The Host Unknown Podcast - Episode 213 - The So Many Technical Issues Episode
Episode Date: April 25, 2025

This week in InfoSec (10:26)
With content liberated from the "today in infosec" twitter account and further afield

1st April 1998: Hackers changed the MIT home page to read "Disney to Acquire MIT ...for $6.9 Billion".
https://x.com/todayininfosec/status/1907094503552336134

1st April 2004: The now ubiquitous Gmail service is launched as an invitation-only beta service. At first met with skepticism due to it being launched on April Fool's Day, the ease of use and speed that Gmail offered for a web-based e-mail service quickly won converts. The fact that Gmail was invitation-only for a long time helped fuel a mystique that those who had a Gmail address were hip and uber-cool. Those of us who are actually hip and uber-cool didn't mind, of course, as those types of things don't bother hip and uber-cool people.
https://thisdayintechhistory.com/04/01/gmail-launched/

Rant of the Week (14:07)
Kink and LGBT dating apps exposed 1.5m private user images online
https://www.bbc.co.uk/news/articles/c05m5m5v327o
Researchers have discovered nearly 1.5 million pictures from specialist dating apps, many of which are explicit, being stored online without password protection, leaving them vulnerable to hackers and extortionists.
Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove.
These services are used by an estimated 800,000 to 900,000 people.
M.A.D Mobile was first warned about the security flaw on 20 January but didn't take action until the BBC emailed on Friday.
They have since fixed it but not said how it happened or why they failed to protect the sensitive images.

Billy Big Balls of the Week (24:00)
Oracle's masterclass in breach comms: Deny, deflect, repeat
There have been some disclosure stinkers in the past. Back in 2016, The Reg discovered that Yahoo! had taken a few years to disclose security snafus that occurred in 2013 and 2014, for example. These days we often see organizations simply choose not to publicly address their issues. A quick self-referral to the regulators and some letters sent directly to those affected pass as the bare minimum, and while these organizations won't get any Brownie points for transparency, the approach doesn't tend to invite too much in the way of long-lasting criticism either.
When Oracle issued its flat-out denial of the first breach allegations that surfaced from cybercrime forums, it seemed like it was yet another wannabe big-time scriptkiddie making false claims for clout.
To make matters worse, Oracle seemingly tried to swerve any flak with some careful semantics. Its original denial stated: "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Infosec experts Kevin Beaumont and Jake Williams later both claimed that Oracle appears to have used the Internet Wayback Machine's archive exclusion process to remove evidence about the intrusion.

Industry News (33:25)
Google to Switch on E2EE for All Gmail Users
ICO Apologizes After Data Protection Response Snafu
North Korea's Fake IT Worker Scheme Sets Sights on Europe
Royal Mail Investigates Data Breach Affecting Supplier
Stripe API Skimming Campaign Unveils New Techniques for Theft
Over Half of Attacks on Electricity and Water Firms Are Destructive
Amateur Hacker Leverages Russian Bulletproof Hosting Server to Spread Malware
CrushFTP Vulnerability Exploited Following Disclosure Issues
Major Online Platform for Child Exploitation Dismantled

Tweet of the Week (41:25)
https://x.com/MalwareJake/status/1907416667052786110

Come on! Like and bloody well subscribe!
Transcript
Have we got an in for this episode?
What do we need an in for?
I think the people should just be grateful that we are gracing them with our presences.
You're listening to the Host Unknown Podcast.
Hello, hello, hello, good morning, good afternoon, good evening from wherever you are joining
us and welcome. Welcome one and all, welcome dear listener to episode 213. 217. Oh hang on.
Back to our quality programming of the Host Unknown podcast.
Well it's been a while again gents. How have we been?
Jav, how have you been? I've been fantastic thanks. Life's good, the weather's getting better.
Last night I went to see Paul Chowdhury at the O2 in London.
Ah, very good.
One of my favourite comedians.
So, yeah, it's...
I've got nothing to complain about, honestly. Life is good.
Well, you're looking very slim and very bald as well, I might add.
You've finally joined the other two tits on this podcast and
now we've got a total recall set of tits. Yeah exactly although I have to
say my brother-in-law my wife's youngest brother he he's visiting us because
Ramadan ended and it was Eid so he's doing a PhD in it and he was
balding. He's a lot younger. He's about 30, I think.
I've been a lot younger.
That's like my age.
Yeah, okay.
But a year or so ago, he got a hair graft,
you know, hair transplant done.
Oh, was it a turkey job?
No, he went to Pakistan.
He went to see his parents and then he got it done there.
And he came to this time
and he's got like a proper full head of hair now.
