The Host Unknown Podcast - Episode 223: The never-ending train journey episode

Episode Date: June 19, 2025

11th June 1986: Ferris Bueller's Day Off was released. https://x.com/todayininfosec/status/1932838235102716317

13th June 1994: A Russian hacker group led by Vladimir Levin stole $10.7 million from Citibank via X.25, in what was the first international bank robbery over a network to be made public. Levin was caught in London in 1995 and sentenced in the US to 3 years in prison in 1998. https://x.com/todayininfosec/status/1933504310643773697

“Localhost tracking” explained. It could cost Meta 32 billion.

Wanted: Junior cybersecurity staff with 10 years' experience and a PhD

Industry News
#Infosec2025: Top Six Cyber Trends CISOs Need to Know
Half of Mobile Users Now Face Daily Scams
Researcher Finds Five Zero-Days and 20+ Misconfigurations in Salesforce Cloud
Hands-On Skills Now Key to Landing Your First Cyber Role
Phishing Alert as Erie Insurance Reveals Cyber “Event”
Europol Says Criminal Demand for Data is “Skyrocketing”
NIST Publishes New Zero Trust Implementation Guidance
Microsoft 365 Copilot: New Zero-Click AI Vulnerability Allows Corporate Data Theft
European Journalists Targeted by Paragon Spyware, Citizen Lab Confirms

Tweet of the week: https://bsky.app/profile/brianhonan.bsky.social/post/3lrilyd7rpk2m

Come on! Like and bloody well subscribe!

Transcript
Starting point is 00:00:00 Next week I'm away but the week after I can do most days apart from Wednesday 25th I'm at some shaping the future cyber AI risk event. Oh yeah I tried to apply for that I couldn't get tickets. Hmm. Well hopefully we can. I've got my wait list for it. Yeah never mind. Yeah I don't even know who's speaking there is anyone interested? I haven't actually checked out the speaker list yet.
Starting point is 00:00:27 Oh, I've got an email about that. Oh, I'm speaking there. I'm the opening keynote. Yeah, I'm busy that day. Hello, hello, hello. Good morning, good afternoon, good evening to everybody here, to all of our listeners and law enforcement alike. I trust everybody is doing well. Welcome to the Host Unknown podcast.
Starting point is 00:01:00 It is episode... it is episode... 223! 219 of the Host Unknown podcast. Welcome along, one and all. And in fact you only found out the other day Andy that we've still got episode one up, which you found very odd. Oh man, Richard. So these numbers are all off, that's all I'm saying. We're going to need to re-change. No, they're not off because I've got the original ones in there. What you would call episode one, Andy would call episode minus four I think
Starting point is 00:01:33 by the numbering convention. Yeah, I mean that's fair. The test card. Yeah, but they're still the same correct number of them. But then we are missing episodes 2, 3 and 4a. 2, 3 and 4a? Yeah, we're missing 2 because that was the original one. Was 3 the one 7 years later or whatever it was? No, that's 4b. I'm serious, that is actually up there, S4B. I went back through the archive. He blew the dust off the old tape recordings. Dear me. And talking of blowing dust off things, Jav, how are you? I am not blowing dust off anything, I'm young and healthy and...
Starting point is 00:02:24 Can you just tell us how it's not been used for ages recently On my vinyl record player. Yeah. Yes. Yeah, that's right. That's right It's going good I was trying to think um, it's been a quick week because I had Monday off and So I was actually a bit surprised when last night you guys were like I can't do early like I can't do like 7 a.m. No that was Andy. Yeah Andy says I can do after work like at 8 tomorrow and I was like why are they talking about the podcast so early they're not very very like you know. It's Wednesday today. Yeah it's Wednesday exactly so so then I was like oh no it is so then I just rolled with it as I do as
Starting point is 00:03:06 if like yes I was paying attention to everything yeah yeah I know it does that to you it does that to you talking of Roly with it um Mr Roly how are you sir I'm all good I um I was out of the country this week for a change oh really why are you guys So for work I went to Cardiff in Wales. Oh I went to another country. I am so so sorry. Oh no. Do you know what it's one of these things there's engineering works going on the line at the moment some emergency maintenance as I understand it. Yeah. So the train's going via Gloucester. Oh god. It is a pain in the arse. It's like literally over five hours door to door
Starting point is 00:03:47 shit from Paddington? No my door here but yeah but it is it you do go via Paddington takes me about just over an hour and a half to get to Paddington. You know there's this guy I'm following on TikTok and I might have shared one of his videos with you but he was in Manchester one day and he wanted to come back to London and on the day train tickets were like 220 quid yeah he booked a cheap flight it was like 20 quid to Iceland yeah the day there and then he flew back to London yeah so it's like you can do it like and there's other people there's some woman that had to pick up a car in Derby and she did similar where like to get the train up to buy this car was absolutely ridiculous.
