The Host Unknown Podcast - Episode 185 - The Inexplicable Episode
Episode Date: February 26, 2024

This week in InfoSec (06:25)
With content liberated from the “today in infosec” twitter account and further afield

16th February 2010: Version 2.0 of the CWE/SANS Top 25 Most Dangerous Software Errors was released. Take a look and decide which of these weaknesses have been eradicated over the last 14 years.
Web Archive
https://twitter.com/todayininfosec/status/1758712418601971748

20th February 2003: Alan Giang Tran, former network admin for 2 companies, was arrested after allegedly destroying data on the companies' networks. Two months later he pleaded guilty to a federal charge of intentionally causing damage to a protected computer.
https://twitter.com/todayininfosec/status/1760021831354896443

Rant of the Week (14:01)
Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data
Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes. From at least 2014 to 2020, Avast harvested user web browsing information through its antivirus software and browser extension, according to the FTC’s complaint. This allowed it to collect data on religious beliefs, health concerns, political views, locations, and financial status. The company then stored this information “indefinitely” and sold it to over 100 third parties without the knowledge of customers, the complaint says.

Billy Big Balls of the Week (25:02)
Husband 'made over a million' by eavesdropping on BP wife
The husband of a BP employee has been charged with insider trading in the US following claims he overheard details of calls made by his wife while working from home. The US Securities and Exchange Commission alleged Tyler Loudon made $1.76m (£1.39m) in illegal profits. The regulator claimed Mr Loudon heard several of his wife's conversations about BP's takeover of TravelCenters of America and bought shares in the firm. BP has declined to comment. The SEC said: "We allege that Mr Loudon took advantage of his remote working conditions and his wife's trust to profit from information he knew was confidential." His wife - a mergers and acquisitions manager at BP - worked on the oil giant's takeover of TravelCenters. The SEC said Mr Loudon purchased 46,450 shares of TravelCenter's stock, without his wife's knowledge, before the deal was made public in February last year. Following the announcement, TravelCenter's share price rose nearly 71% and Mr Loudon allegedly immediately sold all of his newly-bought shares for a profit, the SEC said.

Industry News (32:16)
Attacker Breakout Time Falls to Just One Hour
NCSC Sounds Alarm Over Private Branch Exchange Attacks
Biden Executive Order to Bolster US Maritime Cybersecurity
Ransomware Warning as CVSS 10.0 ScreenConnect Bug is Exploited
Chinese Duo Found Guilty of $3m Apple Fraud Plot
OWASP Releases Security Checklist for Generative AI Deployment
Russian-Aligned Network Doppelgänger Targets German Elections
Change Healthcare Cyber-Attack Leads to Prescription Delays
ICO Bans Serco Leisure's Use of Facial Recognition for Employee Attendance

Tweet of the Week (42:37)
https://twitter.com/lauriewired/status/1760751495073640705

Come on! Like and bloody well subscribe!
Transcript
Coffee? Oh no, I've been trying to cut down on coffee, but he says with a giant mug. I know, I know.
Today's like six o'clock in the evening. Today's my cheat day. I've actually, like, for the last week, I've only been having like maybe one or two a day, and I've been feeling a lot... Actually, you know what? I think too much coffee was causing my dehydration and headaches.
No, really? I've cut down myself.
I've limited it to three or four cups a day now.
Yeah.
And I feel 100 times better for it.
I'm sleeping a lot longer.
Yeah.
I suppose also because Ramadan's coming up.
Oh, yeah.
And welcome to the Middle-Aged Men's Health Podcast.
You're listening to the Host Unknown Podcast.
Hello, hello, hello. Good morning, good afternoon, good evening from wherever you are joining us.
And welcome, welcome one and all. Welcome, dear listener, to episode 185.
189.
Of the Host Unknown podcast.
Welcome, both of you.
It's been quite a week for all of us, really, I think.
Jav, what have you been up to?
Nothing much.
I'd just like to give a shout out to Bess.
So she's a colleague of mine.
She wanted to schedule a meeting with me and she said,
oh, there's some weird podcast thing in your calendar. And she was like, you don't know what podcast it is? I said, no, it's my podcast. It's called the Host Unknown Podcast. She goes, really? It's Andy's podcast? Is it available? Is it available? And she goes, yeah. She pulled out her phone and started looking for the podcast. What's it called? I said, it's called The Host... The Host...