It's like really good. Even my dad turned around to me the other day says like you should consider that
You know, he looks really good. I said dad. I'll go if you go with me. We'll both go turkey
We'll get our hair done. We get liposuction done. We'll get like, you know, the full works
We get our teeth done. Hair and teeth. That's all you need hair and teeth
And talking of unnecessary surgical intervention, Andy how are you doing?
I don't even know where that link is. It was absolutely necessary to get that out of me. It slipped in too far. That wasn't unnecessary surgery.
Who knew the Statue of Liberty model was so, so inflexible when it came down to it?
Exactly. I thought that the Oscar was going to provide some sort of...
The Oscar is a beginner level Statue of Liberty, that's got some angles on it.
I really thought that magnet would work but you know.
The problem is I swallowed the magnet, that's the issue. It was pulling the wrong way.
Where are we going with this? What's going on today guys?
I thought I was the perverted one in this group.
I've been good. You know, I went on a crazy, the last few weeks, went on a crazy tier point run to re-qualify for gold status before the end of the tier point year. Yeah. Yeah, that was crazy because I was due to go out on the
day that Heathrow had all those issues. You know, remember they shut Heathrow?
Yeah. It's a chaos. Insurance job, wasn't it? Yeah, absolutely.
I suppose, yeah, some substation like 30 miles away caused the entire airport to shut.
There's a cleaner somewhere going, I'm sure I was okay to unplug that.
The label fell off which said do not switch off. Yeah exactly. Yeah no so yeah I there's a lot of
disruption obviously but it was part one of multiple flights and so obviously the airline
does have the obligation to rebook you
but I had nested flights so they weren't all on one ticket so it was an
extremely tight set of flights so yeah instead of going out from London to
Budapest direct I left the next day went by Frankfurt on Lufthansa instead so
obviously BA will rebook you on the next available flight
and it just happened to be Lufthansa 1.
Very terrible experience at Frankfurt airport and I'd say fuck the Germans.
I don't normally say that.
They were very rude.
Did not make it easy.
Absolutely hate that airport.
So I will not be doing that.
I literally, okay, so I had an hour to connect,
minimum connection time, okay?
We should have been alright.
Unfortunately, the flight was late
and I landed in one terminal.
Had to get to another terminal.
Yeah, and security was just absolute dicks about it as well.
There was literally no seat,
Jav playing the world's smallest violin.
It was, yeah, absolutely shocking.
I mean, I was full of food and champagne from the
lounge, trying to run. So delayed on a totally unnecessary flight. Exactly. And, uh, you know, it's
hard to run when you're that full of, um, you know, food. It's certainly hard to run in a straight line
after all that champagne. Exactly. And then, you know, after my first meal, I then, yeah, I barely made it.
Barely made it.
I was the last one on the plane.
The woman's jaw literally dropped as I came running around the corner.
The gate was already shut, but the bus had not yet departed.
So I managed to get on.
The guy who was driving the bus escorted me down as he was leaving for it as well, and made it on the flight. And very lovely stuff on the
airline though I will say that. So what I'm hearing is that Andy made his flight connection?
Yeah I did make it but I had to run I was dripping with sweat and I was too
hot to be drinking that champagne. Oh dear. It was not as enjoyable as it should have been. The big question then,
are you now qualified for gold for another year? I did re-qualify yes because honestly to do it
through BA now going forward is damn near impossible unless you're going to spend 25
grand a year on travel. They've gone to revenue base rather than points base though yeah so unfortunately
that the new way of doing it now, I need to switch to Finnair as my primary carrier. No way. And, uh,
credit flights that way. BA sent me a really nice email the other day saying, oh, you know, we changed
it, it's really easy, all you need to do is like eight trips to New York a year and you qualify
for silver, or like 30 trips to somewhere in Europe. Eight trips in business class as well. Yeah, exactly. Geez. Yeah, that's right, it's still possible to do it via
Finnair with not spending anywhere near that sort of money but yeah. So you have to fly on Finnair.
Yes, it has. You have to fly on Finnair.
Finnair is a very good product these days.
It's there.
Very good.
And I've not yet tried their lounge in Helsinki, but their lounge has got saunas in it, which
I'm looking forward to enjoying.
Ladies and gentlemen, if you just joined us, welcome to the host unknown air travel show.
But talking of sweaty naked men.
Tom, people can't see you.
Also known as going for gold.
For all the people who are going to remember that.
Yeah, exactly.
Sweaty old men. Yes.
I have asked him to leave the hotel room, but he's insisting to stay for some of the mini bars.
He didn't get his cuddle.
No, exactly. So yeah, I'm very good. I'm in Belfast at the moment. I was in Brussels last week.