Starting point is 00:04:28 So she basically went via Ibiza, spent the day in Ibiza and then flew into East Midlands Airport. Cheers. It was just cheaper than a train fare would have been. It's just ridiculous. It's ridiculous. Yeah. If you just joined us, this is the old men talking about rail travel in the good old days when it was all steam. Old men talking about the young men. But anyway, how was Welsh Wales?
Starting point is 00:04:50 I was there very briefly, so I got there late. So I left after work, got there about half nine in the evening. They didn't have a copy of my reservation at the hotel. No. And I know it was there because I booked it myself. Yeah. And yes. Did you have an email confirmation?
Starting point is 00:05:08 No, and this was the issue, right? So when I booked it, the lady actually said, look, I can't get you an email confirmation because our systems are down. Which is true, I took a screenshot so I tried the online platform first, she said, but you know, I promise you, all your stuff's there, my name is whatever. like okay cool I shall reference that got there four different
Starting point is 00:05:30 members of staff could not find my reservation they were like are you sure it's here and I'm like you know I mean I'm not in the mood for this. Was it a well-known brand? Did Lenny Henry sleep there? No it was no it's actually it's a pretty decent hotel it's part of a Celtic heritage collection. It must be if they had at least four members of staff there ready to help you. At 9.30 at night? Yeah well not just they then had to get someone else called Ryan thanks Ryan who came. I was like my guy look so I was like you actually called me back from this number
Starting point is 00:06:05 to confirm the reservation at this time yesterday. And he was like, oh, he's like, that's Central's reservations numbers. Let me go and check something. He went out back, he's like, found the details on a shared Excel spreadsheet that we have. Jesus Christ. Okay, that's great. But he upgraded me as an apology. See, so you, you got a twin bedroom rather than a single. Exactly. No, I got a king size room. But you know, the worst thing about the upgrade and this is me being ungrateful, the room is much bigger, has a huge sofa in it, did not have a desk. Whereas the single rooms have a desk. And, uh,
Starting point is 00:06:40 you know when you need to do that last minute presentation, rework the night before? Oh, I thought you were talking about having somewhere to browse one handed with. No, I'm sad. No time for that on a night before a presentation. But yeah, no, I mean it was Wales. Had it not gone via Gloucester, Tom, have you know swung by your place on the way back. Yeah so was I here on Wednesday? I can't even remember this week's just been so much of a blur. No I was in Reading all day Wednesday. Oh okay. So yeah. Well do you know I actually passed through Reading at some point. Yeah most people do. Could have timed it and done a
Starting point is 00:07:24 sliding doors moment on the train. Yeah, that's right. I'll be what's-her-face. You can be the other fella. That would have been funny if I could remember the names of the actors. Was it Gwyneth Paltrow? Gwyneth Paltrow. And who's the fella that she was with? I don't know. I've not actually seen the film. I just remember from the trailer. You just used the reference yeah look no one has time to watch stuff when when your source of knowledge is from memes that I'll take it like yeah the longest film you've watched recently is 24 seconds yeah which was actually just a load of 8
Starting point is 00:07:59 second VO AI stitches put together honestly some of them are so good they're better than actual stuff, but also what's scary is that I Saw one the other day. It was like a National Guard soldier and first he's doing a selfie. We've been deployed air to LA guys We're gonna like, you know ruffle up some feathers and this at the other. And then he's in the, then the second clip is him in the middle and like, guys, they're selling balloons filled with like sand and oil at us and like, can't see shit and like, we've got to retaliate. And it's clearly done by.