So, um, so if you have to explain it, we've already lost.
Yeah, no, it's just clever. But, uh, you know, I think, I think, you know, we appeal to a certain level of intellect. So if Bess is listening, thank you. I will test you on this next week, and if you haven't, then I know that you haven't listened to the podcast.
So, you know, there you have it.
But other than that, it's been a good week.
The secret number, Bess, is 732.
Go and whisper that in Jav's ear next week.
Just slack it to me.
It's better.
In whisper font.
Anyway, Andy, how are you?
Well, actually, I know how you are because I saw you just yesterday
and it was quite notable because nobody asked about Jav.
Nobody was interested in where he was at all, were they?
They never are.
They never are, if I'm honest, whenever I'm out and about.
I'm the main event, so why do they care what the support act's doing, right?
Exactly. But I will, you know, can just ask for an apology from both of you.
What?
Because last week, obviously, you know, we've got our cameras and we can see each other. Last week you were gaslighting me into believing that there was no bee or wasp or whatever in this room with me, and like Jav was taking the piss, he was shadow boxing on screen, like mimicking my movements. And then what happens as soon as we finish recording? A giant parrot climbs up my back and sits on my shoulder, the size of like my fist, and the wasp like looked at me and just went, miss me?
It did the two things, you know, the two fingers at his eyes and then at your eyes and then back at his eyes again. You and me, buddy, you and me.
Exactly, yeah. And you'd spent 20 minutes gaslighting me.
The fact that now, for the second time, you used the term gaslighting made me lose whatever little respect I had for you. You know, you were meant to be a kid of the 80s growing up as a man.
OK, boomer.
You know, yeah, therapy's for bitches, that's what we say. Yeah, and like these terms, like, you know, I'm feeling really triggered. I'm feeling really triggered. This is not a safe space.
This is not a safe space. Well, not if you're afraid of wasps, it isn't.
Oh, my God.
Where's Ben Jernigan when you need him?
The way you were going on, it was like your house was infested.
Oh, my God, I'm worried I've got a nest somewhere.
How does a wasp get in a sealed room?
That's my issue.
They dig tunnels underneath your house.
It's like every magician's trick.
He was already in the room.
Oh, dear.
Anyway, talking of trigger warnings, Tom, how was your week?
Very good.
I picked up the Duchess of Ladywell from the airport on Wednesday morning.
Of course.
Welcome home, Duchess.
Indeed.
Indeed.
She said she enjoyed your email and that she was going to enjoy your trip to San Francisco with her
to get some BA air mile points while you talk crap about me.
So, yes, thanks for that, Andy.
You're welcome.
But, yes, it was nice to have her back,
certainly after six weeks or so.
And she said, did you miss me?
And I said, yes, I missed having someone to not phone every week.
So I'm not very good at ringing.
But, yeah, it was really nice.
It was really nice.
And then you and I were at the Thais conference yesterday,
which was good.
Yeah.
Yeah.
You know, it's funny.
Ever since I joined a vendor, TICE stopped inviting me unless I pay them serious amounts of money.
So, like, you know, it's not that I don't like it.
Well, your company were there yesterday.
Your company were there yesterday.
So, obviously, they just didn't want you there yesterday.
Anyway, talking about things that you don't want, shall we see what we've got coming up for you today?
This Week in InfoSec is the story of a guy who made his defence lawyer's case very difficult. Rant of the Week is a privacy snafu we're not at all surprised about. Billy Big Balls is a man who made the most of working from home, literally. Industry News is the latest and greatest news stories from around the world. And Tweet of the Week is a matter of perspective.
OK, let's move on, shall we, to our favourite part of the show. It is the part of the show that we
call...
This Week in InfoSec.
It is that part of the show where we take a trip down InfoSec memory lane with content liberated from the Today in InfoSec
Twitter account. And our first story takes us back a mere 14 years to the 16th of February 2010,
when version two of the CWE/SANS Top 25 Most Dangerous Software Errors was released.
And the great thing about this being such a factual reference point
is that you can just look at it now and see which of these weaknesses
have been eradicated over the last 14 years.
Let me take a guess.
Information out there.
Let me take a guess.
None of them.
Well, not far off.
Exactly.