I was somewhere else before, Cologne, the week before that. I was going to Paris next to it. I'm all over the place.
I'm sorry to hear about Paris. Yeah, exactly. At this rate I'm gonna hit bronze by the end of next year, so no doubt I'll go
to it. These short haul flights do add up. They do add up. Yeah, you only need 26 to actually get silver. 26 return flights on BA metal.
That's quite likely actually.
But the last time I was silver was 2015.
It just seems like such a backward step.
But yes otherwise very good doing lots of lots of traveling lots of talking lots of
Hotelling and stuff
Very much enjoying it
But as you can tell getting all three of us in the room at the same time given our busy schedules is
It's proven to be challenging to say the least
It is well, I mean I'm here. I'm happy to record solo
If you guys give me the password to upload and publish,
then I actually don't need you anymore.
Not a chance, mate.
You know, I'm just going to try a host unknown one,
and it's going to let me in, right?
Host unknown one, exclamation mark.
Don't tell him about the exclamation mark!
Oh, dear.
I'm talking of wild ways to improve your password.
Shall we see what's coming up for you today?
This week in InfoSec shows us that the wonderful industry known as cyber is not immune to April Fool's pranks.
Rant of the week warns of the dangers of using kinky sites.
Billy Big Balls is a master class in PR,
industry news is the latest and greatest security news stories
from around the world,
and tweet of the week is a reminder
to update your vernacular.
So let's move on to our favourite part of the show,
it's the part of the show that we like to call...
This week in Infosec...
It is that part of the show where we take a trip down Infosec memory lane with content liberated from the Today in InfoSec Twitter account and further afield.
And our first story takes us back a mere 26 years.
Oh damn.
Have we got it? Have we got it? There it is. A mere 26 years, when hackers changed the MIT
homepage to read "Disney to acquire MIT for six point nine billion dollars".
Obviously good for the lolz. Back in the late 90s people believed it because you
got your news online. Websites were still relatively new, not every company had one,
so those that
did have them, you would generally believe what was on there. A little harmless prank, I think, back in the day. That was still good.
in the day that was still good. Alas, our second story takes us back a mere 21 years to the 1st of April 2004 when the now ubiquitous Gmail service was launched
as an invitation only beta service.
And obviously at first it was met with skepticism due to the fact that it was being launched
on April Fools' Day, but the ease of use and speed that Gmail offered for a web-based email
service quickly converted people.
And obviously the fact that Gmail was invitation only for so long did help fuel that mystique,
and those that had an email address were obviously hip and uber cool. I was right. Yeah.
But then obviously those of us who are actually hip and uber cool didn't mind.
Of course, those types of things don't bother hip and uber cool people, which is what some people would say to...
But no, I dropped my Hotmail very quickly once Gmail came out. Yeah, because you're
not hip and uber cool. Because he doesn't... Yes, because he's not a Hotmail anymore.
We had an April Fools lined up for this year, didn't we? But we didn't pull the trigger.
No, because you got scared of Graham.
I didn't get scared of Graham.
I was just sensitive to not offending Graham.
See, I'm trying to be more empathetic
towards my fellow human beings, even if it is Graham.
Who are you and what have you done with Jav? Bloody hell! I mean, you're half the man he
was physically anyway now. I mean, I swear you are a different person. You are his younger,
better looking brother, aren't you?
I wish. I wish. Well, funnily, that's what my wife said to me the other day. On which note, let's move swiftly on, shall we?
This week in InfoSec.
People who prefer other security podcasts are statistically more likely to eject USB devices safely.
For those who live life dangerously, you're in good company with the award-winning Host Unknown podcast.
All right, let's move on to our next part of the show.
Let's get angry for...
So this is an article from the BBC, so it must be true. Kink and LGBT dating apps have exposed 1.5 million private user images online.
So researchers have discovered nearly one and a half million pictures from specialist dating apps,
many of which are explicit, presumably, being stored online without password protection,
leaving them vulnerable to hackers and extortionists
So I mean this would be this is bad enough for any website
Obviously people will go onto these kinds of websites
With I guess they would have a sense of feeling they have more to lose as a result of
being on said
websites because as we all know
Whilst one should never, you know, yuck someone's yum, as it were, people do feel
funny about this sort of stuff so this this automatically just falls into the
into the arena of the companies should know better.
So anyone with the link was able to view private photos
from five platforms developed by Mad Mobile.
Kink Sites, BDSM People, and Chica, and LGBT apps,
Pink, Brish, and Translove.
So for a developer, Mad Mobile,
you really have to recognize the market you're in.
I mean, even any dating site should be protecting
this kind of data very, very carefully.