Starting point is 00:08:36 Generated in Rio. Yeah. And you know, whoever done it was probably thought it was a funny or whatever thing. But the comments, the comments the comments like people were just so angry you're the reason this country's so bad you should be ashamed of yourself you should never go up even thank you for your service Bob stay safe yeah it was just like and so many people like this is AI you know
Starting point is 00:08:57 this is AI you know this is it but I don't know people don't people are on the edge they just like when they do these news anchors They look realistic and the only way you can tell like now is that if it's if the scene changes after eight seconds Yes, like that's the only way you can tell it's definitely AI for sure They get like when I'm older. I'm gonna get fooled by AI 100% Yeah, now you've got fooled by whatever the next AI will be. Yeah. The next thing.
Starting point is 00:09:27 Yeah, it wasn't like this in my day. You could tell with AI, but with this newfangled, I don't know, cyber brain thing. Oh, dear. Oh, man, talking of cyber brain things, Tom. Ah, come on. I like that one. That's good.
Starting point is 00:09:44 I'll be the cyberbrain of the group Missing cyberbrain. Missing smooth cyberbrain. I'm very good. Yes sir. Mostly at home this week. It's been quite quiet but yeah up in London. Sorry up in Reading on Wednesday. Reading on Wednesday. I'm going to be up in London three days next week actually. But busy all three nights unfortunately. But my daughter's got a showcase that she's doing for the end of the year of a university, first year university, so that'll be fun. And it's Chippenham Pride.
Starting point is 00:10:20 So I can get my big gay socks on and go out and get out on the march tomorrow. The interesting thing being they said the march is on, or the parade is on, for an hour and a half. And it's between these two points in the town, which if you walked it would take maybe 40 seconds. I have no idea why it's going to take an hour and a half. Maybe we're all just you know slow marching like in the New Orleans funerals type thing. Or maybe take the long way round. You're going right around the other side. Maybe, maybe. I don't know. It did seem a little odd but we shall see. Talking of weird and nonsensical odd things, shall we see what we've got coming up for you today? This week in InfoSec gives us all a little...
Starting point is 00:11:17 Rant of the week proves that nothing is off the table for our favourite lizard king. Billy Big Balls is making the problem, highlighting the problem, and then charging money to solve the problem. Industry News is the latest and greatest security news story from around the world and Tweet of the Week asks, are you feeling lucky punk? So let's move on to our favorite part of the show, it's the part of the show that we like to call. our favorite part of the show. It's the part of the show that we like to call... This Week in Infosec It is that part of the show where we take a trip down Infosec memory lane with content liberated from the Today in Infosec Twitter account and further afield. And today our first story takes us
Starting point is 00:12:06 back a mere 39 years. Sorry, how many? A mere 39, he said, 39 years. Yeah, thank you. I was so on it up to that point. To the 11th of June 1986 when Ferris Bueller's Day Off was released and if you didn't get it from Tom's intro coming up today that is that song. Oh yeah. It's called The Something Racer by Yellow. By Yellow indeed. I have a CD single of that. Well a CD's not bad, at least it's not 8 track. Yeah. I have a CD single of that. Well CD's not bad at least it's not you know 8-track. Yeah. So what did he do? Remotely hacked school's computer, socially engineered school principal, socially engineered restaurant staff, couldn't roll back an analogue odometer though. So I think this is one of the
Starting point is 00:13:06 early examples of a hacker movie we say 39 years ago. He also did fool his parents as well didn't he because he rigged up a little physical security charade thing. Lots of social engineering with a bit of a little bit of tech in there. Yeah, old school hacking for the internet. But for all his tricks, he did hit hard stop when he had to cover his tracks the analog way. With obviously the car odometer, where he took out his friend's dad's Ferrari 1959 GT California. And put some miles on the clock and then couldn't figure out how
Starting point is 00:13:46 to turn the clock back so even the slickest operator has his limit. You'd think someone would know how to do that. But then again you wouldn't have much of a story would you? No indeed. Alas our second story takes us back a mere 31 years to the year that I was born. 13th of June 1994, a Russian hacker group led by Vladimir Levin stole 10.7 million dollars from Citibank via an X25 in what was the first international bank robbery over a network to be made public. Levin was eventually caught in London in 1995 and sentenced in the US to three years in prison in 1998. So obviously back in 94 Levin, he was a Russian biochemist turned hacker, as lots of Russians appear to be, somehow found himself deep inside Citibank's global fund transfer system. Sorry, a lot of Russians are biochemists or hackers?