So, you know, we've still got cross-site scripting, we've still got SQL injection, we've still got buffer overflow. The big, the big boys are still there. They're not going anywhere. They are stalwarts of the infosec industry, and anyone with zero knowledge can literally walk into this industry and just say, look, talk to developers and say, look, guys, make sure that you are defended against cross-site scripting. Make sure you're checking for SQL injection, like preserve your SQL query structure. You know, make sure you check the size of your input. You've got to look out for these buffer overflows. You don't even have to understand it. It's been around for decades. I'm not a developer. I think we can ascertain that.
We know that, right?
I do not have the technical skills for this.
But if we were building planes, and we know that the OWASP Top 10 also has these,
certainly the top two in there, and has been for a long, long time.
If we were building planes and we knew 15 years ago that we had,
these were the top three issues, problematic issues with planes,
and then 15, you know, that caused them to break.
Like landing wheels not coming out on a plane.
Yeah, wheels falling off, you know, that sort of thing.
And 15 years later, they're saying,
you still haven't fixed that problem with the wheels, you know,
or, you know, the right wing bending in the middle. This would be a problem, right? Why is this not a problem, or a bigger problem, now for our industry? Why are we still coding this stuff? Maybe I'm missing the point, and wouldn't be the first time, right? I don't get it.
A lot of it's about gambling, though, right?
They sort of say, well, that's going to take an extra six weeks of development time.
We need to release today.
Can we fix it further down the line?
I guess no one's died from a SQL injection.
No, not yet.
Not yet.
But I think it's really about perspective, isn't it?
People are naturally, if it's a physical threat,
you can see it and you can feel it and there's a very real impact.
Nowadays, you can get 50 emails a week,
oh, sorry, your data's been released in a breach
and you hit delete, okay, whatever, another company's been popped.
It's just not real.
I don't think it feels real to people.
Yeah, so they don't prioritise it.
Yeah, yeah. I mean, and I get that, but it just, it just doesn't feel right as an industry, you know. And even, you go to any conference, someone somewhere is referring to the airline industry about how they fix these problems, all sorts of problems and blah, blah, blah.
We should be more like that.
Yeah, we should.
We're still not.
Anyway, I'm sorry.
I'm a bit too early for my rant.
One door opened the other day.
One door fell open the other day.
And see how much of a big deal that was.
Yeah.
And no one even died.
So, like, you know.
And no one even died, dude.
You sound like a Boeing executive.
Making mountains out of molehills, man.
Yeah, come on.
More like making mountains out of spare parts of planes that fall off.
Anyway, yeah, I'm turning into a rant.
Andy, I'll let you get back on with it.
Since you're so bored with listening to me,
I can see you scrolling through your bloody website.
I actually, I was going to do a bit of research on the next story.
So our second story takes us back a mere 21 years to the 20th of February, 2003,
when Alan Giang Tran, a former network admin for two companies,
was arrested after allegedly destroying data on those companies' networks. And it was two months
later he pleaded guilty to a federal charge of intentionally causing damage to a protected
computer. And what I was just looking at was which companies they were that he worked for.
And it turned out they were a pair of airport transportation companies. So they didn't actually name the companies, but he hacked computer systems and basically destroyed the customer database, all the customers' database that they had on there. But what was funny was that he did this on the 5th of January 2003.
And they were specialized applications, so obviously industry specific.
But when federal investigators executed a search warrant at his house,
they found several computers and a folder marked retaliation.
And within that folder marked retaliation,
he had all the information about the company's computer systems and how he was going to hack them. Ladies and gentlemen, I present the criminal genius mind.
Yeah, exactly. So his defense attorney obviously had a very difficult...
Was there a bit of a, bit of a forehead slap moment?
Yeah, looking at that evidence.
So he did, I don't know how long he got sent away for.
Yeah.
It's only after that that Andy started renaming his folders
from Blackmail, Extortion, Dirt on Tom, Dirt on Jav.
Well, funny you say it.
Those are actually the names of my folders.
And it's more, I've got a couple of canaries in there
to see how often people go in to look at them.
That's exactly what I do.
That's exactly what I do.
I've got a file marked executive salary list of a company I used to work at dot xls, you know, and it's, it's an empty Excel. It's just a canary, right? Just to see if somebody's breaking in and having a... because that's what you go for.
Although I imagine the folder for Jav is probably quite full.
In fairness, my life is an open book. I have no secrets. I tell no lies. That canary would actually be a needle in the haystack in Jav's.
That's right. It'd be the least interesting thing to look at.
Thank you, Andy, for this week's...
This Week in InfoSec.
