followers
links to a cryptocurrency
drainer phishing page.
Endorsed by Kevin Mandiant.
Oh, it says they had 2FA enabled.
Interesting.
How are they?
Okay, so 11th January,
the firm published the result of its investigation.
I wonder who they called to investigate this.
Maybe some nice, you know,
cyber Samaritan rocked up and said,
Yeah.
Friend, you want help?
Yeah.
So, okay, so they pointed to misconfigurations in the account 2FA,
which the firm took some responsibility for,
but also laid the blame partly on X.
Normally 2FA would have mitigated this,
but due to some team transitions and a change in X's 2FA policy,
we were not adequately protected.
They didn't specify what changes there were.
On balance, I would tend to believe Mandiant over X.
Yes.
But it still doesn't quite seem right.
Oh, so you need to pay for premium
to get to...
Okay, that's the issue.
Right, gotcha.
Okay, so the Mandiant account
currently has no gold checkmark.
Well, it's because it costs a fucking fortune.
Which indicates they have not subscribed to the social media's premium plan.
Well, and also, surely Mandiant's target audience is not a bunch of Nazis, right? So
X is probably not the most, you know, important platform for them to be social media-ing on.
Yeah.
Damn.
Yeah.
X is becoming even worse.
Right.
On that note, that was this week's Industry News.
We're not lazy when it comes to researching stories.
Nope.
We're just energy efficient.
Industry News.
We're settling towards the end of this show, aren't we? I can't believe how fast we go through, and we're not carrying dead weight. It's like we're streamlined.
So, Tom, why don't you take us home with...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
That feels really weird not doing that.
It does, doesn't it?
Really weird.
How bizarre is that?
Anyway, this week's Tweet of the Week is about an LG washing machine.
So we know that most LG washing machines, or most modern washing machines, are now connected to the internet, all that sort of thing.
But this tweet is from Johnny, @Johnny on X, and he says... the picture is of a graph, so check the show notes, but I think you can imagine what it looks like.
What the fuck, why is my LG washing machine using 3.6 gigabytes of data a day?
And the graph is showing a pretty consistent 3.6 gigabytes. There's one day when presumably he wasn't washing.
Oh no, that's one hour. That's not... this is the daily stat.
Oh, that's the two o'clock. Yeah, two o'clock only dropped down to a mere 50 meg.
So it's, yeah, it's chucking out, what is it, well over 150 meg an hour.
Uh, yeah, 175 per hour.
175. That is, again, we were talking before the show, what is it transmitting? I mean, is it acting as a media server or something? Um, is it the thing that's serving all of the LG washing machine ads that you're all now going to get, uh, from listening to this?
But the best response to this has to be, it's from Chris Walker, uh, and his response is, modern washing machines teleport dirty clothes to a centralized cleaning facility and then return them after cleaning. He then follows up with an answer to the age-old question: lost socks and dropped packets.
Genius, utter, utter genius, I say. But, you know, with those data transfers, it's not out of the realms of possibility, right?
I know, I know. Is it a Star Trek teleport, you know, or, you know, beaming down?
It's a three point. That's an entire, you know, HD movie.
Yeah. Per day.
Per day. A high quality HD movie, not even a compressed one.
Yeah.
I'm dumbfounded as to what this is.
You don't have the storage.
Surely you can't have enough storage on an LG machine to actually...
Well, that's what it is.
It's using cloud storage.
But what do you need to say?
I know.
Unbelievable.
It reminds me a little bit of when, you know, when the space shuttle was first in use,
there was not enough memory on the onboard computers to run the entire mission, so they
literally upload a tape for launch, and then when they got into space, they delete the memory, upload
a tape for, you know, orbital mechanics and all that sort of thing. And then when they got ready for going down for descent,
they'd clear the memory and upload a tape for descent.
It's a bit like that.
And they keep a spare pen in the pocket
in case the tape gets chewed up and they need to rewind it.
Yeah, exactly.
Who's got the emergency pen?
Well, the one they spent $750 million on, right?
Whatever it was, $75 million on a pen that writes upside down.
And the Russians used a pencil, blah, blah, blah.
But what the Russians also had was graphite floating around in space
and getting caught on all the electrical contacts in the capsule.
History lesson as well.
Really nerdy as well, right?
Anyway, that was this week's Tweets of the Week.
So, to your earlier point, we've hurtled to the end of the show.
Done a good job, I think. Pretty clean.
We haven't got any of, well, any of Jav's racist comments coming out.
No mumbling.
Yep, no mumbling.
Clear. No loud keyboard clacking,
no phone going off in the background.
Thank goodness.
Thank goodness.
Yes, so excellent.
Andy, thank you very much for your time today.
Stay secure, my friend.
Stay secure.
You've been listening to the Host Unknown Podcast. If you enjoyed what you heard, comment and subscribe.
If you hated it, please leave your best insults on our Reddit channel, Worst Episode Ever, r/SmashingSecurity.
And we're out.
We are.
I was a bit disappointed we didn't get to use our Christmas jingles last year.
Having not... Did we have Christmas jingles?
Have we got Christmas jingles?
Oh, I'll tell you why.
We got Christmas jingles years ago.
Because I haven't sorted out my soundboard yet,
so we're still using the built-in one.
You'd think I'd have had time over the last few weeks.
Well, obviously worth the money, that soundboard, right?
I'm nearly there, actually.
I'm building up a set of profiles.
I'm nearly there.
It's going to be good, maybe.