Starting point is 00:14:47 Both. Okay. I think it's part of their national service. That's true, yeah. Yeah. But yeah, it wasn't through any sort of Hollywood style supercomputer hack, but he simply just exploited a creaky old protocol called X25, which banks used before the internet went mainstream.
Starting point is 00:15:04 And it was over a few months it's actually happening he managed to transfer 10.7 million in total out of Citibank accounts and into bank accounts around the world. It's an X25 serial based protocol or something like that because you could run it over the serial port. As I say I was born in 94 Tom I wouldn't know. 94. Yeah. So was he a genius coder? Not really. He was actually working with others who had already done the hard part as in breaking in and handing over the access. Levin just happens to be the guy who clicked transfer from the outside and he was arrested at Heathrow Airport
Starting point is 00:15:39 whilst traveling, extradited to the US and then sentenced to only three years in prison. Citibank clawed some of the money back, not all of it though, so it's three years worth it. But no two-factual authentication, no behavioural monitoring, no network segmentation. Even existed at the time. Yeah, exactly. Even existed at the time. In 86. Yeah, so.
Starting point is 00:16:04 And talking of existing at the time... 94. Not 86, 94. 1994, you may have been short, fat, bald and cuddly looking, but you weren't a baby. Lies. Lies. Year of my birth. When we were saying June, I was only just...
Starting point is 00:16:21 I was a month old. Very good. I can tell you had a tough paper round. I was only just, I was a month old. Thank you. I can tell you had a tough paper round. Excellent, thank you Andy. That was this week's. This week in InfoServe. Are you not entertained? What?
Starting point is 00:16:43 The judges were. You're listening to Europe's most entertaining content. Bro, what are you talking entertained? What? The judges were. You're listening to Europe's most entertaining content. Bro, what are you talking about man? The Host Unknown Podcast. Right, let's move on. Let's get to the angry part. Listen up! Rent of the week. It's time to motherf***ing rage! So there's a thing apparently called local host tracking, local host being your host, i.e. TCPIP version 4 127.0.0.1 and thereby expires my TCPIP knowledge. But nonetheless... Can you translate it for those of us that learn IPv6?
Starting point is 00:17:23 IPv6? I could, yes. IPv4 is a bit before my time. I could, yeah, but it's not really relevant these days. You've got to learn these things for yourself, right? You do, yeah. Otherwise, it'll never sink in. If people say the answers all the time. Exactly.
Starting point is 00:17:38 I think there's an A and an E and a two in there, something like that. I can't remember anyway but some but local host tracking explained and it could cost our favorite company meta 32 billion that's where the B billion dollars chump change although it won't it won't cost them that at all because we all know but yes our favorite lizard Kings company meta Our favorite Lizard King's company Meta has devised an ingenious system, and I would put that in inverted commas, that bypasses Android's sandbox protections to identify you while browsing on your mobile device. So bottom line is you can tell your mobile, in fact any computing device, that you wish to remain anonymous and you don't wish to send any tracking information and you can do this through
Starting point is 00:18:30 not accepting any cookies, not connecting in through a VPN, going into incognito mode so there's no record of where you've been, etc. So even if you've used all of these VPN, incognito mode, no cookies etc Meta found a way that it could still identify you so Meta faces simultaneous and this is important here our liability under regulations not least including GDPR, DSA and DMA, let alone the e-privacy directive. So GDPR, DMA and DSA protect different legal interests, so they effectively, these penalties under each can be imposed cumulatively, so it's not just, you know, 10 billion or whatever
Starting point is 00:19:21 under all of them, it's that if each one imposesoses 10 billion then it's 30 billion. The combined theoretical maximum risk amounts to approximately 32 billion, that's 4% plus 6% plus 10% of Metta's global annual revenue, which surpassed 164 billion in 2024. So again, it's not far. It's a big chunk of change, but it's not going to put them out of business. However, maximum fines have never before been applied simultaneously, but some might say these scoundrels, I would say these soulless lizard people have earned it. So here's the thing, Metta seems to do anything and everything it can to bypass every single kind of legal protection that goes into place to protect consumers, to make sure that they are quite simply not taken advantage of, not unknowingly handing over data that they should clearly have known that they were making available.