And also this pushes back,
because I remember a few years ago,
I saw a talk by somebody who was a pen tester for
a number of adult sites.
And he said that adult sites were the one sort of segment of the industry where he never
found any problems because the adult sites took their security so seriously
that there was a one strike and you're out rule
for any developer who was found to be
developing a flawed code.
So I was really surprised to see this.
It seems like, well, basically anybody can now code
and get involved in the adult industry
or the alternative lifestyle industry and put people
at risk.
This was a real surprise to me.
But these services are used by an estimated 800,000 to 900,000 people around the world.
The best part was that Mad Mobile were warned about the security flaw on the 20th of January, but didn't do anything until
the BBC emailed them last week. What? What? I mean, that's that's like, go on, go on,
Andy.
So they were told, like literally, it was over three months, essentially. They sat on it. And they obviously fixed it very quickly.
Yeah. Three months.
They've since fixed it, but not said how it happened
or why they had failed to protect the sensitive images.
So I think every website that contains
any kind of personal data has a real duty of care
to its people.
But certainly, even if we just put aside the, you know, the kink and BDSM sides,
the LGBT apps like Pink and Brish and Translove, they are people who are potentially very vulnerable.
They are in certain countries, it's illegal and punishable by death. In other countries it's very much a very bad thing to admit to or
to be found out to be a part of that group. And for many of these people, families and
loved ones don't even know about their sexuality or what they're going through. So to have
this kind of duty of care just ignored by Mad Mobile is just a shocking,
shocking dereliction of duty.
And I do hope that people will vote with their feet
because there are many other sites out there
that will cater for these people.
But to put people's, potentially to put people's lives
in danger as a result of these breaches is terrible.
Not least because a million and a half photos being just spread out onto the internet without
people's consent, against their will and without their knowledge is shocking.
I've got nothing else to say on this. I'm just really pissed off at Mad Mobile for
treating people like this. And so I guess the other thing where this can come into it, obviously we know like the US is going through a complete, who knows what's going on over there.
So they can, so the information they have now, like when you enter the country and the stuff they can find out on people
So there is lots of tools out there
I work for an organization that does deep dive into people as well sort of personal investigations
Where they can actually link,
you know, social media accounts and, you know, all this. You link so much stuff. If you imagine Maltego
on steroids, it's like that. But even further, there's going to be a lot of countries that
could potentially do this. And not just the countries that you typically think of as being
dangerous to enter. The US, for example, you go to the deep south in the US, they don't like that, you know, they can map your name to all kinds of different things very quickly these days with the technology that's out there.
Let's face it, you know, the Americans have already published a book on their plans for the US. I think it was called what the Handmaid's Tale?
Yeah. So I think what we're at a point right now is... We're at that stage just before the Thunderdome. Yes. So Thunderdome comes what 2027? We're in that build-up stage. This is like
what's happening before. This is how we get to the that's right
I and and you know what Tina was wrong. We do need another hero. Yes. Yes
But what it is, we've done, what,
somewhere between 213 and 217 episodes
where Tom's rant, and
a lot of time it's against a company that's had a breach of some sort.
And he's always like, need to do better, need to do better.
And I think by now we should just admit
that no one's gonna do better.
So my suggestion is, you know, there was this website,
I can't, or a Chrome plugin extension,
it would generate random traffic on your,
like do random searches,
so that you couldn't be profiled as well.
So just adding noise into your thing.
What we need to do is everyone needs to upload a picture
to a certain website and it generates millions and millions
of random photos of you. Some of them make
it look like you're into some kinks on some website, some of it looks like you're a farmer,
some of it looks like you're right wing, some of it makes it look like you're left wing
and all this. So you just flood the internet with so much noise about every individual
that whenever a breach does occur, everyone's like, yeah, it's probably one of those fake
images and no one cares. Yeah, but that's where historical data then becomes more valuable.
Yeah, we just need to find a way of burning the power station, the power substation that powers
the Wayback Machine. We need our own DOGE, like our own department to go into all these companies
and purge
historical data. That's a great idea. I'll be setting up the group on WhatsApp as soon as this call is over. Our own DOGE.
Um, there's a joke in here about,
you know, refuting the fact that that's a naked image of you because I'm not that big.
You know, that's, that's probably...
well, I did. I did see this the other the other day, and I might have shared it with you, Andy.
But there's apparently someone suggested this as a loophole,
that if you want to write a book or make a movie about somebody
and you're worried that they're going to sue you, you include in the description
that they had a very small manhood. And then that way, if that person then objects and says,
this is based on me, they're also admitting. Well, that took a turn. That took a turn. All right, that was this week's.
Rant of the week.