This is the Host Unknown Podcast.
The catch potato of InfoSec Broadcasting.
Right, let's move on.
This is a doozy, this one.
I'm looking forward to this one, actually.
It's time for... Listen up!
Rant of the Week.
It's time for Mother F***ing Rage.
So there was, or there is, a cyber security company.
In fact, we did cover this when it first happened four years ago,
or when we first found out about it.
Maybe not four years ago,
when we first found out about two or three years ago.
So Avast, exclamation mark, the cyber security software company,
is facing a $16.5 million fine, certainly not enough,
after it was caught storing and selling customer information without their consent.
So Avast is an endpoint protection product.
It sits on your computer, allows you to effectively,
if you're a small company, allows you to very cheaply tick a box
on your security audits effectively, but that's about it.
How cynical.
Have you seen Avast?
Have you used it?
I have, yes.
In the past, a long, long time ago.
Yeah, same.
On Windows XP was the last time I used it, in fairness.
Because it was free, right?
Now I know why.
Because one of the many things it does is obviously just a basic antivirus engine, but it will also check, when you go surfing the web, it will check where you go to make sure they're not blacklisted websites or, you know, naughty websites or whatever, and you can use it for that. What Avast were doing was actually taking your browsing habit data, or taking all of that browsing data, storing it and then selling it, selling it to a third party who then could use that data.
The Federal Trade Commission announced last Thursday that it's banning Avast from selling user data for advertising purposes. Now, this data harvesting went on from 2014 to 2020, six years, picked up through its browser extension, allowed it to collect data on religious beliefs, health concerns, political views, locations, financial status, the lot. Everything, everything laid bare. The company then stored this indefinitely, well, I guess up until fairly recently, and sold it to over 100 third parties. This wasn't even just a sell it once, make a quick buck, but to 100 third parties. And the best part, without informing the customers that it was doing so. Now, the thing that really bugs me about this sort of thing is somebody pretty senior up in that organisation, in Avast, and I'm pretty sure they're not a huge company, there's probably a few hundred people, in there somebody signed off on this. Somebody thought this was a good idea and signed off on the fact: let's sell this data that we have harvested without our customers' knowledge or approval, and let's sell it to a third party to make money and still not tell our customers that that's what we've done with it. Which is utterly, utterly without any kind of...
I can't see any mitigating circumstances for that.
Because although it was 2014, so 10 years ago,
there were still privacy laws 10 years ago, as I recall,
and still some, you know, it was pre-GDPR, obviously,
but there were still
privacy laws out there. So this is beyond the pale. This is, well, they're frankly shitty executive and corporate behaviour.
So I think that the case actually made against them was it was 2014 until 2020, so it was actually well into when GDPR...
Oh yes, yeah, yeah. So yeah, you're absolutely right. So, um, although it started before GDPR, it was certainly long before, yeah, yeah, long before, but it certainly, it was going on while GDPR was in effect. You're absolutely right. You're absolutely right. And you know what's interesting? You've got to wonder.
So they got... a part of Avast got acquired by Norton for $8 billion.
You've got to wonder what type of due diligence was done on the company at the time.
Well, maybe Norton only bought the part that wasn't doing the dodgy shit below the table.
Yeah, exactly.
Yeah, yeah.
It's approximately got 1,700 employees
across its 25 offices worldwide.
17? As many as that?
Wow.
Yeah.
I'm amazed.
There were so many people in on it.
Yeah.
Yeah, that would certainly seem...
I mean, they must have made...
Well, they obviously made millions and millions.
And the problem is, I bet that $16.5 million fine,
whilst as a headline looks good,
is probably not going to make much of a dent at all.
Are you saying that you think that they made a vast amount of money?
Eh!
The amount of money they made was a vast exclamation mark.
Isn't it a vast exclamation mark?
Or am I just thinking of a pirate movie?
Yeah, you're thinking of...
Yes.
So their last company reports showed that they made
effectively $900 million in 2020.
So they're just shy of a billion dollar company.
What was their profit on that?
What was their operating profit on that?
Come on, researcher, do your job.
I know, that's just revenue.
It's difficult to see.
It's difficult to say,
but you'd normally make about 20 points on that, right?
So you'd normally, I imagine...
Total equity, 1.2 billion.
Yeah, they're making a couple of hundred million on this.
This is 10% of annual profit.
Of one year's profit.
Just shocking.