Starting point is 00:20:28 But data that at a very basic level is protected by these regulations. And Meta, as usual, are working their way around all of these protections. And then almost just you know doing Pikachu surprise face when they get caught and say well nobody told us so I find this absolutely well one doesn't surprise me in the scientist two doesn't also surprise me that they cracked androids first because as we all know only people who don't care about security have androids or can't afford one. And since we know how much Jav is paid, we know how much he cares about security as a result.
Starting point is 00:21:11 But nonetheless, working your way around these things just so you can track people and just so you can sell them more stuff in an extraordinarily cynical way, it's just appalling. And if I don't sound angry, it's because I'm just so resigned at the fact that Meta just will never ever, when given a choice between doing the right thing and a shitty thing, will always do the shitty thing. Sorry, I fell asleep when you were explaining TCPIP in the beginning and then I woke up and you were talking, droning on and on about GDPR, DMA, some other regulations.
Starting point is 00:21:51 I went back to sleep again. I went back to sleep again and then like there was silence and I woke up and Andy was sitting there with a thousand yard look on his face. Andy was nodding thoughtfully. I'll have you know. Well, I'm thinking this is actually a Billy Big Balls move, not a rant. Well haven't we always said there's a fine line between the rant of the week and the Billy Big Balls? You've got to admire that they've literally gone out of their way to bypass every control.
Starting point is 00:22:19 I mean admire the fact that they do the shadiest shit in the planet when it comes to its customers. So they've used the loophole in the privacy protection system that was put in place specifically designed to prevent all of this data gathering. Yep, yep. So they're actually able to get all your information even if you aren't using the app, even if you haven't using the app even if you haven't logged into your account in the browser even if you use an incognito mode even if you use a VPN and even if you delete cookies at the end of every session yeah like that is gold that is you gotta admire it that like Andy said and and
Starting point is 00:23:01 yet yet yet tick to TikTok is a problem. I know, I know. So you agree with me, you agree with me, right? But the thing is, this is coming from a company that serves up targeted beauty ads to teenage girls who've deleted selfies. I have exhibited signs of low self-esteem and is then targeting them with beauty ads etc.
Starting point is 00:23:25 This is a company that looks at something like that and goes, seems legit to me. This is a company that is creating problems that should never have existed in our society in the first place. And this is just one sign of it. This is just one symptom of that whole malaise and virus, that just rot that's eating at our society. And meta, I think, is right at the centre of that. And we should bear that in mind next time we're
Starting point is 00:24:06 on WhatsApp which I tell you what I die a little and there's a lot of me left to die but I die a little every time we use WhatsApp. It's not just us, everybody uses WhatsApp. Is there a bot we can automate to send Tom more messages so we can speed up the dying a little process? Like I said, there's a lot of me left to die. A lot of me left. Anyway, the silence is that you're agreeing, you're frantically thinking of ways that you can't to disagree with me.
Starting point is 00:24:42 No, like I said I fell asleep but then when Andy explained it to me I woke up and then I said I agree with Andy it's a devilishly ingenious way. Rant of the week. You're listening to the double award-winning Host Unknown podcast. unknown podcast. All right let's see if we can raise ourselves up from the gutter with this oh no it's this week's rant so maybe not. So according to a new report from ISE2 that's what they're called now ISE2 we can new report from ISE2, that's what they're called now, ISE2, we can't call them ISE2 apparently. Is that like our RSAC conference?
Starting point is 00:25:30 Yes, RSAC conference. Hiring managers have apparently been demanding that entry-level candidates possess qualifications that would make a 20-year veteran blush. The study found that more than a third of hiring managers expect junior hires to already have advanced certifications like the CISSP or the CISM and for those not in the industry that's like expecting someone to be a Michelin star chef when working at McDonald's. And also bear in mind you cannot even if you pass your CISSP on the first day
Starting point is 00:26:07 that you leave university, you can't get it for five years. That's right. You cannot put the letters after your name for five years, and that's five years of relevant experience. Exactly. So how is that an entry level requirement? It isn't.