If good security content were bottled like ketchup, this podcast would be the watery
juice which comes out when you don't shake properly. Blah. In a niche of our own, you're listening
to the award-winning Host Unknown podcast.
And talking of disappointingly sized members
of Host Unknown, Jav, over to you for...
Billy Big Balls of the Week.
Yes, yes, yes. So this is an absolute masterclass, I think. And sorry, so I think that's a subconscious thing. So as no one can see, Jav, apart from
myself and Tom, but he's opened his hands as if he's got a giant whopper in his hand.
As he's talking, he's subconsciously expanding his hands as wide as they go off the screen.
I'm doing the invisible accordion.
Yes sir.
I once had a penis this big.
Oh dear.
Anyway.
Don't worry.
Even a tic-tac can hurt when it hits you at 60 miles an hour, Jav.
I've never seen Jav move at 60 miles an hour.
Well you know, keep watching, one day you might you know, snafus in the past.
So if you remember back in 2016, it was disclosed that Yahoo had taken about three years to
disclose breaches that occurred in 2013 and 2014.
So it's really hard to know which breach Yahoo talks about. So is this a new one?
Just look at the new one. Yeah, no, just look at the employment history of Alex Stamos.
Right, can you bleep that name out? I don't want to get sued right I'm not
No, it was an unrelated comment. Yeah, the two are not related. Yeah, so that document which says
latest breach dot new final version V3. All I'll say with regards to that beeped out name, correlation does not equal causation.
So I'm not booping anything out.
It can come on and refute.
So these days we see organizations, sometimes they just choose not to publicly address their
issues. They quickly self-refer to the regulator, send a few letters out to those affected and
pass the bare minimum. And so you know they're not going to get any brownie
points for transparency but you know it doesn't bring about any long-term
criticism either. It's like you've done the bare minimum.
Now a few weeks ago, it was alleged
that Oracle had suffered not one but two huge breaches.
And this is where the big balls comes in.
I don't know whether they don't have anyone in PR
or they've got the best PR people in the world.
Could be either.
But they just issued a flat out denial. What?
Even though there's data out there and customers have verified when journalists have gone to
them saying like here's some extracted data, say yes it is us. And to make matters worse, they try to swerve around with some
very carefully worded statements. The original denial stated, there has been no breach of
Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud
customers experience a breach or loss of any data.
And this reminds me of like comical Ali from the Gulf War. Yes.
Where he's standing there like, you know,
we have air superiority and behind him the air force.
Air strikes coming in, blowing up buildings.
Everything's under control.
Exactly.
We have driven the Western dogs from the cities
a tank stop.
Yeah.
Yes.
And what's even worse, and this I think
is not something I've seen from a big company.
I've not seen it anywhere, but Kevin Beaumont and Jake Williams,
also known as GossiTheDog and MalwareJake,
well, at least that's what their handles on X used to be.
I don't know which platform they're on now.
But they both claimed that Oracle appears to have used
the internet way back machines archive exclusion process
to remove evidence about the intrusion.
Billy Big Balls.
See, this goes to show, if you have the resource and the money, you can scrub.
So, this dude, Larry Ellison, right? He's a big fan of Trump.
Yes. Yeah, he would be. He's that type of person.
Well, he is. He's been on stage a number of times, but this whole
denial...
He's got no qualification either. He's one of those guys that never left university early like...
Yeah, that doesn't bother me so much.
Oh, no, it doesn't bother me. No, I'm saying it's one of the big things. He talks at universities
and does that sort of stuff.
Oh, I see. Yeah, yeah, one says, why you coming here?
Pretty much. Yeah, it's like, look at the person to the left of you, loser. Look at the person to the right of you, loser.
Yeah, exactly. This guy. I mean he's, he's an... I like him. I like him already.
I'm seeing right now
So this kind of attitude is really does filter down into the culture, right?
Fake news.
And that's exactly what's coming across here is, you know, we're too big to fail.
Nobody's going to tell us what we've done or what we've not done.
I find it vile.
And it's taking, it's becoming more common, which I think is really sad.
Yeah.
So one thing I read, and I'm not going to go down a rabbit hole here, but I found out
about the PayPal Mafia the other day.
Are you guys familiar with them?
No, do go ahead.
No.
Okay, so they're a former group of PayPal employees or founders, and because they all got really rich...
They went up together, yeah.
They went off and they've, so Peter...
It's what we could be if we actually got on with each other instead of trying to take each other down every time someone gets a step up.