And also, the best thing is, to agree to this fine,
they didn't have to admit any...
What?
Oh, do you not see that?
What, you think I clicked through?
They
agreed that, you know,
whilst they disagree with the FTC's
judgement or
statements, they're just
happy to bring a close
to this matter.
Do you know what?
It's exactly what I thought.
We're happy to, whilst we disagree,
we're happy to bring this matter to a close
and we wish to get back to the business
of protecting our customers.
Exactly.
Data from being sold to anyone else.
So the thing is that, OK, the fact that they didn't inform the customers is probably the only really wrong thing here, because informed consent is a huge piece of data collection there. Well, I'm saying that's the only piece that's missing here, but...
Well, the fact it's a piece of privacy software that's supposed to shield your privacy.
Yeah.
And so they're, they're stopping it from going out to the web, but they're taking it into their offices and then selling that.
And let's just say pre-GDPR it was
not explicitly stated
that they couldn't do this.
The moral and ethical boundaries
on this as a privacy piece of
software, privacy protected. Anyway, sorry, go on
make your point, Jav.
No, it's not really different from what Facebook has been doing for years, what Google's been doing for years.
No, it's not.
The apps, you know, what, what have we been... So what, what is the quote that has been going around for years? If you don't pay for the product, you are the product.
You are the product, yeah.
So if it's a free antivirus or privacy protection or what have you... But to be fair, they were serving pop-ups in their antivirus as well, so they were double dipping. They were making money from selling adverts to you, and now that's what you thought the price was, which is what people think. That was the cost of the product, right? Oh, I get to close these. You've got, you've got to kind of admire that in a kind of Bond villainous...
This is, this is Rant of the Week, not Billy Big Balls, Jav. We know you admire them. We know, we know where your morals are.
You know what? Imagine if we would insert ads into the podcast or charge guests to be on board, if they're, if they're from a vendor, that is.
Yeah, that's called sponsorship, isn't it?
Yeah, yeah.
And then we also sold the data of our 4.5 million listeners' data.
We sell them.
There's definitely a 4 and a five in there.
These people like to listen to.
Yeah.
And this week's episode is brought to you by Avast,
a totally free privacy shield for your home computer.
Protect your data with the market-leading Avast.
But do you know what?
If Avast want to come on this show
to put their side of the story across,
then just click on the sponsorship links on our website.
Exactly.
We do you a nice place, my friend.
Yes, we'll take some of that money.
Actually, just email me directly.
Gerard Malik.
I am your supporter and friend, and I will protect you from these people.
It doesn't really work like that,
because the only two of us on this podcast
have got a company that we could put this through.
Oh, no.
I mean, I know companies like this.
They like to...
I've had dealings before.
Brown envelope, used bills, under the keyboard, you know.
Under the keyboard. Isn't that what got you in trouble before?
no, no, no
you mean the brown envelope
also known as PayPal
no, no, no, I'm joking
I just do what Rishi Sunak does and just put
everything under my wife's name.
Yes.
I pay all of the tax that I'm legally bound to do.
On that note, that was Rant of the Week.
The Host Unknown podcast.
Orally delivering the warm and fuzzy feeling you get
when you pee yourself.
Ah.
Right.
Let's go
to the
next Billy Big Balls,
shall we?
Billy Big Balls of the Week.
Yo, yo, yo.
So we are now Billy Big Balling,
the favourite part of our listeners,
as surveyed by, well, you know, three people.
But anyway, we all hear about insider threats and insider threats themselves are kind of like a ballsy move in their own right.
You work for a company, they pay you and then you betray their trust.
So that's kind of like, you know, it's a ballsy move.
It's like a betrayal of trust.
You're trying to look after yourself and no one else and what have you. But this is like insider inception. So this is not just like an insider threat, this is the insider to the insider threat, in that way. So there was a lady who worked for BP, who looked after M&A for BP. So whenever they're looking to acquire something or what have you, you know, she'd look after that. And, you know, people that work in these kinds of roles, like Andy knows very well because he spent a long time in this, they have to be very careful not to buy or sell any shares of any companies that could be linked to anything that they have insider information about.
However, during the pandemic...
Regulated companies take that very seriously.
They take it extremely seriously.
And you have to do your compliance training to make sure you understand that.
And, you know, it's like there's no real discussion on that. If you're caught doing that, the book gets thrown at you. You're fired, possible charges against you.