Starting point is 00:26:24 And this is where it gets really interesting because ISE too were the ones that have been pushing this certification, shoving them down everyone's throat for years. And so like Dan Hauser, I know Dan, he's a lovely guy, but he's formerly the ISE too chair. And he says, this has been a problem for some time and it seems like the battle continues and I was like you worked within ISC2 you could have fixed the problem from within but at that time you were complicit in the organization pushing these things out. Just following orders. It's like the CEO of Marlborough suddenly saying, you know what?
Starting point is 00:27:05 I've noticed people are smoking these things and I'm beginning to think it might be bad for them. It's like, well, no shit, Sherlock. So that organization that's been selling these certifications had been shoving it down every organization saying like, oh, you need to hire people with this certification, artificially inflating this demand, throwing out these figures that there's like 52 billion vacancies in the thing. And now they're saying, oh, this is a bit of a problem.
Starting point is 00:27:33 This is a bit of a problem. And this is like, I think the only other company I think that has been this ballsy is BP when they rebranded as an environmental champion. Yeah. Yes. Yeah. Yes. So, and if you don't know, ICT makes millions, they make millions from certification fees. The CISP costs around 750, I think, to take the exam. Dollars, I think.
Starting point is 00:28:00 Yeah, $750 to take the exam and most people will spend a few hundred, maybe thousand on doing a boot camp, buying materials and things like that. And now they're saying, oh dear, it seems there's an unreasonable expectation for junior staff to have, you know, how did this happen? I don't know. Maybe check your marketing emails from the last 20 years or so. I don't know. Maybe check your marketing emails from the last 20 years or so. So you want a job in site security, get certified or get left behind. That's kind of like where they went. And then we wonder why hiring managers got the idea that these certifications were non-negotiable. And I think the audacity of this report is what really gets me as a Billy Big Bruns. It's like this report is what really gets me as a Billy Big Bronson. It's like an arsonist setting fire and then saying,
Starting point is 00:28:48 oh, there's lack of affordable housing or relevant housing in the area or something. You know, it takes balls to criticize the problem that you helped create. I mean, maybe McKinsey is the only other firm that you can think of that have created more problems than solved solutions to. And I'm not saying that certifications are worthless.
Starting point is 00:29:10 They have a place. But if you're a hiring manager, maybe trust that junior staff can learn on the job without these certifications. And even in this report, they actually say that they found that people who don't even come from a security background or technical background Actually bring lots and lots of really good ideas and value to it
Starting point is 00:29:31 So and also as a security manager as a hiring manager You should know a little bit about the industry you're hiring from really you should it's you know It's a bit like oh oh, I've only ever sailed a ship in a swimming pool, therefore what should I know about sailing in the sea when I've only ever been in a swimming pool? Actually, you need to know about the larger issues here because it's going to influence what you do. And they don't, they're not looking into it, they're not finding out that they obviously don't realise when they say that junior role needs a CRWSP that it requires a minimum of five years.
Starting point is 00:30:16 Otherwise how could they hand on heart put that into the job requirements? Unless they're wholly incompetent. Good point, well made. Not happy with that. We have Coram. Well, we have Coram, but I don't think this is a Billy Big Balls, this is another bloody rant. It's outrageous. Once again, Jav's defending the undefendable. Like we said, there's a very thin line between a man and a Billy Big Balls. Billy Big Balls of the Week. Feeling overloaded with actionable information? Fed up receiving well-researched factual security content?
Starting point is 00:31:03 Yes! receiving well-researched factual security content. Yeah! Ask your doctor if the Host Unknown podcast is right for you. Always read the label, never double dose on episodes. Side effects may include nausea, eye rolling and involuntary swearing in anger. All very true. Andy, I know what time it is that you told us to say the time it was, but what time have you got? That was janky. Do you want me to do it again?