Yes, yes. So Elon Musk, Peter Thiel, all these kind of people, they went on and founded like
Facebook, investors in Facebook and LinkedIn and all these sort of things. And then when
you start piecing that together, now it makes sense why so many nerds are in such high positions and why they're so
politically aligned in many ways as well and and in fact like I was reading about how the now
vice president JD Vance was actually mentored by
many members of the PayPal Mafia and
really kind of... so like I said, I don't want to go down a rabbit hole, but I think it's really good reading. So homework for you, Tom, and
Listener is to go research on the the PayPal Mafia and I think it's it's fascinating. So you got Palantir as well
Yes Palantir. Yes
Yes, Russel Simmons who later co-founded Yelp after
PayPal. That went well for him. So really we need to be less like Peter Thiel and more like
Steve Wozniak. No I mean he's... that's how I feel we should be. Why? I mean that's like just like that.
You can be morally right or you can be rich. Steve Wozniak is insanely rich
and also a really good guy.
I don't know.
Steve Jobs maybe.
If you said Steve Jobs, I'd go with that.
Be a bit of an asshole behind closed doors
but a good charismatic on stage.
I could go with that. Steve Wozniak anyway that was this week's
Billy Big Balls of the week
there is an advantage to having control of the jingles. Bored of this, wanna move on?
30% nostalgic, 30% ranty, 30% ballsy,
and 30% terrible at maths. You're listening to the award-winning
Host Unknown Podcast.
And talking of getting bored, let's try and move things along before our audience gets
bored and decides we've spent too much time on this.
And talking of time, Andy, what time is it?
It is that time of the show where we head over to our news sources over at the InfoSec
PA Newswire who have been very busy bringing us the latest and greatest security news from
around the globe.
Google to switch on end-to-end encryption for all Gmail users.
ICO apologizes after data protection response snafu.
Industry News
North Korea's fake IT worker scheme sets sights on Europe.
Industry News
Royal Mail investigates data breach affecting supplier.
Industry News
Stripe API skimming campaign unveils new techniques for theft.
Industry News
Over half of attacks on electricity and water firms are destructive.
Industry News
Amateur hacker leverages Russian bulletproof hosting server to spread malware.
Industry News
CrushFTP vulnerability exploited following disclosure issues.
Industry News
Major online platform for child exploitation dismantled.
Industry News
And that was this week's
Industry News
Huge if true. Huge if true
Huge if true
Hang on here
Google have only just switched on end to end encryption
I thought everything was end to end encrypted now
No, so they've just been monetising everything in your mailbox there
They read the content and still profile you and stuff like that
I'm glad I just used my
They're going to figure out how to do that now
with the encryption enabled. Yeah, yeah, yeah, I just use my Gmail account for all my junk
accounts, you know, for all this stuff. I'll sign up here for right sticky Gmail. Yeah,
I use mine to sign up to those kinky BDSM sites. Yeah, all my photos. Yeah, I use your account as well, Tom. No, that was Andy who said that, not Tom.
No I said I use your email to sign up for my junk as well that's what I meant. Oh right yes you do except you use my other
account. I keep on getting receipts for your meals in Florida and stuff like that. It's very weird. Mind
you, my expenses have never looked so good.
Yeah. But do you think Google is enabling to allow their ads to view it and also the
British government because inevitably they're going to ask for a back door as well?
Absolutely. Yeah. You got to trust the government these days. Anyway, so I'm looking at some of these stories.
So this CrushFTP one. So I've got personal issues with CrushFTP anyway.
Which I won't go into. However, so this one, a critical authentication bypass vulnerability in CrushFTP
with a 9.8 CVSS severity score
was actively exploited.
They're saying following a mishandled disclosure process.
Essentially what happened, security analysts at Outpost24 said they discovered
the vulnerability, gave notification,
and told Crush that you've got 90 days before we go public.
Very responsible. However, they're saying
the disclosure process was disrupted when another party allegedly published a separate
CVE without consulting anyone and just published it. And so the vulnerability went wide. So,
I mean, to me, this is just like another group winning like Leroy Jenkins, right? I wouldn't
call this a failing in the disclosure process.
This is like the vulnerability was there and someone else also stumbled across it and didn't
have the same reporting ideas as Outpost 24.
Yeah. Yeah. But that doesn't make for an interesting headline, does it?
No, it doesn't.
This is terrific. I like the ICO apologizes after data protection response snafu,
which is basically their response time is so terrible,
which is why over the last few weeks on these various road shows we've been doing,
I've just been describing being fined by the ICO is like being savaged by a dead sheep.
I mean, it's just nothing seems to happen or come out of it.
Oh.
That's a bit harsh.
Is it?
I mean, if you think about how many websites,
every week we're talking about someone losing data,
getting exploited.
Do you think that fining people every week
is gonna make a difference?
You know that scene in Bruce Almighty where he's tapping away? You can have that. That's
how they should be. Right, 500,000, 10,000, 100,000, 2 million. Just get out there.