Do you know what? We had to go one step further. We needed permission from the company secretary to buy or sell shares whilst engaged on projects.
Yeah, yeah, that, that is quite, quite common. That is, you need a high level of authority to do that. But this lady, she herself was not involved in anything. But because of the pandemic, like most people, she was working from home, and her husband was also working from home. And obviously, as you do when you're on Zoom calls or meetings or what have you, the person in the same house as you can often hear what you're talking about. And he heard his wife talking about a merger, or BP's takeover of TravelCenters. So he went promptly online and bought 46,450 shares.
That's about one share for each one of our listeners.
What?
He did this without his wife's knowledge, allegedly.
Allegedly.
And before the deal was made public in February last year.
Following the announcement, TravelCenters' share price rose nearly 71%.
And Mr. Loudon allegedly immediately sold all of his newly bought shares for profit. He made about
£1.3 million in profit.
What?
Nice bit of business.
Yeah.
So, you know,
because they were within 20 feet of each other,
they all frequently overheard each other's conversations.
Mr Loudon confessed to his wife about buying the shares
after the Financial Industry Regulatory Authority
began asking questions about the BP deal and who was in the know.
According to the filing, he said he bought the stock
because he wanted to make enough money
so that she did not have to work long hours anymore. So this is actually a love story.
This is a love story. It's actually just her fault, obviously. She worked too long. That was
the problem. Yes, exactly. Exactly. And she was apparently stunned by the revelation.
She reported the trading to a supervisor at BP.
Her email and text were reviewed by BP
and it found no evidence that she knowingly leaked the information.
But BP nonetheless terminated her employment, said the filing.
I have quite an important question.
Yep.
Are they still married?
No.
So, according to the regulator's complaint,
Mr Loudon's wife moved out of the house
and ceased all contact with him in June.
She initiated divorce proceedings.
I'm not surprised.
I'm not surprised. I'm not surprised.
Unless this is part two of the plan
where she takes him for everything he's got.
Yes.
So when the FIR go back to punish him,
he can immediately declare bankruptcy
because he no longer has any money.
Yes. But surely those funds would already have been frozen, surely?
Yeah, but then you've got the house, you've got your other assets, you've got everything, you know. This is an inside insider threat. This is like, this is going to be a movie in a couple of years, and I think this is the biggest, billiest big ball move of insider threats that I've, uh, I've read. And, uh, that's my story and I'm sticking to it.
Do you know what? That is a Billy Big Balls. That is a Billy Big Balls. I mean, again, I present to you the criminal mind, but... Jeez!
What a... He got what was coming to him, but blimey!
That's horrific!
Yeah, yeah, I agree.
I agree.
Billy Big Balls.
But let's just...
Let's not celebrate...
Well, obviously let's not celebrate this dude for a start.
He got caught.
Yeah, amateur.
Yeah.
Yeah.
Wow.
All right, excellent.
Thank you.
That was this week's...
Billy Big Balls of the Week.
30% nostalgic, 30% ranty, 30% ballsy
and 30% terrible at maths.
You're listening to the award-winning
Host Unknown Podcast.
yes you are
right Andy
let's just crack on with it mate
what time is it?
it's that time of the show where we head over to our news sources
over at the InfoSec PA Newswire, who have been very busy
bringing us the latest and greatest security news from around the globe.
Industry News.
Attacker breakout time falls to just one hour.
Industry news.
NCSC sounds alarm over private branch exchange attacks.
Industry news.
Biden executive order to bolster US maritime cyber...
Yeah.
Industry news.
Yeah.
Industry news.
Ransomware warning as CVSS 10.0 ScreenConnect bug is exploited.
Industry news.
Chinese duo found guilty of $3 million Apple fraud plot.
Industry news.
OWASP releases security checklist for generative AI deployment.
Industry news Russian-aligned network Doppelganger targets German elections.
Industry news
Change healthcare cyber attack leads to prescription delays.
Industry news
ICO bans Serco Leisure's use of facial recognition for employee attendance.
Industry News
And that was this week's
Industry News
Huge
Huge if true
Huge if true
Huge
That OWASP checklist, I bet you they tell you to check against SQL injection
and cross-site scripting when it comes to AI.
Guaranteed.
I wonder if they actually got ChatGPT to write it.
Oh, it's within a link.
Check how many fingers it's got.