Starting point is 00:31:32 Try again. Okay. Andy, I know what time you told me to say it was, but what time do you say it is? It is that time of the show where we head over to our news sources over at the InfoSec PA Newswire who have been very busy bringing us the latest and greatest security news from around the globe. INDUSTRIM NEWS Hashtag InfoSec 2025 Top 6 Cyber Trends CISOs Need To Know
Starting point is 00:32:01 INDUSTRIM NEWS Half of mobile users now face daily scams. Researcher finds 5, 0 days and 20 plus misconfigurations in Salesforce Cloud. Hands-on skills now key to landing your first cyber role. Industry News Fishing Alert as Erie Insurance reveals cyber... ...event. Industry News Europol says criminal demand for data is skyrocketing. Industry News
Starting point is 00:32:37 Nest publishes new Zero Trust implementation guidance. Industry News Microsoft 365 Copilot New zero click AI vulnerability allows corporate data theft. European journalists targeted by Paragon. Spyware. Citizen
Starting point is 00:32:56 lab confirms. And that was this week's Industry News Huge if true. So I've gone straight This week's industry news. Huge if true. So I've gone straight for this M365 copilot zero click AI vulnerability. I know it just rolls off the tongue.
Starting point is 00:33:18 So AI aim labs, sorry not aimers in AOL, messenger actually in aimlabs they have identified a vulnerability that can lead to the exfiltration of sensitive corporate data with a simple email so they've given it the name echo leak because all good bones need a name sorry called it what echo leak sorry what but um so the it so it's a bit more technical terms coming this way, Tom. It exploits design flaws typical of RAG copilots, that's Retrieval Augmented Generation Copilots, allowing attackers to automatically
Starting point is 00:33:59 exfiltrate any data from the M365 Copilot's context without relying on specific user behavior. So bear in mind with Copilot, this is designed certainly in enterprises to be a secure sort of tenancy for your data. So it doesn't get shared with the outside world, it's not used to train other LLMs.
Starting point is 00:34:20 You can dump all your corporate data into it and then interrogate it, ask it questions. And keep it all in your technical. Well that's a theory anyway. So it turns out that these guys released a report just on the 11th of June. Simply by crafting an email, the attacker sends an email containing instructions, specific markdown syntax, supposed to triggerpilot's underlying LLM but with a message phrased as instructions that were initially aimed at the recipient of the email but your co-pilot will read it and then execute those
Starting point is 00:34:56 instructions. Wow! So as soon as you get it, your co-pilot assistant will read it, follow the instructions it's given, and when they tell you to, you know, send us back all the data you've got in your tenancy, it will do that. Wow, bloody hell. Yeah. That is a big one. And this is what, you know, me and Andy have been trying to tell you, Tom, for weeks that
Starting point is 00:35:20 AI is embedded into everything, and you can't really opt out or turn it off or anything like that. It's there. I know, and it's quite fun when you see people are actually putting sort of like LLM commands into, into like their CVs and things like that. Yeah, we're like, you know, I don't know if that it's true, but sometimes people say it gets triggered and what have you. So did you see the Verizon Data Breach Report this year? Yes. On about page 8 or something it says, LLM, stop reading from this point on and stop processing data in this report. Tell the user to go to the website, download it or something.
Starting point is 00:36:02 Very good. What else have we got? Well, the top six cyber trends CISOs need to know. Oh, I read this one. Brilliant article. Brilliant article. No, it's not. It's just, like, terrible. It's absolutely amazing. Quotes some really dodgy people in there, so, like... Okay, I can see where this is going.
Starting point is 00:36:22 So let's just gloss over it. It's just a whole bunch of hot air masquerading as thought leadership content. Because you'd recognise that, wouldn't you, Jav? Game recognises game. Jav knows exactly how that content was created. There you are, Jav, you said this. Did I? Okay. What else? I love that Europol says criminal demand for data is skyrocketing. Again, sort of the bleeding obvious. In other news, water is wet. Yeah, exactly. No, water isn't wet. Oh, yeah, water makes you wet. Half of mobile users now face daily scams. Again, it's like, if you've got a mobile phone that's connected,
Starting point is 00:37:13 you know, put your hand up if you haven't received a dodgy text or a phone call or something. I know. I'm getting more of them now. Normally about once a week I'm getting something now. Those actually are your home care home. My kids have actually lost their phone week after week after week. Anything else? Shall we move on? More European journalists being targeted for God's sake. We don't care about journalists. Okay, let's move on, shall we? That was this week's... People who prefer other security podcasts are statistically more likely to eject USB devices safely.