But then you've got to deal with the fallout of all the legal challenges that come back
the other way. That's for tomorrow.
Let's just empty the entrails today.
I mean, I saw the last rate. It's a nice, it's a good news story, but it's horrific when you look at the details of the child exploitation platform that's been taken down. It's called
KidFlix and it had 1.8 million registered users.
What? Registered users?
It had been operating since 2021.
Investigation started in 22. It had over 91,000 unique videos.
With the average-
It is, right? At this point, with that name,
they're not even trying to hide it.
No, no. It was primarily Belveria.
They did the investigation.
Belveria? Is that a borough of London?
It would be German and Dutch.
Oh, Bavaria. German and Dutch. Bavaria. Bavaria.
I don't know where the L came from
I was wondering whether it's like yeah
Bavaria
Bavaria yeah, it's Bavaria
Yeah, but
the they've
The crackdown led to the seizure of more than 3,000 electronic devices and the protection
of 39 children.
Also 79 individuals have been arrested.
Out of however many thousands of registered users.
It's still something.
I mean it's good, don't get me wrong. It's whittling away at it, but it's just so...
It's also sad as to how
widespread and big and how many sick people there are out there.
Yeah.
Yeah.
Just to like, you know, just the last one. The North Korea's fake IT worker scheme sets sights on Europe, and no mention of my amazing podcast with the Cyber
Sisters, which I went into great detail about, which was actually really well, if you haven't
seen it, I do recommend you go watch it. It was really well produced and put together.
And they even cut out all my ums and ahs and awkward pauses,
so Tom, you could maybe learn something from them when you edit this.
True. I could but I won't.
No.
I could.
On which note, let's move on. That was this week's...
Industry News. The Host Unknown Podcast, orally delivering the warm and fuzzy feeling you get when you
pee yourself. Right Andy, why don't you take us home with this week's Tweet of the Week, and we always play that one twice.
Tweet of the Week. And this week's Tweet of the Week does actually come from the previously mentioned
Malware Jake, aka Jake Williams. It's actually getting really difficult to find just regular
tweets on Twitter now. When you log in, it's literally lots of right-wing content, lots of violent videos. I never thought I'd say that. It's like, it's almost like
it's trying to get your blood boiling when you scroll down the page, people
getting beaten up for no reason, that sort of stuff. So yeah, no need to leave
X Twitter. It does, absolutely, yeah, absolutely. Let's go to Bluesky. Bluesky. Bluesky.
So we're going to do Bluesky.
Okay.
Okay.
I just need to log into Bluesky.
So what do we call it?
Bluey of the week.
Or...
Bluey of the week.
Or Bonnie Blue of the week.
Bonnie Blue of the week.
Alas, back to Jake.
He says it's 2025.
Please stop using the terms whitelisting and blacklisting.
Yes, I know many of these terms were acceptable when you were growing up. Using them today
shows you are unable to adapt to change and in high change environments like cyber, that's
not a good look. And it's prompted a very interesting discussion. I think it is one
of these things where vernacular does change. Unfortunately I'm not logging into Twitter
on that machine, so I can't even read the comments for the very story that I just...
Actually, we know why you want to move off X. It's because you've only got one machine that can log into it,
because you've forgotten your password. It's true. It is absolutely true. And I
can't reset the password because my Gmail account needs MFA and that authenticator app is on a different phone.
So you know I am very limited as to how I can log into it. So as a result of Andy's utter
incompetence at personal cyber security. I can figure it out. I'm just going to migrate stuff. I can do it. It's just going to take some time, right?
I mean, what do you guys use instead of whitelisting and blacklisting? What do you guys use?
Blocklist instead of blacklist. Blocklist and allow list?
Yeah, that's becoming a common one.
Yeah.
It's difficult.
It's difficult. When you've had something for so long, to then switch.
There is that. I think there's also the intent behind things an awful lot.
And obviously, with the way the world is moving today, a lot of
malicious intent is put into words, whereas, you know, the three of us for example would never use
whitelist and blacklist with anything other than a technical background as the thought. And would not even entertain
the thought of it being anything
other than that.
But...
With a younger generation
that has grown up differently
in a different thought.
Exactly.
But
words change.
Words have meaning and impact.
And if we don't
adopt change,
then we are the problem rather than actually trying
to support the people it affects.
Allow list, deny list.
So as a result of this, I think also this would make
a good April Fools' tweet, but the conference formerly known as Black Hat
is now gonna be known as Block Hat or Deny Hat.
Well, there you go, right?
I mean, you got that issue as well.
You got Black Hat and White Hat hackers, right?
It's exactly the same principle.