That's the best way of telling
Yeah, exactly. All right, so OWASP project Top 10 for large language model application security, version one. Let's get to it. Prompt injection, number one, check for prompt injection. Two, insecure output handling. That's the lazy cross-site scripting.
Training data poisoning.
Denial of service, supply chain vulnerability,
sensitive information disclosure, insecure plugin.
Yeah, yeah, yeah, okay, cool.
Yeah, no, it's all standard good stuff to look at.
Now, this Chinese... Oh, go on, go on.
Well, I was going to say, I got drawn to that Serco Leisure
being ordered to stop using facial recognition technology
and fingerprint scanning to monitor employee attendance.
So the UK's Data Protection Enforcement Agency
said that the company had unlawfully processed biometric data on 2000 employees.
Yeah, it's no idea why they...
Don't any companies hire lawyers anymore?
No.
Because...
Maybe it's the in-house legal.
Maybe it's the in-house legal.
But yeah, I think that the intention was to just avoid having to take note of who attended particular events.
Yeah.
And instead, they stored that data for excessive amounts of time.
Oh, right.
Didn't you have something like that?
I mean, you work for a company where I remember you had a vending machine that gave you ice cream, but you had to smile into a camera first.
Yeah, but it didn't retain that smile, though.
It's not like it kept a record of all smiles that were smiled at it.
But didn't it just post it on Instagram?
It gave you the option to post it on it. It gave you the option. It didn't keep the record.
Meta. It gave it to Meta to keep.
Yeah, no, I think it... do you want to post this onto Instagram, I think it said, or something like that, you know. But, but then there was no... there's only one option, which said yes, continue, whilst it was holding the ice cream in front of you.
It was just dangling it.
It's like the metal claw had it by the stick right at the very end, you know?
Yeah.
I was going to find out who the Chinese duo found guilty
of 3 million Apple fraud plot.
Now, this one is really bizarre
because when you actually click through and take a look,
what they did was basically send Apple
a bunch of fake iPhones for repair
in the hope that they would just get swapped out
for real iPhones.
I mean, that's...
Yeah, and...
That's...
And they sent about 5,000 phones to Apple over a two-year period.
And they shipped the legitimate handsets they received to Hong Kong for onward sale.
Yeah.
So you give something that's bad in the hope of getting something good.
It just shows a ****.
Oh, man.
Damn.
Can we get away with that? I don't know. Can we get away with that?
We can because it's...
No, no, no, I don't...
I'm not that kind of Asian.
I'm not that kind of Asian, OK?
You're the other kind.
You're the other kind.
Yeah.
It just goes to show,
and then we have to divide that subset,
it just goes to show that...
Oh, man.
What else have we got here?
Colour me surprised.
Russian aligned network targets German elections.
I think the Russians are trying to target every single election
in every single country.
Russia attacking elections?
Exactly.
That's as old as time at the moment.
I think that's it then, isn't it, really?
Yeah.
There we go.
Oh, well, the attacker breakout time.
That first story you read, I think you thought it was
attackers weren't having enough breaks in their workday.
That's right, yeah.
It was it.
Exactly, exactly.
But, yeah, breakout time just falls to just one hour.
I think it's actually 70 minutes technically or something like that.
But yeah, you've got to be pretty quick.
From initial access, it is now 62 minutes.
Oh, right, okay.
Oh, that's right.
I remember the conversation I was having.
It's about the golden hour you need to identify and contain within that first hour.
Because outside of that, yeah, well, exactly.
Well, that's why we need AI,
because that's apparently all I was talking about yesterday.
But there you go.
There you go.
No, actually, there was this story on there
about the healthcare in America.
Like there was some sort of attack
and it led to delays in prescriptions.
And it just reminded me of my
my pharmacist, chemist up the road, and even when you go to the hospital, it takes them so long
just to print off a label, stick it on a box and give it to you. It's like two hours later, like, "Oh,
yeah, we just start dispensing your prescription." It's like, you know, how much slower can it really
get? I mean, if America is anything like the NHS.
But there's two stories actually that are missing on this.
OK.
I think our InfoSec dig is slacking.
So one is the big story that the LockBit ransomware group was attacked.
Well, taken out.
Yeah, old news.
Old news. That happened like at the
start of the week. This is up-to-date info, because I don't know when this... Yeah, this episode
could get posted any time between Friday and Wednesday. Yeah. Yes, you could. I can only do the
most recent story, and so people just think they missed a previous episode where we talked about LockBit. You're absolutely right. And there was another story, the Israeli planes taken over by hackers.