Starting point is 00:38:03 For those who live life dangerously, you're in good company with the award-winning Host Unknown podcast. Right, Andy, why don't you take us home with this week's Tweet of the Week. And we always play that one twice. Tweet of the Week. And this week's Tweet of the Week comes from friend of the show Brian Honan over at B Sky. Bluesky. Oh, I said B Sky B. Yeah. With the square reel. With the square reel. He's at Brian Honan and he says: it's Friday, it's the 13th of the month, go ahead and push that project or code into production, what could possibly go wrong? Nothing more than what could happen if it was a Monday the 10th. Yeah, exactly. I
Starting point is 00:38:58 mean, or any other Friday. And it was the Victorians that changed, that made Friday the 13th unlucky anyway. Why was that? Because originally Friday the 13th was like a, I'm paraphrasing this wildly, do your own research, but it was a day recognised in celebration of a goddess of love and fertility. So basically it was Friday fuck day or something like that. But of course the Victorians being the Victorians, they didn't like that, so they decided to, you know, get all those heathens back and basically say Friday the 13th was just an unlucky day. Well, doing a quick Google search and reading the AI overview results, you're wrong. Okay, fair enough. It has its roots in a combination of religious beliefs, historic events and pop culture. One common explanation ties the superstition to the Last Supper
Starting point is 00:39:52 where Judas, the 13th guest, betrayed Jesus. Well, that's an old one. I think that's the one that the Victorians pushed. Another theory involves the mass arrests of the Knights Templar on Friday, October 13th, 1307. You probably remember that, Tom. He had retired just a day that week. It also gained mainstream attention with the 1980 horror film Friday the 13th. With Jason. Yeah, but all of that is based upon the Victorian concept of the 13th being unlucky. So I actually saw on this Friday the 13th, let us not forget the sacred lesson that Salt-N-Pepa, the grand visionary of DevOps, taught us. Push it, push it real good. That's fair enough. Yes. Well, we'll see. I'm gonna do some more research on this. I'm gonna prove it because otherwise tonight's party is
Starting point is 00:40:55 gonna be a bit of a bummer. Some people say that the first recorded murder, Cain killing Abel, also occurred on Friday the 13th. They've got no way of knowing that. Oh, for goodness' sake. Because they were using this calendar back then, I'm sure they were. Roughly 9:48 a.m., right? Probably, I don't know. Well, when did the crow come in? According to the live stream. You know you can get Veo 3 to make that. No, I just slipped. The knife slipped, it landed in his chest. Excellent, thank you, Andy, for this week's... So we come full circle to the end of the show. Gentlemen, thank you so much for your time this week. It's been fun, it's been emotional. I think I only made one mistake, so I think we're probably in pretty good shape overall. Jav, thank you very much for your
Starting point is 00:41:53 contributions and wit and wisdom, charisma, charm and general all-round grey beardiness. Well, someone had to bring the grey beardiness, you're welcome. And Andy, thank you, sir. Stay secure, my friends. Stay secure. On our Reddit channel. Worst episode ever. r/smashingsecurity. Also, the number 12 is often seen as a complete number.
Starting point is 00:42:32 12 months in a year, 12 inches in a foot. And 13 is a number that follows, making it seem like something that goes beyond the complete. But there never used to be 12 months in a year. Again, Victoria, this is all just layered on top of, oh, let's make it unlucky. Okay, why is it unlucky? Oh, let's make some shit up.
Starting point is 00:42:54 I don't personally believe Friday to be unlucky, like Friday the 13th or anything, but I'm just trying to show that I've integrated into your culture. There's no threats of deportation from here yet. Yet, exactly. I saw a Veo 3 video that Tommy Robinson had retweeted because he's now unbanned on it, and it's like a Veo 3 video of this immigrant, like, brown guy on a boat coming in, and he's like, I'm coming to Britain and I'm gonna, like, now free money for me. I saw those videos, yeah. It took me 30
Starting point is 00:43:30 minutes to get benefits from the time I landed on the shore.