I'm not saying that that's right or wrong either,
but this logic would apply to the name of Black Hat.
Yeah.
And where do we stand on rainbow tables
just out of interest?
Well, that's a good one.
And because the US is now removing DEI from everything,
we have to call them spectrum tables from now on. Although then... No, no, no. The autistics want to have a word with you about that.
Exactly, exactly. Well, they might not make eye contact when they tell me that, but...
And you'll learn an awful lot about trains in the meantime as well.
Oh, man.
Why? Why? Why?
Back with a bang!
Great last show everyone.
What a way to go out.
So, in defending race we've now offended every other...
I bet it's going to be a woman that complains as well, right?
A trans woman!
I am beeping that fucker out.
No, please, just delete this whole section.
Just delete.
Okay, look, I think, but the point is, I think that, you know, there is, like, the whole
blacklist, whitelist, you know, to allow list, deny list, there was never any intent behind
it. To us, it has always been a technical term. Yes, we will adapt that, you know, that's
the new vernacular. We'll actually take that on board. But forgive us if it sometimes slips
out. But there will be a correction. Yeah, when, you know, when pointed out or when we
realize. Yes, exactly. I mean, looking at some of the replies,
there's lots of people that disagree.
I mean, there's someone saying,
I want to know who asked for this change in language
because the people of colour I know in the industry
don't feel the need to change vocabulary.
Someone else said, these terms have nothing to do with racism.
It's about good and evil, light and shadow, if you will,
trying to turn it into racism in order to divert your signal
feels disconnected and disingenuous.
And I think there's stuff.
I think that's a valid point as well.
I think a lot of people have been using these terms for a long time.
I suppose that's Jake's point, that you need to be adaptive.
But sometimes there are better battles to fight, some better things to put
your energy behind.
I just don't feel it's one of those things that really needs a lot of energy put behind
it.
You just change the terms, update your documentation and just move on.
You don't need to make a big song and dance about it.
Yeah, yeah, yeah.
Because the little things do add up.
I mean, just like British Airways air miles, right?
Yeah.
Those points do add up to bronze eventually.
But yeah, you've got to make these small changes.
But let's not just dwell on it.
Let's not spend 10 minutes of a section of a distinctly
second rate,
cybersecurity podcast on this subject.
Agreed, fantastic, right.
Tweet of the week.
Well, on that note, I think we put the world to rights
without a shadow of a doubt.
Gentlemen, thank you very much indeed.
Jav, thank you very much indeed. Jav, thank you so
much for your contributions and especially into, well into, I already want to say blacklist and
whitelist, the thing, the other thing that we're calling it. So thank you very much. Deny list,
that's the one, yes. Thank you very much.
You're welcome. Just out of curiosity, what would you say the colour of my beard is, Tom?
Salt and pepper.
Salt and pepper.
Definitely white and grey.
White and grey.
So that's ageist and racist?
Racist, yeah. It's like a black and white on a bed of brown.
Ah ha ha ha ha ha!
That is beautiful.
That is beautiful.
Oh, we call it a salt list and a pepper list.
And then like...
Oh, I love it!
Yeah, but then what about hashing and salting?
Oh. Because hash browns are brown.
Are they? They're not really. Hash is a drug.
Do you know what? I've got a call in five minutes. Okay then. Thank you so much Tom. It's been a
pleasure and I'm glad we all agreed on something in the end.
Maybe this could be us. This could be the turning point for us.
You know, three years from now, this will be that canon event where like the host unknown mafia got founded.
And we're all CEOs. Powerful.
Of the Thunderdome.
Of the Thunderdome.
And talking of heroes we don't need.
Andy, thank you very much.
Stay secure, my friends.
Stay secure.
Stay secure. Comment and subscribe. If you hated it, please leave your best insults on our Reddit channel, r slash smashing security. I am worried now that people are not
gonna understand that that last part was all humour, and I'm just gonna update my CV.
Do you think people look at us and really take what we say seriously?
Yeah.
Well, it was three years ago when that guy, he went off on one about joking about Russia.
When you know, what do we say?
When the Ukraine-Russia war kicked off and some guy went off on one.
I cannot remember that.
We actually got someone that commented
and said something. Oh, he left. He said he would never listen to us again. Yeah, but we
all know Graham still does listen to us. I'll find it. I'm going to have to find it. It's
easy to know. You are going to have to find that. I have no recollection of that. What
did we say? It was something about, you know, woke up in Ukraine and wondered why the sun was rising
at two in the morning or something like that.
Oh, we made a joke.
Oddly specific, a very good memory, Andy.
Well, it's because I thought it was a funny joke, right?
To get someone so wound up about that.
Wow.
Yeah, who knows.