No, I can't remember it now. It's useful when we're recording a podcast for you to know what
you're going to talk about, Jav. I'm just saying. Since when? No, no, if you guys are going to
change the rules of engagement, this, you need to tell me beforehand.
This is a new rule from episode 184, okay?
You're the type of person that you play Monopoly with
and you change the rules halfway through.
Oh, no, no, no.
If you own this property, then you can do this
and I can double the rent.
Here we go.
The agent's got an issue with other people
owning properties all of a sudden.
And then flips the table.
Dear me.
I don't know.
Right.
This is a good table.
My dad made it himself.
All right.
That was this week's Industry News.
All right, that was this week's...
Industry News.
The host unknown podcast.
Orally delivering the warm and fuzzy feeling you get when you pee yourself.
We should rename that section the Can we get ourselves cancelled in four minutes or less?
No, can we get Jav cancelled in four minutes or less?
I think I would rather.
Right, Andy, take us home this week.
What? Sorry, Jav?
What are you going to say?
Just think.
Think before you say it.
I was going to say,
I've got multiple recordings of you two claiming this to be your podcast
and not my podcast.
So, you know, if anything, you two
are liable, and you both have companies, as you've said today. So, like, you know, if lawyers... if anyone
gets cancelled, cancel the two bald white men. Yeah. So we're... so we're protected, is what I'm saying.
We've got companies, you haven't. I mean, your house is on the line. Yeah, your house is on the line, mate.
Houses.
Houses.
And other things he's got more than one of.
Right, let's move on, Andy.
Why don't you take us home this week with this week's...
Tweet of the Week.
And we always play that one twice.
Tweet of the Week.
And this week's Tweet of the week comes from Laurie Wired,
who posted a very, what do we call it?
It's all a matter of perspective.
So apparently in the US this week, AT&T went down and people were going mad about it on social networks.
And that's the second story that you wanted to talk about, was it?
That's exactly the second story I wanted to talk about, yes.
So Laurie Wired says,
the speculation around the AT&T outage
is a fascinating reflection of human psychology.
Cyber people are saying, it's a cyber attack.
Science people are saying, it's a solar flare.
Software people, it's a botched software release.
Network people, some tech messed up the BGP config.
Everyone else...
That is absolutely true.
Everyone else:
"My phone don't work."
Yeah.
Yeah.
But, yeah, no, it's actually
quite funny, because you can read
the responses to that, and other people
have got, you know, they're literally jumping
on the bandwagon to explain
what they think the issue is and why it's that.
You know, if a guy says, as a janitor, I shouldn't have turned off that socket.
Yeah.
Very good. Excellent. Thank you, Andy, for this week's Tweet of the Week.
I'd say that kind of reminds me of, remember when BlackBerry's messages went down
and it was found out that it was just one server in Canada somewhere
that all the messages go through?
That's probably what we're going to find out about this outage.
Yeah.
In fact, have you seen that film about BlackBerry that's out at the moment?
It's really very, very good.
What is it out on?
What is it out on?
All the regular channels.
I watched it off Apple, obviously.
So that's not a regular channel?
No, it's not on Apple TV.
You know, I bought it on Apple to watch.
Ah.
OK.
It's not, you know. It's not on...
It was in the cinema.
It's in the cinema.
Okay, if you need to know everything you need to know about BlackBerry,
go on YouTube and look up BlackBerry Rocks.
Okay.
And I think it's a bunch of BlackBerry executives who put on a rock song in one of those hangers or something.
Oh, my God, yeah.
And it's amazing and cringe at the same time.
Yeah.
Well, it's a brilliant film.
It's really, really interesting.
Absolutely fascinating.
You know, just everything coming together all at once
just to make it happen.
A bit like this podcast, really.
Right.
Yes.
Shall we?
Well, let's close the show, shall we?
Jav, thank you so much for your time, intelligence, wit, wisdom
and your cancellations for this week.
You're welcome.
And Andy, thank you.
Stay secure, my friends. Stay secure. ...comment and subscribe. If you hated it, please leave your best insults on our Reddit channel,
r/smashingsecurity.
Can you just cut... which bits of my beeping out?
Uh, all of it.
I don't know, I just took a... I don't know where my mind was at, but it just
took a real nosedive, even for my standards. It was just like all the inside thoughts came out.